Showing results for 
Search instead for 
Did you mean: 
Cisco Employee
Cisco Employee

User Experience Enhancements

As part of Cisco Customer Experience program, we are working towards a more uniform user experience and terminology harmonization. This program runs across all Cisco security products.


Terminology Updates

We are aligning the terminology used in the system across Cisco and the network security industry. As a result, these changes have been implemented:
  • Activities are renamed to Anomalies
  • Severity of Activities is renamed to Risk Factor
    It varies from 1 to 9, and now it will also be categorized as low – medium – high - critical, represented in different colors:
    Low (blue) for 1 to 5, medium (yellow) for 6 to 7, high (amber) for 8 to 9 and critical (red) for 10.



Updated Terminology in the Incident Detail

  • Permanent Filter is now Ignored Networks
    The functionality to exclude some IP addresses or subnets from the list of incidents is improved and renamed from Permanent Filter to Ignored Networks.
    The alerts for hosts matching the configured subnets will also be excluded from reporting in AMP for Endpoints, Stealthwatch, and STIX/TAXII feeds.

Ignored Networks Configuration

New features

The Cognitive UI now offers Casebook – a small widget that allows for submitting of observables directly to Cisco Threat Response. More details on Casebook can be found in the following blogpost:

You can enable Casebook using the icon or in the Cognitive Threat Response menu.

Better support for moving indicators from the page to Casebook will be improved in subsequent releases.


Casebook Enablement


New Confirmed Threats

In August and September, we added to our growing list of machine-learning-powered Confirmed Threat detections provided by the Cognitive Intelligence engine. We added two net-new Confirmed Threat types (see list below) and increased detection rates for previously-existing Confirmed Threats in the past six months.


List of new Confirmed Threat types in August and September:

Confirmed Threat ID







Malware - Dropper


Phorpiex infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide range of payloads, from malware that sends spam emails to ransomware and cryptocurrency miners.



Malware - File Infector


The Parite virus is a polymorphic file infector that resides in memory and attempts to disable antivirus solutions. It infects executable files on the local file system and on writeable network shares. Generally classified as a high-risk threat.



Sample Finding of new Confirmed Threat CTAL0194 Phorpiex Trojan

Confirmed Threat Updates

Our semi-automatic Indicator-of-Compromise (IoC) hunt processes (see Machine Learning Backend Improved blog) allowed us to increase the IoC coverage of existing Confirmed Threats. In August and September, we observed the re-emergence of the Emotet trojan (see Talos blog) and accordingly identified 97 new IoCs. In total, we added more than 600 high-risk IoCs and 40 mid-risk IoCs, covering over 20 different Confirmed Threat types.

Leveraging Cognitive Intelligence

Cognitive Intelligence capabilities are available to AMP customers with a compatible web proxy such as the Cisco Web Security Appliance, and all Stealthwatch Enterprise customers. Reach out to your account executive to learn how to turbocharge your existing cybersecurity investment with Cognitive.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: