Cisco Threat Response (CTR) / SecureX
Last updated 2023-05-05
Cisco Threat Response (CTR) is a tool used by incident responders that aggregates data from various Cisco security products like AMP for Endpoints, Firewall, Umbrella, Email Security, and Stealthwatch in addition to data from certain third-party products including Next-Gen WAF. Within CTR, an investigator can perform a lookup against some object (file hash, URL, IP address) and CTR will fetch data from all of the products that are integrated including any indicators of compromise and associated metadata.
The CTR integration is a native integration that is available in the SecureX console:
- Log in to the Next-Gen WAF console.
- From the Sites menu, select a site if you have more than one site.
- Log in to your SecureX console.
- From the Integrations menu in the navigation bar on the left, select Available Integrations.
- Locate Signal Sciences Next-Gen WAF in the list of available modules and click Add New Module.
- In the Module Name field, leave the default name or enter a custom name. Custom names are useful if you plan to have multiple integrations for several cloud instances.
- In the URL field, enter
  <corpname> is present in the address of your Next-Gen WAF console, such as
  <corpname> can also be retrieved from the List Corps API endpoint. Your corp name is the string that appears in the URL after logging into the Next-Gen WAF console.
- In the Authorization Bearer Token field, enter the base64-encoded token you generated in Step 3.
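The steps above need the corp name for the URL field. The following Python script is an added example, not part of this page or of the Next-Gen WAF product documentation. It recovers `<corpname>` two ways: by parsing it out of a console address, and by calling the List Corps API endpoint the page mentions. It assumes the console and API live at `https://dashboard.signalsciences.net`, that the API authenticates with `x-api-user` / `x-api-token` headers, that the console path has the form `/corps/<corpname>/...`, and that List Corps returns `{"data": [{"name": ...}]}`; none of those details appear on this page. The environment variable names and the sample response are constructed for the example.

```python
import json
import os
import sys
from typing import Optional
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Assumed host of the Next-Gen WAF console and REST API (not stated on this page).
API_BASE = "https://dashboard.signalsciences.net/api/v0"


def auth_headers(api_user: str, api_token: str) -> dict:
    """Build request headers for the Next-Gen WAF REST API.

    The x-api-user / x-api-token header scheme is assumed here; the page
    itself does not describe how the API is authenticated.
    """
    return {
        "x-api-user": api_user,
        "x-api-token": api_token,
        "Accept": "application/json",
    }


def corp_name_from_console_url(url: str) -> Optional[str]:
    """Extract <corpname> from a console address.

    Assumes the console path looks like /corps/<corpname>/sites/<site>/...;
    returns None when no corp segment is present.
    """
    segments = [s for s in urlparse(url).path.split("/") if s]
    if "corps" in segments:
        idx = segments.index("corps")
        if idx + 1 < len(segments):
            return segments[idx + 1]
    return None


def extract_corp_names(list_corps_response: dict) -> list:
    """Pull the short corp names out of a List Corps response body.

    Assumed shape: {"data": [{"name": "<corpname>", "displayName": "..."}]}.
    The short "name" is the value that belongs in the SecureX URL field;
    "displayName" is only a human-readable label and is ignored.
    """
    names = []
    for corp in list_corps_response.get("data", []):
        name = corp.get("name")
        if isinstance(name, str) and name:
            names.append(name)
    return names


def list_corps(api_user: str, api_token: str) -> dict:
    """Call the List Corps endpoint (GET /corps) and return the parsed JSON."""
    req = Request(f"{API_BASE}/corps", headers=auth_headers(api_user, api_token))
    with urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample response, used so the parsing logic can be exercised offline.
SAMPLE_LIST_CORPS = {
    "data": [
        {"name": "example_corp", "displayName": "Example Corp"},
        {"name": "second_corp", "displayName": "Second Corp"},
    ]
}


if __name__ == "__main__":
    # Credentials come from the environment; the variable names are chosen
    # for this example and are not a product convention.
    user = os.environ.get("EXAMPLE_SIGSCI_EMAIL")
    token = os.environ.get("EXAMPLE_SIGSCI_TOKEN")
    if user and token:
        body = list_corps(user, token)
    else:
        print("no credentials set; parsing the constructed sample instead", file=sys.stderr)
        body = SAMPLE_LIST_CORPS
    for corp in extract_corp_names(body):
        print(corp)
```

Run it with the two environment variables set to query the live endpoint; without them it prints the corp names from the constructed sample so the parsing path can still be checked. If the API returns more than one corp, pick the one whose name matches the address you see after logging in to the console, since that is the value the SecureX module expects.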
Once the integration is installed, any lookups within CTR that include an IP address that’s been flagged by SigSci will return a record of the event in the Observables widget under Sightings and Indicators.
The Sighting will show when the IP address was flagged, the URL that was targeted, and a link back to the flagged IP address event within the SigSci console. The Indicator will describe the attack signal that was associated with the flagged IP address (e.g., XSS).