Best Practices for Security Intelligence
- Configure your access control policies to block threats detected by Cisco-provided Security Intelligence feeds. See Configuration Example: Security Intelligence Blocking.
- If you want to supplement the Cisco-provided Security Intelligence feeds with custom threat data, or manually block emerging threats:
  - For IP addresses, use custom Security Intelligence lists and feeds, or Network objects or groups. To create these, see Security Intelligence and Network, and their subtopics. To use them for Security Intelligence, see Configure Security Intelligence. Network objects used in a Security Intelligence policy require an IPS license.
  - For URLs and domains, use custom Security Intelligence lists and feeds, not objects or groups. See details at Manual URL Filtering Options.
  - You can also add entries to a Block list from events. See Global and Domain Security Intelligence Lists.
- To test new feeds, or for passive deployments, set the action from block to monitor only. See Security Intelligence Monitoring.
- If you need to exclude specific sites or addresses from Security Intelligence blocking, see Override Security Intelligence Blocking.
- If your Firepower deployment is integrated with Cisco XDR and you use custom Security Intelligence lists and feeds, be sure to update Security Services Exchange with these lists and feeds. For details, see the instructions for configuring auto-promotion of events in the Security Services Exchange online help.
- System-provided Security Intelligence categories may change over time and without notification; plan to check periodically for changes, and modify your policies accordingly.
- You should also configure URL filtering, a separate feature with separate licensing requirements, for further protection against malicious sites. See URL Filtering.