One of the great features in Cisco’s Firepower Management Center 6.2.2 is the ability to ingest threat intel via STIX or TAXII feeds. One such free feed is Hail A Taxii (http://hailataxii.com/), from which you can ingest a ton of threat data.

The first step, if you are using a VMware-based FMC, is to make sure it has at least 16 GB of RAM. Otherwise you’ll get an error when trying to access the intelligence panel to configure the feed. That panel is the far-right menu item that’s new after you install the 6.2.2 patch.

A quick adjustment to RAM and a reboot, and you’re in business. One note: when you try to configure the feed, it’s going to time out several times. Just keep trying until it gives you the option to select the feeds you want, and then click save. Let it run for a few hours so that it can sync up, as the feed is pretty hammered on a good day.

After a few days we started seeing indicators from some of the sources in our live environment, so we knew it was working. By default everything is set to monitor; if something is triggering, you can set it to block later. I’m still trying to determine if/how you can set these IOCs to block for IP/DNS-based protection. A lot of the feed is a list of compromised ISP IPs around the world. Not surprising, and if you’re using geo-blocking you can eliminate a lot of your issues quickly.
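
Before moving indicators from monitor to block, it helps to see what a feed package actually contains and whether any IP indicator falls inside ranges you must never block. The following is an added example, not part of the original post or any Cisco tooling; it assumes the feed delivers STIX 1.x XML with CybOX 2 objects, and the `triage` function, the `own_networks` list and the sample package are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# CybOX 2.x object namespaces carried inside STIX 1.x packages.
TAGS = {
    "ip": "{http://cybox.mitre.org/objects#AddressObject-2}Address_Value",
    "domain": "{http://cybox.mitre.org/objects#DomainNameObject-1}Value",
}

# Constructed, simplified package using documentation addresses (not feed data).
SAMPLE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:A="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:D="http://cybox.mitre.org/objects#DomainNameObject-1">
 <stix:Observables>
  <cybox:Observable><cybox:Object><cybox:Properties>
   <A:Address_Value>203.0.113.7</A:Address_Value>
  </cybox:Properties></cybox:Object></cybox:Observable>
  <cybox:Observable><cybox:Object><cybox:Properties>
   <A:Address_Value>198.51.100.20</A:Address_Value>
  </cybox:Properties></cybox:Object></cybox:Observable>
  <cybox:Observable><cybox:Object><cybox:Properties>
   <D:Value>bad.example</D:Value>
  </cybox:Properties></cybox:Object></cybox:Observable>
 </stix:Observables>
</stix:STIX_Package>"""

def triage(stix_xml, own_networks):
    """Count indicators by type; list IPs inside own_networks (assumed never-block ranges)."""
    root = ET.fromstring(stix_xml)
    nets = [ipaddress.ip_network(n) for n in own_networks]
    counts, overlaps = Counter(), []
    for kind, tag in TAGS.items():
        for el in root.iter(tag):
            value = (el.text or "").strip()
            counts[kind] += 1
            if kind != "ip":
                continue
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:  # CIDR ranges or malformed entries need manual review
                counts["ip_unparsed"] += 1
                continue
            if any(addr in net for net in nets):
                overlaps.append(value)
    return counts, overlaps

if __name__ == "__main__":
    print(triage(SAMPLE, ["198.51.100.0/24"]))
```

When running this against real feed content rather than the inline sample, parse with a hardened XML parser such as `defusedxml`, since the package is untrusted input.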