Showing results for 
Search instead for 
Did you mean: 

Firepower Thread Intellegence Director Elements.



I was just looking into setting up the TID feature on Firepower management center. I have most of it configured, but my SFR modules are not showing up as "Elements" under the Intelligence tab. I have Access policies running on all of my modules, what else specifically needs to be set up to be able to tie the modules to the TID?


FMC 6.2.3 (build 79)

SFR 6.2

1 Reply 1

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend

Have you checked the following? I have done this in my lab and the managed devices (FTDv in my case) show up fine. (Note the embedded links won't work as they are taken from my FMC server's help page.)


Configure Policies to Support TID


Smart License

Classic License

Supported Devices

Supported Domains






Admin/Threat Intelligence Director (TID) User

You must configure access control policies to publish TID data from the Firepower Management Center to your managed devices (elements). In addition, we recommend that you configure your access control policies to maximize observation and Firepower Management Center event generation.

For each managed device that you want to support TID, perform the steps below to configure the associated access control policy.

Elements that are configured to use TID after data has been published will automatically receive all currently-published observables.


Step 1   Verify that the Enable Threat Intelligence Director check box is checked in the Advanced Settings tab of the access control policy. This option is enabled by default.

For more information, see Access Control Policy Advanced Settings.

Step 2   Add rules to the access control policy if they are not already present. TID requires that the access control policy specify at least one rule.

For more information, see Creating a Basic Access Control Policy.

Step 3   If you want SHA-256 observables to generate observations and Firepower Management Center events:
  1. Create a file policy containing one or more Malware Cloud Lookup or Block Malware file rules.

    For more information, see Configuring an Access Control Rule to Perform File Control and AMP.

  2. Associate this file policy with one or more rules in the access control policy.
Step 4   If you want IPv4, IPv6, URL, or Domain Name observations to generate connection and security intelligence events, enable connection and security intelligence logging in the access control policy:
  1. In access control rules where you invoked a file policy, enable Log at End of Connection and File Events: Log Files, if not already enabled.

    For more information, see Logging Connections with Access Control Rules.

  2. Verify that default logging (DNS Policy, Networks, and URLs) is enabled in your Security Intelligence settings.

    For more information, see Logging Connections with Security Intelligence.

Step 5   Deploy configuration changes; see Deploying Configuration Changes.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers