Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1017
Views
0
Helpful
0
Replies

Cisco WSA and Cisco Threat Response Feed Integration

Eric101
Level 1
Level 1

‎05-19-2020 09:27 AM

Hello All. 

I have been playing a bit with Cisco Threat Response (CTR) in the context of improving / speeding up our response processes and in particular have been a bit excited with the CTR Intelligence piece where I could create an Indicator List containing Malicious Judgments and convert this to a feed which could be shared to interested parties/devices. In my case I would be looking to have WSA ingest am External URL Category Feed of domain names we identified as malicious in CTR hosting 0-day phish content which penetrated our e-mail security for whatever reason and AMP/Firepower/WSA/Umbrella have not yet seen/blocked. 

Unfortunately the CTR feed is a txt file with a new domain on each line (which is firepower compatible) but the WSA requires that each domain be in a csv file with a new domain on each line separated by a comma, furthermore WSA URL cannot have special characters such as ? in the path which really limits trying to use a serverless conversion service. 

Has anyone used CTR feeds in WSA and how did you go about completing the integration?

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents