Beginning in Firepower release 6.4, you can configure your Firepower system to send supported events directly to the Cisco cloud from Firepower Threat Defense (FTD) devices.
Specifically, your Firepower devices send events to Security Services Exchange (SSE), from where they can be automatically or manually promoted to incidents that appear in Cisco SecureX threat response.
|
Requirement Type |
Requirement |
|---|---|
|
Firepower device |
Firepower Threat Defense devices
|
|
Firepower version |
US cloud: 6.4 or later EU cloud: 6.5 or later APJC cloud: 6.5 or later Version requirement applies both to devices and to FMC (if applicable). |
|
Licensing |
No special license is required for this integration. However:
|
|
Account |
|
|
Connectivity |
FMC and managed devices must be able to connect outbound on port 443 to the Cisco cloud at the following addresses:
|
|
General |
Your Firepower system is generating events as expected. |
You must have an account for the regional cloud to which you will send your Firepower event data.
For supported account types, see Required Account for Cisco SecureX threat response Access.
If you or your organization already has an account on the regional cloud that you will use, do not create another. You will not be able to aggregate or merge data in different accounts.
To obtain an account, see Get an Account to Access Cisco SecureX threat response.
Your cloud account must have administrator-level privileges.
You must have administrator privileges for the Cisco Smart Account from which your products are licensed.
To determine your Smart Account user role, go to https://software.cisco.com, click Manage Smart Account, select a Smart Account in the top right area of the page, click the Users tab, and search for your User ID.
Your licensing Smart Account and the account you use to access the cloud must both be associated with the same Cisco CCO account.
Your Firepower account must have one of the following user roles:
Admin
Access Admin
Network Admin
Security Approver
 Note |
If your devices are already sending events to the cloud, you do not need to configure sending them again. SecureX and Cisco SecureX threat response use the same set of event data. |
|
Do This |
More Information |
|||
|---|---|---|---|---|
| Step | Make decisions about the events to send, the method of sending those events, the regional cloud to use, etc. | See the topics under Important Information About Integrating Firepower and Cisco SecureX threat response | ||
|
Step |
Meet requirements |
Requirements for Direct Integration and its subtopics. |
||
|
Step |
In your browser, access Security Services Exchange, the cloud portal for Cisco SecureX threat response that you will use for managing devices and filtering events. |
|||
|
Step |
(FDM Only) If you are using CDO to manage configurations on your FTD device, you must merge your CDO account with the account you use for the services described in this document. |
See (FTD Managed by FDM Only) Merge Your CDO and Security Accounts. |
||
|
Step |
In Security Services Exchange, link your licensing accounts so that you can view and work with event data from devices registered to different accounts in your organization. |
|||
|
Step |
In Security Services Exchange, enable the eventing service. |
Click Cloud Services and enable these options:
|
||
|
Step |
In your Firepower product, enable integration with the Cisco cloud. |
Tip: Don't skip the prerequisites in these topics!
|
||
|
Step |
Allow time for your Firepower system to generate events. |
-- |
||
|
Step |
Verify that your integration is set up correctly. If necessary, troubleshoot issues. |
See: |
||
|
Step |
In Security Services Exchange, configure the system to automatically promote significant events. |
See information in the online help in Security Services Exchange about promoting events. To access SSE, see Access Security Services Exchange. |
||
|
Step |
(Optional) In Security Services Exchange, configure automatic deletion of certain non-significant events. |
See information in the online help in Security Services Exchange about filtering events. To access SSE, see Access Security Services Exchange. |
||
|
Step |
In SecureX, add a Firepower module. With this module configured, CTR will return sightings from intrusion events in SSE even if they have not been promoted. |
In SecureX, navigate to Integration Modules > Available Integration Modules and add a Firepower module. For more information about this module, see the online help in SecureX. |
||
|
Step |
In Cisco SecureX threat response, verify that promoted events appear as expected in the Incident Manager. |
In Cisco SecureX threat response, click Incidents. |
In your browser, disable pop-up blocking.
| Step 1 |
In a browser window, go to your Cisco SecureX threat response cloud:
|
| Step 2 |
Sign in using the credentials for your SecureX, AMP for Endpoints, Cisco Threat Grid, or Cisco Security account. Your account credentials are specific to the regional cloud. |
| Step 3 |
Navigate to Security Services Exchange: Select Modules > Devices > Manage Devices. Security Services Exchange will open in a new browser window. |
If your FDM-managed Firepower Threat Defense (FTD) device will be used with Cisco Defense Orchestrator (CDO) and SecureX or Cisco SecureX threat response, you must merge your CDO account with the account associated with the device for SecureX or Cisco SecureX threat response.
