Can anyone tell me the answer

Hi 

Can you please tell me the difference between SLIC and TALOS?

And also, what are the different fields of NetFlow and IPFIX?

4 Replies

balaji.bandi
Hall of Fame

Sometimes Cisco confuses us:

The Stealthwatch Threat Intelligence Feed (formerly known as SLIC or Stealthwatch Labs Intelligence Connection) is an IP list that is updated, sometimes several times per day, based on data from a variety of sources within Cisco and the security industry. That list resides locally on the Stealthwatch Management Console (SMC).

Cisco Talos does something similar: Threat Intelligence & Interdiction, Detection Research, Engineering & Development, Vulnerability Research & Discovery, Communities, Global Outreach and Incident Response. These feeds are used in WSA, NGFW, IPS, ESA, Umbrella, Stealthwatch, ThreatGrid and so on.

Personally, since Cisco keeps buying or acquiring different companies and different portfolios, they need to come under one umbrella to get a centralized information feed. (Way to go, I guess.)

BB

Ed Long
Level 1

Would appreciate a formal reply from Cisco regarding the differences between SLIC and TALOS.

Need to understand the Talos relationship with the Secure Network Analytics manager. How does the manager get the updated feed? Is the tcp/443 connection bi-directional with the Talos cloud? Does the SNA Manager pull the Talos data? If so, how often? Or does Talos push the updated threat information to the SNA Manager, and if so, how often? Really need to know if it's a push from Talos, or a pull from the SNA Manager, or both.

Received an answer from Cisco to this question just a moment ago (many thanks to Jesse T. for his quick reply!):

So there are two ways SNA interacts with Talos. The direct interaction would be via what we call the SLIC feed. It's listed here under external services.

[screenshot: EdLong_0-1693420573242.png]

If you have it enabled, you can SSH to your SMC and see the interactions with this command:

grep -i "SlicFeedPoller" /lancope/var/smc/log/smc-core.log

I believe it's either updated every hour or once per day. And if it's having trouble reaching the server it will continually try every minute if it's enabled… I enabled it on my lab, which doesn't have internet access, and you can see proof of that here:

[screenshot: EdLong_1-1693420573252.png]

This is a poll from the SMC to download the threat feed in question.

The 2nd way SNA works with Talos is via CTA, which has been renamed Cognitive Analytics instead of Cognitive Threat Analytics. But it works with it indirectly. If you have it enabled on your collector and SMC, the collector will send a copy of your outbound flows to Cisco's cloud. And then information from Talos is used within that cloud (in conjunction with all the other analytics it looks at and rules that it runs through) to generate cognitive alerts, which are in turn sent back to the SMC and displayed under the Cognitive widget.

[screenshot: EdLong_2-1693420573253.png]
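As an added example (not from this thread, from Cisco, or from Jesse T.), the Python below takes the lines that the reply's grep command would return and summarises poller health in the terms the reply describes: when the feed was last downloaded, the spacing between successful downloads (the reply says hourly or daily), the retry cadence while the server is unreachable (the reply says every minute), and whether the local feed should be considered stale. The real smc-core.log layout is not shown in the thread, so the line format, the sample log lines, the function names (`parse_poller_events`, `feed_health`) and the 26-hour stale threshold are all assumptions constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of smc-core.log lines (NOT real SMC output; the real
# format is not shown in the thread). Scenario: two hourly downloads succeed,
# then the feed server becomes unreachable and the poller retries each minute.
SAMPLE_LOG = """\
2023-08-30 10:00:01,120 INFO  SlicFeedPoller - Downloaded threat feed: 1842 entries
2023-08-30 10:30:15,004 INFO  FlowCollectorMonitor - heartbeat ok
2023-08-30 11:00:01,318 INFO  SlicFeedPoller - Downloaded threat feed: 1851 entries
2023-08-30 12:00:01,402 ERROR SlicFeedPoller - Unable to reach feed server: connect timed out
2023-08-30 12:01:01,410 ERROR SlicFeedPoller - Unable to reach feed server: connect timed out
2023-08-30 12:02:01,399 ERROR SlicFeedPoller - Unable to reach feed server: connect timed out
"""

# Assumed line layout: "<date> <time>,<ms> <LEVEL> <logger> - <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+"
    r"(?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)


def parse_poller_events(text):
    """Return [(timestamp, level, message)] for SlicFeedPoller lines only.

    The logger name is matched case-insensitively, like the `grep -i` in the reply.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("logger").lower() != "slicfeedpoller":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("level"), m.group("msg")))
    return events


def _minutes_between(stamps):
    """Whole minutes between consecutive timestamps."""
    return [int((b - a).total_seconds() // 60) for a, b in zip(stamps, stamps[1:])]


def feed_health(text, now_iso, stale_hours=26):
    """Summarise poller activity and flag a stale feed.

    `now_iso` is the evaluation time (ISO 8601). The reply says the feed is
    refreshed hourly or daily, so a feed older than a day plus some slack
    (stale_hours, an assumed threshold) is reported as stale.
    """
    now = datetime.fromisoformat(now_iso)
    events = parse_poller_events(text)
    ok = [ts for ts, level, _ in events if level == "INFO"]
    bad = [ts for ts, level, _ in events if level == "ERROR"]

    # Count how many failures have occurred since the last success.
    consecutive_failures = 0
    for _, level, _ in reversed(events):
        if level != "ERROR":
            break
        consecutive_failures += 1

    last_ok = ok[-1] if ok else None
    return {
        "successes": len(ok),
        "failures": len(bad),
        "last_success": last_ok.isoformat(sep=" ") if last_ok else None,
        "success_interval_minutes": _minutes_between(ok),  # expect ~60 or ~1440
        "retry_interval_minutes": _minutes_between(bad),    # expect ~1 while unreachable
        "consecutive_failures": consecutive_failures,
        "stale": last_ok is None or (now - last_ok) > timedelta(hours=stale_hours),
    }


if __name__ == "__main__":
    for key, value in feed_health(SAMPLE_LOG, "2023-08-30T12:05:00").items():
        print(f"{key}: {value}")
```

To run it against an appliance, feed it the contents of the file from the reply (`/lancope/var/smc/log/smc-core.log`) instead of `SAMPLE_LOG`, and adjust `LINE_RE` to whatever the real log lines look like; a non-empty `retry_interval_minutes` with a growing `consecutive_failures` count is the pattern the reply describes for an SMC that cannot reach the feed server.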