Cisco Threat Intelligence Director (TID)

Size: px
Start display at page:

Download "Cisco Threat Intelligence Director (TID)"

Transcription

1 The topics in this chapter describe how to configure and use TID in the Firepower System. Overview, page 1 Using TID Sources to Ingest Feed Data, page 6 Using Access Control to Publish TID Data and Generate Events, page 26 Using TID to Analyze Incident and Observation Data, page 27 Common TID Tasks, page 34 Common Firepower Management Center Tasks, page 40 Troubleshooting Common Issues With TID, page 45 Overview The operationalizes threat intelligence data, helping you aggregate intelligence data, configure defensive actions, and analyze threats in your environment. When installed and configured on your hosting platform, TID ingests data from threat intelligence sources and publishes the data to all configured elements. For more information about the hosting platforms and elements supported in this release, see Platform and Element Requirements, on page 4. Sources contain indicators, which contain observables. An indicator conveys all of the characteristics associated with a threat, and individual observables represent individual characteristics (e.g. a SHA-256 value) associated with the threat. Simple indicators contain a single observable, and complex indicators contain two or more observables. 1

2 TID and Security Intelligence Observables and the AND/OR operators between them form an indicator's pattern, as illustrated in the following examples. Figure 1: Example: Indicator Patterns After publishing to elements, TID generates observations when the system identifies observables in traffic. TID also updates the incidents associated with the observable's parent indicator(s). An incident is fully realized when an indicator's pattern is fulfilled. For more information, see Observation and Incident Generation, on page 27. TID and Security Intelligence As part of your access control policy, Security Intelligence uses reputation intelligence to quickly block connections to or from IP addresses, URLs, and domains. Security Intelligence uniquely provides access to industry-leading threat intelligence from Cisco Talos Security Intelligence and Research Group (Talos). For more information on Security Intelligence, see About Security Intelligence. TID enhances the system's ability to block connections based on security intelligence from third-party sources as follows: TID supports additional traffic filtering criteria Security Intelligence allows you to filter traffic based on IP address, URL, and (if DNS policy is enabled) domain name. TID also supports filtering by these criteria and adds support for filtering on SHA-256 hash values. TID supports additional intelligence ingestion methods With both Security Intelligence and TID, you can import threat intelligence into the system by either manually uploading flat files or configuring the system to retrieve flat files from a third-party host. TID provides increased flexibility in managing 2

3 Ingestion and Operationalization Strategy those flat files. In addition, TID can retrieve and ingest intelligence provided in Structured Threat Information expression (STIX ) format. TID provides granular control of filtering actions With Security Intelligence, you can specify filtering criteria by network, URL, or DNS object. A given object can contain multiple IP addresses, URLs, or DNS domain names, but you can only blacklist or whitelist by object, not by individual components of an object. With TID, you can configure filtering actions for individual criteria (that is, simple indicators or individual observables). TID configuration changes do not require redeployment After you modify Security Intelligence settings in the access control policy, you must redeploy the changed configuration to managed devices. With TID, after initial deployment of the access control policy to the managed devices, you can configure sources, indicators, and observables without redeploying, and the system automatically publishes new TID data to the elements. Note If you have enabled both Security Intelligence and TID in an access control policy, the system filters traffic first by Security Intelligence criteria and then by TID criteria. For more information, see TID-Firepower Management Center Action Prioritization, on page 42. Ingestion and Operationalization Strategy Note If you encounter an issue during TID configuration or operation, see Troubleshooting Common Issues With TID, on page 45. This strategy is as follows: Procedure Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Configure which sources of intelligence you want TID to ingest. For more information, see Using TID Sources to Ingest Feed Data, on page 6 and Source Requirements, on page 5. TID ingests the intelligence data and allows you to aggregate and analyze that data in a consolidated view. In this view, you can refine the actions the system takes when it detects indicators and observables in traffic passing through your elements. Configure access control policies to publish TID data to your elements. For more information, see Using Access Control to Publish TID Data and Generate Events, on page 26 and Platform and Element Requirements, on page 4. TID operationalizes the data by publishing it to the elements. The elements monitor traffic and report observations to the Firepower Management Center. The Firepower Management Center collects observations from all elements, evaluates the observations against TID indicators, and generates or updates incidents as appropriate. Perform incident analysis. For more information, see Using TID to Analyze Incident and Observation Data, on page 27 3

4 Platform and Element Requirements Platform and Element Requirements TID supports hosting platforms and element types listed below. Hosting Platforms You can host TID on physical and virtual Firepower Management Centers: running Version or later of the Firepower System. configured with a minimum of 15 GB of memory. configured with REST API access enabled. Note If you host TID on the active Firepower Management Center in a high availability configuration, the system does not synchronize TID configurations and TID data to the standby Firepower Management Center. We recommend performing regular backups of TID data on your active Firepower Management Center so that you can restore the data after failover. For more information, see Firepower Management Center Access and License Requirements, on page 5 and Firepower Management Center and Managed Device Performance Impact, on page 5. Elements You can use any Firepower Management Center-managed device as a TID element if the device is running Version or later of the Firepower System. The following diagram shows data flow in a sample Firepower System configuration. Figure 2: Firepower Management Center Data Flow 4

5 Source Requirements Firepower Management Center Access and License Requirements Access You can use Firepower Management Center user accounts to access the TID menus and pages: Accounts with the Admin or Threat Intelligence Director User user role. Accounts with a custom user role containing the Intelligence permission. In addition, you can use Firepower Management Center user accounts with the Admin, Access Admin, or Network Admin user role to enable or disable TID in your access control policies. For more information about user accounts, see Firepower System User Management. Licensing The Firepower System requires a Malware license (Classic or Smart) if you want to configure file policies for SHA-256 observable publishing. For more information, see Using Access Control to Publish TID Data and Generate Events, on page 26 and About Firepower Feature Licenses. Firepower Management Center and Managed Device Performance Impact Firepower Management Center In some cases, you may notice the following: The system may experience minor performance issues while ingesting particularly large STIX sources, and ingestion may take longer than expected to finish. The system may take up to 15 minutes to publish new or modified TID data down to elements. Managed Device Source Requirements There is no exceptional performance impact. TID impacts performance identically to the Firepower Management Center Security Intelligence feature. Feeds must meet the following type and delivery requirements to be used as sources in TID: Table 1: Source Type Requirements Source Type STIX Requirements Files must be STIX Version 1.0, 1.1, 1.1.1, or 1.2 and adhere to the guidelines in the STIX documentation: suggested-practices/. 5

6 Using TID Sources to Ingest Feed Data Source Type Flat File Requirements Files must be ASCII text files with one observable value per line. TID does not support: Delimiter characters separating observable values (e.g. observable, is invalid). Enclosing characters around observable values (e.g. "observable" is invalid). Note For information about the flat file Content types TID supports, see Source Configuration Fields, on page 6. Table 2: Source Delivery Requirements Delivery Method Upload Requirements Files can be a maximum of 500 MB. Using TID Sources to Ingest Feed Data If you want TID to ingest threat intelligence data for later analysis, you must configure TID sources to ingest feed data: Source Configuration Fields Fetching TAXII Feeds to Use as Sources, on page 14 Fetching Hosted Files to Use as Sources, on page 15 Uploading Local Files to Use as Sources, on page 16 The table below defines the fields you use to configure sources in TID. Your selections in the Delivery and Type fields populate the configuration page with the necessary fields for the source. For more information about supported sources, see Source Requirements, on page 5. For troubleshooting information, see Troubleshooting Common Issues With TID, on page 45. 6

7 Source Configuration Fields Field Delivery The method you want TID to use to retrieve the source. TAXII TID connects to a TAXII server and fetches one or more feeds. For more information about configuring TAXII sources, see Fetching TAXII Feeds to Use as Sources, on page 14. URL TID connects to a host and fetches a single file containing a single feed. For more information about configuring URL sources, see Fetching Hosted Files to Use as Sources, on page 15. Upload TID receives a manually uploaded local file containing a single feed. For more information about configuring Upload sources, see Uploading Local Files to Use as Sources, on page 16. Displays if you choose the following Delivery value Type The data format of the source (STIX or Flat File). During STIX ingestion, TID creates a simple or complex indicator from the contents of the STIX file. During Flat File ingestion, TID creates a simple indicator for each observable value in the flat file. URL, Upload 7

8 Source Configuration Fields Field Content Displays if you specify Flat File for Type. The type of data contained within the flat file source. SHA-256 source contains one or more SHA-256 hash values. Domain source contains one or more valid domain names, as defined in RFC URL source contains one or more valid URLs, as defined in RFC Note TID normalizes any URLs that contain port, protocol, or authentication information, and uses the normalized version when detecting indicators. For example, TID normalizes any of the following URLs: google.com:8080/index.htm google.com/index.htm as: google.com/index.htm Or, for example, TID normalizes the following URL: Displays if you choose the following Delivery value URL, Upload as IPv4 source contains one or more valid IPv4 addresses, as defined in RFC 791. Note TID does not accept CIDR blocks. IPv6 source contains one or more valid IPv6 addresses, as defined in RFC Note TID does not accept prefix lengths. The system uses this value to identify the data types of the observables and observations related to the source. 8

9 Source Configuration Fields Field URL The URL specifying the location of the source. When the Delivery of the source is TAXII, this is the discovery URL for the TAXII discovery service. When the Delivery of the source is URL, this is the URL specifying where the text file is located on a server. You must specify the protocol, domain name or IP address, and file name. Specifying a port for communications with the server is optional. Note HTTP connections are insecure. For example: If the Delivery of the source is TAXII, you might enter: If the Delivery of the source is URL, you might enter: where the protocol (http), domain name (domainname.com), port (8080), and file name (filename.txt) are specified. Displays if you choose the following Delivery value TAXII, URL SSL Settings > Self-Signed Certificate When enabled, TID uses a self-signed server certificate for communicating with your URL or TAXII server. URL 9

10 Source Configuration Fields Field SSL Settings > SSL Hostname Verification Displays if you enable Self-Signed Certificate. The SSL hostname verification method you want TID to use with your self-signed server certificate: Strict TID requires the source URL to match the hostname provided in the server certificate. If the hostname includes a wildcard, TID cannot match more than one subdomain. Browser Compatible TID requires the source URL to match the hostname provided in the server certificate. If the hostname includes a wildcard, TID matches all subdomains. Allow All TID does not require the source URL to match the hostname provided in the server certificate. For example, if subdomain1.subdomain2.cisco.com is your source URL and *.cisco.com is the hostname provided in the server certificate: Strict hostname verification fails. Browser Compatible hostname verification succeeds. Allow All hostname verification ignores the hostname values completely. Displays if you choose the following Delivery value URL SSL Settings > Server Certificate SSL Settings > User Certificate Displays if you enable Self-Signed Certificate. The server's PEM-encoded certificate for communicating with your URL or TAXII server, if required by the self-signed server certificate. If you have access to the self-signed server certificate, open the certificate in a text editor and copy the entire block of text, including the BEGIN CERTIFICATE and END CERTIFICATE lines. Enter this entire string into the field. If you do not have access to the self-signed server certificate, leave the field blank. After you save the source, TID retrieves the certificate from the server. Take note of the certificate's expiration date. After the certificate expires, enter a new Server Certificate or delete the existing Server Certificate. The user's PEM-encoded certificate for communicating with your URL or TAXII server, if required by the server. Open the certificate in a text editor and copy the entire block of text, including the BEGIN CERTIFICATE and END CERTIFICATE lines. Enter this entire string into the field. URL URL 10

11 Source Configuration Fields Field SSL Settings > User Private Key Username / Password Feeds File Name Action Update Every (minutes) or Never Update The user's PEM-encoded private key for communicating with your URL or TAXII server, if required by the server. Open the private key file in a text editor and copy the entire block of text, including the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY lines. Enter this entire string into the field. The credentials, if required, to access the TAXII server's directory service where the files are stored. Note If you specified an value in the URL field, TID sends the user name and password over an insecure connection. One or more feeds from the TAXII delivery service that you want to import as sources in TID. Click to fetch feeds from the specified TAXII delivery service URL. TID creates one source for each selected feed. The local file that you want to import as a source in TID. A unique name for the source. (Optional) A description for the source. The action (Block or Monitor) you want to perform on traffic matching the data contained within this source. Note You can block flat files at the source, indicator, and observable level. You cannot block STIX feeds at the source level. However, you can block a simple indicator from a STIX feed at the indicator or observable level. For more information, see Editing TID Actions at the Source, Indicator, or Observable Level, on page 37. Indicators can inherit Action settings from a parent source, and observables can inherit Action settings from a parent indicator. For more information, see Inheritance in TID Configurations, on page 12. The frequency that TID should update the source, in minutes; for example, When TID updates a URL source, it overwrites the old file with the new file. When TID updates a TAXII source, it updates the old data with new or changed information from the new file. If you check the Never Update checkbox, TID never updates the source. Displays if you choose the following Delivery value URL TAXII TAXII Upload URL, Upload URL, Upload any TAXII, URL 11

12 Inheritance in TID Configurations Field TTL (days) The time to live for stagnant indicators and observables, in days; for example, 90. After the TTL elapses, TID deletes all of the source's indicators that have not been seen or updated since the time the indicator was ingested. TID also deletes all observables associated with the indicators if there are no surviving indicators referencing the observables. Displays if you choose the following Delivery value any Publish Specifies whether TID publishes data from the source to registered elements. When this option is enabled, the system automatically publishes the initial source data and any subsequent changes including: changes from periodic source refreshes changes resulting from system action (for example, TTL expiration) any user-initiated changes (for example, a change in the Action setting for an indicator or observable) For more information, see Publishing TID Data at the Source, Indicator, or Observable Level, on page 35. Indicators can inherit Publish settings from a parent source, and observables can inherit Publish settings from a parent indicator. For more information, see Inheritance in TID Configurations, on page 12. any Inheritance in TID Configurations When TID ingests intelligence data from a source, it creates indicators and observables as child objects of that source. On creation, these child objects inherit Action and Publish settings from the parent configuration. An indicator inherits these settings from the parent source. An indicator can only have one parent source. An observable inherits these settings from the parent indicator(s). An observable can have multiple parent indicators. For more information, see: Inheriting TID Settings from Multiple Parents, on page 12 Overriding Inherited TID Settings, on page 13 Inheriting TID Settings from Multiple Parents If an observable has multiple parent indicators, the system compares the inherited settings from all the parents and assigns the "strongest" setting to the observable. The relative strengths of inherited settings are: Action: Block > Monitor 12

13 Inheritance in TID Configurations Publish: On > Off For example, SourceA might contribute IndicatorA and related ObservableA: Setting SourceA IndicatorA ObservableA Action Block Block Block Publish Off Off Off If SourceB later contributes IndicatorB, which also includes ObservableA, the system modifies ObservableA as follows: Setting SourceB IndicatorB ObservableA Action Monitor Monitor Block (inherited from IndicatorA) Publish On On On (inherited from IndicatorB) In this example, ObservableA has two parents: one parent for its Action setting and one parent for its Publish setting. If you manually edit the settings for the observable and then revert the settings, the system sets the Action setting to the IndicatorA value and the Publish setting to the IndicatorB value. Overriding Inherited TID Settings Note If you whitelist an observable, whitelisting always takes precedence over the Action setting, whether the setting in the observable is an inherited or override value. To override an inherited setting, change the setting at the child level; see Editing TID Actions at the Source, Indicator, or Observable Level, on page 37 and Publishing TID Data at the Source, Indicator, or Observable Level, on page 35. After you override an inherited setting, the child object retains that setting despite changes to the parent object(s). For example, you might start with the following original settings, with no overrides set: Setting SourceA IndicatorA ObservableA1 ObservableA2 Publish Off Off Off Off If you override the setting for IndicatorA, the settings would be the following: Setting SourceA IndicatorA ObservableA1 ObservableA2 Publish Off On On On 13

14 Fetching TAXII Feeds to Use as Sources In this case, any changes to the Publish setting for SourceA no longer cascade automatically to IndicatorA. However, inheritance from IndicatorA to ObservableA1 and ObservableA2 continues, because the observable settings are not currently set to override values. If you later override the setting for ObservableA1: Setting SourceA IndicatorA ObservableA1 ObservableA2 Publish Off On Off On changes to the Publish setting for IndicatorA no longer cascade automatically to ObservableA1. However, those changes continue to cascade to ObservableA2, because it is not set to an override value. At the observable level, you can revert from an override setting to the inherited setting, and the system resumes cascading setting changes automatically from the parent indicator to that observable. Fetching TAXII Feeds to Use as Sources Smart License Classic License Supported Devices Supported Domains Access Global Admin/Threat Intelligence Director (TID) User 14

15 Fetching Hosted Files to Use as Sources Procedure Step 1 Choose Intelligence > Sources. Step 2 Click the add icon ( ). Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Step 10 Step 11 Choose TAXII as the Delivery method for the source. Enter the discovery URL for the TAXII discovery service. (Optional) If required, enter the Username and Password for a user with credentials to access the TAXII server's directory service. (Optional) If the host server requires an encrypted connection, configure the SSL Settings as described in Configuring SSL Settings for a TID Source, on page 17. Click Feeds to populate the field with feeds from the TAXII server. Choose one or more Feeds to import as sources in TID. TID creates one source for every selected feed. Notice that the Action for a source with STIX as the Type is automatically set to Monitor. Enter the Update Every interval (in minutes) to specify the frequency that TID should update the source. Check the Never Update checkbox if you do not want TID to update the source. Enter the TTL interval (in days) to specify the time to live for stagnant indicators and observables. Step 12 If you want to immediately begin publishing to elements, confirm that the Publish slider ( ) is enabled. For more information, see Publishing TID Data at the Source, Indicator, or Observable Level, on page 35. Step 13 Click Save. Fetching Hosted Files to Use as Sources Smart License Classic License Supported Devices Supported Domains Access Global Admin/Threat Intelligence Director (TID) User Configure a URL source if you want TID to fetch a single feed from a file on a host. For more information about source configuration fields, see Source Configuration Fields, on page 6. 15

16 Uploading Local Files to Use as Sources Procedure Step 1 Choose Intelligence > Sources. Step 2 Click the add icon ( ). Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Step 10 Step 11 Choose URL as the Delivery method for the source. Choose the Type to indicate the data format of the source. If your source is Flat File, choose a Content type that describes the data contained within the source. (Optional) If the host server requires an encrypted connection, configure the SSL Settings as described in Configuring SSL Settings for a TID Source, on page 17. Enter a unique Name for the source. (Optional) Enter a for the source. If your source is Flat File, choose an Action. The Action is automatically set to Monitor if your source is STIX. Enter the Update Every interval (in minutes) to specify the frequency that TID should update the source. Check the Never Update checkbox if you do not want TID to update the source. Enter the TTL interval (in days) to specify the time to live for stagnant indicators and observables. Step 12 If you want to immediately begin publishing to elements, confirm that the Publish slider ( ) is enabled. For more information, see Publishing TID Data at the Source, Indicator, or Observable Level, on page 35. Step 13 Click Save. Uploading Local Files to Use as Sources Smart License Classic License Supported Devices Supported Domains Access Global Admin/Threat Intelligence Director (TID) User Configure an Upload source if you want TID to receive a local file containing a single feed. For more information about source configuration fields, see Source Configuration Fields, on page 6. 16

