Use Cisco Secure Cloud Analytics Portal

Provision a Cisco Secure Cloud Analytics Portal

Required License: Logging Analytics and Detection or Total Network Analytics and Monitoring

If you purchase a Logging Analytics and Detection or Total Network Analytics and Monitoring license, after you deploy and configure the Secure Event Connector (SEC), you must associate a Secure Cloud Analytics portal with your Security Cloud Control portal to view Secure Cloud Analytics alerts. When you purchase the license, if you have an existing Secure Cloud Analytics portal, you can provide the Secure Cloud Analytics portal name and immediately link it to your Security Cloud Control portal.

Otherwise, you can request a new Secure Cloud Analytics portal from the Security Cloud Control UI. The first time you access Secure Cloud Analytics alerts, the system takes you to a page to request the Secure Cloud Analytics portal. The user that requests this portal is granted administrator permission in the portal.

Procedure

Step 1

In the left pane, click Analytics > Secure Cloud Analytics to open the Secure Cloud Analytics UI in a new window.

Step 2

Click Start Free Trial to provision a Secure Cloud Analytics portal and associate it with your Security Cloud Control portal.

Note

 

After you request the portal, the provisioning may take up to several hours.

Ensure that your portal is provisioned before moving on to the next step.

  1. In the left pane, click Analytics > Secure Cloud Analytics to open the Secure Cloud Analytis UI in a new window.

  2. You have the following options:

    • If you requested a Secure Cloud Analytics portal, and the system states it is still provisioning the portal, wait and try to access the alerts later.

    • If the Secure Cloud Analytics portal is provisioned, enter your Username and Password, then click Sign in.


Note

The administrator user can invite other users to create accounts within the Secure Cloud Analytis portal. See Viewing Cisco Secure Cloud Analytics Alerts from Security Cloud Control for more information.

What to do next

Review Sensor Health and Security Cloud Control Integration Status in Secure Cloud Analytics

Sensor Status

Required License: Logging Analytics and Detection or Total Network Analytics and Monitoring

In the Secure Cloud Analytis web UI, you can view your Security Cloud Control integration status and your configured sensors from the Sensor List page. The Security Cloud Control integration is the read-only connection-events sensor. Stelathwatch Cloud provides an overall health of your sensors in the main menu:

  • green cloud icon () - connectivity established with all sensors, and Security Cloud Control if configured

  • yellow cloud icon () - connectivity established with some sensors, or Security Cloud Control if configured, and one or more sensors is not configured properly

  • red cloud icon () - connectivity lost with all configured sensors, and Security Cloud Control if configured

Per sensor or Security Cloud Control integration, a green icon signifies connectivity established, and a red icon signifies connectivity lost.

Procedure

Step 1

1. In the Secure Cloud Analytis portal UI, select Settings () > Sensors.

Step 2

Select Sensor List.

Cisco Secure Cloud Analytics Sensor Deployment for Total Network Analytics and Reporting

Secure Cloud Analytics Sensor Overview and Deployment

Required License: Total Network Analytics and Monitoring

If you obtain a Total Network Analytics and Monitoring license, after you provision a Secure Cloud Analytics portal, you can:

  • Deploy and configure a Secure Cloud Analytics sensor within your on-premises network to pass network flow data to the cloud for analysis.

  • Configure your cloud-based deployment to pass network flow log data to Secure Cloud Analytics for analysis.

Firewalls at your network perimeter gather information about traffic between your internal network and external networks, while Secure Cloud Analytics sensors gather information about traffic within your internal network.


Note

FDM-managedSecure Firewall Threat Defense devices may be configured to pass NetFlow data. When you deploy a sensor, do not configure it to pass NetFlow data from any of your FDM-managedSecure Firewall Threat Defense devices which you also configured to pass event information to Security Cloud Control.

See the Secure Cloud Analytics Sensor Installation Guide for sensor deployment instructions and recommendations.

See the Secure Cloud Analytics Public Cloud Monitoring Guides for cloud-based deployment configuration instructions and recommendations.


Note

You can also review instructions in the Secure Cloud Analytics portal UI to configure sensors and your cloud-based deployment.

See the Secure Cloud Analytics Free Trial Guide for more information about Secure Cloud Analytics.

Next Steps

Viewing Cisco Secure Cloud Analytics Alerts from Security Cloud Control

Required License: Logging Analytics and Detection or Total Network Analytics and Monitoring

While you can review your firewall events on the Events logging page, you cannot review Cisco Secure Cloud Analytics alerts from the Security Cloud Control portal UI. You can cross-launch from Security Cloud Control to the Secure Cloud Analytics portal using the Security Analytics menu option, and view alerts generated from firewall event data (and from network flow data if you enabled Total Network Analytics and Monitoring). The Security Analytics menu option displays a badge with the number of Secure Cloud Analytics alerts in an open workflow status, if 1 or more are open.

