08-10-2021 04:01 AM
Hi
Can you please tell me the difference between SLIC and TALOS?
And also, what are the different fields of NetFlow and IPFIX?
08-10-2021 05:44 AM - edited 08-10-2021 05:44 AM
Sometimes Cisco confuses us:
The Stealthwatch Threat Intelligence Feed (formerly known as SLIC or Stealthwatch Labs Intelligence Connection) is an IP list that is updated, sometimes several times per day, based on data from a variety of sources within Cisco and the security industry. That list resides locally on the Stealthwatch Management Console (SMC).
Cisco Talos does somewhat the same: Threat Intelligence & Interdiction, Detection Research, Engineering & Development, Vulnerability Research & Discovery, Communities, Global Outreach and Incident Response. These feeds are used in WSA, NGFW, IPS, ESA, Umbrella, Stealthwatch, ThreatGrid and so on.
Personally, since Cisco keeps buying or acquiring different companies and different portfolios, they need to come under one umbrella to get a centralized information feed. (Way to go, I guess.)
05-22-2023 01:03 PM
Would appreciate a formal reply from Cisco regarding the differences between SLIC and TALOS.
08-30-2023 10:40 AM
Need to understand the Talos relationship with the Secure Network Analytics manager. How does the manager get the updated feed? Is the tcp/443 connection bi-directional with the Talos cloud? Does the SNA Manager pull the Talos data? If so, how often? Or does Talos push the updated threat information to the SNA Manager, and if so, how often? Really need to know if it's a push from Talos, a pull from the SNA Manager, or both.
08-30-2023 11:37 AM
Received an answer from Cisco to this question just a moment ago (many thanks to Jesse T. for his quick reply!):
So there are two ways SNA interacts with Talos. The direct interaction would be via what we call the SLIC feed. It's listed here under external services.
If you have it enabled, you can SSH to your SMC and see the interactions with this command:
grep -i "SlicFeedPoller" /lancope/var/smc/log/smc-core.log
I believe it's either updated every hour or once per day. And if it's having trouble reaching the server it will continually try every minute if it's enabled... I enabled it on my lab, which doesn't have internet access, and you can see proof of that here:
This is a poll from the SMC to download the threat feed in question.
The 2nd way SNA works with Talos is via CTA, which has been renamed Cognitive Analytics instead of Cognitive Threat Analytics. But it works with it indirectly. If you have it enabled on your collector and SMC, the collector will send a copy of your outbound flows to Cisco's cloud. Information from Talos is then used within that cloud (in conjunction with all the other analytics it looks at and rules that it runs through) to generate cognitive alerts, which are in turn sent back to the SMC and displayed under the cognitive widget.
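The reply above says the SMC polls the SLIC feed itself (the SlicFeedPoller entries in smc-core.log) and retries every minute when the server is unreachable. The script below is an added example, not part of the thread or of Cisco's SNA software: it turns that grep into a small health check that reports poll attempts, errors, the last successful download and how many retries have piled up since. The log line format and the words "downloaded" and "ERROR" are assumptions; the sample log is constructed here so the script runs offline, and a real check would point the functions at /lancope/var/smc/log/smc-core.log instead.

```shell
#!/bin/sh
# Constructed sample of SlicFeedPoller log lines. The format is assumed,
# not copied from a real SMC; substitute the real smc-core.log path in use.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2023-08-30 10:00:01 INFO  SlicFeedPoller - Starting threat feed poll
2023-08-30 10:00:02 INFO  SlicFeedPoller - Feed downloaded, 1234 entries
2023-08-30 11:00:01 INFO  SlicFeedPoller - Starting threat feed poll
2023-08-30 11:00:03 ERROR SlicFeedPoller - Unable to reach feed server
2023-08-30 11:01:03 ERROR SlicFeedPoller - Unable to reach feed server
2023-08-30 11:02:03 INFO  FlowCollectorSync - unrelated line, must be ignored
EOF

# Same case-insensitive filter as the grep in the reply; prints a line count.
slic_poll_lines() {
    grep -ic "slicfeedpoller" "$1"
}

# Number of poller lines that logged an error (assumed "ERROR" level keyword).
slic_poll_errors() {
    grep -i "slicfeedpoller" "$1" | grep -ic "error"
}

# Timestamp (first two fields) of the most recent successful download.
slic_last_success() {
    grep -i "slicfeedpoller" "$1" | grep -i "downloaded" | tail -n 1 | cut -d' ' -f1-2
}

# Error lines seen since the last successful download. With the one-minute
# retry described in the reply, a growing number here means the SMC has been
# unable to reach the feed server for about that many minutes.
slic_consecutive_failures() {
    grep -i "slicfeedpoller" "$1" | awk '
        tolower($0) ~ /downloaded/ { n = 0; next }
        tolower($0) ~ /error/      { n++ }
        END { print n + 0 }'
}

# One-word verdict based on the newest poller line: "healthy" if it is not
# an error, "retrying" if the poller is currently stuck in its retry loop.
slic_feed_status() {
    if grep -i "slicfeedpoller" "$1" | tail -n 1 | grep -qi "error"; then
        echo "retrying"
    else
        echo "healthy"
    fi
}

# Stand-alone run: summarise the constructed sample.
echo "poller lines:          $(slic_poll_lines "$SAMPLE_LOG")"
echo "poller errors:         $(slic_poll_errors "$SAMPLE_LOG")"
echo "last successful fetch: $(slic_last_success "$SAMPLE_LOG")"
echo "failures since then:   $(slic_consecutive_failures "$SAMPLE_LOG")"
echo "status:                $(slic_feed_status "$SAMPLE_LOG")"
```

On a real SMC, pair this with the "once per hour or once per day" cadence the reply mentions: a last successful fetch older than that window, or a steadily climbing failure count, is the signal to check outbound tcp/443 from the SMC before assuming the threat feed is current.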