Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new blog
1409
Views
10
Helpful
2
Comments

Cognitive Release Note, March 2020: Additional annotations introduced for customers using AMP for Endpoints and annotations for more threats available for Stealthwatch customers

aligarci
Cisco Employee
Cisco Employee
‎04-02-2020 12:05 PM

User Experience Enhancements

cx.png

As part of the Cisco Common User Experience program, we are working towards a more uniform user experience and terminology alignment. This program runs across all Cisco security products.

 

Early Access introduces additional annotations for customers  using AMP for Endpoints

Customers using AMP for Endpoints and sending proxy logs to Cognitive Intelligence now have  the option to enable Early Access!1.png

 

 

Enabling Early Access unlocks a new view in Cognitive Intelligence for both Detected and Confirmed threats. This provides additional descriptions for anomalies that elaborate not only on the machine learning outcomes, but also the several layers of inference that are used to reach that verdict.

 

This additional information provides context about the capabilities and potential risks of the attack, information obtained by passive DNS, user statistics, details on the attack technique used, specific triggers or IoCs that have raised the alarm, components of the Global Risk Map, and others.

 

The Cognitive Intelligence research team  enabled annotations for a subset of threats that are more critical and can benefit from additional context. Approximately 60% of all incidents are showing additional annotations, and we’ll continue to steadily increase this percentage.

 

New annotations  are provided  with these anomalies  for customers using AMP for Endpoints with Early Access enabled:

  • Known malicious hostnamesw malicious hostnames.png

     

  • Known malicious domainsw known malicious domains copy.png

     

  • Known malicious IP addressesw malicious ip.png

     

  • Typosquatted hostnamesw typo copy.png

 

  • Punycode‐substituted hostnamesw punycode .png

     

  • Combosquatted hostnamescombosquatted.png

     

 

Stealthwatch customers can see annotations for more threats  

Additional annotations have been added for Stealthwatch customers with Early Access enabled:

  • Stratum protocol communication

n stratum not known.png

 

  • Known stratum protocol servicesn stratum.png

     

  • Known Sality URL pattern

w sality copy.png

 

  • RESP communication

n resp.png

 

  • Uncommon executable download

4.png

 

  • ICMP communication

n icmp.png

 

  • Large data transfers will be explained with the IP address the endpoint is connecting to and the amount of traffic exchanged.

5.png

 

  • Typosquatted hostnames

n typo.png

 

  • Punycode‐substituted hostnames

n puny.png

 

  • Combosquatted hostnamesn combo.png

     

 

Leveraging Cognitive Intelligence

Cognitive Intelligence capabilities are available to AMP customers with a compatible web proxy such as the Cisco Web Security Appliance, and all Stealthwatch Enterprise customers. Reach out to your account executive to learn how to turbocharge your existing cybersecurity investment with Cognitive.

2 Comments
Martin L
VIP
VIP
‎06-10-2020 01:48 PM
‎06-10-2020 01:48 PM

interesting; thanks for sharing!

0 Helpful
aligarci
Cisco Employee
Cisco Employee
‎06-25-2020 10:08 AM
‎06-25-2020 10:08 AM

Happy that you like it @Martin L!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Popular Articles
Customers Also Viewed These Support Documents