17 Configuring SSL Settings for a TID Source Procedure Step 1 Choose Intelligence > Sources. Step 2 Click the add icon ( ). Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Step 10 Choose Upload as the Delivery method for the source. Choose the Type to indicate the data format of the source. If you are uploading a flat file, choose a Content type that describes the data contained within the source. To upload the file, click the upload box and browse to the file you want to upload, or drag and drop the file into the upload box. Enter a unique Name for the source. (Optional) Enter a for the source. If you are uploading a flat file, choose an Action. Notice that the Action for a source with STIX as the Type is automatically set to Monitor. Enter the TTL interval (in days) to specify the time to live for stagnant indicators and observables. Step 11 If you want to immediately begin publishing to elements, confirm that the Publish slider ( ) is enabled. For more information, see Publishing TID Data at the Source, Indicator, or Observable Level, on page 35. Step 12 Click Save. Configuring SSL Settings for a TID Source Smart License Classic License Supported Devices Supported Domains Access Global Admin/Threat Intelligence Director (TID) User Configure SSL Settings if the host server requires an encrypted connection. For more information about source configuration fields, see Source Configuration Fields, on page 6. Before You Begin Begin configuring a TAXII or URL source, as described in Fetching TAXII Feeds to Use as Sources, on page 14 or Fetching Hosted Files to Use as Sources, on page

18 Viewing and Managing Sources Procedure Step 1 In the Edit Source dialog, expand the SSL Settings section. Step 2 (Optional) If your server certificate is self-signed, enable Self-Signed Certificate. If not, skip to Step 5. Step 3 Step 4 Step 5 (Optional) Choose a SSL Hostname Verification method. (Optional) If you have access to the self-signed server certificate, enter a Server Certificate. If you do not have access to the self-signed server certificate, leave the Server Certificate blank. After you save the source, TID retrieves the certificate from the server. (Optional) If your server requires a user certificate, enter a User Certificate and a User Private Key. What to Do Next Continue configuring the source. Viewing and Managing Sources Smart License Classic License Supported Devices Supported Domains Access Global Admin/Threat Intelligence Director (TID) User The Sources page displays summary information about all configured sources; see Source Summary Information, on page 19. For detailed information about configurable source fields, see Source Configuration Fields, on page 6. Before You Begin Configure one or more sources as described in Fetching TAXII Feeds to Use as Sources, on page 14, Fetching Hosted Files to Use as Sources, on page 15, or Uploading Local Files to Use as Sources, on page 16. Procedure Step 1 Step 2 Choose Intelligence > Sources. View your sources: To filter the sources displayed on the page, click the Filter icon ( TID Data in Table Views, on page 38. ). For more information, see Filtering To sort the sources displayed on the page, click on any column's Sort icon ( ). For more information, see Sorting TID Data in Table Views, on page

19 Viewing and Managing Sources To view detailed status data, hover the cursor over the text in the Status column. For more information, see Source Status Details, on page 20. Step 3 Manage your sources: To edit the Action setting, see Editing TID Actions at the Source, Indicator, or Observable Level, on page 37. If an action is fixed, it is the only supported action for the source Type. To edit the Publish setting, click the slider ( ). For more information, see Publishing TID Data at the Source, Indicator, or Observable Level, on page 35. To view or edit other fields, click the edit icon ( ). To pause or resume TID updating the source, click Pause Updates or Resume Updates. If you pause updates, updating is paused but existing indicators and observables remain in TID. To delete the source, click the delete icon ( ). This icon is greyed out if the source is still processing. Deleting a source deletes all indicators associated with that source. Associated observables may also be deleted; they are retained if they are associated with indicators remaining in the system. Source Summary Information Table 3: Sources Summary Information The Sources page displays summary information for all configured sources. The table below provides brief descriptions of the fields in the summary display. For detailed information on these fields, see descriptions in Source Configuration Fields, on page 6. Field Name Type Delivery Action Publish Last Updated The source name. The data format of the source (STIX or Flat File). The method TID uses to retrieve the source. The action (Block or Monitor) that the system is configured to perform on traffic matching the data contained within this source. Indicators can inherit Action settings from a parent source, and observables can inherit Action settings from a parent indicator. For more information, see Inheritance in TID Configurations, on page 12. On or Off toggle specifying whether TID publishes data from the source to registered elements. Indicators can inherit Publish settings from a parent source, and observables can inherit Publish settings from a parent indicator. For more information, see Inheritance in TID Configurations, on page 12. The date and time TID last updated the source. 19

20 Viewing and Managing Sources Field Status The current status of the source: New The source is newly created. Scheduled The initial download or subsequent update is scheduled, but not yet in progress. Downloading TID is performing the initial download or update refresh. Parsing or Processing ( ) TID is ingesting the source. Completed ( ) TID finished ingesting the source. Completed with Errors ( or invalid. ) TID finished ingesting the source, but some observables are unsupported Error ( ) TID experienced a problem. If the source is a TAXII or URL source with an Update Frequency specified, and updates are not paused, TID retries on the next scheduled update. Clicking this icon allows you to edit settings for the source. Clicking this icon permanently deletes the source. Source Status Details When you hover over a source's Status value in the Sources summary page, TID provides the additional details described below. Data Status Message Last Updated Next Update Indicators Briefly describes the current status of the source. Specifies the date and time TID last updated the source. Specifies when TID will update the source next. Specifies indicator counts: Consumed The number of indicators TID TID processed during the most recent source update. This number represents all indicators contained in the update, regardless of whether they were ingested or discarded. Discarded The number of malformed indicators that the system did not add to TID during the most recent update. Note For TAXII sources, TID provides separate Last Update and Total indicator counts, because TAXII updates add incremental data, rather than replacing existing data. For indicators from other source types, TID provides only the Last Update count, because updates from those sources replace the existing data set entirely. If all of an indicator's observables are Invalid, TID discards the indicator. 20

21 Viewing and Managing Indicators Data Observables Specifies observable counts: Consumed The number of observables TID TID processed during the most recent source update. This number represents all observables contained in the update, regardless of whether they were ingested or discarded. Unsupported The number of unsupported observables that the system did not add to TID during the most recent update. For more information about supported observable types, see the Content description in Source Configuration Fields, on page 6. Invalid The number of invalid observables that the system did not add to TID during the most recent update. An observable is invalid if it is improperly constructed. For example, is not a valid IPv4 address. Note For TAXII sources, TID provides separate Last Update and Total observable counts, because TAXII updates add incremental data, rather than replacing existing data. For observables from other source types, TID provides only the Last Update count, because updates from those sources replace the existing data set entirely. Viewing and Managing Indicators Smart License Classic License Supported Devices Supported Domains Access Global Admin/Threat Intelligence Director (TID) User The Indicators page displays summary information about all indicators for configured sources. For more information, see Indicator Summary Information, on page 22. Before You Begin Configure one or more sources as described in Fetching TAXII Feeds to Use as Sources, on page 14, Fetching Hosted Files to Use as Sources, on page 15, or Uploading Local Files to Use as Sources, on page 16. Procedure Step 1 Step 2 Step 3 Choose Intelligence > Sources. Click Indicators. View your current indicators: 21

22 Viewing and Managing Indicators To filter the indicators displayed on the page, click the Filter icon ( Filtering TID Data in Table Views, on page 38. ). For more information, see To sort the order of the indicators displayed on the page, click on any column's Sort icon ( ). For more information, see Sorting TID Data in Table Views, on page 39. To view additional details about an indicator (including associated observables), click the indicator name. For more information, see Indicator Details, on page 23. In the Incidents column, click the number to view information about incidents associated with an indicator, or hover the cursor over the icon to view whether the incidents are fully- or partially-realized. To determine whether TID finished ingesting an indicator from the source, view the Status column. Step 4 Manage your current indicators: To edit the Action, see Editing TID Actions at the Source, Indicator, or Observable Level, on page 37. If an action is fixed, it is the only supported action for the source Type. To edit the Publish setting, see Publishing TID Data at the Source, Indicator, or Observable Level, on page 35. To whitelist one or more of an indicator's observables, click the indicator name to access the Indicator Details page. For more information, see Whitelisting TID Observables, on page 38. Indicator Summary Information The Indicators page displays summary information for all indicators associated with configured sources. Table 4: Indicators Summary Information Field Type The indicator type: Simple Contains a single observable. Complex Contains two or more observables. Name Source Incidents The indicator name. The source that contained the indicator (the parent source). Information about any incidents associated with the indicator: an icon specifying whether the incident is partially ( ) or fully ( ) realized the number of incidents associated with the indicator 22

23 Viewing and Managing Indicators Field Action Publish Last Updated Status The action associated with the indicator. For more information, see Editing TID Actions at the Source, Indicator, or Observable Level, on page 37. Indicators can inherit Action settings from a parent source, and observables can inherit Action settings from a parent indicator. For more information, see Inheritance in TID Configurations, on page 12. The publish setting for the indicator. For more information, see Publishing TID Data at the Source, Indicator, or Observable Level, on page 35. Indicators can inherit Publish settings from a parent source, and observables can inherit Publish settings from a parent indicator. For more information, see Inheritance in TID Configurations, on page 12. The date and time TID last updated the indicator. The current status of the indicator: Pending ( ) TID is ingesting the indicator's observables. Completed ( ) TID successfully ingested all of the indicator's observables. Completed With Errors ( ) TID finished ingesting the indicator, but some observables are unsupported or invalid. Indicator Details Table 5: Indicator Details Information The Indicator Details page displays indicator and observable data for an incident. Field Name Source Expires Action The indicator name. The indicator description provided by the source. The source that contained the indicator. The date and time the incident will expire, based on the source's TTL value. The action associated with the indicator. For more information, see Editing TID Actions at the Source, Indicator, or Observable Level, on page 37. Indicators can inherit the Action setting from a parent source, and observables can inherit the Action setting from a parent indicator. For more information, see Inheritance in TID Configurations, on page

