Cisco Threat Response (CTR) / SecureX
Last updated 2023-05-05
Cisco Threat Response (CTR) is a tool used by incident responders that aggregates data from various Cisco security products like AMP for Endpoints, Firewall, Umbrella, Email Security, and Stealthwatch, in addition to data from certain third-party products including Signal Sciences. Within CTR, an investigator can perform a lookup against some object (file hash, URL, IP address), and CTR will fetch data from all of the integrated products, including any indicators of compromise and associated metadata.
The Signal Sciences CTR integration is a native integration that’s easy to install in minutes. The integration is available within the SecureX console:
Log in to the Signal Sciences console.
From the Sites menu, select a site if you have more than one site.
Log in to your SecureX console.
Click the Integrations tab. The integrations menu page appears.
From the Integrations menu in the navigation bar on the left, select Available Integrations. The list of available integrations appears.
Locate the Signal Sciences Next-Gen WAF in the list of available modules and click Add New Module. The add new module menu page appears.
In the Module Name field, leave the default name or enter a custom name. Custom names are useful if you plan to have multiple integrations for several cloud instances.
In the URL field, enter
<corpname> is present in the address of your Signal Sciences console, such as
<corpname> can also be retrieved from the List Corps API endpoint. Your corp name is the string that appears in the URL after logging into the Signal Sciences console.
In the Authorization Bearer Token field, enter the base64-encoded token you generated in Step 3.
Once the integration is installed, any lookups within CTR that include an IP address that’s been flagged by SigSci will return a record of the event in the Observables widget under Sightings and Indicators.
The Sighting will show when the IP address was flagged, the URL that was targeted, and a link back to the flagged IP address event within the SigSci console. The Indicator will describe the attack signal that was associated with the flagged IP address (e.g., XSS).
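To make the Sightings and Indicators result concrete, the following added example (not Fastly, Signal Sciences or Cisco code) summarises what a CTR lookup on one IP returns from the WAF module: when the IP was flagged, the targeted URL, the console link, and the attack signal name taken from the linked Indicator. The bundle is constructed, and its field names (observables, observed_time, targets, source_uri, relationship_type "sighting-of", title) are assumed to follow the CTIM shape CTR uses; treat the exact schema as an assumption.

```python
# Added example, not vendor code. CONSTRUCTED sample bundle: one sighting of a
# flagged IP, one indicator, and one relationship tying them together.
# Field names are an ASSUMPTION modelled on CTIM; the URL values are placeholders.
BUNDLE = {
    "sightings": [{
        "id": "sighting-1", "type": "sighting",
        "observables": [{"type": "ip", "value": "198.51.100.7"}],
        "observed_time": {"start_time": "2023-05-01T12:34:56Z"},
        "targets": [{"observables": [
            {"type": "url", "value": "https://www.example.com/login"}]}],
        "source": "Signal Sciences Next-Gen WAF",
        "source_uri": "https://<console>/<corpname>/<site>/events/<EVENT-ID-PLACEHOLDER>",
    }],
    "indicators": [{
        "id": "indicator-1", "type": "indicator", "title": "XSS",
        "description": "Cross-site scripting attack signal",
    }],
    "relationships": [{
        "type": "relationship", "relationship_type": "sighting-of",
        "source_ref": "sighting-1", "target_ref": "indicator-1",
    }],
}


def summarise_ip(bundle, ip):
    """Return one summary dict per sighting whose observables include `ip`:
    flagged time, targeted URL(s), console link, and linked indicator titles."""
    indicators = {i["id"]: i for i in bundle.get("indicators", [])}
    # Map each sighting id to the indicator ids it is a sighting of.
    linked = {}
    for rel in bundle.get("relationships", []):
        if rel.get("relationship_type") == "sighting-of":
            linked.setdefault(rel["source_ref"], []).append(rel["target_ref"])
    out = []
    for s in bundle.get("sightings", []):
        obs = s.get("observables", [])
        if not any(o["type"] == "ip" and o["value"] == ip for o in obs):
            continue  # sighting is about some other observable
        urls = [o["value"] for t in s.get("targets", [])
                for o in t.get("observables", []) if o["type"] == "url"]
        out.append({
            "flagged_at": s["observed_time"]["start_time"],
            "targeted_urls": urls,
            "console_link": s.get("source_uri"),
            "signals": [indicators[r]["title"]
                        for r in linked.get(s["id"], []) if r in indicators],
        })
    return out
```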