Assets and Observables
The Assets and Observables panel displays more information about the assets and observables seen in the current investigation.
Expand the Assets panel to view the total number of assets and the list of assets, ordered from the most frequently seen to the least frequently seen in the investigation. Each asset is represented by a color-coded purple icon based on asset type, and includes the asset name, source, value, and labels.
Expand the Observables panel to view the total number and list of observables that were seen in the investigation. The (Investigated) icon and label display next to the observables that were included in the initial investigation; observables without this icon were added during the enrichment process.
Click the (Pivot Menu) icon next to an asset or observable to open the Pivot menu and view the verdicts for the asset, investigate it, create a judgment, or perform additional tasks by leveraging your integrated Cisco products.
The verdicts of an asset or observable are the most current, unexpired judgments with the highest priority.
To view the verdicts of an asset or observable, click the (Pivot Menu) icon next to it. The verdict source and the number of verdicts for the asset or observable are displayed in the upper portion of the Pivot menu. Click the (Expand) icon to view the details of the verdicts.
There are three critical judgment values for determining a verdict:
- End Time (determines expiration)
- Disposition (determines priority)
- Start Time (determines most current)
First, all expired judgments are removed from consideration, and all remaining judgments have a status of Current. A current judgment with the highest priority disposition is then selected as the verdict.
Disposition priority is ranked from highest to lowest: Clean, Malicious, Suspicious, Common, and Unknown. A Clean disposition is the highest priority and an Unknown disposition is the lowest priority.
When more than one judgment shares equally ranked dispositions (for example, two or more malicious judgments), the Start Time is then used to determine which judgment is used as the verdict (the judgment with the oldest Start Time). This single judgment is the verdict for that module.
While there is only one verdict per module, more than one module may see an observable. For this reason, an observable may have more than one verdict (one verdict for each module that saw that observable). In this case, the most current verdict (determined by Start Time) is displayed when only one verdict is required. This single verdict typically prefixes the observable type (for example, Malicious Domain), is color-coded based on the disposition (red = malicious), and is shown next to the observable title.
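The verdict selection rules above (drop expired judgments, pick the highest-priority disposition, break ties on the oldest Start Time, then pick the most current verdict across modules) are small enough to work through in code. The following is an added example written for this page, not Cisco's own implementation; the `Judgment` field names, the module names, and the sample judgments are constructed for illustration. One assumption is labelled in the code: across modules, "most current" is read as the verdict with the latest Start Time. The example also shows a detail worth knowing when triaging: because Clean outranks Malicious, a current Clean judgment from a module overrides a newer Malicious one from the same module.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Disposition priority exactly as stated on the page, highest first.
DISPOSITION_PRIORITY = ["Clean", "Malicious", "Suspicious", "Common", "Unknown"]
_RANK = {d: i for i, d in enumerate(DISPOSITION_PRIORITY)}


@dataclass(frozen=True)
class Judgment:
    # Field names are assumed for this example, not the product's schema.
    module: str                   # module/source that produced the judgment
    observable: str
    observable_type: str          # e.g. "Domain"
    disposition: str              # one of DISPOSITION_PRIORITY
    start_time: datetime
    end_time: Optional[datetime]  # None means the judgment never expires


def is_current(j: Judgment, now: datetime) -> bool:
    """A judgment is Current until its End Time passes."""
    return j.end_time is None or j.end_time > now


def module_verdict(judgments: List[Judgment], now: datetime) -> Optional[Judgment]:
    """Verdict for a single module: expired judgments are removed, then the
    highest-priority disposition wins, and ties go to the oldest Start Time."""
    current = [j for j in judgments if is_current(j, now)]
    if not current:
        return None
    return min(current, key=lambda j: (_RANK[j.disposition], j.start_time))


def verdicts_for_observable(judgments: List[Judgment], now: datetime) -> Dict[str, Judgment]:
    """One verdict per module that saw the observable."""
    by_module: Dict[str, List[Judgment]] = {}
    for j in judgments:
        by_module.setdefault(j.module, []).append(j)
    result = {}
    for module, js in by_module.items():
        v = module_verdict(js, now)
        if v is not None:
            result[module] = v
    return result


def display_verdict(judgments: List[Judgment], now: datetime) -> Optional[str]:
    """The single verdict shown next to the observable title.
    Assumption: 'most current' across modules means the latest Start Time."""
    verdicts = verdicts_for_observable(judgments, now)
    if not verdicts:
        return None
    chosen = max(verdicts.values(), key=lambda j: j.start_time)
    return f"{chosen.disposition} {chosen.observable_type}"


# Constructed sample data: three modules judged the same domain.
NOW = datetime(2024, 7, 1)
OBS = "suspicious-host.example"


def sample_judgments() -> List[Judgment]:
    d = lambda *ymd: datetime(*ymd)  # noqa: E731 - compact date helper
    return [
        # Module A: one expired Malicious, one Suspicious, two current Malicious.
        Judgment("ModuleA", OBS, "Domain", "Malicious", d(2024, 1, 1), d(2024, 6, 1)),
        Judgment("ModuleA", OBS, "Domain", "Suspicious", d(2024, 3, 1), None),
        Judgment("ModuleA", OBS, "Domain", "Malicious", d(2024, 5, 1), None),
        Judgment("ModuleA", OBS, "Domain", "Malicious", d(2024, 4, 1), None),
        # Module B: a single, newer Common judgment.
        Judgment("ModuleB", OBS, "Domain", "Common", d(2024, 6, 15), None),
        # Module C: an older Clean judgment outranks a newer Malicious one.
        Judgment("ModuleC", OBS, "Domain", "Clean", d(2024, 2, 1), None),
        Judgment("ModuleC", OBS, "Domain", "Malicious", d(2024, 6, 20), None),
    ]


if __name__ == "__main__":
    for module, v in sorted(verdicts_for_observable(sample_judgments(), NOW).items()):
        print(f"{module}: {v.disposition} (start {v.start_time.date()})")
    print("displayed:", display_verdict(sample_judgments(), NOW))
```

Running the block prints one verdict per module (Module A resolves to the Malicious judgment that started 2024-04-01, Module C to Clean) and then the single displayed verdict, which is Module B's Common Domain because it has the latest Start Time among the three module verdicts. When reviewing a verdict in the Pivot menu, expanding the per-module details is the way to see that a Malicious judgment is present even when the summarised verdict says otherwise.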
To investigate an asset or observable, click the (Pivot Menu) icon next to it and choose Investigate observable. The investigation begins and the results are displayed on the Investigation Results page. For more information, see the Investigation Results help topic.
To create a private judgment for an asset or observable and associate indicators, click the (Pivot Menu) icon next to it and choose Create Judgment. For more information, see the Create Private Judgment help topic.