
Cognitive Release Note, January 2020: Early access introduces additional annotations and new Confirmed Threat types

Cisco Employee

User Experience Enhancements


As part of the Cisco Common User Experience program, we are working towards a more uniform user experience and terminology alignment. This program runs across all Cisco security products.


Early access introduces additional annotations

Comprehensible descriptions are now available in the anomalies section. They elaborate not only on the machine learning outcomes, but also on the several layers of inference used to reach the verdict. Furthermore, they are displayed in a logical order to support the prediction.

These include information obtained by passive DNS, user statistics, details on the attack technique used, the capabilities and potential risks of the attack, specific triggers or IoCs that have raised the alarm, components of the Global Risk Map, and others.


Note: Early access to annotations will first be enabled for Stealthwatch customers and subsequently for all customers.



Figure 1: Bad actors often use domain names which are similar to legitimate ones in order to carry out their attacks. With the new annotations, a comprehensible anomaly description is provided.


If there are specific confirmed threats identified, they will be linked with the specific anomaly that set them off. This is very useful in cases where the event is related to several confirmed threats, as we will know the specific triggers for each of them.



Figure 2: When an anomaly is related to a specific confirmed threat, the actions that led to identifying this specific threat are enumerated. The ID of the confirmed threat is also mentioned.



Currently, most events generated from Stealthwatch network traffic have annotations, but not all of them. We will increase the coverage in the coming months. Access to annotations for AMP and other customers that send proxy logs to Cognitive Intelligence is expected to happen in the coming weeks.


If you are a Stealthwatch customer, you can enroll for Early Access now!


Figure 3: To see additional annotations in the Cognitive Intelligence portal, enable early access with one click from any confirmed or detected threat page.



New Confirmed Threats

List of new Confirmed Threat types in January:

Confirmed Threat ID






NetWire Remote Access Trojan (RAT)

Malware / Remote Access Trojan


Threat related to the NetWire Remote Access Trojan (RAT). NetWire gives the attacker complete remote control and administration of the infected device. The threat is capable of stealing information, executing commands, modifying registry keys, and grabbing screen captures of the infected host. RATs are used in targeted attacks, espionage, financial theft, and theft of sensitive corporate information. RATs are commonly used by malicious actors to bypass second-factor authentication methods.


Spelevo exploit kit (EK)

Malware / Exploit kit


Threat related to the Spelevo exploit kit (EK) which exploits vulnerabilities in Adobe Flash to infect the device with malware. This exploit kit uses Windows Management Instrumentation (WMI) to execute the payload.

Leveraging Cognitive Intelligence

Cognitive Intelligence capabilities are available to AMP customers with a compatible web proxy such as the Cisco Web Security Appliance, and all Stealthwatch Enterprise customers. Reach out to your account executive to learn how to turbocharge your existing cybersecurity investment with Cognitive.