This blog extends information from Cognitive Threat Analytics (CTA): Release Notes
February 2018 Update
(by Ivan Nikolaev and Lukas Machlica)
Malicious hosting detection: the CTA engine is able to detect a new type of incident. These incidents manifest as communication with endpoints associated with malicious hosting activity. The association is determined from the global behaviour of the host, learned across various data sources.
Example: this incident is an example of communication with malicious hosting infrastructure. There are three domains labelled as malicious hosting. Two of them are associated with the same IP. These IPs also host other DGA domains (domains generated algorithmically), as seen in the incident. The communication happens over HTTPS, and there are several successful downloads from the domains.
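The association rule sketched above, as an added example that is not CTA's code and only approximates the idea: domains co-hosted on an IP that also serves several DGA-labelled domains are treated as malicious hosting, and successful HTTPS downloads from them in a proxy log become the incident. The DNS resolutions, DGA labels and log lines are constructed, and the threshold names are assumptions.

```python
from collections import defaultdict

# Constructed DNS resolutions observed across the environment: (domain, ip).
RESOLUTIONS = [
    ("cdn-update-files.example", "203.0.113.10"),
    ("static-host-pool.example", "203.0.113.10"),
    ("mirror-download.example", "203.0.113.22"),
    ("xk3q9vz2lp.example", "203.0.113.10"),
    ("qwe7r1tyu8.example", "203.0.113.10"),
    ("news.example", "198.51.100.5"),
]

# Constructed labels from an upstream DGA classifier (assumed to exist).
DGA_DOMAINS = {"xk3q9vz2lp.example", "qwe7r1tyu8.example"}

# Constructed proxy log lines: client, method, host:port, status, bytes.
PROXY_LOG = """\
10.0.0.5 CONNECT cdn-update-files.example:443 200 482000
10.0.0.5 CONNECT static-host-pool.example:443 200 51200
10.0.0.7 CONNECT news.example:443 200 9000
10.0.0.5 CONNECT mirror-download.example:443 200 770000
10.0.0.9 CONNECT static-host-pool.example:443 403 0"""

MIN_DGA_PER_IP = 2        # assumed threshold: DGA domains an IP must host
MIN_DOWNLOAD_BYTES = 10000  # assumed threshold: what counts as a download

def malicious_hosting_domains(resolutions, dga_domains, min_dga=MIN_DGA_PER_IP):
    """Domains that share an IP with at least `min_dga` DGA-labelled domains."""
    by_ip = defaultdict(set)
    for domain, ip in resolutions:
        by_ip[ip].add(domain)
    flagged = set()
    for domains in by_ip.values():
        if len(domains & dga_domains) >= min_dga:
            flagged |= domains - dga_domains   # co-hosted, not DGA themselves
    return flagged

def find_incidents(log_text, flagged, min_bytes=MIN_DOWNLOAD_BYTES):
    """Map client -> sorted flagged hosts it successfully downloaded from."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        client, _method, hostport, status, nbytes = line.split()
        host = hostport.rsplit(":", 1)[0]
        if host in flagged and status == "200" and int(nbytes) >= min_bytes:
            hits[client].add(host)
    return {client: sorted(hosts) for client, hosts in hits.items()}

if __name__ == "__main__":
    flagged = malicious_hosting_domains(RESOLUTIONS, DGA_DOMAINS)
    print("malicious hosting:", sorted(flagged))
    print("incidents:", find_incidents(PROXY_LOG, flagged))
```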