24 Viewing and Managing Observables Field Publish Indicator Pattern The publish setting for the indicator. For more information, see Publishing TID Data at the Source, Indicator, or Observable Level, on page 35. Indicators can inherit the Publish setting from a parent source, and observables can inherit the Publish setting from a parent indicator. For more information, see Inheritance in TID Configurations, on page 12. The observables and operators that form the indicator's pattern. Operators link the observables within the indicator. AND relationships are indicated with the AND operator. OR relationships are indicated with the OR operator or by a close grouping of several observables. Optionally, use the Whitelist icon ( TID Observables, on page 38. ) to whitelist an observable. For more information, see Whitelisting Viewing and Managing Observables Smart License Classic License Supported Devices Supported Domains Access Global Admin/Threat Intelligence Director (TID) User The Observables page displays all successfully ingested observables; see Observable Summary Information, on page 25. Before You Begin Configure one or more sources as described in Fetching TAXII Feeds to Use as Sources, on page 14, Fetching Hosted Files to Use as Sources, on page 15, or Uploading Local Files to Use as Sources, on page 16. Procedure Step 1 Step 2 Step 3 Choose Intelligence > Sources. Click Observables. View your current observables: To filter the observables displayed on the page, click the Filter icon ( Filtering TID Data in Table Views, on page 38. ). For more information, see To sort the order of observables displayed on the page, click on any column's Sort icon ( ). For more information, see Sorting TID Data in Table Views, on page 39. To view complete observable data, hover the cursor over text in the Value column. 24

25 Viewing and Managing Observables To view indicators that contain the observable, click the number in the Indicators column. The Incidents page opens with the observable value as the filter. For more information, see Viewing and Managing Indicators, on page 21. Step 4 Manage your current observables: To edit the Action, see Editing TID Actions at the Source, Indicator, or Observable Level, on page 37. To edit an observable's Publish setting, see Publishing TID Data at the Source, Indicator, or Observable Level, on page 35. To change an observable's expiration date, modify the TTL for the parent source. For more information, see Viewing and Managing Sources, on page 18. To whitelist an observable, click the Whitelist icon ( Observables, on page 38. ). For more information, see Whitelisting TID Observable Summary Information The Observables page displays summary information for all ingested observables. Table 6: Observables Summary Information Field Type Value Indicators Action Publish Updated At Expires The type of observable data: SHA-256, Domain, URL, IPv4, or IPv6. The data that comprises the observable. The number of parent indicators containing the observable. The action configured for the observable. For more information, see Editing TID Actions at the Source, Indicator, or Observable Level, on page 37. Indicators can inherit Action settings from a parent source, and observables can inherit Action settings from a parent indicator. For more information, see Inheritance in TID Configurations, on page 12. The publish setting for the observable; see Publishing TID Data at the Source, Indicator, or Observable Level, on page 35. Indicators can inherit Publish settings from a parent source, and observables can inherit Publish settings from a parent indicator. For more information, see Inheritance in TID Configurations, on page 12. The date and time TID last updated the observable. The date that the observable will be automatically purged from TID based on TTL for the parent indicator. 25

26 Using Access Control to Publish TID Data and Generate Events Field Clicking this icon whitelists the observable; see Whitelisting TID Observables, on page 38. Using Access Control to Publish TID Data and Generate Events Smart License Classic License Supported Devices Supported Domains Access Global Admin/Threat Intelligence Director (TID) User You must configure access control policies to publish TID data from the Firepower Management Center to your managed devices (elements). In addition, we recommend that you configure your access control policies to maximize observation and Firepower Management Center event generation. Perform the steps below for each access control policy deployed to a TID element. Procedure Step 1 Step 2 Step 3 Step 4 Step 5 Verify that the Enable Threat Intelligence Director check box is checked in the Advanced Settings tab of the access control policy. This option is enabled by default. For more information, see Access Control Policy Advanced Settings. Add rules to the access control policy if they are not already present. TID requires that the access control policy specify at least one rule. For more information, see Creating a Basic Access Control Policy. If you choose Intrusion Prevention as the default action for the access control policy, associate an SSL policy with the access control policy; see Associating Other Policies with Access Control. If you want SHA-256 observables to generate observations and Firepower Management Center events, create one or more Malware Cloud Lookup or Block Malware file rules and associate the file policy with one or more rules in the access control policy. For more information, see Configuring an Access Control Rule to Perform File Control and AMP. If you want IPv4, IPv6, URL, or Domain Name observations to generate connection and security intelligence events, enable connection and security intelligence logging in the access control policy: In access control rules where you invoked a file policy, enable Log at End of Connection and File Events: Log Files, if not already enabled. For more information, see Logging Connections with Access Control Rules. Verify that default logging (DNS Policy, Networks, and URLs) is enabled in your Security Intelligence settings. For more information, see Logging Connections with Security Intelligence. Step 6 Deploy configuration changes; see Deploying Configuration Changes. 26

27 Using TID to Analyze Incident and Observation Data Using TID to Analyze Incident and Observation Data If you want to analyze incident and observation data generated by TID elements, you must use the Incidents table and Incident Details page. Observation and Incident Generation TID generates an incident when the first observable for an indicator is seen in traffic. Simple indicators are fully realized after a single observation. Complex indicators are partially realized until one or more observations fulfill their pattern. Note TID ignores unsupported, invalid, and whitelisted observables when evaluating an indicator's pattern. After an incident is fully realized, subsequent observations trigger new incidents. Figure 3: Example: Indicator Patterns If TID ingested the observables from the example above and the observables were seen in order, incident generation would proceed as follows: 1 When the system identifies Observable A in traffic, TID: Generates a fully-realized incident for Indicator 1. Generates partially-realized incidents for Indicator 2 and Indicator 3. 27

28 Viewing and Managing Incidents 2 When the system identifies Observable B in traffic, TID: Updates the incident to fully-realized for Indicator 2, since the pattern was fulfilled. Updates the incident to partially-realized for Indicator 3. 3 When the system identifies Observable C in traffic, TID: Updates the incident to fully-realized for Indicator 3, since the pattern was fulfilled. 4 When the system identifies Observable A for a second time, TID: Generates a new fully-realized incident for Indicator 1. Generates new partially-realized incidents for Indicator 2 and Indicator 3. Viewing and Managing Incidents Smart License Classic License Supported Devices Supported Domains Access Global Admin/Threat Intelligence Director (TID) User The Incidents page displays summary information about all TID incidents; see Incident Summary Information, on page 29. Before You Begin Configure one or more sources as described in Fetching TAXII Feeds to Use as Sources, on page 14, Fetching Hosted Files to Use as Sources, on page 15, or Uploading Local Files to Use as Sources, on page 16. Confirm that TID is enabled in your access control policy, as described in Using Access Control to Publish TID Data and Generate Events, on page 26. Understand observation and incident generation, as described in Observation and Incident Generation, on page 27. Procedure Step 1 Step 2 Choose Intelligence > Incidents. View your incidents: Click the Filter icon ( ) to add one or more filters. The default filter is 6 hours. For more information, see Filtering TID Data in Table Views, on page 38. To sort the order of incidents displayed on the page, click on any column's Sort icon ( ). For more information, see Sorting TID Data in Table Views, on page

29 Viewing and Managing Incidents To view the date and time an incident was last updated by TID, hover the cursor over the value in the Last Updated column. To view more information about the indicator associated with the incident, click the text in the Indicator Name column; see Viewing and Managing Indicators, on page 21. To view incident details, click the name in the Incident ID column; see Incident Details, on page 30. Step 3 Step 4 Manage custom incident fields by clicking the Incident ID value for an incident: To assign an optional, custom name to the incident, add or edit text in the Name field. To assign an optional, custom description for the incident, add or edit text in the field. To indicate the relative importance of the incident, assign a rating in the Confidence field. To assign an optional custom tag or keyword to the incident, add or edit text in the Category field. To indicate the status of your investigation into the incident, choose a value from the drop-down list in the Status field. To view all indicator details, click the indicator link immediately under the Indicator heading in the lower section of the window. To expand the indicator summary fields, click the arrow next to the indicator link immediately under the Indicator heading. Manage TID configurations within an incident; see Manage TID Configurations within an Incident, on page 34. Incident Summary Information Table 7: Sources Summary Information The Incidents page displays summary information for all TID incidents. Field Last Updated The number of days since either the system or a user last updated the incident. To view the date and time of the update, hover the cursor over the value in this column. 29

30 Viewing and Managing Incidents Field Incident ID The unique identifier for the incident. This ID has the following format: <type>-<date>-<number> <type> The type of indicator or observable involved in the incident. For simple indicators, this value indicates the observable type: IP (IPv4 or IPv6), URL (URL), DOM (domain), or SHA (SHA-256). For complex indicators, this value is COM. <date> The date (yyyymmdd) on which the incident was created. <number> The daily incident number, that is, a number specifying where the incident occurs in the daily sequence of incidents. Note that this sequence starts at 0. For example, DOM is the 11th incident created on that day. Next to the identifier, the system displays an icon that indicates whether the incident is partially realized ( ) or fully realized ( ). For more information, see Observation and Incident Generation, on page 27. Indicator Name Type Action Taken Status The name of the indicator involved in the incident. To view additional information about the indicator, click the value in this column; see Viewing and Managing Indicators, on page 21. The type of indicator involved in the incident. For more information, see Observable Summary Information, on page 25. The action taken by the system in relation to the incident. For more information, see Incident Details, on page 30. The status of your investigation into the incident. For more information, see Incident Details, on page 30. Clicking this icon permanently deletes the incident. Incident Details The Incident Details window displays information about a single TID incident. This window is divided into two sections: Incident Details: Basic Information, on page 30 Incident Details: Indicator and Observations, on page 31 Incident Details: Basic Information The upper section of the Incident Details window provides the information described below. 30

