Security intelligence

Security Intelligence is a traffic filtering mechanism that

  • uses collections of IP addresses, domain names, and URLs to quickly filter traffic that matches entries

  • requires the IPS license (for Firewall Threat Defense devices) or the Protection license (all other device types), and

  • operates through lists and feeds that are grouped into DNS, Network, and URL categories.

Security intelligence components

Security Intelligence lists and feeds are collections of IP addresses, domain names, and URLs. You can use these to quickly filter traffic that matches an entry on a list or feed.

  • A list is a static collection that you manage manually.

  • A feed is a dynamic collection that updates on an interval over HTTP or HTTPS.

Security Intelligence lists/feeds are grouped into:

  • DNS (domain names)

  • Network (IP addresses)

  • URLs

System-provided feeds:

Cisco provides these feeds as Security Intelligence objects:

  • Security Intelligence feeds updated regularly with the latest threat intelligence from Talos:

    • Cisco-DNS-and-URL-Intelligence-Feed (under DNS Lists and Feeds)

    • Cisco-Intelligence-Feed (for IP addresses, under Network Lists and Feeds)

    You cannot delete the system-provided feeds, but you can change the frequency of (or disable) their updates.

  • Cisco-TID-Feed (under Network Lists and Feeds)

    This feed is not used in the Security Intelligence tab of the access control policy.

    Instead, you must enable and configure Secure Firewall Threat Intelligence Director to use this feed. The feed is a collection of TID observable data.

    Use this object to configure the frequency of data publication to TID elements.

Predefined global Block and Do Not Block lists:

The system includes predefined global Block lists and Do Not Block lists for domains (DNS), IP addresses (Networks), and URLs.

These lists are empty until you populate them. To build these lists, see Global and Domain Security Intelligence Lists.

By default, access control and DNS policies use these lists as part of Security Intelligence.

Custom feeds:

You can use third-party feeds or use a custom internal feed to easily maintain an enterprise-wide Block list in a large deployment with multiple Cloud-Delivered Firewall Management Center appliances.

See Custom Security Intelligence Feeds.
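A custom feed is only as good as the file you publish: a domain that lands in a Network feed or an IP address that lands in a DNS feed silently does nothing, and a malformed line can stop the whole feed from being consumed. The script below is an added example, not Cisco's code or any tool from this page; it assumes (not stated on the page) that a custom feed is a plain-text file with one entry per line, with `#` starting a comment, served over HTTP(S) and optionally paired with an MD5 checksum file. It sorts entries into the page's three categories (Network, DNS, URL), rejects entries that belong in another category, and computes the checksum of the exact bytes served. All sample entries are constructed.

```python
"""Validate a Security Intelligence feed or list file before publishing it.

Assumption (not stated on the page): a custom feed is a plain-text file,
one entry per line, '#' starting a comment, served over HTTP(S) and
optionally accompanied by an MD5 checksum file. Sample entries below are
constructed for illustration.
"""
import hashlib
import ipaddress
import re
from urllib.parse import urlparse

# Hostname label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_network(entry: str) -> bool:
    """True for a single IPv4/IPv6 address or a CIDR block (Network category)."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def is_domain(entry: str) -> bool:
    """True for a bare hostname such as bad.example.com (DNS category)."""
    if len(entry) > 253 or "/" in entry or ":" in entry:
        return False
    labels = entry.rstrip(".").split(".")
    # Require at least two labels and a non-numeric TLD so IPv4 literals are not domains.
    return len(labels) >= 2 and not labels[-1].isdigit() and all(_LABEL.match(l) for l in labels)


def is_url(entry: str) -> bool:
    """True for an http(s) URL with a host (URL category); a bare domain is not a URL."""
    parsed = urlparse(entry)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


# The page's three Security Intelligence categories mapped to their validators.
VALIDATORS = {"Network": is_network, "DNS": is_domain, "URL": is_url}


def validate_feed(text: str, category: str):
    """Split a feed file into accepted entries and (line number, reason) rejects.

    An entry that parses as a *different* category is rejected with a hint, so
    an IP address accidentally placed in a DNS feed is caught before publication.
    """
    check = VALIDATORS[category]
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # assumption: '#' begins a comment
        if not entry:
            continue  # blank line or comment-only line
        if check(entry):
            accepted.append(entry)
            continue
        other = next((name for name, fn in VALIDATORS.items()
                      if name != category and fn(entry)), None)
        reason = f"looks like a {other} entry" if other else "malformed entry"
        rejected.append((lineno, reason))
    return accepted, rejected


def feed_md5(text: str) -> str:
    """MD5 of the exact bytes served, for the optional checksum file."""
    return hashlib.md5(text.encode()).hexdigest()


# Constructed sample: a DNS feed with three entries that should not be there.
SAMPLE_DNS_FEED = """# constructed sample DNS feed
bad.example.com
203.0.113.7          # an IP address belongs in a Network feed
http://bad.example.com/login
-broken-.example
"""

if __name__ == "__main__":
    ok, bad = validate_feed(SAMPLE_DNS_FEED, "DNS")
    print("accepted:", ok)
    for lineno, reason in bad:
        print(f"line {lineno}: {reason}")
    print("md5:", feed_md5(SAMPLE_DNS_FEED))
```

Run it against each feed file with the category the feed is registered under; publish the file and the checksum only when the rejected list is empty, since the checksum is computed over the exact bytes the appliance will download.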

Custom lists:

Custom lists can augment and fine-tune feeds and the global lists.

See Custom Security Intelligence Lists.

Where Security Intelligence lists and feeds are used:

  • IP address and address blocks—Use Block and Do Not Block lists in access control policies, as part of Security Intelligence.

  • Domain Names—Use Block and Do Not Block lists in DNS policies, as part of Security Intelligence.

  • URLs—Use Block and Do Not Block lists in access control policies, as part of Security Intelligence. You can also use URL lists in access control and QoS rules, whose analysis and traffic handling phases occur after Security Intelligence.