Judgments

Column Name	Description
Observable	The observable name based on the type (for example, the IP address or file hash). Click the (Pivot Menu) icon next to the observable and view the disposition, observable type, and verdicts associated with the observable, and perform additional tasks. See View Verdicts and Tasks in Pivot Menu for more information. Click the Observable to open the Judgment Details drawer and view additional information.
Disposition	The intent or nature of an observable about whether it's malicious (untrusted), suspicious (questionable), unknown (neutral), common (favorable), or clean (trusted).
Reason	Why the observable disposition was determined.
Type	The type of observable (IP address, MD5 hash, SHA1 hash).
Start/End Times	The date and time the judgment was created and the date and time it expires (if expiration date is set).
Source	Where the CTIM entity (data) originated, for example who encoded the intel into a data object.
Severity	The seriousness of the threat that the observable presents (Critical, High, Medium, Low, None).
TLP	Traffic Light Protocol designation that indicates how information should be shared (red, amber, green, or white).

Search and Sort Judgments

Use the Search text box in the upper portion of the page to narrow the display of judgments. Click the tooltip next to the text box to view the search criteria and examples of common searches. Only stored data is searchable; data sources outside of Cisco XDR are not searchable.

You can sort the Judgments table based on the start date. Click the (Sort) icon next to the Start/End Date column to sort by oldest or most recent date and time.

Filter Judgments

Filter the display of judgments listed in the judgments table by using the Filters drawer. Perform the following steps to use the Filters drawer to narrow the display of judgments:

Choose Intelligence in the navigation menu and click the Judgments tab.
Click the (Filters) icon to open the Filters drawer.

Configure the following filter options for those incidents you want to be displayed:
- Hide expired judgments - Check the check box to remove judgments with expired date and time from the judgments list. By default, the check box is unchecked and all the judgments are displayed in the judgments list.
- Created by Me - Check the check box to display a list of private judgments that have been created by you. By default, the check box is unchecked and all judgments are displayed in the judgments list.
- Disposition - From the drop-down list, check the check boxes of the observable disposition to filter the judgments displayed in the judgments list. Click the (Clear) icon to remove your selections.
- Observable Type - From the drop-down list, check the check boxes next to the observable type to filter the judgments displayed in the judgments list. Click the (Clear) icon to remove your selections.
- Severity - From the drop-down list, check the check boxes next to the observable severity to filter the judgments displayed in the judgments list. Click the (Clear) icon to remove your selections.
- TLP - From the drop-down list, check the check boxes next to the TLP to filter the judgments displayed in the judgments list. Click the (Clear) icon to remove your selections.
- Source - Enter a partial or complete source name to filter the judgments displayed in the judgments list. The source entry is not case sensitive.
Click Apply to save your filter options.

The judgments list will refresh and only display those judgments that match the filter criteria and the criteria applies to both public and private judgment lists.

The Filters applied area is displayed across the top of the judgments list. Click the (Expand) icon to display all the filter selections with the filter category and the filter tags. To remove a selected filter category, click the (Delete) icon or click the X in the filter tag to remove a specific selection within the filter category and the list will refresh.

View Verdicts and Tasks in Pivot Menu

Click the (Pivot Menu) icon next to the observable in the judgment to open the Pivot menu and view the verdicts associated with the observable, investigate it, create a new judgment, or perform additional tasks by leveraging your integrated Cisco products.

Create Private Judgment

You can create private judgments for an observable and associate the appropriate indicators from the Pivot menu. Once the judgment is created, it is displayed in the private judgments table.

Perform the following steps to create a private judgment:

Choose Intelligence in the navigation menu and click the Judgments tab.
Click the (Pivot Menu) icon next to the observable and choose Create Judgment.

Click Link Indicators to open the Link Indicators form.

You can search for indicators and narrow the list by checking the check boxes for Confidence, Severity, and TLP.

Check the check box next to the indicators you want to include in the judgment and then click Select Indicators to add them to the judgment.

On the Create Judgment form, complete the following information:

Field	Description
Disposition	Required. Click the drop-down arrow and choose Unknown, Common, Malicious, Suspicious to indicate the disposition for the observable.
Expiration	Specify the period the judgment is valid. Enter or scroll to the number value, and then click the drop-down arrow and choose Days, Weeks, or Years.
TLP	Required. Click the drop-down arrow and choose the appropriate TLP designation to be assigned to the judgment (Red, Amber, Green, or White).
Reason	Enter a descriptive reason for creating a judgment for the observable.

Click Create. A color-coded message is displayed in the lower right corner indicating the new judgment has been created; the color indicates the disposition.

View Judgment Drawer

Click the judgment name to open the Judgment drawer and view additional information, download the judgment in JSON format, and delete a private judgment.

In the upper panel, the severity level and observable name are displayed.

General

Expand the General panel in the Judgment drawer and view the following information:

Column Name	Description
Start Time/End Time	The date and time the judgment was created and the date and time it expires (if expiration date is set).
Observable	The (Pivot Menu) icon next to the observable indicates the disposition and shows the verdicts that determined the disposition for the judgment. You can perform additional tasks from the Pivot menu, such as investigate the observable to view all of the verdicts or create a new judgment for the observable.
Disposition	The intent or nature of an observable about whether it's malicious (untrusted), suspicious (questionable), unknown (neutral), common (favorable), or clean (trusted).
Reason	Why the observable disposition was determined.
Source	Where the CTIM entity (data) originated, for example who encoded the intel into a data object. Click the Source to go to that instance and view more information.
Confidence	The confidence level of the system that produced the data of its accuracy.
Priority	A value 0-100 that represents the importance of a judgment, where automated judgments use a priority of 90 or less, known good products within your organization use a priority of 95, and human judgments use a priority of 100.
TLP	Traffic Light Protocol designation that indicates how information should be shared (red, amber, green, or white).