31 Viewing and Managing Incidents Table 8: Basic Incident Information Fields Field IncidentID or IncidentID Opened Name Observations Confidence Action Taken Category Status An icon indicating the incident's status (partially-realized or fully-realized), as well as the unique identifier for the incident. Note TID ignores unsupported, invalid, or whitelisted observables when determining an incident's status. The date and time the incident was last updated. A custom, optional incident name. A custom, optional incident description. The number of observations within the incident. A custom, optional value that indicates the relative importance of the incident. The action taken by the system: Monitored, Blocked, or Partially Blocked. Partially Blocked indicates that the incident contained both Monitored and Blocked observations. Note The Action Taken indicates the action taken by the system, not necessarily the action selected in TID. For more information, see TID-Firepower Management Center Action Prioritization, on page 42. A custom, optional tag or keyword that you add to the incident. A value indicating the current stage of your analysis of the incident. All incidents are New until you change the Status for the first time. This field is optional. Depending on the needs of your organization, consider using the status values as follows: New The incident requires investigation, but you have not started investigating. Open You are currently investigating the incident. Closed You investigated the incident and took action. Rejected You investigated the incident and determined there was no action to take. Clicking this icon permanently deletes this incident. Incident Details: Indicator and Observations The lower section of the Incident Details window provides an in-depth view of the indicator and observation information. This information is organized as Indicator fields, the indicator pattern, and Observations fields. 31

32 Viewing and Managing Incidents Indicator Section When you first view indicator details, this section displays only the indicator name. Click the indicator name to view the indicator on the Indicators page. Click the down arrow next to the indicator name to view more indicator details without leaving the incident. Detail fields include: Table 9: Indicator Fields Field Source Expires Action Publish Download STIX The indicator description provided by the source. The source that contained the indicator. Click this link to access full source details. The date and time the incident will expire, based on the source's TTL value. The action associated with the indicator. For more information, see Editing TID Actions at the Source, Indicator, or Observable Level, on page 37. The publish setting for the indicator. For more information, see Publishing TID Data at the Source, Indicator, or Observable Level, on page 35. If the source type is STIX, click this button to download the STIX file. Indicator Pattern The indicator pattern is a graphical representation of the observables and operators that comprise the indicator. Operators link the observables within the indicator. AND relationships are indicated with the AND operator. OR relationships are indicated with the OR operator or by a close grouping of several observables. If an observable in the pattern has already been seen, the observable box is white. If an observable has not already been seen, the observable box is grey. In the indicator pattern: Click the Whitelist icon ( ) to whitelist the observable. This icon is present in both white and grey observable boxes. For more information, see Whitelisting TID Observables, on page 38. If you hover the cursor over a white observable box, the system highlights the related observation in the Observations section. If you click on a white observable box, the system highlights the related observation in the Observations section, scrolls that observation into view (if multiple observations are present), and expands that observation's detailed display. If you hover the cursor over or click grey observable box in the indicator pattern, there is no change in the Observations section. Because the observable is unseen, there are no observation details to display yet. 32

33 Viewing and Managing Incidents Observations Section By default, the Observations section displays summary information, which includes: The type of observable that triggered the observation (for example, Domain) The data that comprises the observable Whether the observation is the first observation or a subsequent observation (for example, 1st or 3rd) Note If a single observable has been seen three or more times, TID displays the first and last observation details. The details for intermediary observations are not available. The date and time of the observation The action configured for the observable If you hover the cursor over an observation in the Observations section, the system highlights the related observable in the indicator pattern. If you click an observation in the Observations section, the system highlights the related observable(s) in the indicator pattern and scrolls the first related observable into view (if multiple observables are present). Clicking an observation also expands the details of the observation in the Observations section. Observation details include the following fields: Table 10: Observation Detail Fields Field SOURCE DESTINATION ADDITIONAL INFORMATION Events The source IP address and port for the traffic that triggered the observation. The destination IP address and port for the traffic that triggered the observation. DNS and authentication information related to the traffic that triggered the observation. This clickable link displays if the observation generated connection, security intelligence, file, or malware events. Click the link to view the events in the Firepower Management Center event table; see About Connection Events. 33

34 Manage TID Configurations within an Incident Manage TID Configurations within an Incident Smart License Classic License Supported Devices Supported Domains Access Global Admin/Threat Intelligence Director (TID) User The Incident Details window displays information about a TID incident; see Incident Details, on page 30. Procedure Step 1 Step 2 Step 3 Choose Intelligence > Incidents. Click the Incident ID value for the incident to display the Incident Details window. Manage configurations under the Indicator heading: Configure all indicator settings Click the indicator link immediately under the Indicator heading to edit the full indicator configuration; see Viewing and Managing Indicators, on page 21. Configure all source settings Expand the indicator summary fields under the Indicator heading, then click the Source link to edit the full source configuration; see Viewing and Managing Sources, on page 18. Configure indicator publication Expand the indicator summary fields, then modify the Publish setting for the indicator. For more information about this setting, see Publishing TID Data at the Source, Indicator, or Observable Level, on page 35. Download STIX file If the source was a STIX file, expand the indicator summary fields, then click Download STIX to download the original STIX file. Whitelist an observable Locate an observable box in the indicator pattern, and click the Whitelist icon ( ) in that box. For more information, see Whitelisting TID Observables, on page 38. Common TID Tasks Publishing TID Data at the Source, Indicator, or Observable Level, on page 35 Publishing or Purging TID Data at the Feature Level, on page 36 Editing TID Actions at the Source, Indicator, or Observable Level, on page 37 Whitelisting TID Observables, on page 38 Filtering TID Data in Table Views, on page 38 Sorting TID Data in Table Views, on page 39 Viewing Elements, on page 39 34

35 Publishing TID Data at the Source, Indicator, or Observable Level Publishing TID Data at the Source, Indicator, or Observable Level Smart License Classic License Supported Devices Supported Domains Access Global Admin/Threat Intelligence Director (TID) User Use any of the following pages to toggle TID data publishing for sources, indicators, or observables. If you pause publishing from these pages, the system no longer sends related TID observables to your elements. Note: Pausing publication for a parent pauses all children. If you pause publishing at the source level, you pause publishing for all its indicators. If you pause publishing at the indicator level, you pause publishing for all of its observables. Pausing publication for a child interrupts inheritance. If you pause publishing at the indicator level, and subsequently publish at the source level, publishing for the indicator remains paused until you change the individual setting for the indicator. If you pause publishing at the observable level, and subsequently publish at the indicator level, publishing for the observable remains paused until you change the individual setting for the observable. At the observable level, you can revert automatically to the parent indicator's publishing status. For more information about inheritance, see Inheritance in TID Configurations, on page 12. Publishing for flat file Upload sources can be only be paused at the indicator level. Note To purge all TID observables stored on your elements, see Publishing or Purging TID Data at the Feature Level, on page 36. Procedure Step 1 Choose any of the following: Intelligence > Sources Intelligence > Sources > Indicators Intelligence > Sources > Observables Step 2 Locate the Publish slider ( ) and use it to toggle publishing to elements. Step 3 (Observables only) If you want to resume inheriting the publication setting from the parent indicator, click the revert icon ( ) next to the Publish setting for the observable. 35

36 Setting the Observable Publication Frequency What to Do Next Set the publication frequency for TID data at the observable level; see Setting the Observable Publication Frequency, on page 36. Setting the Observable Publication Frequency Smart License Classic License Supported Devices Supported Domains Access Global Admin/Threat Intelligence Director (TID) User By default, the system publishes observables to TID elements every 5 minutes. Use this procedure to set this interval to a different value. Before You Begin Enable publication of TID data at the observable level; see Publishing TID Data at the Source, Indicator, or Observable Level, on page 35. Procedure Step 1 Step 2 Step 3 Step 4 Choose Objects > Object Management. Choose Security Intelligence > Network Feeds and Lists. Click the edit icon next to the Cisco-TID-Feed. Choose a value from the Update Frequency drop-down list: Choose Disable to stop publication of observable data to elements. Choose any other value to set the interval for observable publication. Step 5 Click Save. Publishing or Purging TID Data at the Feature Level Smart License Classic License Supported Devices Supported Domains Access Global Admin/Threat Intelligence Director (TID) User Use the Settings page to toggle TID data publishing for the entire feature. 36

37 Editing TID Actions at the Source, Indicator, or Observable Level If you pause publishing at the feature level, the system purges all TID observables stored on your elements. You must manually Resume publishing if you want to resume sending TID data to your elements and generating observations. To toggle TID data publishing without purging TID data, see Publishing TID Data at the Source, Indicator, or Observable Level, on page 35. Procedure Step 1 Step 2 Choose Intelligence > Settings. Click Pause or Resume. Editing TID Actions at the Source, Indicator, or Observable Level Smart License Classic License Supported Devices Supported Domains Access Global Admin/Threat Intelligence Director (TID) User Note: Editing the action for a parent sets the action for all children. If you edit the action at the source level, you set the action for all its indicators. If you edit the action at the indicator level, you set the action for all of its observables. Editing the action for a child interrupts inheritance. If you edit the action at the indicator level, and subsequently edit it at the source level, the indicator's action is retained until you edit the action for the individual indicator. If you edit the action at the observable level, and subsequently edit it at the indicator level, the observable's action is retained until you edit the action for the individual observable. At the observable level, you can revert automatically to the parent indicator's action. For more information about inheritance, see Inheritance in TID Configurations, on page 12. For information about action prioritization in the Firepower System, see TID-Firepower Management Center Action Prioritization, on page 42. Procedure Step 1 Choose any of the following: Intelligence > Sources Note TID does not support blocking TAXII sources at the source level. If the TAXII source contains a simple indicator, you can block at the indicator or observable level. Intelligence > Sources > Indicators Note TID does not support blocking complex indicators. Instead, block individual observables within the complex indicator. 37

