Cisco Firepower Out-of-the-box Response Integration

To learn more about Out-of-the-box Integrations and their benefits, please refer to this article.
In this article, you will find out how to configure Cisco Firepower to receive and block adversaries detected by Lumu and improve the detection & response capabilities of your organization.

Requirements

  1. Valid License for Cisco Firepower appliance
    1. Threat license to use Security Intelligence. To learn how to enable this optional license, refer to Cisco Firepower’s official documentation.
  2. Firewall Management Center (FMC) software version
    1. 7.0.0 (build 94) or greater
    2. SSL Inspection feature enabled. Lumu may provide HTTPS URLs in its list, which requires the use of this feature. For more information, refer to Cisco’s official documentation.
  3. Lumu Defender Active subscription

Add Integration

1. Log in to your Lumu account through the Lumu Portal and navigate to the Integrations screen.

Integrations Screen

2. Locate the Firepower integration in the available apps area and add the integration using the corresponding option to view more details. Familiarize yourself with the integration details available in the app description. Activate the integration using the corresponding option.





3. To generate the integration URL, add a description and select the threat types you want to include in the list.

Configure the integration

4. Once you create the integration, you will be provided with the Integration URL:


To integrate Lumu with Cisco Firepower you may need an MD5 URL. To obtain it, replace the .txt extension with .md5 in the provided URL. This is an example of an MD5 URL: https://defender.lumu.io/static/<integration_uuid>.md5
You will only need this type of URL if you plan on setting the feed’s refresh rate to 30 minutes or less.

Configure your FMC

Add a new Security Intelligence URL feed by following the instructions in the Firepower Management Center Configuration Guide.
The recommended update frequency for this type of integration is 60 minutes. Evaluate this interval against your environment’s particular needs. If after this evaluation you decide to set the refresh rate to 30 minutes or less, the FMC will request an MD5 checksum file. You can find instructions to generate this URL at the end of the previous section.
Once the new URL feed object has been added, you may use it in your blocking rules/policies by following the configuration workflow provided by Cisco in their documentation.
If you delete your integration from Lumu, the integration URL feed will no longer be valid; however, the FMC will still block the adversaries obtained from the last available version of the feed. If you wish to unblock the adversaries from this previous version, you will need to delete the created URL feed object.
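
Before entering the feed and MD5 URLs in the FMC, both can be checked from a workstation. The following is an added example, not code from Lumu or Cisco: it derives the MD5 URL from the integration URL as described above and compares a downloaded feed against its checksum file. It assumes the .md5 file contains only the hex MD5 digest of the .txt feed and that the feed holds one entry per line; the UUID and hostnames are constructed placeholders.

```python
import hashlib
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data: placeholder UUID and documentation-only hostnames.
FEED_URL = "https://defender.lumu.io/static/00000000-0000-0000-0000-000000000000.txt"
SAMPLE_FEED = b"http://bad.example.test/a\nhttps://c2.example.test/login\nmalware.example.test\n"
# Assumed checksum-file layout: the hex digest followed by a newline.
SAMPLE_MD5 = hashlib.md5(SAMPLE_FEED).hexdigest().encode() + b"\n"


def md5_url(feed_url: str) -> str:
    """Swap the .txt extension for .md5, as the article describes."""
    parts = urlsplit(feed_url)
    if parts.scheme != "https":
        raise ValueError("integration URL should be fetched over https")
    if not parts.path.endswith(".txt"):
        raise ValueError("integration URL is expected to end in .txt")
    return urlunsplit(parts._replace(path=parts.path[: -len(".txt")] + ".md5"))


def check_feed(feed_body: bytes, md5_body: bytes) -> dict:
    """Compare a downloaded feed with its checksum file and summarise it."""
    published = md5_body.decode("ascii", "replace").strip().lower()
    actual = hashlib.md5(feed_body).hexdigest()
    text = feed_body.decode("utf-8", "replace")
    entries = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return {
        "checksum_ok": published == actual,
        "entries": len(entries),
        # HTTPS entries are the ones that depend on SSL Inspection.
        "https_entries": sum(e.lower().startswith("https://") for e in entries),
    }


if __name__ == "__main__":
    print(md5_url(FEED_URL))
    print(check_feed(SAMPLE_FEED, SAMPLE_MD5))
```

The MD5 value only shows that the feed changed or arrived incomplete; it does not authenticate the feed, which is why the helper refuses a non-HTTPS integration URL.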

Additional Procedure: Integration without Firepower Management Center

If by any chance you don’t have Firepower Management Center available to complete the Cisco Firepower OOTB response integration, it is possible to carry out this procedure using a tool provided by Lumu. In the links below, you can find different repositories where the required code and instructions are provided. You can choose the one that best fits your needs and run the code using the tool that you prefer. 
  1. Source Code repository
  2. Dockerhub repository
