Beginning in Firepower release 6.4, you can configure your Firepower system to send supported events directly to the Cisco cloud from Firepower Threat Defense (FTD) devices.
Specifically, your Firepower devices send events to Security Services Exchange (SSE), from where they can be automatically or manually promoted to incidents that appear in Cisco Threat Response (CTR).
|
Do This |
More Information |
|
|---|---|---|
| Step 1 |
Meet requirements |
Requirements for Direct Integration and its subtopics. |
|
Step 2 |
In your browser, access Security Services Exchange, the cloud portal for Cisco Threat Response that you will use for managing devices and filtering events. |
|
|
Step 3 |
In Security Services Exchange, enable the eventing service. |
Click Cloud Services and enable these options:
|
|
Step 4 |
In Security Services Exchange, link your licensing accounts so that you can view and work with event data from devices registered to different accounts in your organization. |
See Link Accounts. Important! You cannot un-link accounts after you link them. |
| Step 5 |
In your Firepower product, enable integration with the Cisco cloud. |
Tip: Don't skip the prerequisites in these topics!
|
|
Step 6 |
Generate events |
-- |
| Step 7 |
Verify that your integration is set up correctly. If necessary, troubleshoot issues. |
See: |
|
Step 8 |
(Optional) Configure Security Services Exchange to automatically delete certain non-significant events, and to automatically promote certain events to incidents and make them visible in Cisco Threat Response. |
See information in the online help in Security Services Exchange about filtering events and promoting events. |
|
Step 10 |
Verify that promoted events appear as expected in Cisco Threat Response Incident Manager. |
In Cisco Threat Response, click Incidents. |
|
Step 11 |
In Cisco Threat Response, add a Firepower module. With this module configured, CTR will return sightings from intrusion events in SSE even if they have not been promoted. |
Navigate to Modules > Integration Modules > Configure Modules and select the Firepower module. Fore more information about this module, see the online help in CTR. |
|
Requirement Type |
Requirement |
|---|---|
|
Firepower device |
Firepower Threat Defense devices
|
|
Firepower version |
6.4 or later Support for regional clouds was introduced in Firepower version 6.5. Version requirement applies to both devices and FMC (if applicable). |
|
Cisco Threat Response cloud |
North America cloud The European cloud, https://visibility.eu.amp.cisco.com, is supported beginning in Firepower version 6.5. |
|
Licensing |
|
|
Account |
|
|
Connectivity |
FMC and managed devices must be able to connect outbound to the Cisco cloud at the following addresses:
|
|
General |
Your Firepower system is generating events as expected. |
In order to access the cloud, you must have an administrator-level Cisco Security Account, AMP for Endpoints account, or Cisco Threat Grid account.
Your account must be created on or associated with the regional cloud to which you will send your Firepower event data.
If you or your organization already has a Cisco Security account on the regional cloud that you will use, do not create another.
For information about obtaining and activating a Cisco Security account, see Get an Account to Access Cisco Threat Response.
You must have administrator privileges for the Cisco Smart Account from which your products are licensed.
To determine your Smart Account user role, go to https://software.cisco.com, click Manage Smart Account, select a Smart Account in the top right area of the page, click the Users tab, and search for your User ID.
Your licensing Smart Account and the account you use to access the cloud must both be associated with the same Cisco CCO account.
Your Firepower account must have one of the following user roles:
Admin
Access Admin
Network Admin
Security Approver
In your browser, disable pop-up blocking.
| Step 1 |
In a browser window, go to Cisco Threat Response:
|
| Step 2 |
Sign in using the credentials for your AMP for Endpoints, Cisco Threat Grid, or Cisco Security account. Your account credentials are specific to the regional cloud you sign into. |
| Step 3 |
Navigate to Security Services Exchange: Select Modules > Devices > Manage Devices. Security Services Exchange will open in a new browser window. |
To integrate products registered under different licensing Smart Accounts into a single view in the cloud, you must link those Smart Accounts to the account you use to access Cisco Threat Response.
 Caution |
If you link accounts, you cannot unlink them. You must contact Cisco TAC. |
In order to link accounts, you must have administrator-level privileges for all of the licensing Smart Accounts (not just the virtual accounts) and for the account you use to access Cisco Threat Response.
To view linked accounts, a user-level account is sufficient.