38 Whitelisting TID Observables Intelligence > Sources > Observables Step 2 Step 3 Use the Action dropdown to choose Monitor ( ) or Block ( ). (Observables only) If you want to resume inheriting the action setting from the parent indicator, click the revert icon ( ) next to the Action setting for the observable. Whitelisting TID Observables If you want to exempt an observable from the specified Action (let the traffic pass without monitoring or blocking), you can whitelist the observable. The Whitelist icon ( ) appears on the indicator details page and the observables page. If you want to whitelist an observable, click the icon. If you whitelist an observable, TID ignores the observable when evaluating for partially or fully realized incidents. For example, if Observable 1 and Observable 2 are linked by the AND operator and you whitelist Observable 1, TID generates a fully realized incident when Observable 2 is seen. Filtering TID Data in Table Views Smart License Classic License Supported Devices Supported Domains Access Global Admin/Threat Intelligence Director (TID) User Procedure Step 1 Choose one of the following TID table views: Intelligence > Incidents Intelligence > Sources Intelligence > Sources > Indicators Intelligence > Sources > Observables 38

39 Sorting TID Data in Table Views Step 2 Click the Filter icon ( ) and choose a filter attribute. Step 3 Choose or enter a value for that filter attribute. Step 4 (Optional) To filter by multiple attributes, click the Filter icon ( ) and repeat Step 2 and Step 3. Step 5 To cancel the changes you have made since you last applied the filter, click Cancel. Step 6 Click Apply to refresh the table with the filter applied. Step 7 To remove a filter attribute individually, click the Remove icon ( ) next to the filter attribute and click Apply to refresh the table. Sorting TID Data in Table Views Smart License Classic License Supported Devices Supported Domains Access Global Admin/Threat Intelligence Director (TID) User Procedure Step 1 Step 2 Choose one of the following TID table views: Intelligence > Incidents Intelligence > Sources Intelligence > Sources > Indicators Intelligence > Sources > Observables To sort the table by the data in a column, click the Sort icon ( ). To reverse the sort order, click the icon again. Viewing Elements Smart License Classic License Supported Devices Supported Domains Access Global Admin/Threat Intelligence Director (TID) User Use the Elements page to view your connected elements. 39

Cisco Threat Intelligence Director (TID)

Cisco Threat Intelligence Director (TID) The topics in this chapter describe how to configure and use TID in the Firepower System. Overview, page 1 Requirements for Threat Intelligence Director, page 4 How To Set Up, page 6 Analyze TID Incident

More information

User Identity Sources

User Identity Sources The following topics describe Firepower System user identity sources, which are sources for user awareness. These users can be controlled with identity and access control policies: About, on page 1 The

More information

Getting Started with Access Control Policies

Getting Started with Access Control Policies Getting Started with Control Policies The following topics describe how to start using access control policies: Introduction to Control, page 1 Managing Control Policies, page 6 Creating a Basic Control

More information

Licensing the Firepower System

Licensing the Firepower System The following topics explain how to license the Firepower System. About Firepower Feature Licenses, page 1 Service Subscriptions for Firepower Features, page 1 Classic Licensing for the Firepower System,

More information

Licensing the Firepower System

Licensing the Firepower System The following topics explain how to license the Firepower System. About Firepower Feature Licenses, page 1 Service Subscriptions for Firepower Features, page 2 Smart Licensing for the Firepower System,

More information

User Accounts for Management Access

User Accounts for Management Access The Firepower Management Center and managed devices include a default admin account for management access. This chapter discusses how to create custom user accounts for supported models. See Logging into

More information

Backup and Restore Introduction

Backup and Restore Introduction The ability to recover from a disaster is an essential part of any system maintenance plan. As part of your disaster recovery plan, Cisco recommends that you back up the Firepower Management Center and

More information

DNS Policies. DNS Policy Overview. The following topics explain DNS policies, DNS rules, and how to deploy DNS policies to managed devices.

DNS Policies. DNS Policy Overview. The following topics explain DNS policies, DNS rules, and how to deploy DNS policies to managed devices. The following topics explain DNS policies, DNS rules, and how to deploy DNS policies to managed devices. DNS Policy Overview, page 1 DNS Policy Components, page 2 DNS Rules, page 6 DNS Policy Deploy, page

More information

User Identity Sources

User Identity Sources The following topics describe Firepower System user identity sources, which are sources for user awareness. These users can be controlled with identity and access control policies: About, page 1 The User

More information

Licensing the Firepower System

Licensing the Firepower System The following topics explain how to license the Firepower System. About Firepower Feature Licenses, on page 1 Service Subscriptions for Firepower Features, on page 2 Smart Licensing for the Firepower System,

More information

Configuration Import and Export

Configuration Import and Export The following topics explain how to use the Import/Export feature: About Configuration Import/Export, page 1 Exporting Configurations, page 3 Importing Configurations, page 4 About Configuration Import/Export

More information

Configuration Import and Export

Configuration Import and Export The following topics explain how to use the Import/Export feature: About Configuration Import/Export, page 1 Exporting Configurations, page 3 Importing Configurations, page 4 About Configuration Import/Export

More information

Firepower Management Center High Availability

Firepower Management Center High Availability The following topics describe how to configure Active/Standby high availability of Cisco Firepower Management Centers: About, on page 1 Establishing, on page 7 Viewing Status, on page 8 Configurations

More information

Realms and Identity Policies

Realms and Identity Policies The following topics describe realms and identity policies: About, page 1 Create a Realm, page 8 Create an Identity Policy, page 15 Create an Identity Rule, page 15 Manage a Realm, page 20 Manage an Identity

More information

The following topics describe how to manage various policies on the Firepower Management Center:

The following topics describe how to manage various policies on the Firepower Management Center: The following topics describe how to manage various policies on the Firepower Management Center: Policy Deployment, page 1 Policy Comparison, page 11 Policy Reports, page 12 Out-of-Date Policies, page

More information

System Administration

System Administration Most of SocialMiner system administration is performed using the panel. This section describes the parts of the panel as well as other administrative procedures including backup and restore, managing certificates,

More information

Device Management Basics

Device Management Basics The following topics describe how to manage devices in the Firepower System: The Device Management Page, on page 1 Remote Management Configuration, on page 2 Adding Devices to the Firepower Management

More information

Monitoring the Device

Monitoring the Device The system includes dashboards and an Event Viewer that you can use to monitor the device and traffic that is passing through the device. Enable Logging to Obtain Traffic Statistics, page 1 Monitoring

More information

Realms and Identity Policies

Realms and Identity Policies The following topics describe realms and identity policies: Introduction:, page 1 Creating a Realm, page 5 Creating an Identity Policy, page 11 Creating an Identity Rule, page 15 Managing Realms, page

More information

The following topics describe how to use dashboards in the Firepower System:

The following topics describe how to use dashboards in the Firepower System: The following topics describe how to use dashboards in the Firepower System: About, page 1 Firepower System Dashboard Widgets, page 2 Managing, page 14 About Firepower System dashboards provide you with

More information

The following topics describe how to configure correlation policies and rules.

The following topics describe how to configure correlation policies and rules. The following topics describe how to configure correlation policies and rules. Introduction to and Rules, page 1 Configuring, page 2 Configuring Correlation Rules, page 5 Configuring Correlation Response

More information

The following topics describe how to use backup and restore features in the Firepower System:

The following topics describe how to use backup and restore features in the Firepower System: The following topics describe how to use backup and restore features in the Firepower System: Introduction, page 1 Limitations, page 1 Backup Files, page 2 Backing up a Firepower Management Center, page

More information

Connection Logging. Introduction to Connection Logging

Connection Logging. Introduction to Connection Logging The following topics describe how to configure the Firepower System to log connections made by hosts on your monitored network: Introduction to, page 1 Strategies, page 2 Logging Decryptable Connections

More information

Platform Settings for Classic Devices

Platform Settings for Classic Devices The following topics explain Firepower platform settings and how to configure them on Classic devices: Introduction to Firepower Platform Settings, page 1 Configuring Firepower Platform Settings, page

More information

Realms and Identity Policies

Realms and Identity Policies The following topics describe realms and identity policies: About, page 1 Create a Realm, page 8 Create an Identity Policy, page 14 Create an Identity Rule, page 15 Manage a Realm, page 17 Manage an Identity

More information

File Reputation Filtering and File Analysis

File Reputation Filtering and File Analysis This chapter contains the following sections: Overview of, page 1 Configuring File Reputation and Analysis Features, page 5 File Reputation and File Analysis Reporting and Tracking, page 14 Taking Action

More information

Features and Functionality

Features and Functionality Features and functionality introduced in previous versions may be superseded by new features and functionality in later versions. New or Changed Functionality in Version 6.2.2.x, page 1 Features Introduced

More information

System Software Updates

System Software Updates The following topics explain how to update Firepower deployments: About Firepower Updates, on page 1 Guidelines and Limitations for Firepower Updates, on page 2 Upgrade Firepower System Software, on page

