The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter lists the most up-to-date data set for the Secure Workload pipeline that identifies and quarantines threats. Quarantining happens by inspecting the data center workloads against externally known malware command and control addresses, and security flaws in processes and geographical locations. The chapter also describes in detail, any identifiable communication from workloads to well-known malicious IPv4 addresses. The malicious IP addresses are updated every 24 hours. You can choose to automatically update the threat intelligence data sets or manually upload the data sets to Secure Workload.
 Attention |
Due to recent GUI updates, some of the images or screenshots used in the user guide may not fully reflect the current design of the product. We recommend using this guide in conjunction with the latest version of the software for the most accurate visual reference. |
To manage threat intelligence, from the navigation pane, choose .
Note |
By default, the feature to identify well-known malicious IP addresses is disabled. To enable this feature, see Visibility of Well-Known Malicious IPv4 Addresses. |
Cisco Secure Workload updates threat data sets regularly between 3 to 4 a.m. UTC by synchronizing with the global data set hat is available here. The global data set is refreshed weekly, either on a Friday or Monday. The Threat Intelligence dashboard lists the data sets and the date on which the data set was last updated.
The Threat Intelligence page displays the updated status of threat intelligence data sets. These data sets are updated automatically.
Note |
The Threat Intelligence feature requires a connection to Cisco Secure Workload servers to automatically update. Your enterprise outbound HTTP request may require the following:
In environments without an outbound connection, manually upload the data sets. |
Note |
Schedule Manual Uploads: Data set RPM files are published to the Secure Workload Update Portal weekly. We recommend that you install the latest releases periodically by configuring a schedule for an administrator. |
|
Data set |
Description |
|---|---|
|
NVD CVEs |
Security related software flaws, CVSS base score, vulnerable product configuration, and weakness categorization |
|
MaxMind Geo |
Identification of the location and other characteristics of source IPs |
|
NIST RDS |
NIST Reference Data Set of digital signatures of known, traceable software applications |
|
Team Cymru |
Insight on 3,000+ botnet command and control IPs |
|
Hash Verdict |
Verdict of Secure Workload on process hashes (only available with the Automatic Updates section). |
Note |
In case the MaxMind Geo data set is manually uploaded in an earlier release, you must reupload the corresponding RPM to view the location and related information on the Flow Visibility page. |
Download the latest threat data sets from here.
Log in as a Site Administrator or Customer Support Executive.
|
Step 1 |
From the navigation pane, choose . |
|
Step 2 |
Under the Upload Threat Dataset section, enable manual upload. |
|
Step 3 |
Click Select Supplemental RPM and select the RPM files that are downloaded from the Secure Workload Update Portal. |
|
Step 4 |
Click Upload. 
|
Feedback