Cisco Threat Response (CTR) / SecureX

Cisco Threat Response (CTR) is a tool used by incident responders that aggregates data from various Cisco security products like AMP for Endpoints, Firewall, Umbrella, Email Security, and Stealthwatch in addition to data from certain third-party products including Next-Gen WAF. Within CTR, an investigator can perform a lookup against some object (file hash, URL, IP address) and CTR will fetch data from all of the products that are integrated including any indicators of compromise and associated metadata.

Installation

The CTR integration is a native integration that is available in the SecureX console:

NOTE

The user setting up the CTR integration must have permission to create API Access Tokens.

  1. Log in to the Next-Gen WAF console.
  2. From the Sites menu, select a site if you have more than one site.
  3. Create an API Access Token for your user.

  4. Generate an Authorization Bearer Token from this API Access Token by base64-encoding a string composed of the email address associated with your user, a colon, and the API Access Token you generated. An example of this in JavaScript (the encoded value below decodes back to exactly the input string shown):

    btoa("andy@examplecorp.com:exampletoken") = "YW5keUBleGFtcGxlY29ycC5jb206ZXhhbXBsZXRva2Vu"
  5. Log in to your SecureX console.

  6. Click Integrations.

  7. From the Integrations menu in the navigation bar on the left, select Available Integrations.

  8. Locate Signal Sciences Next-Gen WAF in the list of available modules and click Add New Module.

  9. In the Module Name field, leave the default name or enter a custom name. Custom names are useful if you plan to have multiple integrations for several cloud instances.

  10. In the URL field, enter https://dashboard.signalsciences.net/api.v0/corps/<corpname>/ctr.

    • Your <corpname> is the string that appears in the address of your Next-Gen WAF console after you log in, such as https://dashboard.signalsciences.net/corps/<corpname>/overview.
    • Your <corpname> can also be retrieved from the List Corps API endpoint.
  11. In the Authorization Bearer Token field, enter the base64-encoded token you generated in Step 4 (not the raw API Access Token from Step 3).

  12. Click Save.
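The token-building step above is easy to get subtly wrong (wrong email, raw token pasted instead of the encoded one, wrong corp name in the URL). The following is an added example, not code from the Signal Sciences or SecureX documentation: it builds the bearer token the same way the page's btoa() call does, decodes it back so the value can be checked before it is pasted into the SecureX console, and assembles the module URL from the corp name found in the console address. Buffer is used instead of btoa() so it runs under Node.js as well as a browser. The email, token and corp name are constructed sample values, and the character class accepted for a corp name is an assumption made here to keep path separators out of the URL, not a documented Signal Sciences rule.

```javascript
// Added example (not part of the Signal Sciences / SecureX documentation):
// build and verify the Authorization Bearer Token the SecureX module expects,
// and assemble the module URL for a given corp name.

// Encode "<email>:<api access token>" as base64, exactly what btoa() does in a
// browser. Empty inputs are rejected, as is an email containing ':' because
// the decoded string is split on its first colon.
function makeBearerToken(email, apiAccessToken) {
  if (!email || !apiAccessToken) {
    throw new Error("email and API access token are both required");
  }
  if (email.includes(":")) {
    throw new Error("email must not contain ':' (it is the separator)");
  }
  return Buffer.from(`${email}:${apiAccessToken}`, "utf8").toString("base64");
}

// Decode a token back into its two parts so a typo can be caught before the
// value is saved in the SecureX console. Only the first ':' is treated as the
// separator, so an API token that itself contains a colon survives intact.
function decodeBearerToken(token) {
  const decoded = Buffer.from(token, "base64").toString("utf8");
  const idx = decoded.indexOf(":");
  if (idx <= 0) {
    throw new Error("decoded value is not of the form email:token");
  }
  return { email: decoded.slice(0, idx), apiAccessToken: decoded.slice(idx + 1) };
}

// Pull <corpname> out of a console address such as the overview page,
// https://dashboard.signalsciences.net/corps/<corpname>/overview.
function corpnameFromConsoleUrl(url) {
  const m = new URL(url).pathname.match(/^\/corps\/([^/]+)/);
  if (!m) throw new Error("no /corps/<corpname>/ segment in URL");
  return m[1];
}

// The value entered in the module's URL field. The accepted character class is
// an assumption made for this example (it keeps '/', '?', '#' and whitespace
// out of the path segment); it is not a documented corp-name rule.
function ctrModuleUrl(corpname) {
  if (!/^[A-Za-z0-9_-]+$/.test(corpname)) {
    throw new Error(`corp name ${JSON.stringify(corpname)} is not a safe URL path segment`);
  }
  return `https://dashboard.signalsciences.net/api.v0/corps/${corpname}/ctr`;
}

// Constructed sample values (not real credentials). They are the values the
// page's own example token decodes to.
const sampleEmail = "andy@examplecorp.com";
const sampleApiToken = "exampletoken";
const sampleConsoleUrl = "https://dashboard.signalsciences.net/corps/examplecorp/overview";

const bearer = makeBearerToken(sampleEmail, sampleApiToken);
console.log(bearer);                    // YW5keUBleGFtcGxlY29ycC5jb206ZXhhbXBsZXRva2Vu
console.log(decodeBearerToken(bearer)); // { email: 'andy@examplecorp.com', apiAccessToken: 'exampletoken' }
console.log(ctrModuleUrl(corpnameFromConsoleUrl(sampleConsoleUrl)));
// https://dashboard.signalsciences.net/api.v0/corps/examplecorp/ctr
```

One caveat worth keeping in mind: base64 is an encoding, not encryption. The bearer token is the email and API Access Token in a reversible form, so anyone who obtains it can call the API as that user. Treat the encoded value with the same care as the API Access Token itself, and revoke the token in the Next-Gen WAF console if either value is exposed.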

Using the Cisco Threat Response Integration

Once the integration is installed, any lookups within CTR that include an IP address that’s been flagged by SigSci will return a record of the event in the Observables widget under Sightings and Indicators.

The Sighting will show when the IP address was flagged, the URL that was targeted, and a link back to the flagged IP address event within the SigSci console. The Indicator will describe the attack signal that was associated with the flagged IP address (for example, XSS).
