11-25-2019 04:56 AM
Greetings
I've recently rolled out an FTD 6.4.0.4 and FMC 6.5 setup of two FMCs and eight pairs of FTDs running 2110s and 5516-Xs. Today I started looking into the CTR integration since it's supposed to be included with the Firepower licenses, which are all malware/URL/IPS by the way. I've been looking into this for most part of a day and so far nothing is shown in the cloud event viewers, which is odd since the guides are pretty straightforward.
I set up the Cisco Security account earlier today, in the EU at first since that's where we operate, and linked it to our Cisco account where the smart licenses are. All good, and the FMCs showed up in the SSE as well as the CTR, but no events.
I then realized the limitations of the EU cloud were all 6.5, which we don't have on the FTDs yet. I set up a Cisco Security account for the US as well and linked it to the same Cisco account as the EU account. Somehow the US SSE ingested all our devices having a smart license: not only the FMC as in the EU cloud, but a complete list of all FTDs connected to the FMC and some older Firepower modules as well. That's nice, but still no events in the SSE, and even stranger is that the US CTR dashboard shows no managed devices while the EU CTR does.
Is this normal behavior? Is there a longer wait period than the 2+ hours I've been waiting for events?
Regards
Fredrik
11-26-2019 09:59 PM
Hi
Thank you for the answer. I raised the question with TAC and it seems the problem is me having 6.5 on the FMC and 6.4.X on the FTDs, which isn't supported; apparently it has to be either 6.4 or 6.5 all over the board.
/Fredrik
11-26-2019 04:44 PM - edited 11-26-2019 04:46 PM
Hi Fredrik,
Thank you for trying out Threat Response, and for your question.
The Firepower-CTR integration is entirely reliable, for what it was designed to do. Where and how are you expecting to see those events? At no point is CTR going to show you an unfiltered list of all events; that's not the goal, and you can already see that in the FMC. What it will do is show you in the Threat Response Incident Manager a selection of more urgent events from the total alert set available in FMC, and also allow you to see matches from your Firepower device alerts when you are conducting other investigations.
Most SOCs are inundated with alerts, many of which get ignored or missed. The Incident Manager is here to help alleviate that problem by performing some simple first-level triage. There are three ways an event from your Firepower devices can be promoted from SSE to the Incident Manager:
If you want to test the event flow:
If all three of these steps work, then everything is working as intended. If you want to see more events than the ones that are getting promoted due to external IP reputation, select a few high value subnets in your organization and add them to auto-promotion rules in SSE.
For more information about what the Firepower and Threat Response integration brings, see this article, here in the CTR Community:
https://community.cisco.com/t5/security-documents/firepower-ngfw-ngips-what-capabilities-does-it-provide-and-how/ta-p/3928694