If you use a Security Analytics and Logging license to generate Secure Cloud Analytics alerts, and you provisioned a new Secure Cloud Analytics portal, log into Security Cloud Control, then cross-launch to Secure Cloud Analytics using Cisco Security Cloud Sign On. You can also directly access your Secure Cloud Analytics portal through its URL.

See Cisco Security Cloud Sign On for more information.

Inviting Users to Join Your Secure Cloud Analytics Portal

The initial user to request the Secure Cloud Analytics portal provision has administrator privileges in the Secure Cloud Analytics portal. That user can invite other users by email to join the portal. If these users do not have Cisco Security Cloud Sign On credentials, they can create them using the link in the invite email. Users can then use Cisco Security Cloud Sign On credentials to log in during the cross-launch from Security Cloud Control to Secure Cloud Analytics.

To invite other users to your Secure Cloud Analytics portal by email:

Procedure

Step 1

Log into your Secure Cloud Analytics portal as an administrator.

Step 2

Select Settings > Account Management > User Management.

Step 3

Enter an Email address.

Step 4

Click Invite.

Cross-Launching from Security Cloud Control to Secure Cloud Analytics

To view security alerts from Security Cloud Control:

Procedure

Step 1

Log into the Security Cloud Control portal.

Step 2

In the left pane, choose Analytics > Secure Cloud Analytics.

Step 3

In the Secure Cloud Analytics interface, select Monitor > Alerts.

Cisco Secure Cloud Analytics and Dynamic Entity Modeling

Required License: Logging Analytics and Detection or Total Network Analytics and Monitoring

Secure Cloud Analytics is a software as a service (SaaS) solution that monitors your on-premises and cloud-based network deployments. By gathering information about your network traffic from sources including firewall events and network flow data, it creates observations about the traffic and automatically identifies roles for network entities based on their traffic patterns. Using this information combined with other sources of threat intelligence, such as Talos, Secure Cloud Analytics generates alerts, which constitute a warning that there is behavior that may be malicious in nature. Along with the alerts, Secure Cloud Analytics provides network and host visibility, and contextual information it has gathered to provide you with a better basis to research the alert and locate sources of malicious behavior.

Dynamic Entity Modeling

Dynamic entity modeling tracks the state of your network by performing a behavioral analysis on firewall events and network flow data. In the context of Secure Cloud Analytics, an entity is something that can be tracked over time, such as a host or endpoint on your network. Dynamic entity modeling gathers information about entities based on the traffic they transmit and activities they take on your network. Secure Cloud Analytics, integrated with a Logging Analytics and Detection license, can draw from firewall events and other traffic information in order to determine the types of traffic the entity usually transmits. If you purchase a Total Network Analytics and Monitoring license, Secure Cloud Analytics can also include NetFlow and other traffic information in modeling entity traffic. Secure Cloud Analytics updates these models over time, as the entities continue to send traffic, and potentially send different traffic, to keep an up-to-date model of each entity. From this information, Secure Cloud Analytics identifies:

  • Roles for the entity, which are a descriptor of what the entity usually does. For example, if an entity sends traffic that is generally associated with email servers, Secure Cloud Analytics assigns the entity an Email Server role. The role/entity relationship can be many-to-one, as entities may perform multiple roles.

  • Observations for the entity, which are facts about the entity's behavior on the network, such as a heartbeat connection with an external IP address, or a remote access session established with another entity. If you integrate with Security Cloud Control, these facts can be obtained from firewall events. If you also purchase a Total Network Analytics and Monitoring, license, the system can also obtain facts from NetFlow, and generate observations from both firewall events and NetFlow. Observations on their own do not carry meaning beyond the fact of what they represent. A typical customer may have many thousands of observations and a few alerts.

Alerts and Analysis

Based on the combination of roles, observations, and other threat intelligence, Secure Cloud Analytics generates alerts, which are actionable items that represent possible malicious behavior as identified by the system. Note that one alert may represent multiple observations. If a firewall logs multiple connection events related to the same connection and entities, this may result in only one alert.

For example, a New Internal Device observation on its own does not constitute possible malicious behavior. However, over time, if the entity transmits traffic consistent with a Domain Controller, then the system assigns a Domain Controller role to the entity. If the entity subsequently establishes a connection to an external server that it has not established a connection with previously, using unusual ports, and transfers large amounts of data, the system would log a New Large Connection (External) observation and an Exceptional Domain Controller observation. If that external server is identified as on a Talos watchlist, then the combination of all this information would lead Secure Cloud Analytics to generate an alert for this entity's behavior, prompting you to take further action to research, and remediate malicious behavior.

When you open an alert in the Secure Cloud Analytics web portal UI, you can view the supporting observations that led the system to generate the alert. From these observations, you can also view additional context about the entities involved, including the traffic that they transmitted, and external threat intelligence if it is available. You can also see other observations and alerts that entities were involved with, and determine if this behavior is tied to other potentially malicious behavior.

Note that when you view and close alerts in Secure Cloud Analytics, you cannot allow or block traffic from the Secure Cloud Analytics UI. You must update your firewall access control rules to allow or block traffic, if you deployed your devices in active mode, or your firewall access control rules if your firewalls are deployed in passive mode.

