Hello All.
I have been playing a bit with Cisco Threat Response (CTR) in the context of improving / speeding up our response processes and in particular have been a bit excited with the CTR Intelligence piece where I could create an Indicator List containing Malicious Judgments and convert this to a feed which could be shared to interested parties/devices. In my case I would be looking to have WSA ingest am External URL Category Feed of domain names we identified as malicious in CTR hosting 0-day phish content which penetrated our e-mail security for whatever reason and AMP/Firepower/WSA/Umbrella have not yet seen/blocked.
Unfortunately the CTR feed is a txt file with a new domain on each line (which is firepower compatible) but the WSA requires that each domain be in a csv file with a new domain on each line separated by a comma, furthermore WSA URL cannot have special characters such as ? in the path which really limits trying to use a serverless conversion service.
Has anyone used CTR feeds in WSA and how did you go about completing the integration?