More information

Access Control. Access Control Overview. Access Control Rules and the Default Action

Access Control. Access Control Overview. Access Control Rules and the Default Action The following topics explain access control rules. These rules control which traffic is allowed to pass through the device, and apply advanced services to the traffic, such as intrusion inspection. Overview,

More information

Getting Started with Network Analysis Policies

Getting Started with Network Analysis Policies The following topics describe how to get started with network analysis policies: Network Analysis Policy Basics, page 1 Managing Network Analysis Policies, page 2 Network Analysis Policy Basics Network

More information

File Policies and Advanced Malware Protection

File Policies and Advanced Malware Protection The following topics provide an overview of file control, file policies, file rules, AMP cloud connections, and dynamic analysis connections. About, on page 1 File Control and Cisco AMP Basics, on page

More information

Access Control Using Intrusion and File Policies

Access Control Using Intrusion and File Policies The following topics describe how to configure access control policies to use intrusion and file policies: Intrusions and Malware Inspection Overview, page 1 Access Control Traffic Handling, page 2 File

More information

KYOCERA Net Admin User Guide

KYOCERA Net Admin User Guide KYOCERA Net Admin User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable

More information

Security Management System Release Notes

Security Management System Release Notes Security Management System Release Notes Version 5.1 Important notes You can upgrade the SMS to v5.1 directly from SMS v4.4 or later. If you are upgrading from a release earlier than v4.4 you must first

More information

Use Cases for Firepower Threat Defense

Use Cases for Firepower Threat Defense The following topics explain some common tasks you might want to accomplish with Firepower Threat Defense using Firepower Device Manager. These use cases assume that you completed the device configuration

More information

Logging into the Firepower System

Logging into the Firepower System The following topics describe how to log into the Firepower System: Firepower System User Accounts, on page 1 User Interfaces in Firepower Management Center Deployments, on page 3 Logging Into the Firepower

More information

Managing CX Devices in Multiple Device Mode

Managing CX Devices in Multiple Device Mode Tip Device inventory management applies to PRSM in Multiple Device mode only. If you are configuring a CX device through a direct connection to the device, you do not need to add the device to the inventory

More information

Prefiltering and Prefilter Policies

Prefiltering and Prefilter Policies The following topics describe how to configure prefiltering: Introduction to Prefiltering, on page 1 Prefiltering vs Access Control, on page 2 About Prefilter Policies, on page 4 Configuring Prefiltering,

More information

File Policies and AMP for Firepower

File Policies and AMP for Firepower The following topics provide an overview of file control, file policies, file rules, AMP cloud connections, and dynamic analysis connections. About, page 1 File Control and Cisco AMP Basics, page 2 File

More information

Access Control. Access Control Overview. Access Control Rules and the Default Action

Access Control. Access Control Overview. Access Control Rules and the Default Action The following topics explain access control rules. These rules control which traffic is allowed to pass through the device, and apply advanced services to the traffic, such as intrusion inspection. Overview,

More information

Managing Certificates

Managing Certificates CHAPTER 12 The Cisco Identity Services Engine (Cisco ISE) relies on public key infrastructure (PKI) to provide secure communication for the following: Client and server authentication for Transport Layer

More information

<Partner Name> RSA NETWITNESS Security Operations Implementation Guide. Swimlane 2.x. <Partner Product>

<Partner Name> RSA NETWITNESS Security Operations Implementation Guide. Swimlane 2.x. <Partner Product> RSA NETWITNESS Security Operations Implementation Guide Jeffrey Carlson, RSA Partner Engineering Last Modified: 05/01/2017 Solution Summary The RSA NetWitness integration

More information

Task Scheduling. Introduction to Task Scheduling. Configuring a Recurring Task

Task Scheduling. Introduction to Task Scheduling. Configuring a Recurring Task The following topics explain how to schedule tasks: Introduction to, on page 1 Configuring a Recurring Task, on page 1 Scheduled Task Review, on page 17 Introduction to You can schedule many different

More information

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8 Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.8 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

Network Discovery Policies

Network Discovery Policies The following topics describe how to create, configure, and manage network discovery policies: Overview:, page 1 Network Discovery Customization, page 2 Network Discovery Rules, page 3 Configuring Advanced

More information

Connection Logging. About Connection Logging

Connection Logging. About Connection Logging The following topics describe how to configure the Firepower System to log connections made by hosts on your monitored network: About, page 1 Strategies, page 2 Logging Decryptable Connections with SSL

More information

Intrusion Prevention Performance Tuning

Intrusion Prevention Performance Tuning The following topics describe how to refine intrusion prevention performance: About, page 1 Limiting Pattern Matching for Intrusions, page 2 Regular Expression Limits Overrides for Intrusion Rules, page

More information

Configuring the Cisco APIC-EM Settings

Configuring the Cisco APIC-EM Settings Logging into the Cisco APIC-EM, page 1 Quick Tour of the APIC-EM Graphical User Interface (GUI), page 2 Configuring the Prime Infrastructure Settings, page 3 Discovery Credentials, page 4 Security, page

More information

Licensing the System

Licensing the System The following topics explain how to license the Firepower Threat Defense device. Smart Licensing for the Firepower System, page 1 Managing Smart Licenses, page 3 Smart Licensing for the Firepower System

More information

Connection and Security Intelligence Events

Connection and Security Intelligence Events and Security Intelligence Events The following topics describe how to use connection and security events tables. Event Basics, page 1 Using and Security Intelligence Event Tables, page 22 Viewing the Summary

More information

Setting Up Resources in VMware Identity Manager

Setting Up Resources in VMware Identity Manager Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.7 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Enforced Client Policy & Reporting Server (EPRS) 2.3. Administration Guide

Enforced Client Policy & Reporting Server (EPRS) 2.3. Administration Guide Enforced Client Policy & Reporting Server (EPRS) 2.3 Copyright 2016 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. Dell, the

More information

VMware AirWatch Google Sync Integration Guide Securing Your Infrastructure

VMware AirWatch Google Sync Integration Guide Securing Your  Infrastructure VMware AirWatch Google Sync Integration Guide Securing Your Email Infrastructure AirWatch v9.2 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

Administrative Training Mura CMS Version 5.6

Administrative Training Mura CMS Version 5.6 Administrative Training Mura CMS Version 5.6 Published: March 9, 2012 Table of Contents Mura CMS Overview! 6 Dashboard!... 6 Site Manager!... 6 Drafts!... 6 Components!... 6 Categories!... 6 Content Collections:

More information

Use Cases for Firepower Threat Defense

Use Cases for Firepower Threat Defense The following topics explain some common tasks you might want to accomplish with Firepower Threat Defense using Firepower Device Manager. These use cases assume that you completed the device configuration

More information

Using ANM With Virtual Data Centers

Using ANM With Virtual Data Centers APPENDIXB Date: 3/8/10 This appendix describes how to integrate ANM with VMware vcenter Server, which is a third-party product for creating and managing virtual data centers. Using VMware vsphere Client,

More information

The following topics describe how to work with reports in the Firepower System:

The following topics describe how to work with reports in the Firepower System: The following topics describe how to work with reports in the Firepower System: Introduction to Reports Introduction to Reports, on page 1 Risk Reports, on page 1 Standard Reports, on page 2 About Working

More information

Working with Reports

Working with Reports The following topics describe how to work with reports in the Firepower System: Introduction to Reports, page 1 Risk Reports, page 1 Standard Reports, page 2 About Working with Generated Reports, page

More information

Device Management Basics

Device Management Basics The following topics describe how to manage devices in the Firepower System: The Device Management Page, on page 1 Remote Management Configuration, on page 2 Add Devices to the Firepower Management Center,

More information

Administrator Guide. Find out how to set up and use MyKerio to centralize and unify your Kerio software administration.

Administrator Guide. Find out how to set up and use MyKerio to centralize and unify your Kerio software administration. Administrator Guide Find out how to set up and use MyKerio to centralize and unify your Kerio software administration. The information and content in this document is provided for informational purposes

More information

MITEL. Live Content Suite. Mitel Live Content Suite Installation and Administrator Guide Release 1.1

MITEL. Live Content Suite. Mitel Live Content Suite Installation and Administrator Guide Release 1.1 MITEL Live Content Suite Mitel Live Content Suite Installation and Administrator Guide Release 1.1 NOTICE The information contained in this document is believed to be accurate in all respects but is not

More information

Access Control Rules: Network-Based

Access Control Rules: Network-Based The following topics describe how to configure network traffic logging and handling: Introduction to Network-Based Access Control Rules, page 1 Access Control Rules: Security Zone Conditions, page 2 Access

More information

Administration Guide. Lavastorm Analytics Engine 6.1.1

Administration Guide. Lavastorm Analytics Engine 6.1.1 Administration Guide Lavastorm Analytics Engine 6.1.1 Lavastorm Analytics Engine 6.1.1: Administration Guide Legal notice Copyright THE CONTENTS OF THIS DOCUMENT ARE THE COPYRIGHT OF LIMITED. ALL RIGHTS

More information

Remote Access VPN. Remote Access VPN Overview. Licensing Requirements for Remote Access VPN

Remote Access VPN. Remote Access VPN Overview. Licensing Requirements for Remote Access VPN Remote Access virtual private network (VPN) allows individual users to connect to your network from a remote location using a laptop or desktop computer connected to the Internet. This allows mobile workers

More information

External Alerting with Alert Responses

External Alerting with Alert Responses The following topics describe how to send external event alerts from the Firepower Management Center using alert responses: Firepower Management Center Alert Responses, page 1 Creating an SNMP Alert Response,

More information

The following topics provide more information on user identity. Establishing User Identity Through Passive Authentication

