Security Intelligence

Security Intelligence functionality requires the IPS license (for threat defense devices) or the Protection license (all other device types).

Security Intelligence lists and feeds are collections of IP addresses, domain names, and URLs that you can use to quickly filter traffic that matches an entry on a list or feed.

  • A list is a static collection that you manage manually.

  • A feed is a dynamic collection that updates on an interval over HTTP or HTTPS.

Security Intelligence lists/feeds are grouped into:

  • DNS (Domain names)

  • Network (IP addresses)

  • URLs

System-Provided Feeds

Cisco provides the following feeds as Security Intelligence objects:

  • Security Intelligence feeds updated regularly with the latest threat intelligence from Talos:

    • Cisco-DNS-and-URL-Intelligence-Feed (under DNS Lists and Feeds)

    • Cisco-Intelligence-Feed (for IP addresses, under Network Lists and Feeds)

    You cannot delete the system-provided feeds, but you can change the frequency of (or disable) their updates.

  • Cisco-TID-Feed (under Network Lists and Feeds)

    This feed is not used in the Security Intelligence tab of the access control policy.

    Instead, you must enable and configure Secure Firewall threat intelligence director to use this feed, which is a collection of TID observables data.

    Use this object to set how frequently this data is published to TID elements.

Predefined Lists: Global Block Lists and Global Do Not Block Lists

The system ships with predefined global Block lists and Do Not Block lists for domains (DNS), IP addresses (Networks), and URLs.

These lists are empty until you populate them. To build these lists, see Global and Domain Security Intelligence Lists.

By default, access control and DNS policies use these lists as part of Security Intelligence.

Custom Feeds

You can use third-party feeds, or use a custom internal feed to easily maintain an enterprise-wide Block list in a large deployment with multiple Secure Firewall Management Center appliances.

See Custom Security Intelligence Feeds.

Custom Lists

Custom lists can augment and fine-tune feeds and the Global lists.

See Custom Security Intelligence Lists.

Where Security Intelligence Lists and Feeds Are Used

  • IP address and address blocks—Use Block and Do Not Block lists in access control policies, as part of Security Intelligence.

  • Domain Names—Use Block and Do Not Block lists in DNS policies, as part of Security Intelligence.

  • URLs—Use Block and Do Not Block lists in access control policies, as part of Security Intelligence. You can also use URL lists in access control and QoS rules, whose analysis and traffic handling phases occur after Security Intelligence.