Only one CDO tenant can be merged with one SecureX/Cisco SecureX threat response account.
If you have accounts on more than one regional cloud, you must merge accounts separately for each regional cloud.
If you merge accounts for a SecureX cloud, you do not need to do it again for Cisco SecureX threat response on the same cloud, and vice-versa.
This operation is not reversible.
You must be able to sign in to CDO and to the applicable regional SecureX or Cisco SecureX threat response cloud with the credentials for the accounts you need to merge.
Your CDO user account must have admin or super admin privileges.
Your SecureX or Cisco SecureX threat response account must have admin privileges.
| Step 1 |
Sign in to the appropriate regional CDO site using the credentials for the account to be merged: For example, the US cloud is https://defenseorchestrator.com and the EU cloud is https://defenseorchestrator.eu. |
| Step 2 |
Choose the tenant account to merge. |
| Step 3 |
In CDO, generate a new API token for your account:
For more information about API tokens, see the online help in CDO at https://docs.defenseorchestrator.com/Configuration_Guides/Devices_and_Services/API_Tokens |
| Step 4 |
If you are not already looking at Security Services Exchange (SSE): |
| Step 5 |
In SSE, click |
| Step 6 |
Paste the token that you copied from CDO. |
| Step 7 |
Verify that you are linking the accounts that you intended to link. |
| Step 8 |
Click Link CDO Account. |
Your account credentials do not change as a result of this procedure. After the merge, continue to use the same credentials to access each product (CDO, SecureX, CTR, etc.) that you used before the account merge.
If you completed this procedure before registering your devices to SSE:
Continue with the steps in How to Send Events Directly to the Cisco Cloud.
If you performed this procedure after registering your devices for CDO and SecureX or Cisco SecureX threat response integration, you may have duplicate device instances on the Devices page in SSE.
In this case, the instance of your device that was previously associated with your CDO registration is now also associated with the account used for SecureX or Cisco SecureX threat response integration.
Events generated by devices before the merge will have a different device ID than events generated by the same device after the merge.
If you do not need to map events to the devices that generated them, you can delete the "Unregistered" device entries for devices that are now associated with the merged account.
To integrate products registered under different licensing Smart Accounts (or Virtual Accounts) into a single view in the cloud, you must link those licensing accounts to the account that you use to access SecureX and Cisco SecureX threat response.
In order to link licensing accounts, you must have administrator-level Smart Account or Virtual Account privileges for all of the licensing accounts and for the account you use to access SecureX or Cisco SecureX threat response.
To view linked accounts, a user-level account is sufficient.
If you have linked accounts already for use with Cisco SecureX threat response, you do not need to link them again for SecureX and vice-versa.
You will need your Cisco.com (CCO) credentials to complete this procedure.
| Step 1 |
In the top right corner of any page in Security Services Exchange, click the Tools button ( |
| Step 2 |
Click Link more accounts. |
| Step 3 |
If prompted, sign in with your Cisco.com (CCO) credentials. |
| Step 4 |
Select the accounts to integrate with this cloud account. |
| Step 5 |
Click Link Accounts. |
If you need to unlink Smart Licensing accounts that are currently linked, see instructions in the online help in Security Services Exchange (SSE).
Note |
Available options depend on your FDM version. Skip any steps that are not applicable to your version. For example, the ability to choose region and event types are version-dependent. |
Perform the steps up to this point in How to Send Events Directly to the Cisco Cloud.
In FDM, make sure your device has a unique name. If not, assign one now, in Device > System Settings > Hostname.
In FDM, apply intrusion and other applicable policies to at least one access control rule and verify that the device is successfully generating events.
Make sure you have your cloud credentials and can sign in to the Cisco SecureX threat response regional cloud on which your account was created.
For URLs, see Cisco SecureX threat response Regional Clouds.
In your browser:
Disable pop-up blocking
Allow third-party cookies
| Step 1 |
In Firepower Device Manager: Click Device, then click the link. If you are already on the System Settings page, simply click Cloud Services in the table of contents. |
| Step 2 |
If you have not already selected a regional cloud, select the region in which you have created your account. |
| Step 3 |
Select the types of events to send to the cloud. If you choose to send connection events, only Security Intelligence connection events are used in this integration. All other connection events are not used in this integration. |
| Step 4 |
Click the Enable control for the Cisco Threat Response feature. If prompted, read the disclosure and click Accept. |
| Step 5 |
Verify that your device has registered successfully in Security Services Exchange: |
If your deployment is a high availability configuration, see the online help in FDM for additional instructions.
