This event took place on Tuesday, 18 February 2020 at 10:00 PDT
Ben Greenbaum is a Technical Marketing Engineer with over twenty years of experience in the Cyber Threat Intelligence field, primarily in the realm of product design and development. His security software career has included roles that span development, architecture, product design, and management of research and development teams. At Cisco, his role is largely to be a liaison between customers and engineering, and to help users get the most from the Cisco Security architecture.
You can download the slides of the presentation in PDF format here.
Q: Can we integrate Cisco TR with third party security vendors like Malware protection for trend micro
A: Threat Response is designed with an 'API first mindset'; our open API will allow integration to any piece of Threat Response (enrichment, private intelligence, etc.). We do have an engineering team solely dedicated to third party integrations that is actively releasing new features. The browser extension Ben demonstrated can be used with any tool accessed with a browser.
Q: So, if we use Splunk SIEM, we could see that in the Threat Response console?
A: Yes, you can definitely use Splunk SIEM with the CTR plug-in, and an out-of-the-box integration is coming soon!
Q: Can I use CTR with just FTD or will I always have to have a valid AMP4E / TG account?
A: Yes, you can use CTR with Firepower.
Q: I am a regular user of CTR. I don't believe the Umbrella API is ready for this as I experience consistent timeouts on that enrichment activity.
A: We agree the enrichment took too long. We will definitely review this with the Engineering team.
Q: Are there plans to ramp up the capacity of the Umbrella API so it doesn't time out when there are more than 10-20 observables?
A: We're glad to hear that you are a regular user of CTR. We are aware of the API limitations and are looking at improving the issue. Thanks for your valuable feedback, our team is dedicated to making Threat Response better.
Q: The click/change, is there any way to get a change report each day?
A: If you are looking to capture the relations graph, we have a "snapshot" feature which is a downloadable JSON.
Q: I just want to clarify these products Cisco Umbrella and StealthWatch are both hardware and software?
A: Umbrella is cloud; StealthWatch Enterprise is hardware.
Q: So, the solution is putting together the report as the presenter speaks?
A: Yes, that's correct.
Q: It is showing the threats, does it indicate any currently active risk?
A: At the bottom of the page you can see a sightings timeline. There does seem to be some very recent activity.
Q: Can you block IP address on Firepower?
A: It is currently possible. It's different from the response actions that are available from the product directly, the ones mentioned at the beginning of the presentation, but it's technically feasible.
Q: What min type of license we must have to use Threat Response on Firepower?