At Cisco Talos, we need customers to be able to provide feedback at all times, whether it be about reputation issues such as false positives or false negatives, or missed or incorrect content categories. Because we deal with an abundance of data across our platforms — such as IPS alerts, Cisco Secure Endpoint alerts, Email and Web Security Appliance alerts and more — feedback helps us test the efficacy of those alerts and systems promptly.
Our reputation and categorization dispute ticketing system and our analysts are closely linked together. This allows greater interactivity between our analysts and customers, and gives customers the ability to log into their account on talosintelligence.com and see the resolution of every dispute they have ever filed.
How do verdicts work?
Each ticket type involves unique verdicts, explained on their pages here in the support section. To create consistency across ticket types for customers, Web Reputation, Sender Domain Reputation, Sender IP Reputation, and File Reputation now all request “Malicious” or “Not Malicious” suggestions from users. This suggestion will be taken into consideration in the verdict.
The chart below breaks down the types of reputation and categorization tickets that users can file and track within their user accounts on talosintelligence.com. For all ticket types, please provide as much data as possible to assist our investigation team.
|TICKET TYPE|ITEMS TO DISPUTE|WHEN TO USE THIS TICKET|
|---|---|---|
|Web Reputation|domains, URLs, IP addresses|For domains, URLs or IP addresses believed to have an incorrect reputation. Suggest an increase or decrease in current reputation. If known to be malicious, you can suggest a new or alternate threat category. Suggestions of Malicious or Not Malicious will affect the end threat level of Trusted, Favorable, Neutral, Questionable, Untrusted or Unknown.|
|Content Categorization|domains, URLs, web IP addresses|Report domains, URLs or web IP addresses with incorrect categorization, or no assigned content category. Suggest up to five content categories for a given site, ordered from most to least relevant.|
|Sender IP Reputation|email sender IP addresses|Report IP addresses sending malicious emails or request a correction. Users must suggest Malicious or Not Malicious, which will affect the end verdict of Good, Neutral or Poor.|
|Sender Domain Reputation|email sender domains, email addresses|Report email sender domains or email addresses sending malicious emails, or request a reputation correction. Suggestions of Malicious or Not Malicious will affect the end verdict of Good, Neutral or Poor.|
|File Reputation|files in the form of SHA256|Report SHA256 hashes of files believed to be malicious, or request a reputation correction. Submissions are limited to hashes marked by Cisco sources only. Suggestions of Malicious or Not Malicious will affect the end reputation score of 0-100.|