Secure Firewall Integration

The integration of Secure Firewall Threat Defense (formerly Firepower Threat Defense) provides automated correlation, triage and prioritization of intrusion events into the XDR Incident Manager for processing and response. It provides the capability to investigate firewall logs for detections of any IP address as the source, and responses include the destination IP and other detection details including ports and direction, specific activity detected, and more.

Combining intel from Secure Firewall Threat Defense with other observations connects the dots of the blended attack. The North/South observations from Secure Firewall Threat Defense combined with indicators from East/West scanning elements and endpoint protection will uncover attacks that one product alone could miss.

This integration provides response capabilities in XDR operations, allowing responders, threat hunters, and other defenders to take actions on specific IPs and domains manually or using XDR Automation components.

To configure this integration, see the Cisco Secure Firewall Threat Defense and Cisco XDR Integration Guide.

  1. In the Cisco XDR navigation menu, choose Administration > Integrations.

  2. On the Integrations page, click the Cisco tab and navigate to the Secure Firewall integration.

  3. Click Get Started. The Secure Firewall integration page is displayed.

  4. Expand the Integration Guide area and follow the instructions on how to add the Secure Firewall integration in Cisco XDR.

You can perform the following tasks after you integrate Secure Firewall with Cisco XDR:

  • Incidents - When you enable Secure Firewall integration, Cisco XDR automatically ingests the events that are sent by Secure Firewall and uses them for incident correlation. For details, see Integrate with Cisco XDR section in the Cisco Secure Firewall Integrations Overview Guide.

  • Investigate - Start a new investigation into any combination of IP addresses, domains, URLs, file hashes, file names, registry keys, etc., and the results will include any records of them found in Secure Firewall. To verify that this integration is working, and to see what kind of data is returned, investigate one of more observables about which you know Secure Firewall has recent information. For details, see Investigate.

  • Dashboard - Add Secure Firewall cards to a dashboard in Control Center to view data, such as intrusion events, network compliance, or traffic statistics. For details, see Configure Dashboards and Cards. For a list of available Secure Firewall cards, see Integration Cards.

  • Feeds - Create one or more feeds in Cisco XDR for consumption by Secure Firewall and then configure Secure Firewall to consume the feed at its URL. For details, see Feeds.

  • Automation:

    • Atomic Actions - The atomic actions for Secure Firewall can be used as building blocks in custom workflows. These can be found as available Activities in the left menu of the Workflow Editor. The workflows built using the Security Services Exchange (SSX) as proxy authenticate using the Automation APIs target. See Workflows, Atomic Actions,and Default Targets.

    • Playbooks - Cisco XDR has multiple incident response playbooks that can add observables to threat intelligence feeds. These feeds can be used by Secure Firewall to influence policy decisions related to IP addresses, URLs, and domains. See Containment on the Response page.