Indicator Detail
You can view all of the information about the indicator when you click View indicator detail in the Indicator drawer. You can also edit and delete a private indicator from this page using the Edit indicator and Delete indicator buttons in the upper right corner. See Indicators for more information on editing and deleting indicators.
Overview
The Overview panel displays threat intelligence context for a selected indicator in the investigation results. This threat context provides actionable and relevant information to help you gain insight to the nature of the threat and accelerate remediation.
It includes the confidence and severity level, TLP, and when the indicator expires. It also shows the source; click the URL to open the source product instance.
Likely Impact
The Likely Impact panel displays the expected impact within the relevant context if the indicator occurs.
Kill Chain Phases
The Kill Chain Phase panel displays the relevant kill chain phases indicated by the indicator.
Judgments
The Judgments panel displays the list of judgments associated with the indicator. The following information is displayed:
|
Column Name |
Description |
|---|---|
|
Observable |
The observable name based on the type (for example, the IP address or file hash). |
|
Disposition |
The intent or nature of an observable about whether it's malicious (untrusted), suspicious (questionable), unknown (neutral), common (favorable), or clean (trusted). |
|
Reason |
Why the observable disposition was determined. |
|
Type |
The type of observable (IP address, MD5 hash, SHA1 hash). |
|
Start/End Times |
The date and time the judgment was created and the date and time it expires (if expiration date is set). |
|
Source |
Where the CTIM entity (data) originated; what reported the indicator to the Cisco XDR integration. |
|
Severity |
The seriousness of the threat that the observable presents (None, High, Medium, or Low). |
|
TLP |
Traffic Light Protocol designation that indicates how information should be shared (red, amber, green, or white) |
Feeds
The Feeds panel displays the list of feeds associated with the indicator. The following information is displayed:
|
Column Name |
Description |
|---|---|
|
Title |
The name and description of the feed. |
|
Output |
The output of the generated feed; observables or judgments. |
|
Modified |
The date and time the feed was created or updated. |
|
Created |
Date and time the feed was created. |
|
Expiration |
The lifetime of the feed, which is specified when it is created. If a specific date is included when the feed is created, it displays how many days from the current date the feed will expire. |
External References
The External References panel displays the name, description, and external ID of the external sources of the indicator.
Indicator Type
The Indicator Type panel displays the type classifications assigned to the indicator.
Tags
The Tags panel displays the searchable descriptors for the indicator.