search close

Cisco Threat Response / SecureX

access_time Updated Jan 11, 2022

Cisco Threat Response (CTR) is a tool used by incident responders that aggregates data from various Cisco security products like AMP for Endpoints, Firewall, Umbrella, Email Security, and Stealthwatch in addition to data from certain 3rd party products including Signal Sciences. Within CTR, an investigator can perform a lookup against some object (file hash, URL, IP address) and CTR will fetch data from all of the products that are integrated including any indicators of compromise and associated metadata.


The Signal Sciences CTR integration is a native integration that’s easy to install in minutes. The integration is available within the SecureX console:

Note: The user setting up the CTR integration must have permission to create API Access Tokens.

  1. Log into the Signal Sciences Console

  2. Create an API Access Token for your user

  3. You will need to generate an Authorization Bearer Token from this API Access Token:

    • The Authorization Bearer Token is created by base64 encoding a string composed of the email address associated with your user, a colon, and the API Access Token you generated

    • An example of this in Javascript is:

      btoa("") = "YW5keUBleGFtcGxlY29ycC5jb206ZXhhbXBsZXRva2Vu"
  4. Log into your SecureX console

  5. Click on the Integrations tab at the top

  6. In the navigation bar on the left, select Integrations > Available Integrations

  7. In the list of available modules, locate the Signal Sciences Next-Gen WAF module and click on Add New Module

  8. Complete the form by entering the following:

    • Module Name - Leave the default name or enter a name that is meaningful to you (for example, if you plan to have multiple integrations for several cloud instances)

    • URL -<your-corp-name>/ctr (your corp name is the string that appears in the URL after logging into the Signal Sciences console)

    • Authorization Bearer Token - The base64-encoded token you generated in Step 3

  9. Click the Save button to finish setting up the integration

Using the Cisco Threat Response Integration

Once the integration is installed, any lookups within CTR that include an IP that’s been flagged by SigSci will return a record of the event in the Observables widget under Sightings and Indicators.

The Sighting will show when the IP was flagged, the URL that was targeted, and a link back to the flagged IP event within the SigSci console. The Indicator will describe the attack signal that was associated with the flagged IP (i.e. XSS).