on 06-26-2019 08:14 PM - edited on 06-12-2020 11:44 AM by ben.greenbaum
1. I’m a Firepower user. How can I get access to Cisco Threat Response?
To get started with Threat Response, create your account and configure your Firepower device for Threat Response integration by following the steps in this starting guide.
2. What is the cost to use Threat Response?
Threat Response is free with the purchase of qualifying Cisco Security products – including Firepower devices.
3. What is the benefit of integrating my Cisco Firepower device with Threat Response?
Integrating these devices with Threat Response gives you the opportunity to do two things:
Use Threat Response’s Incident Manager to automatically triage and investigate high priority intrusion events
See intrusion events from your device alongside other reports from Cisco Security products and threat intelligence sources in your investigations
Requirements & Availability
4. What Cisco Firepower products do I need to have to integrate with Threat Response?
Threat Response integration is possible with any Firepower software at version 6.3 or higher. Configuration steps vary between version 6.3 and versions 6.4 or higher of the Firepower software.
5. Is the Firepower integration with Threat Response available in the EU or APJC clouds?
Yes, it is available in all clouds. The North American cloud is supported as of version 6.3+, and support for the Europe and APJC clouds was introduced in version 6.5 and higher.
6. Do I need to have Cisco Defense Orchestrator (CDO) to integrate my Firepower device with Threat Response?
No, CDO is not needed. Only a device is necessary.
7. Do I need Firepower Management Center (FMC) to integrate my Firepower device with Threat Response?
No, locally managed Firepower devices can also be integrated with Threat Response.
8. What is the Firepower version release required to integrate with Threat Response?
6.4 and higher versions of Firepower software with Smart Licensing can upload events directly.
Version 6.3 is the minimal version that can be integrated with Threat Response. 6.3 devices will require additional configuration and usage of a CSSP virtual device that forwards intrusion events to the cloud. The CSSP device is free and can be downloaded as part of the configuration steps.
9. Can both Smart and Classic Licensed software be integrated with Threat Response?
Yes, both Smart-licensed and Classic-licensed software are supported. Event delivery methods vary; only Smart-Licensed software can upload events directly to SSE. Devices covered by Classic Licensing will need to use the free CSSP image to relay syslog messages into SSE. See table below for license requirements and integration methods available.
Device running Firepower software
License required for operation*
Integration via Syslog
Firepower Threat Defense
Yes - v6.3+
Yes - v 6.4+
ASA with FirePOWER Services
Yes - v6.3+
Yes - v6.3+
Yes - v6.3+
* irrespective of Cisco Threat Response integration
10. Can I link more than one Smart Account to the same Threat Response account?
13. How can I know whether I have successfully configured my Firepower device with Threat Response?
You can verify the integration at a high level in Threat Response by clicking the Devices button in the left navigation menu under settings. You should see your Firepower or CSSP device(s) listed. Click Manage Devices to be cross-launched into SSE in a new tab, and click Events in that new tab to view your list of events. If there are events from your device, then the device is properly configured in SSE. If there are not, then either the device is not properly configured, your CSSP is not configured properly or not working (if applicable), or there have been no Intrusion events in your device since the integration was configured. Confirm on the device (and/or CSSP) to determine which is the case.
You can test the Firepower enrichment module by selecting an intrusion event from within the FMC or FDM consoles, and searching for either of the reported IP addresses in Threat Response. The selected event needs to have happened after the integration was configured, and within the last 7 days. If the integration is successful, both of the IP addresses will be displayed in the graph and the alert will be recorded as a sighting. This confirms that alerts are being sent from your device into SSE and that Threat Response has visibility into that data.
You can test Incident Manager by clicking Incidents and checking to see if any exist. Because the event promotion rules rely on certain thresholds to promote raw events to Incidents, there may legitimately not be any Incidents. If there are none, you can test event promotion by viewing the SSE event store (by clicking Settings -> Devices -> Manage Devices -> Events) and manually promoting any event to an Incident. To promote an event, click the circled up arrow on the far right of the event row. Then refresh the view of your Incidents in Threat Response, and that Incident should be listed.
Sending data to the Cloud
14. Does Threat Response integration with Firewall require sending my data to the cloud? What information is sent to the cloud?
All supported events (Intrusion events at v6.3+, and file/malware/intelligence events at higher versions) are sent to Cisco’s Security Service Exchange (SSE) cloud infrastructure. These alerts include the nature of the event that was detected, as well as the IP addresses, ports, etc. No packet data is sent.
15. What is SSE?
SSE (Security Services Exchange) is a Cisco cloud platform that handles cloud-to-cloud and premise-to-cloud identification, authentication, and data storage for use in Cisco cloud security products.
16. What is CSSP?
CSSP (Cisco Security Services Proxy) is a downloadable image provided by Cisco at no cost that forwards syslog alerts from Firepower devices to SSE.
For version 6.3 devices, this is the only way to get events to SSE and thereby to Threat Response.
Version 6.4 and higher of Firepower Threat Defense has SSE connectivity built in, but CSSP may still be used with those devices as an alternative to giving them direct internet access.
CSSP only forwards Intrusion Events.
Using Threat Response with Firepower
17. How is my firewall data displayed on the Threat Response relations graph?
Firewall events are sightings, and each results in two IP nodes and the relation between them being displayed in the graph. Depending on the event type, there may be other observables as well, such as a URL or file hash. These sightings and the relevant metadata are also displayed in the Observable Details panel under the Sightings tab.
18. What are the criteria used to promote Events to Incident Manager (in Threat Response)?
There are currently three ways an event can be promoted to an Incident, all implemented in the Eventing Service of SSE. All promoted Incidents are then provided to the user's Private Intel Store in Threat Response, and displayed in the Incident Manager.
Cisco-controlled automatic promotion
The Eventing Service will promote any event that involves an IP address with a sufficiently low (malicious) Talos reputation score. The promotion reason for the Incident is denoted in the Incident Manager as "ipReputation".
Other filters and thresholds are currently being developed.
User-controlled automatic promotion
Users can set lists of IP addresses and CIDR ranges for either automatic promotion or automatic filtration. Alerts involving those IP addresses will either be promoted or discarded accordingly. In Threat Response, the promotion reason in the Incident is denoted as organizationFilter. This configuration is performed in the Eventing Service options in the Security Services Exchange. Navigate to Cloud Services > Eventing Service > Settings icon.
Other user-configurable filters and thresholds are currently being developed.
User-controlled manual promotion
Users can manually promote one or more alerts from the SSE Event viewer to Incidents. The promotion reason in the Incident is denoted as userSelection.
19. Can I create rules on what events to send / not to send to Incident Manager?
Yes, SSE offers the ability to create user-authored lists of IP addresses and ranges to be used in event promotion and filtration. Other user-configurable filters and thresholds are currently being developed.
20. Are there limits to how many IP addresses and/or ranges I can filter?
The current limit for list items (either addresses or ranges) is 100.
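The following is an added example, not Cisco's Eventing Service code: a small model of the three promotion paths described in question 18 (ipReputation, organizationFilter, userSelection) together with the 100-item list limit from question 20. The reputation cut-off, the precedence between the filtration list, the promotion list and the reputation check, and the sample events and scores are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed model of SSE event promotion as described in the FAQ; not Cisco's code.
MAX_LIST_ITEMS = 100          # stated limit on addresses/ranges per user list
REPUTATION_THRESHOLD = -7.0   # assumed cut-off for a "sufficiently low" Talos score

@dataclass
class IntrusionEvent:
    src_ip: str
    dst_ip: str
    # Constructed Talos-style scores keyed by IP; missing IPs are treated as neutral.
    reputation: Dict[str, float] = field(default_factory=dict)

def parse_list(entries: List[str]) -> List[ipaddress._BaseNetwork]:
    """Parse user-authored IP/CIDR entries, enforcing the stated 100-item limit."""
    if len(entries) > MAX_LIST_ITEMS:
        raise ValueError(f"list has {len(entries)} items; limit is {MAX_LIST_ITEMS}")
    # strict=False accepts host bits in a range such as 10.10.5.0/16
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def _matches(ip: str, networks: List[ipaddress._BaseNetwork]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def promotion_reason(event: IntrusionEvent,
                     promote_nets: List[ipaddress._BaseNetwork],
                     filter_nets: List[ipaddress._BaseNetwork],
                     user_selected: bool = False) -> Optional[str]:
    """Return the Incident promotion reason, or None if the event stays a raw event.

    Precedence is an assumption of this example: a manual selection always wins,
    then the organization filtration list discards, then the organization
    promotion list promotes, and finally the reputation check applies."""
    if user_selected:
        return "userSelection"
    ips = (event.src_ip, event.dst_ip)
    if any(_matches(ip, filter_nets) for ip in ips):
        return None  # discarded by the user's filtration list
    if any(_matches(ip, promote_nets) for ip in ips):
        return "organizationFilter"
    if any(event.reputation.get(ip, 0.0) <= REPUTATION_THRESHOLD for ip in ips):
        return "ipReputation"
    return None
```

Feeding a sample event through promotion_reason shows which list or score would have promoted it, which is the same question to ask when Incident Manager stays empty (question 21).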
21. Why am I not getting any events on Incident Manager?
A lack of Incidents in the Incident Manager can be caused by one of three things:
A lack of events uploaded to SSE
A lack of events in SSE that meet the promotion criteria
A configuration error
See the question “How can I know whether I have successfully configured my Firepower Device with Threat Response?” to determine which of these is the cause.