Pivot Menu
Cisco XDR provides a central point of access that allows us to leverage our threat intelligence resources with data from other Cisco products. Pivot menus are available from drop-down icons next to observables (such as IPs, domains, file hashes, emails, file names, and so on), placing powerful enrichment capabilities at your fingertips.
The Pivot menu provides the ability to link to other products and groups that are integrated with Cisco XDR. You can perform some actions directly in the Pivot menu or pivot to the integrated product to perform additional actions.
Note: The options available on the Pivot menu vary depending on the observable and integrated modules. Actions in other products may require a login and password.
If you are viewing the Pivot menu for assets, a list of attributes is displayed, and you can click an attribute to perform additional tasks, such as investigating an observable or pivoting to an integrated product.
For a Device asset, click the View asset information link to open a new tab and display the device information on the Device Details page. See Device Details for more information.
If there are verdicts for the selected observable, the number of verdicts is displayed as color-coded badges based on the disposition in the upper area of the Pivot menu. Verdicts are the most current, unexpired judgment with the highest priority. Click the (Expand) icon to view the verdict details, sorted by the highest priority at the top. For more information, see View Verdicts.
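The rule above (a verdict is the most current, unexpired judgment with the highest priority) is easy to get subtly wrong when you consume XDR or CTIM-style judgment data in your own tooling, for example by forgetting the validity window or by letting a newer but lower-priority judgment win. The Python below is an added example, not Cisco XDR code: it implements that rule over constructed judgments and assumes, for the badge counts, that each integrated source contributes one verdict. Field names, source names and values are constructed for the example.

```python
"""Derive the Pivot menu verdict from a set of judgments.

Added example, not Cisco XDR code. Implements the rule stated in the text
(verdict = most current, unexpired judgment with the highest priority) and
assumes each integrated source yields one verdict, which the badges then count.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Judgment:
    observable: str
    disposition: str              # e.g. "Malicious", "Suspicious", "Clean"
    priority: int                 # higher wins
    start_time: datetime          # when the judgment became valid
    end_time: Optional[datetime]  # None means it never expires
    source: str                   # integrated module that produced it (constructed names)


def unexpired(judgments: Iterable[Judgment], now: datetime) -> List[Judgment]:
    """Keep judgments valid at `now`: already started and not yet expired."""
    return [j for j in judgments
            if j.start_time <= now and (j.end_time is None or j.end_time > now)]


def verdict(judgments: Iterable[Judgment], now: datetime) -> Optional[Judgment]:
    """Highest priority wins; on a tie the most recent judgment wins."""
    live = unexpired(judgments, now)
    if not live:
        return None
    return max(live, key=lambda j: (j.priority, j.start_time))


def verdicts_by_source(judgments: Iterable[Judgment], now: datetime) -> Dict[str, Judgment]:
    """One verdict per source (assumption: this is what each badge counts)."""
    by_source: Dict[str, List[Judgment]] = {}
    for j in judgments:
        by_source.setdefault(j.source, []).append(j)
    result: Dict[str, Judgment] = {}
    for source, group in by_source.items():
        v = verdict(group, now)
        if v is not None:
            result[source] = v
    return result


def badge_counts(judgments: Iterable[Judgment], now: datetime) -> Counter:
    """Number of per-source verdicts per disposition, i.e. the colour-coded badge numbers."""
    return Counter(v.disposition for v in verdicts_by_source(judgments, now).values())


def sorted_for_display(judgments: Iterable[Judgment], now: datetime) -> List[Judgment]:
    """Expanded-view order: highest priority first, newest first within a priority."""
    return sorted(unexpired(judgments, now), key=lambda j: (j.priority, j.start_time), reverse=True)


def _utc(month: int, day: int) -> datetime:
    return datetime(2024, month, day, tzinfo=timezone.utc)


NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
OBS = "216.238.85.220"  # the IP the page uses as its own example value
SAMPLE_JUDGMENTS = [  # constructed data
    Judgment(OBS, "Malicious", 95, _utc(5, 30), None, "module-a"),
    Judgment(OBS, "Suspicious", 90, _utc(5, 31), None, "module-a"),    # newer, but lower priority
    Judgment(OBS, "Clean", 99, _utc(1, 1), _utc(3, 1), "module-a"),     # expired: ignored
    Judgment(OBS, "Malicious", 80, _utc(5, 29), None, "module-b"),
    Judgment(OBS, "Suspicious", 80, _utc(5, 30), None, "module-b"),    # priority tie: newer wins
    Judgment(OBS, "Unknown", 50, _utc(6, 2), None, "module-c"),         # not yet valid: ignored
]

if __name__ == "__main__":
    top = verdict(SAMPLE_JUDGMENTS, NOW)
    print(f"verdict for {OBS}: {top.disposition} (priority {top.priority}, {top.source})")
    print("badges:", dict(badge_counts(SAMPLE_JUDGMENTS, NOW)))
```

The expired Clean judgment has the highest raw priority and would be picked by a naive `max(priority)`, which is why filtering on the validity window comes first.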
The Add observable to investigation menu option is only available for observables that have not yet been investigated. If you choose this menu option in a saved investigation, a cloned investigation opens in a new tab and runs with the newly added observable. To remove an observable from an investigation, choose Remove observable from investigation. You can continue to add or remove observables until the cloned investigation is saved. For more information, see Add or Remove Observables in Investigations.
Choose this menu option to open a new tab and investigate only that observable. Alternatively, you can hover over the (Pivot Menu) icon when collapsed and click the (Investigate Observable) icon.
Choose this menu option to create a judgment for the observable and associate it with indicators. Once the judgment is created, it is displayed on the Private Judgments page. For more information, see Create Private Judgment.
Note: New judgments can only be created when linked with one or more private indicators.
There are two copy options in the Pivot menu:
- Copy value - Choose the Copy value menu option to copy the selected observable value to the clipboard for later use elsewhere. Alternatively, you can hover over the (Pivot Menu) icon when collapsed and click the (Copy) icon.
Note: If the Defang on Copy toggle setting is turned on in the Cisco XDR ribbon, the Copy defanged value menu option is removed from the Pivot menu and the Copy value menu option copies the observable value as a defanged value instead. For details, see Configure Ribbon Settings.
- Copy defanged value - Choose the Copy defanged value menu option to enclose the last period or colon of an IP address, URL, domain name, or email address in square brackets when you copy the selected observable value to the clipboard for later use elsewhere. If the value is a URL, http is also changed to hxxp. This ensures that the value is copied as an inactive link, so you cannot accidentally click a malicious link when you paste it elsewhere. For example, the defanged value of 216.238.85.220 is 216.238.85[.]220. Alternatively, you can hover over the (Pivot Menu) icon when collapsed and click the (Copy defanged value) icon.
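Analysts often need the same defang transformation outside the ribbon, for instance when a script writes observables into a ticket or chat message, and the reverse when a defanged value is pasted back into a tool that needs the live form. The Python below is an added example, not Cisco's code: it applies the rule described above (bracket the last period or colon, rewrite http to hxxp) and its inverse. For URLs it brackets the host part rather than the path, which the text does not specify and is an assumption here; the sample values are constructed.

```python
"""Defang and refang observable values following the rule described for Copy defanged value.

Added example, not Cisco XDR code. Assumption: for URLs the last '.' or ':' of the
host part is bracketed (the text does not say whether the path is considered).
"""
import re

# Matches an http:// or https:// scheme prefix, case-insensitively.
_SCHEME_RE = re.compile(r"^(?P<scheme>https?)://", re.IGNORECASE)


def _bracket_last_separator(text: str) -> str:
    """Enclose the last '.' or ':' in square brackets: 216.238.85.220 -> 216.238.85[.]220."""
    idx = max(text.rfind("."), text.rfind(":"))
    if idx == -1:
        return text  # nothing to bracket (e.g. a bare file name or hash)
    return f"{text[:idx]}[{text[idx]}]{text[idx + 1:]}"


def defang(value: str) -> str:
    """Return value with its last period/colon bracketed; for URLs also rewrite http to hxxp."""
    value = value.strip()
    match = _SCHEME_RE.match(value)
    if match is None:
        # IP address, domain name or email address: bracket the last separator in the value.
        return _bracket_last_separator(value)
    # URL: neutralise the scheme, then bracket the host so the pasted text is not clickable.
    scheme = "hxxps" if match.group("scheme").lower() == "https" else "hxxp"
    remainder = value[match.end():]
    slash = remainder.find("/")
    host, path = (remainder, "") if slash == -1 else (remainder[:slash], remainder[slash:])
    return f"{scheme}://{_bracket_last_separator(host)}{path}"


def refang(value: str) -> str:
    """Inverse of defang, for feeding a copied value back into a tool that needs the live form."""
    restored = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", restored, flags=re.IGNORECASE)


def is_defanged(value: str) -> bool:
    """True when the value carries a defang marker and so will not render as a live link."""
    return "[.]" in value or "[:]" in value or value.lower().startswith("hxxp")


if __name__ == "__main__":
    # Constructed sample values; example.com is a reserved documentation domain.
    for sample in ("216.238.85.220", "http://evil.example.com/login.php",
                   "user@evil.example.com", "evil.example.com"):
        print(f"{sample} -> {defang(sample)}")
```

Note that a host:port URL gets its colon bracketed rather than the last period of the hostname, because the rule picks whichever separator comes last; `refang` undoes both forms.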
Choose this option to create a new case in the casebook app and add the observable to it. A Case Created confirmation message is displayed in the upper right corner of the screen.
Choose this menu option to add the observable to the active case in the casebook app. The Observable Added confirmation message is displayed in the upper right corner of the screen.
In the lower portion of the Pivot menu, you can choose to pivot to the integrated products and perform additional tasks by choosing the options beneath the product, such as Search for this domain in Secure Endpoint.
Run Workflows
You can run response workflows from the Automation area in the Pivot menu. Before you can successfully run a workflow from the Pivot menu, you must first open the workflow in the Workflow Editor in Automation to validate the workflow. Once the workflow is validated, you can click on it to run it from the Pivot menu. Additionally, the target should exist in the target group in Automation according to the matching criteria.
Block and Unblock Domain
If integrated with the Umbrella Enforcement API, you can choose Block this domain directly from the Pivot menu to prevent any further intrusion from the domain. After you have investigated the observable, and if you find it is not a threat, you can click the Pivot menu and choose Unblock this domain.
Add or Remove from Quarantine List
If integrated with Secure Client, you can choose Add to custom detections list directly from the Pivot menu of the amp_computer_guid. This functionality adds the file to a custom list for detected and quarantined files.
After you have investigated the observable, and if you find it is not a threat, you can click the Pivot menu of the amp_computer_guid and choose Remove from custom detections list.
Start Isolation
If integrated with Secure Endpoint, you can choose Start Isolation directly from the Pivot menu of the amp_computer_guid to isolate an endpoint to control threats.
After you have investigated the observable, and if you find it is not a threat, you can click the Pivot menu of the amp_computer_guid and choose End Isolation.
Email Remediation
If integrated with Secure Email Appliance or Secure Email and Web Manager, you can perform remedial actions on messages (Cisco Message ID and Email Message ID observables only) using the Initiate Forward, Initiate Deletion, or Initiate Forward/Delete option on the Pivot menu. The messages are processed by Secure Email Appliance or Secure Email and Web Manager to prevent suspected malicious activity.
Note: To perform remedial actions on messages from the Pivot menu, you must configure the Remediation Forwarding Address field when you add or edit the Secure Email Appliance or Secure Email and Web Manager integration.
If integrated with Secure Email Threat Defense, you can choose to Quarantine messages with a specific observable directly from the Pivot menu. Additionally, you can use the Pivot menu to initiate a search in Secure Email Threat Defense.