Cisco FirePower Threat Intellegence Director

williamkwan · ‎10-18-2017

On the new FirePower version 6.2.2, there is a new feature call Threat Intelligence Director (TID).

Has anyone start leveraging this new feature and what are some of the common open feeds that the TID can be imported to FMC automatically?

Patrick Moubarak · ‎11-01-2017

I added AlienVault OTX as a start...

dimosatteia · ‎11-08-2019

Can you help me to add AlienVault OTX to my TID?

dncl · ‎11-03-2017

I would be interested in learning more of how people are using this feature.

Here is some documentation I found:

https://www.cisco.com/c/dam/en/us/products/collateral/security/firesight-management-center/at-a-glance-c45-738455.pdf

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/threat_intelligence_director_tid.pdf

Thanks in advance

Marvin Rhoads · ‎08-25-2018

I have seen customers who are members of an ISAC (Information Sharing and Analysis Center) use feeds from the ISAC in their FMC's TID.

Here's a listing of some of the ISACs out there:

https://www.nationalisacs.org/member-isacs

williamkwan · ‎11-05-2017

For those that are interested in this topic, I found a very useful video(s) from Youtube on explainining the usage of TID with uploading flat file or constanting connecting to a threat intelligence site.

Cisco Firepower Threat Defense 6 2 2 : Threat Intelligence Director (Flat File): youtu.be/s-laX74reXo?a

Cisco Firepower Threat Defense 6 2 2: Threat Intelligence Director (Hail A TAXII): youtu.be/0usmyIrA0fA?a

Credit for Jason Maynard, videos are not mine.

pro_engineering · ‎04-19-2018

All,

After we enable TID, add the Flat, URL or STIX. Do we need to mess with ACL to get this rolling? Lets say just foor flat file, i have added a text file and uploaded. After then, do i literally need to go to Policies and change something as in Default?

Any help is much appreciated!

Jason Maynard · ‎08-25-2018

You do not need to re-deploy policies when leveraging TID. EX: if you have an sources, indicators, observable that you set to block within TID then it would be blocked on FTD without re-deployment of policy. This is different from security intelligence - details here

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/cisco_threat_intelligence_director__tid_.html

TID configuration changes do not require redeployment—After you modify Security Intelligence settings in the access control policy, you must redeploy the changed configuration to managed devices. With TID, after initial deployment of the access control policy to the managed devices, you can configure sources, indicators, and observables without redeploying, and the system automatically publishes new TID data to the elements.

pro_engineering · ‎08-30-2018

Awesome, thanks for the detailed response. But i managed to get your answer from your Youtube video. :)

Thanks again!

Jason Maynard · ‎08-30-2018

Fantastic!

tcweller · ‎04-09-2019

This is very interesting. Threat feeds can get very large in size. What are the limitations as far as the number of IPs and domains the NGFW can handle from third-party threat feeds? Thanks!