How to Send Events Directly to the Cisco Cloud and Integrate with SecureX
Note: If your devices are already sending events to the cloud, you do not need to configure sending them again. SecureX and Cisco SecureX threat response use the same set of event data.

| | Do This | More Information |
|---|---|---|
| Step | Make decisions about the events to send, the method of sending those events, the regional cloud to use, etc. | See the topics under Important Information About Integrating Firepower Threat Defense (FTD) and Cisco SecureX Threat Response/SecureX |
| Step | Meet requirements | Requirements for Direct Integration and its subtopics. |
| Step | In your browser, access Security Services Exchange, the cloud portal for Cisco SecureX threat response/SecureX that you will use for managing devices and filtering events. | |
| Step | (FDM Only) If you are using Cisco Defense Orchestrator (CDO) to manage configurations on your Firepower Threat Defense device, you must merge your CDO account with the account you use for the services described in this document. | See Link Your Cisco Defense Orchestrator and Cisco XDR Tenant Accounts. |
| Step | In Security Services Exchange, link your licensing accounts so that you can view and work with event data from devices registered to different accounts in your organization. | |
| Step | In Security Services Exchange, enable the eventing service. | Click Cloud Services and enable these options: |
| Step | In your product, enable integration with the Cisco cloud. | Tip: Don't skip the prerequisites in these topics! |
| Step | Allow time for your system to generate events. | -- |
| Step | Verify that your integration is set up correctly. If necessary, troubleshoot issues. | See: |
| Step | In Security Services Exchange, configure the system to automatically promote significant events. | See information in the online help in Security Services Exchange about promoting events. To access SSE, see Access Security Services Exchange. |
| Step | (Optional) In Security Services Exchange, configure automatic deletion of certain non-significant events. | See information in the online help in Security Services Exchange about filtering events. To access SSE, see Access Security Services Exchange. |
| Step | In SecureX, add a module. With this module configured, CTR will return sightings from intrusion events in SSE even if they have not been promoted. | In SecureX, navigate to Integration Modules > Available Integration Modules and add a module. For more information about this module, see the online help in SecureX. |
| Step | In Cisco SecureX threat response, verify that promoted events appear as expected in the Incident Manager. | In Cisco SecureX threat response, click Incidents. |