
Cisco Threat Response / SecureX

Updated Jun 29, 2022

Cisco Threat Response (CTR) is a tool used by incident responders that aggregates data from various Cisco security products, such as AMP for Endpoints, Firewall, Umbrella, Email Security, and Stealthwatch, in addition to data from certain third-party products, including Signal Sciences. Within CTR, an investigator can perform a lookup against some object (file hash, URL, IP address) and CTR will fetch data from all of the integrated products, including any indicators of compromise and associated metadata.

Installation

The Signal Sciences CTR integration is a native integration that’s easy to install in minutes. The integration is available within the SecureX console:

Note: The user setting up the CTR integration must have permission to create API Access Tokens.

  1. Log in to the Signal Sciences console.

  2. Select a site if you have more than one site.

  3. Create an API Access Token for your user.

  4. Generate an Authorization Bearer Token from this API Access Token by base64 encoding a string composed of the email address associated with your user, a colon, and the API Access Token you generated. An example of this in JavaScript is:

    btoa("andy@examplecorp.com:exampletoken") // returns "YW5keUBleGFtcGxlY29ycC5jb206ZXhhbXBsZXRva2Vu"

  5. Log in to your SecureX console.

  6. Click the Integrations tab. The integrations menu page appears.

  7. From the Integrations menu in the navigation bar on the left, select Available Integrations. The list of available integrations appears.

  8. Locate the Signal Sciences Next-Gen WAF in the list of available modules and click Add New Module. The add new module menu page appears.

  9. In the Module Name field, leave the default name or enter a custom name. Custom names are useful if you plan to have multiple integrations for several cloud instances.

  10. In the URL field, enter https://dashboard.signalsciences.net/api.v0/corps/<corpname>/ctr.

    • Your <corpname> is present in the address of your Signal Sciences console, such as https://dashboard.signalsciences.net/corps/<corpname>/overview.

    • Your <corpname> can also be retrieved from the List Corps API endpoint.

  11. In the Authorization Bearer Token field, enter the base64-encoded token you generated in Step 4.

  12. Click Save.
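The token and URL construction from Steps 4 and 10, as an added JavaScript example that is not part of the original page or of the Signal Sciences product. It runs under Node.js (Buffer replaces the browser's btoa, which rejects non-Latin-1 input); the corp-name pattern used for validation and the helper names are assumptions.

```javascript
// Hypothetical validation: corp names are assumed to be the short lowercase
// slug that appears in the console URL (letters, digits, hyphens).
const CORP_NAME_RE = /^[a-z0-9][a-z0-9-]*$/;

// Step 4: base64("email:apiAccessToken"). The result grants the same access
// as the API Access Token itself, so handle it as a secret when pasting it
// into the SecureX module configuration.
function makeBearerToken(email, apiAccessToken) {
  if (typeof email !== "string" || !email.includes("@")) {
    throw new Error("email must be the address associated with your SigSci user");
  }
  if (email.includes(":")) {
    // The colon separates the two fields; one inside the email would shift
    // the split point when the credential is decoded.
    throw new Error("email must not contain ':'");
  }
  if (!apiAccessToken) {
    throw new Error("API Access Token is required");
  }
  return Buffer.from(`${email}:${apiAccessToken}`, "utf8").toString("base64");
}

// Reverse of makeBearerToken, useful for checking a token before saving it.
// Everything after the first colon is the token (tokens may contain colons).
function decodeBearerToken(bearer) {
  const [email, ...rest] = Buffer.from(bearer, "base64").toString("utf8").split(":");
  return { email, apiAccessToken: rest.join(":") };
}

// Step 10, first bullet: pull <corpname> out of a console URL such as
// https://dashboard.signalsciences.net/corps/<corpname>/overview
function corpNameFromConsoleUrl(consoleUrl) {
  const { hostname, pathname } = new URL(consoleUrl);
  if (hostname !== "dashboard.signalsciences.net") {
    throw new Error("not a Signal Sciences console URL");
  }
  const m = pathname.match(/^\/corps\/([^/]+)/);
  if (!m || !CORP_NAME_RE.test(m[1])) {
    throw new Error("could not find a corp name in the console URL");
  }
  return m[1];
}

// Step 10: the URL entered in the SecureX module's URL field.
function buildCtrModuleUrl(corpName) {
  if (!CORP_NAME_RE.test(corpName)) {
    throw new Error(`unexpected corp name: ${corpName}`);
  }
  return `https://dashboard.signalsciences.net/api.v0/corps/${corpName}/ctr`;
}
```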

Using the Cisco Threat Response Integration

Once the integration is installed, any lookups within CTR that include an IP that’s been flagged by SigSci will return a record of the event in the Observables widget under Sightings and Indicators.

The Sighting will show when the IP was flagged, the URL that was targeted, and a link back to the flagged IP event within the SigSci console. The Indicator will describe the attack signal that was associated with the flagged IP (for example, XSS).