Threat Response integrates with Cisco's Web Security Appliance (WSA) to provide visibility into web-bourne threats. By adding a Web Security or SMA Web module to Threat Response, investigators will be able to search for domains, URLs, and file hashes that have been recorded by your WSA, or by your SMA managing WSA devices.    Threat Response integrates with Cisco Web Security in one of two ways: Directly from the WSA, or via an SMA. Each has its own module, but either will bring web visibility into your investigations performed in Threat Response.  Both modules (WSA and SMA Web) are enrichment modules. The WSA and/or SMA modules allows investigators to take actions such as searching web traffic records across data from either one WSA (SA module) or all WSAs connected to the SMA (SMA module). Multiple WSA modules may be configured, if the user has multiple WSAs but no SMA. For a guided step by step walkthrough on how to quickly configure these products to work with Threat Response, view the related topics in the in-product help in the Threat Response portal. Learn more about Threat Response here, or check out   other FAQs here.  ... View more

Threat Response integrates with Cisco Stealthwatch Enterprise (SWE) to provide Visibility into network threats. By adding an SWE module to Threat Response, investigators will be able to search for network flows to or from IP addresses that have been recorded by Stealthwatch. Additionally, Stealthwatch Alarms will be populated into Threat Response's Incident Manager feature.     To integrate your Stealthwatch Enterprise deployment with Threat Response, review the   in product configuration steps. or the SWE CTR Integration Guide  Learn more about Threat Response here, or check out   other FAQs here.   ... View more

There's a lot of material published about Threat Response, in places like http://cisco.com/go/threatresponse - but something I get asked by users is what can they do, to proactively stay informed and up to date? We are adding new integrations and new features on a frequent basis and a rapid schedule, and it can be hard to stay on top of the newest developments. There are a number of ways you can stay in touch with what's new with Threat Response:   We frequently will post new articles to announce and describe recent integrations with both Cisco and 3rd party products, in the Cisco blogs. The Threat Response blog is here: https://cs.co/ctr_blog - and you can subscribe to it via Google Feedburner to receive updates (by email) here: https://feedburner.google.com/fb/a/mailverify?uri=CiscoThreatResponseCiscoBlog   The Cisco Threat Response FAQ answers many common questions (including this one) and is here:  http://cs.co/ctr_faq And you can subscribe to receive updates via email by clicking the Options menu at the top right of the page, and then selecting Subscribe.   The online Cisco Threat Response community is at: http://cs.co/ctr_community And that also can be subscribed to, in the same way as the FAQ: by clicking the Options menu at the top right of the page, and then selecting Subscribe.   There is a curated Threat Response playlist on Youtube here: https://cs.co/CTRvideos. YouTube users can't currently subscribe to a playlist, but you can click "Save" and have it be added to your YouTube menu and be able to quickly check for new content.   If APIs are of interest, you can find the official Threat Response repositories in Github at http://cs.co/ctr_github. Click 'Watch' on any repositories of interest to be kept up to date.   In the UI itself, you can always find the latest release notes at /help/release_notes https://visibility.amp.cisco.com/help/release_notes (Americas) https://visibility.eu.amp.cisco.com/help/release_notes (EMEA) https://visibility.apjc.amp.cisco.com/help/release_notes (Asia)   Following the subscription steps above, where available, will go a long way to making sure you are always getting the most value out of Cisco Threat Response, now and in the future.  ... View more

Threat Response integrates with Cisco's Email Security Appliance (ESA) to provide Visibility into email-bourne threats. By adding an Email Security or SMA Email module to Threat Response, investigators will be able to search for email subject lines, email addresses, Cisco Message IDs, IP addresses, domains, URLs, attachment file names, and attachment file hashes that have been recorded by your ESA, or by your SMA managing ESA devices.    Threat Response integrates with Cisco Email Security in one of two ways: Directly from the ESA, or via an SMA. Each has its own module, but either will bring email visibility into your investigations performed in Threat Response.  Both modules (ESA and SMA Email) are enrichment modules. The ESA and/or SMA modules allows investigators to take actions such as searching email records for sender email and IP, email subject and message header, among other elements, across data from either one ESA (ESA module) or all ESAs connected to the SMA (SMA module). Multiple ESA modules may be configured, if the user has multiple ESAs but no SMA. The SMA module also handles Cloud Email Security (CES).   For a guided step by step walkthrough on how to quickly configure these products to work with Threat Response, view the Quick Start Guide here: https://www.cisco.com/c/dam/en/us/products/collateral/security/threat-response/guide-c07-741919.pdf   For additional information, consult the in product documentation: ESA module: in product configuration steps SMA email module: in product configuration steps   Learn more about Threat Response here, or check out   other FAQs here.  ... View more

Question How do I configure a Threat Response browser plugin? Answer The browser plugins are easily configured. First you need to generate an "API Client" in Threat Response. An API Client is essentially a set of credentials that identifies a program has having the authority to act in Threat Response on your behalf.   In order to generate an API Client for the Browser Plugin, navigate to Settings->API Clients in Threat Response. Click Add API Credentials  Give the Client a meaningful name that will make sense to you later, such as "<username> browser plugin" Scopes control what rights the program will be granted once it provides these credentials. Select Select All Optionally, give the Client a description. Click Add New Client Save the resulting Client ID and Client secret; these are your credentials. Treat these as you would your Threat Response passwords; effectively they grant the same privileges. To prevent or diagnose transcription errors, keep this tab open until the plugin configuration is complete.  Next, download and install the browser plugin for your browser, one of: Chrome: http://cs.co/ctr4chrome Firefox: http://cs.co/ctr4firefox Configure the plugin In the plugin, if not immediately presented with a form for your credentials, click 'casebook' on the top left, and then the gear on the top right. Select the appropriate region Enter the credentials saved above Click Authenticate to test. If the test is not successful, double check that you entered the strings correctly.  If the test is successful, you may close the API Client tab and begin using the browser plugin! Congratulations! That's it. You can now leverage the power of Threat Response without even having to go to Threat Response.   If you would like to see a video describing these steps, go here.  ... View more

Question What are the "qualifying products" that entitle me to access to Cisco Threat Response? Answer Here is the current list: AMP for Endpoints (Public Cloud only) Threat Grid (Public Cloud portal licenses only) Umbrella (Insights or Platform license) Firepower devices (Firepower software v6.3 or higher) ESA (SMA-managed, v12.0 or higher) or standalone  Stealthwatch Enterprise (v.7.1.2+) Web Security (SMA-managed or standalone)   ... View more