I've recently rolled out an FTD 184.108.40.206 and FMC 6.5 setup: two FMCs and eight pairs of FTDs running on 2110s and 5516-Xs. Today I started looking into the CTR integration, since it's supposed to be included with the Firepower licenses, which are all malware/URL/IPS by the way. I've been looking into this for the better part of a day and so far nothing is shown in the cloud event viewers, which is odd since the guides are pretty straightforward.
I set up the Cisco Security account earlier today, in the EU at first since that's where we operate, and linked it to our Cisco account where the smart licenses are. All good, and the FMCs showed up in the SSE as well as in CTR, but no events.
I then realized the EU cloud's limitation was that it's all 6.5, which we don't have on the FTDs yet. I set up a Cisco Security account for the US as well and linked it to the same Cisco account as the EU account. Somehow the US SSE ingested all our devices that have a smart license: not only the FMCs, as in the EU cloud, but a complete list of all FTDs connected to the FMCs and some older Firepower modules as well. That's nice, but still no events in the SSE, and even stranger, the US CTR dashboard shows no managed devices while the EU CTR does.
Is this normal behavior? Is there a longer wait period than the 2+ hours I've been waiting for events?
Thank you for trying out Threat Response, and for your question.
The Firepower-CTR integration is entirely reliable for what it was designed to do. Where and how are you expecting to see those events? At no point is CTR going to show you an unfiltered list of all events; that's not the goal, and you can already see that in the FMC. What it will do is show you, in the Threat Response Incident Manager, a selection of more urgent events from the total alert set available in FMC, and also allow you to see matches from your Firepower device alerts when you are conducting other investigations.
Most SOCs are inundated with alerts, many of which get ignored or missed. The Incident Manager is here to help alleviate that problem by performing some simple first-level triage. There are three ways an event from your Firepower devices can be promoted from SSE to the Incident Manager:
If you want to test the event flow:
If all three of these steps work, then everything is working as intended. If you want to see more events than the ones that are getting promoted due to external IP reputation, select a few high-value subnets in your organization and add them to auto-promotion rules in SSE.
For more information about what the Firepower and Threat Response integration brings, see this article, here in the CTR Community:
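The first-level triage the answer describes, where an event is promoted either because an external peer has a bad reputation or because it touches an internal subnet you have put into an auto-promotion rule, can be modelled in a few lines. The Python below is an added illustration for this thread, not Cisco code and not how SSE actually implements its rules; the internal ranges, the high-value subnets, the "bad reputation" set and the sample events are all constructed here. Note that internal/external is decided against an explicit RFC 1918 list rather than `ipaddress`'s `is_private`, because `is_private` also returns True for the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) used as external addresses in the sample.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed for this example: what counts as "inside" the organisation.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed stand-in for an external reputation feed (203.0.113.0/24 is TEST-NET-3).
BAD_REPUTATION_IPS = {ipaddress.ip_address("203.0.113.45")}

# Hypothetical auto-promotion rule set: anything touching these subnets is promoted.
HIGH_VALUE_SUBNETS = [
    ipaddress.ip_network("10.10.50.0/24"),  # assumed: domain controllers
    ipaddress.ip_network("10.10.60.0/27"),  # assumed: payment systems (.0-.31 only)
]


@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    signature: str


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    """Explicit RFC 1918 check; deliberately not ip.is_private (see lead-in)."""
    return any(ip in net for net in INTERNAL_NETS)


def triage(events: Iterable[Event], subnets, bad_ips) -> List[Tuple[Event, str]]:
    """Return (event, reason) for every event that should be promoted.

    Rule 1: an external peer is in the bad-reputation set.
    Rule 2: an internal peer lies inside a high-value subnet (auto-promotion rule).
    Reputation is checked first, so an event matching both reports reason 1.
    """
    promoted = []
    for ev in events:
        peers = (ipaddress.ip_address(ev.src), ipaddress.ip_address(ev.dst))
        reason = None
        for ip in peers:
            if not is_internal(ip) and ip in bad_ips:
                reason = f"external IP reputation: {ip}"
                break
        if reason is None:
            for ip in peers:
                if is_internal(ip) and any(ip in net for net in subnets):
                    reason = f"auto-promotion rule: {ip} in high-value subnet"
                    break
        if reason is not None:
            promoted.append((ev, reason))
    return promoted


# Constructed sample events; the signature names are illustrative only.
SAMPLE_EVENTS = [
    Event("10.10.50.12", "203.0.113.45", "MALWARE-CNC beacon"),     # rule 1 (and 2)
    Event("198.51.100.7", "10.10.60.5", "SERVER-WEBAPP probe"),     # rule 2: .5 in /27
    Event("10.10.70.3", "198.51.100.9", "POLICY-OTHER download"),   # not promoted
    Event("10.10.60.40", "192.0.2.10", "INDICATOR-SCAN sweep"),     # .40 outside /27
]


def run_demo() -> List[Tuple[Event, str]]:
    return triage(SAMPLE_EVENTS, HIGH_VALUE_SUBNETS, BAD_REPUTATION_IPS)


if __name__ == "__main__":
    for ev, why in run_demo():
        print(f"PROMOTE {ev.src} -> {ev.dst} [{ev.signature}]: {why}")
```

The last two sample events are the ones worth watching when you configure real auto-promotion rules: a host one bit outside the /27 you listed is not promoted, so size the subnets in SSE to the assets you actually care about rather than to convenient supernets.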