Integrating the Appliance with Cisco Threat Response
You can integrate your appliance with Cisco Threat Response, and perform the following actions in Cisco Threat Response:
- View the web tracking data from multiple appliances in your organization.
- Identify, investigate and remediate threats observed in web tracking.
- Resolve the identified threats rapidly and provide recommended actions to take against the identified threats.
- Document the threats in the portal to save the investigation, and enable collaboration of information among other devices on the portal.
To integrate your appliance with Cisco Threat Response, you need to register your appliance with Cisco Threat Response.
You can access Cisco Threat Response using the following URLs:
- https://visibility.amp.cisco.com (North Americas)
- https://visibility.eu.amp.cisco.com (Europe)

Note: If you have enabled and registered for CTR on your appliances, then the appliances automatically start sending the Cisco Success Network (CSN) telemetry data to Cisco. See Improving User Experience of Cisco Web Security Appliance using Cisco Success Network.
Before you begin
- Access the CLI and enable the reportingconfig > CTROBSERVABLE command. When you enable the CTR observable indexing using this command, you can index the URLs accessed by the users. It also provides granularity to search any URLs in the appliance tracking database.
- You require a Cisco Security user account to access Cisco Threat Response. If any user in your organization already has a Cisco Security account, contact your system administrator. If you do not have a Cisco Security user account, you can create one at the Cisco Threat Response login page. Make sure that you create a user account in Cisco Threat Response with admin access rights. To create a new user account, go to the Cisco Threat Response login page using the following URL - https://visibility.amp.cisco.com (North Americas) or https://visibility.eu.amp.cisco.com (Europe) and click Create a Cisco Security account in the login page. If you are unable to create a new user account, contact Cisco TAC for assistance.
- Make sure that you enable Cisco Threat Response integration on the Cisco Security Services Exchange (SSE) portal. For more information, see the Cisco Threat Response documentation at https://visibility.amp.cisco.com/help/module-wsa (North Americas) or https://visibility.eu.amp.cisco.com/help/module-wsa (Europe).
- Make sure that you open outbound HTTPS (port 443) on the firewall for the following FQDNs to register your appliance with Cisco Threat Response:
  - api-sse.cisco.com (applicable for Americas users only)
  - api.eu.sse.itd.cisco.com (applicable for European Union (EU) users only)
  - api.apj.sse.itd.cisco.com (applicable for APJC users only)
  - est.sco.cisco.com (applicable for Americas, EU, and APJC users)
- Ensure that your DNS server can resolve the hostname configured on the management (M1) interface.
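A pre-flight check for the last two prerequisites, as an added example that is not part of the Cisco documentation: it selects the FQDNs for one region, tests outbound TCP 443 to each, and confirms that the M1 hostname resolves. The region keys, function names and command-line arguments are assumptions made for this example; run it from a host that uses the same DNS server and firewall path as the appliance's management interface.

```python
import socket
import sys

# FQDNs and region applicability exactly as listed in the prerequisites above.
REGION_API = {  # region keys are this example's own naming
    "americas": "api-sse.cisco.com",
    "eu": "api.eu.sse.itd.cisco.com",
    "apjc": "api.apj.sse.itd.cisco.com",
}
ALL_REGIONS = "est.sco.cisco.com"
PORT = 443  # outbound HTTPS

def required_fqdns(region):
    """Return only the FQDNs this region needs, so the firewall rule stays minimal."""
    key = region.strip().lower()
    if key not in REGION_API:
        raise ValueError(f"unknown region {region!r}; expected one of {sorted(REGION_API)}")
    return [REGION_API[key], ALL_REGIONS]

def _resolve(host):
    # Unique addresses the local resolver returns for the hostname.
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def _connect(host, port, timeout=5):
    # Plain TCP connect; raises OSError if blocked, refused or timed out.
    with socket.create_connection((host, port), timeout=timeout):
        return True

def preflight(region, m1_hostname, resolve=_resolve, connect=_connect):
    """Run the DNS and TCP checks; return (check, target, ok, detail) tuples."""
    results = []
    try:
        results.append(("dns", m1_hostname, True, ", ".join(resolve(m1_hostname))))
    except OSError as exc:
        results.append(("dns", m1_hostname, False, str(exc)))
    for fqdn in required_fqdns(region):
        try:
            connect(fqdn, PORT)
            results.append(("tcp/443", fqdn, True, "reachable"))
        except OSError as exc:
            results.append(("tcp/443", fqdn, False, str(exc)))
    return results

if __name__ == "__main__":
    # Usage: python preflight.py <americas|eu|apjc> <M1 hostname>
    rows = preflight(sys.argv[1], sys.argv[2])
    for check, target, ok, detail in rows:
        print(f"{'PASS' if ok else 'FAIL'}  {check:8} {target}  {detail}")
    sys.exit(0 if all(r[2] for r in rows) else 1)
```

A passing TCP connect only shows that the port is open on that path; it does not exercise TLS or the registration itself.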
Procedure
Step 1: Log in to your appliance.
Step 2: Select Networks > Cloud Service Settings.
Step 3: Click Edit Settings.
Step 4: Check Enable.
Step 5: Submit and commit your changes.
Step 6: Navigate back to the Cloud Service Settings page after a few minutes to register your appliance with Cisco Threat Response.
Step 7: Choose your preferred server from the Threat Response Server drop-down list.
Step 8: Obtain a registration token from Cisco Threat Response to register your appliance with Cisco Threat Response. For more information, see the Cisco Threat Response documentation at https://visibility.amp.cisco.com/help/module-wsa (North Americas) or https://visibility.eu.amp.cisco.com/help/module-wsa (Europe).
Step 9: Enter the registration token obtained from Cisco Threat Response and click Register.
Step 10: Add your appliance as an integration module to Cisco Threat Response. For more information, see the Cisco Threat Response documentation at https://visibility.amp.cisco.com/help/module-wsa (North Americas) or https://visibility.eu.amp.cisco.com/help/module-wsa (Europe).
What to do next
After you add your appliance as an integration module in Cisco Threat Response, you can view the web tracking information from your appliance in Cisco Threat Response. For more information, see the Cisco Threat Response documentation at https://visibility.amp.cisco.com/help/module-wsa (North Americas) or https://visibility.eu.amp.cisco.com/help/module-wsa (Europe).
Note: To deregister your appliance connection from Cisco Threat Response, click Deregister in the Cloud Services Settings page in your appliance.