Integrate a Cisco Firepower Cloud Device

Configure a Cisco Firepower cloud device to pull IOCs from Threat Command. You must first add the device to Threat Command and then configure the device to pull IOCs from Threat Command.

Limitations

The Cisco Firepower integration is subject to the following limitations:

For additional limitations, see the Cisco Firepower documentation.

Add a Cisco Firepower cloud device

Add a cloud device to Threat Command.

Prerequisites

  • You have the credentials to access the device.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.

To add a cloud device to Threat Command:

  1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com.
  2. From the main menu, select Automation > Integrations.
  3. From the Integrations page, click Cloud.
  4. Click Add new device.
  5. In the Add New Cloud Device dialog, type a user-defined name for the device.
    The name can contain a maximum of 50 letters, spaces, numbers, and underscores.
  6. Select the Device type.
    The default device IOCs limit is displayed.
  7. (Optional) You can change the IOCs limit.
  8. Click Add.
  9. To verify that the new device is added, refresh the Automation > Integrations page.
    The new device is added to the cloud integrations device list. Next to the device name, there is a red dot, indicating that communication has not yet been established. The dot will change to green when the device is synchronized. If the device cannot synchronize for more than 48 hours, an email warning is sent to the account administrator.

Configure a Cisco Firepower device to pull IOCs

After a device has been added, you must enable it to pull IOCs from Threat Command.

Before you begin, ensure:

  • You have the device login credentials.
  • The device has been added.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.
  • An IOC group for this device exists in Threat Command.
    Creating IOC groups is described in Create an IOC group.

When creating the IOC group for a Cisco Firepower device, keep the following in mind:

  • The device has a maximum limit of 500,000 IOCs. You can decrease this limit when creating IOC groups.
  • Due to device limitations, an IOC group can consist of only one type of IOC: domains, URLs, IP addresses, or file hashes (SHA-256 only). To support more than one type, create multiple IOC groups.

  1. From Threat Command, copy the Cisco Firepower IOC group URL into the Cisco Firepower Management Center:

    1. From Threat Command, select Automation > Integrations.
    2. From the On-Premises device list, select the Cisco Firepower device.
    3. Click the link icon to the far right of the device IOC group.
      The IOC Group URL dialog is displayed.
    4. From the IOC Group URL dialog, copy the URL.
  2. Log in to the Cisco Firepower Management Center.

  3. Navigate to Intelligence > Sources.

  4. In the top right, click + to add a new source.
    The Add Source dialog is displayed.

  5. In the Add Source dialog, fill the fields, as follows:

    1. For Delivery, select URL.
    2. For Type, select Flat File.
    3. In the URL field, paste the IOC group URL from Threat Command.
    4. In the Content drop-down, select the content type that matches the content of the IOC group (for example, Domain, URL, or IPs).
    5. Type a user-defined name.
    6. To begin pulling IOCs immediately, select Publish.
    7. Click Save.
  6. To verify that IOCs are being pulled into the Cisco Firepower console, navigate to Intelligence > Sources > Sources. The Status will be displayed as Completed.
    This could take some time. Refresh to synchronize the status.

You can use the Cisco Firepower Management Center Indicators and Observables tabs to drill down in the IOCs and to perform related activities.
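Because Firepower reads each IOC group as a Flat File source of a single Content type, a feed that mixes types, contains non-SHA-256 hashes, or exceeds the 500,000-IOC device limit will not load as expected. The following added example (not part of the Threat Command or Cisco documentation) checks a downloaded flat-file feed against those constraints before it is configured as a source; the feed bodies and the `classify`/`check_flat_file` helpers are constructed here for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlparse

# Constraints stated in the integration guide: one IOC type per group,
# at most 500,000 IOCs per device, and file hashes must be SHA-256.
MAX_IOCS = 500_000
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)

def classify(ioc: str) -> str:
    """Map one indicator line to a Firepower Content type, or 'unknown'."""
    if SHA256_RE.match(ioc):
        return "SHA-256"
    try:
        ipaddress.ip_address(ioc)          # accepts IPv4 and IPv6 literals
        return "IPs"
    except ValueError:
        pass
    if "://" in ioc and urlparse(ioc).netloc:
        return "URL"
    if DOMAIN_RE.match(ioc):
        return "Domain"
    return "unknown"

def check_flat_file(text: str) -> dict:
    """Validate a flat-file feed body; blank lines and '#' comments are ignored."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    counts = Counter(classify(l) for l in lines)
    problems = []
    if counts.get("unknown"):
        problems.append(f"{counts['unknown']} line(s) are not a supported IOC type")
    types = sorted(t for t in counts if t != "unknown")
    if len(types) > 1:
        problems.append("feed mixes IOC types (" + ", ".join(types) + "); use one group per type")
    if len(lines) > MAX_IOCS:
        problems.append(f"{len(lines)} IOCs exceeds the device limit of {MAX_IOCS}")
    return {"total": len(lines), "counts": dict(counts), "problems": problems}

# Constructed sample feeds (not real indicators): one clean, one that mixes types.
GOOD_FEED = "# domains\nexample.com\nbad.example.net\n"
MIXED_FEED = "example.com\n203.0.113.5\n" + "a" * 64 + "\nnot a valid ioc!\n"
```

Run `check_flat_file` on the body fetched from the IOC Group URL; an empty `problems` list means the feed matches a single Content type and fits the device limit.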