As part of the Cisco Customer Experience program, we are working towards a more uniform user experience and harmonized terminology. This program runs across all Cisco security products.
We are aligning the terminology used in the system with the rest of Cisco and with the network security industry. As a result, the following changes have been implemented:
Activities are renamed to Anomalies
Severity of Activities is renamed to Risk Factor. It varies from 1 to 9, and it is now also categorized as low, medium, high or critical, each shown in a different color: Low (blue) for 1 to 5, medium (yellow) for 6 to 7, high (amber) for 8 to 9 and critical (red) for 10.
[Figure: Updated terminology in the Incident Detail]
Permanent Filter is now Ignored Networks. The functionality to exclude specific IP addresses or subnets from the list of incidents has been improved and renamed from Permanent Filter to Ignored Networks. Alerts for hosts matching the configured subnets are also excluded from reporting in AMP for Endpoints, Stealthwatch, and STIX/TAXII feeds.
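As an added illustration (not the product's own code), the following Python models the Ignored Networks behaviour described above together with the Risk Factor bands listed earlier, run over constructed incident records; the record fields, function names and the size threshold are assumptions, and the last two functions are defender-side checks for how much an ignore list hides.

```python
import ipaddress

# Constructed incident records standing in for the product's incident list;
# the field names are assumptions, not the product's schema.
INCIDENTS = [
    {"id": "inc-1", "host": "10.20.30.40", "risk_factor": 9},
    {"id": "inc-2", "host": "10.20.31.7", "risk_factor": 4},
    {"id": "inc-3", "host": "192.0.2.99", "risk_factor": 10},
    {"id": "inc-4", "host": "2001:db8::1", "risk_factor": 6},
]


def parse_ignored_networks(entries):
    """Accept single IPs or CIDR subnets; a bare IP becomes a /32 (or /128) host route.
    strict=False tolerates host bits set in a subnet entry such as 10.20.30.1/24."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def is_ignored(host, networks):
    """True if the host falls inside any ignored network.
    `in` returns False across address families, so mixed v4/v6 lists are safe."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in networks)


def apply_ignored_networks(incidents, ignored):
    """Split incidents into the ones still reported and the ones the ignore list suppresses."""
    networks = parse_ignored_networks(ignored)
    kept, suppressed = [], []
    for inc in incidents:
        (suppressed if is_ignored(inc["host"], networks) else kept).append(inc)
    return kept, suppressed


def risk_band(risk_factor):
    """Risk Factor bands as listed on this page: 1-5 low, 6-7 medium, 8-9 high, 10 critical."""
    for lo, hi, band in ((1, 5, "low"), (6, 7, "medium"), (8, 9, "high"), (10, 10, "critical")):
        if lo <= risk_factor <= hi:
            return band
    raise ValueError(f"risk factor out of range: {risk_factor}")


def suppressed_high_risk(suppressed):
    """IDs of suppressed incidents in the high or critical band: review these before trusting the list."""
    return [i["id"] for i in suppressed if risk_band(i["risk_factor"]) in ("high", "critical")]


def overly_broad(ignored, max_hosts=65536):
    """Flag ignore entries that silence alerts for more than max_hosts addresses (threshold is an assumption)."""
    return [str(n) for n in parse_ignored_networks(ignored) if n.num_addresses > max_hosts]
```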
You can enable Casebook using the icon or in the Cognitive Threat Response menu.
Support for moving indicators from the page to Casebook will be improved in subsequent releases.
New Confirmed Threats
In August and September, we added to our growing list of machine-learning-powered Confirmed Threat detections provided by the Cognitive Intelligence engine. We added two net-new Confirmed Threat types (see the list below) and, over the past six months, increased detection rates for previously existing Confirmed Threats.
List of new Confirmed Threat types in August and September (Confirmed Threat category followed by its description):
- Malware - Dropper: Phorpiex infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide range of payloads, from malware that sends spam emails to ransomware and cryptocurrency miners.
- Malware - File Infector: The Parite virus is a polymorphic file infector that resides in memory and attempts to disable antivirus solutions. It infects executable files on the local file system and on writeable network shares. It is generally classified as a high-risk threat.
[Figure: Sample finding of new Confirmed Threat CTAL0194 Phorpiex Trojan]
Confirmed Threat Updates
Our semi-automatic Indicator-of-Compromise (IoC) hunt processes (see the Machine Learning Backend Improved blog) allowed us to increase the IoC coverage of existing Confirmed Threats. In August and September, we observed the re-emergence of the Emotet trojan (see the Talos blog) and accordingly identified 97 new IoCs. In total, we added more than 600 high-risk IoCs and 40 mid-risk IoCs, covering over 20 different Confirmed Threat types.