As part of the Cisco Common User Experience program, we are working towards a more uniform user experience and terminology alignment. This program runs across all Cisco security products.
Early access introduces additional annotations
Comprehensible descriptions are now available in the anomalies section. They elaborate not only on the machine learning outcomes, but also on the several layers of inference used to reach that verdict. Furthermore, they are displayed in a logical order that supports the prediction.
These include information obtained from passive DNS, user statistics, details of the attack technique used, the capabilities and potential risks of the attack, the specific triggers or IoCs that raised the alarm, components of the Global Risk Map, and more.
Note: Early access to annotations will first be enabled for Stealthwatch customers and subsequently to all customers.
Figure 1: Bad actors often use domain names that are similar to legitimate ones in order to carry out their attacks. With the new annotations, a comprehensible anomaly description is provided.
Where specific confirmed threats are identified, they are linked to the specific anomaly that set them off. This is very useful when an event is related to several confirmed threats, since the specific triggers for each of them are then known.
Figure 2: When an anomaly is related to a specific confirmed threat, the actions that led to identifying this specific threat are enumerated. The ID of the confirmed threat is also mentioned.
Currently, most events generated from Stealthwatch network traffic have annotations, but not all of them. We will increase the coverage in the coming months. Access to annotations for AMP and other customers that send proxy logs to Cognitive Intelligence is expected to happen in the coming weeks.
If you are a Stealthwatch customer, you can enroll for Early Access now!
Figure 3: To see additional annotations in the Cognitive Intelligence portal, enable early access with one click from any confirmed or detected threat page.
New Confirmed Threats
List of new Confirmed Threat types in January:
Confirmed Threat: NetWire Remote Access Trojan (RAT)
Category: Malware / Remote Access Trojan
Description: Threat related to the NetWire Remote Access Trojan (RAT). NetWire gives the attacker complete remote control and administration of the infected device. The threat is capable of stealing information, executing commands, modifying registry keys, and grabbing screen captures of the infected host. RATs are used in targeted attacks, espionage, financial theft, and theft of sensitive corporate information. RATs are commonly used by malicious actors to bypass second-factor authentication methods.

Confirmed Threat: Spelevo exploit kit (EK)
Category: Malware / Exploit kit
Description: Threat related to the Spelevo exploit kit (EK), which exploits vulnerabilities in Adobe Flash to infect the device with malware. This exploit kit uses Windows Management Instrumentation (WMI) to execute the payload.