On the new Firepower version 6.2.2, there is a new feature called Threat Intelligence Director (TID).
Has anyone started leveraging this new feature, and what are some of the common open feeds that TID can import into FMC automatically?
I would be interested in learning more of how people are using this feature.
Here is some documentation I found:
Thanks in advance
I have seen customers who are members of an ISAC (Information Sharing and Analysis Center) use feeds from the ISAC in their FMC's TID.
Here's a listing of some of the ISACs out there:
For those who are interested in this topic, I found some very useful videos on YouTube explaining the usage of TID, both with uploading a flat file and with constantly connecting to a threat intelligence site.
Cisco Firepower Threat Defense 6 2 2: Threat Intelligence Director (Flat File): youtu.be/s-laX74reXo?a
Cisco Firepower Threat Defense 6 2 2: Threat Intelligence Director (Hail A TAXII): youtu.be/0usmyIrA0fA?a
Credit to Jason Maynard; the videos are not mine.
After we enable TID and add the flat file, URL or STIX source, do we need to mess with the ACL to get this rolling? Let's say just for a flat file: I have added a text file and uploaded it. After that, do I literally need to go to Policies and change something, as in Default?
Any help is much appreciated!
You do not need to re-deploy policies when leveraging TID. E.g., if you have sources, indicators or observables that you set to block within TID, they would be blocked on FTD without re-deployment of policy. This is different from Security Intelligence; details here:
TID configuration changes do not require redeployment—After you modify Security Intelligence settings in the access control policy, you must redeploy the changed configuration to managed devices. With TID, after initial deployment of the access control policy to the managed devices, you can configure sources, indicators, and observables without redeploying, and the system automatically publishes new TID data to the elements.
This is very interesting. Threat feeds can get very large in size. What are the limitations as far as the number of IPs and domains the NGFW can handle from third-party threat feeds? Thanks!
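Two of the questions above, how a flat file is prepared for TID and how large a third-party feed really is once imported, come down to the same preprocessing step, so here is an added example that is not from this thread or from Cisco: a small Python script that takes a raw open-source indicator list and splits it into one deduplicated list per indicator type (IPv4, IPv6, domain, URL, SHA-256), which is the one-type-per-file, one-indicator-per-line layout assumed here for TID flat files. Everything it strips (comment lines, inline comments, duplicates, malformed lines, and RFC 1918 / loopback / link-local / multicast addresses, which a perimeter block would only disrupt) is exactly what inflates a feed's indicator count without adding protection. The sample feed, the `split_feed`, `classify` and `indicator_counts` names, and the `NON_ROUTABLE` list are all constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample feed: the mixed, lightly commented text that many open
# indicator lists ship as, before it is split into per-type flat files.
# Assumption: TID flat files hold one indicator type per file, one per line.
RAW_FEED = """\
# example feed, constructed for this demonstration
203.0.113.7
203.0.113.7
198.51.100.23 ; seen 2017-09-01
10.0.0.5
2001:db8::1
malicious.example
http://malicious.example/payload.bin
not a valid indicator
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

# Ranges that should never end up in a perimeter block list: pushing them to
# the sensors would disrupt internal traffic rather than stop a threat.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def _strip_line(line):
    """Drop inline comments ('#' or ';') and surrounding whitespace."""
    for sep in ("#", ";"):
        line = line.split(sep, 1)[0]
    return line.strip()


def classify(token):
    """Return the flat-file type for one indicator, or None to drop it."""
    token = token.lower()
    if SHA256_RE.match(token):
        return "sha256"
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        addr = None
    if addr is not None:
        if any(addr in net for net in NON_ROUTABLE):
            return None
        return "ipv4" if addr.version == 4 else "ipv6"
    parsed = urlparse(token)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    if DOMAIN_RE.match(token):
        return "domain"
    return None


def split_feed(raw):
    """Split raw feed text into deduplicated per-type lists plus the rejects."""
    buckets = {"ipv4": [], "ipv6": [], "domain": [], "url": [], "sha256": []}
    seen = set()
    dropped = []
    for line in raw.splitlines():
        token = _strip_line(line)
        if not token:
            continue  # blank or comment-only line
        kind = classify(token)
        if kind is None:
            dropped.append(token)
            continue
        key = (kind, token.lower())
        if key in seen:
            continue  # exact duplicate, case-insensitive
        seen.add(key)
        buckets[kind].append(token)
    return buckets, dropped


def indicator_counts(buckets):
    """Per-type counts, the number that matters when sizing a feed for a device."""
    return {kind: len(items) for kind, items in buckets.items()}


if __name__ == "__main__":
    buckets, dropped = split_feed(RAW_FEED)
    for kind, items in buckets.items():
        # One flat file per type; printed here instead of written to disk.
        print(f"--- {kind}.txt ({len(items)} indicators)")
        print("\n".join(items))
    print("dropped:", dropped)
```

Running it against a real feed, the `dropped` list is worth reading before anything is uploaded: a large share of malformed or internal entries is a sign the feed needs curation, and `indicator_counts` gives the per-type totals to compare against whatever capacity the device and FMC version actually support.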