Beginner

Cisco FirePower Threat Intelligence Director

On the new FirePower version 6.2.2, there is a new feature called Threat Intelligence Director (TID).

Has anyone started leveraging this new feature, and what are some of the common open feeds that TID can import into FMC automatically?

Enthusiast

Re: Cisco FirePower Threat Intelligence Director

I added AlienVault OTX as a start...

Beginner

Re: Cisco FirePower Threat Intelligence Director

Can you help me to add AlienVault OTX to my TID?

Beginner

Re: Cisco FirePower Threat Intelligence Director

Hall of Fame Master

Re: Cisco FirePower Threat Intelligence Director

I have seen customers who are members of an ISAC (Information Sharing and Analysis Center) use feeds from the ISAC in their FMC's TID.

Here's a listing of some of the ISACs out there:

https://www.nationalisacs.org/member-isacs

Beginner

Re: Cisco FirePower Threat Intelligence Director

For those who are interested in this topic, I found some very useful videos on YouTube explaining the usage of TID with uploading a flat file or constantly connecting to a threat intelligence site.

Cisco Firepower Threat Defense 6 2 2 : Threat Intelligence Director (Flat File): youtu.be/s-laX74reXo?a

Cisco Firepower Threat Defense 6 2 2: Threat Intelligence Director (Hail A TAXII): youtu.be/0usmyIrA0fA?a

Credit to Jason Maynard; the videos are not mine.

Re: Cisco FirePower Threat Intelligence Director

All,

After we enable TID, add the Flat, URL or STIX. Do we need to mess with the ACL to get this rolling? Let's say, just for a flat file, I have added a text file and uploaded it. After that, do I literally need to go to Policies and change something, as in Default?

Any help is much appreciated!

Cisco Employee

Re: Cisco FirePower Threat Intelligence Director

You do not need to redeploy policies when leveraging TID. For example, if you have sources, indicators, or observables that you set to block within TID, they would be blocked on FTD without redeployment of policy. This is different from Security Intelligence; details here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/cisco_threat_intelligence_director__tid_.html

TID configuration changes do not require redeployment—After you modify Security Intelligence settings in the access control policy, you must redeploy the changed configuration to managed devices. With TID, after initial deployment of the access control policy to the managed devices, you can configure sources, indicators, and observables without redeploying, and the system automatically publishes new TID data to the elements.

Re: Cisco FirePower Threat Intelligence Director

Awesome, thanks for the detailed response. But I managed to get your answer from your YouTube video. :)

Thanks again!

Cisco Employee

Re: Cisco FirePower Threat Intelligence Director

Fantastic!

Beginner

Re: Cisco FirePower Threat Intelligence Director

This is very interesting. Threat feeds can get very large in size. What are the limitations as far as the number of IPs and domains the NGFW can handle from third-party threat feeds? Thanks!