The following topics provide more information on user identity. Establishing User Identity Through Passive Authentication You can use identity policies to collect user identity information from connections. You can then view usage based on user identity in the dashboards, and configure access control based on user or user

More information

Managing External Identity Sources

Managing External Identity Sources CHAPTER 5 The Cisco Identity Services Engine (Cisco ISE) integrates with external identity sources to validate credentials in user authentication functions, and to retrieve group information and other

More information

Identity Policies. Identity Policy Overview. Establishing User Identity through Active Authentication

Identity Policies. Identity Policy Overview. Establishing User Identity through Active Authentication You can use identity policies to collect user identity information from connections. You can then view usage based on user identity in the dashboards, and configure access control based on user or user

More information

Access Control Using Intrusion and File Policies

Access Control Using Intrusion and File Policies The following topics describe how to configure access control policies to use intrusion and file policies: About Deep Inspection, page 1 Access Control Traffic Handling, page 2 File and Intrusion Inspection

More information

Create Decryption Policies to Control HTTPS Traffic

Create Decryption Policies to Control HTTPS Traffic Create Decryption Policies to Control HTTPS Traffic This chapter contains the following sections: Overview of Create Decryption Policies to Control HTTPS Traffic, page 1 Managing HTTPS Traffic through

More information

Administering isupport

Administering isupport Administering isupport Tracking and Monitoring isupport Usage Agents perform tasks in the background that are an integral part of isupport functionality. See Enabling and Scheduling Agents on page 2 for

More information

Sensitive Data Detection

Sensitive Data Detection The following topics explain sensitive data detection and how to configure it: Basics, page 1 Global Options, page 2 Individual Sensitive Data Type Options, page 3 System-Provided Sensitive Data Types,

More information

Using the SSM Administration Console

Using the SSM Administration Console CHAPTER 6 Your user role controls whether you can access the SSM Administration Console. The following information is included in this section: SSM Administration Console Overview, page 6-1 Launching the

More information

Access Control Using Intelligent Application Bypass

Access Control Using Intelligent Application Bypass Access Control Using Intelligent Application Bypass The following topics describe how to configure access control policies to use Intelligent Application Bypass: Introducing Intelligent Application Bypass,

More information

System Configuration. The following topics explain how to configure system configuration settings on Firepower Management Centers and managed devices:

System Configuration. The following topics explain how to configure system configuration settings on Firepower Management Centers and managed devices: The following topics explain how to configure system configuration settings on Firepower Management Centers and managed devices: Introduction to, page 2 Appliance Information, page 5 Custom HTTPS Certificates,

More information

Horizon Cloud with On-Premises Infrastructure Administration Guide. VMware Horizon Cloud Service Horizon Cloud with On-Premises Infrastructure 1.

Horizon Cloud with On-Premises Infrastructure Administration Guide. VMware Horizon Cloud Service Horizon Cloud with On-Premises Infrastructure 1. Horizon Cloud with On-Premises Infrastructure Administration Guide VMware Horizon Cloud Service Horizon Cloud with On-Premises Infrastructure 1.3 Horizon Cloud with On-Premises Infrastructure Administration

More information

Google Sync Integration Guide. VMware Workspace ONE UEM 1902

Google Sync Integration Guide. VMware Workspace ONE UEM 1902 Google Sync Integration Guide VMware Workspace ONE UEM 1902 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

Administering the CAM

Administering the CAM 14 CHAPTER This chapter discusses the Administration pages for the Clean Access Manager. Topics include: Overview, page 14-1 Network, page 14-2 Failover, page 14-4 Set System Time, page 14-5 Manage CAM

More information

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1 Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1 Setting Up Resources in VMware Identity Manager (On Premises) You can find the most up-to-date

More information

Identity Firewall. About the Identity Firewall

Identity Firewall. About the Identity Firewall This chapter describes how to configure the ASA for the. About the, on page 1 Guidelines for the, on page 7 Prerequisites for the, on page 9 Configure the, on page 10 Monitoring the, on page 16 History

More information

Managing Video Feeds. About Video Feeds CHAPTER

Managing Video Feeds. About Video Feeds CHAPTER CHAPTER 5 This chapter describes how to use the VSOM Video Feeds area to set up and manage camera groups and feeds, import camera configurations into VSOM using batch administration, and set up archives

More information

ACS 5.x: LDAP Server Configuration Example

ACS 5.x: LDAP Server Configuration Example ACS 5.x: LDAP Server Configuration Example Document ID: 113473 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information Directory Service Authentication Using

More information

Add and Organize Devices

Add and Organize Devices This chapter contains the following topics: Add Devices to Prime Infrastructure, on page 1 Import Devices from Another Source, on page 7 Create Device Import CSV Files, on page 7 Add Devices Manually (New

More information

F5 BIG-IQ Centralized Management: Device. Version 5.3

F5 BIG-IQ Centralized Management: Device. Version 5.3 F5 BIG-IQ Centralized Management: Device Version 5.3 Table of Contents Table of Contents BIG-IQ Centralized Management Overview... 5 About BIG-IQ Centralized Management... 5 Device Discovery and Basic

More information

Accessing Data from the Web Interface

Accessing Data from the Web Interface 5 CHAPTER This chapter provides information about accessing Prime Performance Manager data from Prime Performance Manager web interface. This chapter contains: Supported Browsers, page 5-1 Accessing Prime

More information

Configuring the Management Access List

Configuring the Management Access List The following topics explain how to configure the various system settings that are grouped together on the page. The settings cover overall system function. Configuring the Management Access List, page

More information

Configuring Cisco TelePresence Manager

Configuring Cisco TelePresence Manager CHAPTER 3 Revised: November 27, 2006, First Published: November 27, 2006 Contents Introduction, page 3-1 System Configuration Tasks, page 3-2 Security Settings, page 3-3 Database, page 3-4 Room Phone UI,

More information

Infoblox Authenticated DHCP

Infoblox Authenticated DHCP Infoblox Authenticated DHCP Unified Visitor Management amigopod Technical Note Revision 1.1 5 July 2010 United States of America +1 (888) 590-0882 Europe, Middle East & Asia +34 91 766 57 22 Australia

More information

VMware Horizon Cloud Service on Microsoft Azure Administration Guide

VMware Horizon Cloud Service on Microsoft Azure Administration Guide VMware Horizon Cloud Service on Microsoft Azure Administration Guide VMware Horizon Cloud Service VMware Horizon Cloud Service on Microsoft Azure 1.4 You can find the most up-to-date technical documentation

More information

VMware AirWatch Google Sync Integration Guide Securing Your Infrastructure

VMware AirWatch Google Sync Integration Guide Securing Your  Infrastructure VMware AirWatch Google Sync Integration Guide Securing Your Email Infrastructure Workspace ONE UEM v9.5 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard

More information

F5 BIG-IQ Centralized Management: Local Traffic & Network. Version 5.2

F5 BIG-IQ Centralized Management: Local Traffic & Network. Version 5.2 F5 BIG-IQ Centralized Management: Local Traffic & Network Version 5.2 Table of Contents Table of Contents BIG-IQ Local Traffic & Network: Overview... 5 What is Local Traffic & Network?... 5 Understanding

More information

Using SSL to Secure Client/Server Connections

Using SSL to Secure Client/Server Connections Using SSL to Secure Client/Server Connections Using SSL to Secure Client/Server Connections, page 1 Using SSL to Secure Client/Server Connections Introduction This chapter contains information on creating

More information

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810 Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN VMware Workspace ONE UEM 1810 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

F5 Azure Cloud Try User Guide. F5 Networks, Inc. Rev. September 2016

F5 Azure Cloud Try User Guide. F5 Networks, Inc. Rev. September 2016 F5 Azure Cloud Try User Guide F5 Networks, Inc. Rev. September 2016 Azureinfo@f5.com Table of Contents Introduction... 3 F5 Web Application Firewall Solution, (WAF) Review... 3 Configuring SSO/Pre-authentication

More information

Legal Notes. Regarding Trademarks KYOCERA MITA Corporation

Legal Notes. Regarding Trademarks KYOCERA MITA Corporation Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for any problems arising from

More information

VMware AirWatch Integration with F5 Guide Enabling secure connections between mobile applications and your backend resources

VMware AirWatch Integration with F5 Guide Enabling secure connections between mobile applications and your backend resources VMware AirWatch Integration with F5 Guide Enabling secure connections between mobile applications and your backend resources Workspace ONE UEM v9.6 Have documentation feedback? Submit a Documentation Feedback

More information

Searching for Events. Event Searches. The following topics describe how to search for events within a workflow:

Searching for Events. Event Searches. The following topics describe how to search for events within a workflow: The following topics describe how to search for events within a workflow: Event Searches, page 1 Query Overrides Via the Shell, page 9 Event Searches The Firepower System generates information that is

More information

F5 BIG-IQ Centralized Management: Device. Version 5.2

F5 BIG-IQ Centralized Management: Device. Version 5.2 F5 BIG-IQ Centralized Management: Device Version 5.2 Table of Contents Table of Contents BIG-IQ Centralized Management Overview... 5 About BIG-IQ Centralized Management... 5 Device Discovery and Basic

More information

Rule Management: Common Characteristics

Rule Management: Common Characteristics The following topics describe how to manage common characteristics of rules in various policies on the Firepower Management Center: Introduction to Rules, page 1 Rule Condition Types, page 2 Searching

More information

Mozy User Guide Document Revision Date: Sept. 18, 2013

Mozy User Guide Document Revision Date: Sept. 18, 2013 Mozy User Guide Document Revision Date: Sept. 18, 2013 Mozy User Guide i Contents Overview... 1 Installing Mozy... 2 Using the Settings Window... 3 Select Files to Back Up with the File System Tab... 10

More information