You will need your Cisco.com (CCO) credentials to complete this procedure.
| Step 1 |
In the top right corner of any page in Security Services Exchange, click the Tools button ( |
| Step 2 |
Click Link More Accounts. |
| Step 3 |
Sign in with your Cisco.com (CCO) credentials. |
| Step 4 |
Select the accounts to integrate with this cloud account. |
| Step 5 |
Click Link Accounts. |
Perform the steps up to this point in How to Send Events Directly to the Cisco Cloud.
In FDM, make sure your device has a unique name. If not, assign one now, in Device > System Settings > Hostname.
In FDM, apply intrusion and other applicable policies to at least one access control rule and verify that the device is successfully generating events.
Make sure you have your cloud credentials and can access Cisco Threat Response:
Go to https://visibility.amp.cisco.com or https://visibility.eu.amp.cisco.com and sign in.
In your browser:
Disable pop-up blocking
Allow third-party cookies
| Step 1 |
In Firepower Device Manager: Click Device, then click the link. If you are already on the System Settings page, simply click Cloud Services in the table of contents. |
| Step 2 |
If you have not already selected a regional cloud, select a region. See Guidelines and Limitations for Choosing a Regional Cloud. |
| Step 3 |
Select the types of events to send to the cloud. |
| Step 4 |
Click the Enable control for the Cisco Threat Response feature. If prompted, read the disclosure and click Accept. |
| Step 5 |
Verify that your device has registered successfully in Security Services Exchange: |
If your deployment is a high availability configuration, see the online help in FDM for additional instructions.
Continue with the remaining steps in How to Send Events Directly to the Cisco Cloud.
Configure the Firepower Management Center to have managed Firepower Threat Defense devices send events directly to Security Services Exchange.
In the Firepower Management Center:
Go to the System > Configuration page and give your FMC a unique name so it will be clearly identified in the Devices list in the cloud.
Add your FTD devices to the FMC, assign licenses to them, and ensure that the system is working correctly. (That is, you have created the necessary policies, and events are being generated and display as expected in the Firepower Management Center web interface under the Analysis tab.)
Perform the steps up to this point in How to Send Events Directly to the Cisco Cloud.
Make sure you have your cloud credentials and can access Cisco Threat Response:
Go to the regional cloud on which your account was created and sign in.
| Step 1 |
In Firepower Management Center: Select System > Integration. |
| Step 2 |
Click Cloud Services. |
| Step 3 |
Enable the slider for the Cisco Cloud Event Configuration. |
| Step 4 |
If you have not already done so, select a Cisco Cloud Region. See Guidelines and Limitations for Choosing a Regional Cloud. |
| Step 5 |
Enable the types of events to send to the cloud. High priority connection events include:
|
| Step 6 |
Click Save. If the Save button is unavailable, this means the FMC is already registered to the selected regional cloud. |
| Step 7 |
Verify that the feature is properly enabled: |
Continue with the remaining steps in How to Send Events Directly to the Cisco Cloud.
Verify that the events you expect appear in Firepower as expected.
| Step 1 |
If you are not already working in Security Services Exchange, Access Security Services Exchange. |
| Step 2 |
Click Events. |
| Step 3 |
Look for events from your device. If you do not see expected events, see the tips in Troubleshooting a Direct Integration and look again at How to Send Events Directly to the Cisco Cloud. |
If you activate your cloud account immediately before attempting to configure this integration and you encounter problems implementing this integration, try waiting an hour or two and then logging in to your cloud account.
Make sure you are accessing the correct URL for the regional cloud associated with your account.
The device may be licensed using a Smart Account or virtual account that is not linked to your cloud account. Do one of the following:
In SSE, link the account from which the device was licensed.
See Link Accounts.
License the device from a linked account:
Disable the integration on the FMC or in FDM, unregister the current license from the device, re-license the device from a linked account, then re-enable the integration in FDM or FMC.
Make sure you are looking at the same regional cloud that you selected in your Firepower settings. If you didn't select a region when you started sending events to the cloud, try the North America cloud first.
Make sure your devices can reach the cloud. For connectivity requirements, see Requirements for Direct Integration.
Click the Refresh button on the Events page to refresh the list.
Verify that the expected events appear in Firepower.
If you are using FDM, check your access rule logging settings.
Check your configurations for automatic deletion (filtering out events) in the Eventing Service settings on the Cloud Services page.
For additional troubleshooting tips, see the online help in SSE.
) and choose 
Feedback