cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
650
Views
0
Helpful
0
Replies
Highlighted
Beginner

Cisco WSA and Cisco Threat Response Feed Integration

Hello All. 

I have been playing a bit with Cisco Threat Response (CTR) in the context of improving / speeding up our response processes and in particular have been a bit excited with the CTR Intelligence piece where I could create an Indicator List containing Malicious Judgments and convert this to a feed which could be shared to interested parties/devices. In my case I would be looking to have WSA ingest am External URL Category Feed of domain names we identified as malicious in CTR hosting 0-day phish content which penetrated our e-mail security for whatever reason and AMP/Firepower/WSA/Umbrella have not yet seen/blocked. 

Unfortunately the CTR feed is a txt file with a new domain on each line (which is firepower compatible) but the WSA requires that each domain be in a csv file with a new domain on each line separated by a comma, furthermore WSA URL cannot have special characters such as ? in the path which really limits trying to use a serverless conversion service. 

Has anyone used CTR feeds in WSA and how did you go about completing the integration?

0 REPLIES 0
Content for Community-Ad