williamkwan
Beginner

Cisco FirePower Threat Intelligence Director

On the new FirePower version 6.2.2, there is a new feature called Threat Intelligence Director (TID).

 

Has anyone started leveraging this new feature, and what are some of the common open feeds that the TID can import into FMC automatically?

Patrick Moubarak
Enthusiast

I added AlienVault OTX as a start...

Can you help me to add AlienVault OTX to my TID?

dncl
Beginner
Marvin Rhoads
VIP Community Legend

I have seen customers who are members of an ISAC (Information Sharing and Analysis Center) use feeds from the ISAC in their FMC's TID.

 

Here's a listing of some of the ISACs out there:

 

https://www.nationalisacs.org/member-isacs

williamkwan
Beginner

For those that are interested in this topic, I found some very useful videos on YouTube explaining the usage of TID, both with uploading a flat file and with constantly connecting to a threat intelligence site.

 

Cisco Firepower Threat Defense 6 2 2 : Threat Intelligence Director (Flat File): youtu.be/s-laX74reXo?a 

 

Cisco Firepower Threat Defense 6 2 2: Threat Intelligence Director (Hail A TAXII): youtu.be/0usmyIrA0fA?a

 

Credit for Jason Maynard, videos are not mine. 

All,

 

After we enable TID and add the Flat, URL or STIX source, do we need to mess with the ACL to get this rolling? Let's say just for a flat file: I have added a text file and uploaded it. After that, do I literally need to go to Policies and change something, as in the Default policy?

 

Any help is much appreciated!

 

You do not need to re-deploy policies when leveraging TID. Ex: if you have sources, indicators, or observables that you set to block within TID, then they would be blocked on FTD without re-deployment of policy. This is different from Security Intelligence; details here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/cisco_threat_intelligence_director__tid_.html 

 

TID configuration changes do not require redeployment—After you modify Security Intelligence settings in the access control policy, you must redeploy the changed configuration to managed devices. With TID, after initial deployment of the access control policy to the managed devices, you can configure sources, indicators, and observables without redeploying, and the system automatically publishes new TID data to the elements.
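Since a TID flat file is plain text with one observable per line, and each file should hold a single observable type (an assumption about the format; check it against the configuration guide linked above), a mixed list pulled from an open feed or an ISAC has to be sorted before upload. The following Python helper is an added example, not code from this thread or from Cisco: it classifies each line, drops exact duplicates and anything inside your own RFC 1918 or loopback space (a feed should never block your internal hosts), and groups the rest per type; the sample feed is constructed.

```python
import ipaddress
import re
from urllib.parse import urlparse
# Constructed sample feed: mixed types, a duplicate, an internal address
# and a junk line, as a raw list pulled from an open feed might contain.
SAMPLE_FEED = """\
# constructed sample, not real indicators
198.51.100.23
198.51.100.23
10.0.0.5
malicious.example
http://malicious.example/payload.bin
2001:db8::1
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
not an indicator
"""
# Address space you never want a third-party feed to block for you
SELF_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)

def classify(value):
    """Return the observable type for one line, or None if it is unusable."""
    try:
        ip = ipaddress.ip_address(value)
        internal = any(ip in net for net in SELF_NETS)
        return None if internal else ("ipv4" if ip.version == 4 else "ipv6")
    except ValueError:
        pass
    if SHA256_RE.match(value):
        return "sha256"
    if DOMAIN_RE.match(value):
        return "domain"
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    return None

def split_feed(text):
    """Group a mixed feed into per-type, de-duplicated observable lists."""
    buckets, seen = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        kind = classify(line) if line and not line.startswith("#") else None
        if kind and (kind, line.lower()) not in seen:
            seen.add((kind, line.lower()))
            buckets.setdefault(kind, []).append(line)
    return buckets
```

Each list returned by split_feed is written to its own text file (one observable per line) and uploaded as a separate flat-file source of that type.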

 

 

Awesome, thanks for the detailed response. But I managed to get your answer from your YouTube video. :)

Thanks again!

Fantastic!

tcweller
Beginner

This is very interesting.  Threat feeds can get very large in size.  What are the limitations as far as the number of IPs and domains the NGFW can handle from third-party threat feeds?  Thanks!