Continue with the remaining steps in How to Send Events Directly to the Cisco Cloud.
Important |
If you enable integration with Cisco Defense Orchestrator after you configure this, your devices may become unregistered from SSE. If you see this problem in the Devices tab of SSE, see (FTD Managed by FDM Only) Merge Your CDO and Security Accounts. |
Configure the Firepower Management Center to have managed Firepower Threat Defense devices send events directly to the cloud.
Note |
Available options depend on your FMC version. Skip any steps that do not apply to your version. |
In the Firepower Management Center:
Go to the System > Configuration page and give your FMC a unique name so it will be clearly identified in the Devices list in the cloud.
Add your FTD devices to the FMC, assign licenses to them, and ensure that the system is working correctly. (That is, you have created the necessary policies, and events are being generated and display as expected in the Firepower Management Center web interface under the Analysis tab.)
Perform the steps up to this point in How to Send Events Directly to the Cisco Cloud.
Make sure you have your cloud credentials and can sign in to the Cisco SecureX threat response regional cloud on which your account was created.
For URLs, see Cisco SecureX threat response Regional Clouds.
| Step 1 |
In Firepower Management Center: Select System > Integration. |
| Step 2 |
Click Cloud Services. |
| Step 3 |
Enable the slider for the Cisco Cloud or Cisco Cloud Event Configuration (depending on your FMC version). |
| Step 4 |
If you have not already done so, select the Cisco Cloud Region on which you have created your account. |
| Step 5 |
Enable the types of events to send to the cloud. If you send connection events, only Security Intelligence connection events are used in this integration. All other connection events are not used in this integration. |
| Step 6 |
Click Save. If the Save button is unavailable, this means the FMC is already registered to the selected regional cloud. |
| Step 7 |
Verify that the feature is properly enabled: |
Continue with the remaining steps in How to Send Events Directly to the Cisco Cloud.
Verify that the events you expect appear in Firepower as expected.
| Step 1 |
If you are not already working in Security Services Exchange, Access Security Services Exchange. |
| Step 2 |
Click Events. |
| Step 3 |
Look for events from your device. If you do not see expected events, see the tips in Troubleshooting a Direct Integration and look again at How to Send Events Directly to the Cisco Cloud. |
If you activate your cloud account immediately before attempting to configure this integration and you encounter problems implementing this integration, try waiting an hour or two and then logging in to your cloud account.
Make sure you are accessing the correct URL for the regional cloud associated with your account.
The device may be licensed using a Smart Account or virtual account that is not linked to your cloud account. Do one of the following:
In SSE, link the account from which the device was licensed.
License the device from a linked account:
Disable the integration on the FMC or in FDM, unregister the current license from the device, re-license the device from a linked account, then re-enable the integration in FDM or FMC.
Make sure you are looking at the same regional cloud that you selected in your Firepower settings. If you didn't select a region when you started sending events to the cloud, try the North America cloud first.
(Releases earlier than 6.4.0.4) Manually give the device a unique name: Click the pencil icon for each row in the Devices list. Suggestion: Copy the IP address from the Description.
This change is valid only for this Devices list; it does not appear anywhere in your Firepower deployment.
(Releases between 6.4.0.4 and 6.6) Device name is sent from FMC to SSE only at initial registration to SSE and is not updated on SSE if the device name changes in FMC.
If these devices are FTD devices managed by FDM, and you enabled integration with CDO after you registered your devices with SSE for integration with or Cisco SecureX threat response, and you have not yet merged your accounts, complete the procedure in (FTD Managed by FDM Only) Merge Your CDO and Security Accounts.
Make sure you are looking at the correct regional cloud and account.
Make sure your devices can reach the cloud and that you have allowed traffic through your firewall to all required addresses.
Click the Refresh button on the Events page to refresh the list.
Verify that the expected events appear in Firepower.
If you are using FDM, check your access rule logging settings.
Check your configurations for automatic deletion (filtering out events) in the Eventing settings on the Cloud Services page in SSE.
For additional troubleshooting tips, see the online help in SSE.
If you send connection events, only Security Intelligence connection events are used; all other connection events are ignored.
If you are using custom Security Intelligence objects in FMC, including global block or allow lists and Cisco Threat Intelligence Director (TID), you must configure SSE to auto-promote events that are processed using those objects. See information in the SSE online help about promoting events to incidents. .
> 
Feedback