Working with Alerts Based on Firewall Events

Required License: Logging Analytics and Detection or Total Network Analytics and Monitoring

Alerts Workflow

An alert's workflow is based around its status. When the system generates an alert, the default status is Open, and no user is assigned. When you view the Alerts summary, all open alerts are displayed by default, as these are of immediate concern.

Note: If you have a Total Network Analytics and Monitoring license, your alerts can be based on observations generated from NetFlow, observations generated from firewall events, or observations from both data sources.

As you review the Alerts summary, you can assign, tag, and update status on alerts as an initial triage. You can use the filters and search functionality to locate specific alerts, or display alerts of different statuses, or associated with different tags or assignees. You can set an alert's status to Snoozed, in which case it does not reappear in the list of open alerts until the snooze period elapses. You can also remove Snoozed status from an alert, to display it as an open alert again. As you review alerts, you can assign them to yourself or another user in the system. Users can search for all alerts assigned to their username.

From the Alerts summary, you can view an alert detail page. This page allows you to review additional context about the supporting observations that resulted in this alert, and additional context about the entities involved in this alert. This information can help you pinpoint the actual issue, in order to further research the issue on your network, and potentially resolve malicious behavior.

As you research within the Secure Cloud Analytics web portal UI, in Security Cloud Control, and on your network, you can leave comments with the alert that describe your findings. This helps create a record for your research that you can reference in the future.

If you complete your analysis, you can update the status to Closed, and have it no longer appear by default as an open alert. You can also re-open a closed alert in the future if circumstances change.

The following presents general guidelines and suggestions for how to investigate a given alert. Because Secure Cloud Analytics provides additional context when it logs an alert, you can use this context to help guide your investigation.

These steps are meant to be neither comprehensive, nor all-inclusive. They merely offer a general framework with which to start investigating an alert.

In general, you can take the following steps when you review an alert:

  1. Triage open alerts

  2. Snooze alerts for later analysis

  3. Update the alert for further investigation

  4. Review the alert and start your investigation

  5. Examine the entity and users

  6. Remediate issues using Secure Cloud Analytics

  7. Update and close the alert

Triage open alerts

Triage the open alerts, especially if more than one have yet to be investigated:

Ask the following questions:

  • Have you configured this alert type as high priority?

  • Did you set a high sensitivity for the affected subnet?

  • Is this unusual behavior from a new entity on your network?

  • What is the entity's normal role, and how does the behavior in this alert fit that role?

  • Is this an exceptional deviation from normal behavior for this entity?

  • If a user is involved, is this expected behavior from the user, or exceptional?

  • Is protected or sensitive data at risk of being compromised?

  • How severe is the impact to your network if this behavior is allowed to continue?

  • If there is communication with external entities, have these entities established connections with other entities on your network in the past?

If this is a high priority alert, consider quarantining the entity from the internet, or otherwise closing its connections, before continuing your investigation.

Snooze alerts for later analysis

Snooze alerts when they are of lesser priority, as compared to other alerts. For example, if your organization is repurposing an email server as an FTP server, and the system generates an Emergent Profile alert (indicating that an entity's current traffic matches a behavior profile that it did not previously match), you can snooze this alert as it is intended behavior, and revisit it at a later date. A snoozed alert does not show up with the open alerts; you must specifically filter to review these snoozed alerts.

Snooze an alert:

Procedure

Step 1

Click Close Alert.

Step 2

In the Snooze this alert pane, select a snooze period from the drop-down.

Step 3

Click Save.

What to do next

When you are ready to review these alerts, you can unsnooze them. This sets the status to Open, and displays the alert alongside the other Open alerts.

Unsnooze a snoozed alert:

  • From a snoozed alert, click Unsnooze Alert.

Update the alert for further investigation

Open the alert detail:

Procedure

Step 1

Select Monitor > Alerts.

Step 2

Click an alert type name.

What to do next

Based on your initial triage and prioritization, assign the alert and tag it:

  1. Select a user from the Assignee drop-down to assign the alert, so a user can start investigating.

  2. Select one or more Tags from the drop-down to add tags to the alert, to better categorize your alert's for future identification, as well as to try and establish long-term patterns in your alerts.

  3. Enter a Comment on this alert, then click Comment to leave comments as necessary to track your initial findings, and assist the person assigned to the alert. The alert tracks both system comments and user comments.

Review the alert and start your investigation

If you are reviewing an assigned alert, review the alert detail to understand why Secure Cloud Analytics generated an alert. Review the supporting observations to understand what these observations mean for the source entity.

Note that if the alert was generated based on firewall events, the system does not note that your firewall deployment was the source of this alert.

View all of the supporting observations for this source entity to understand its general behavior and patterns, and see if this activity may be part of a longer trend:

SUMMARY STEPS

  1. From the alert detail, click the arrow icon () next to an observation type to view all logged observations of that type.
  2. Click the arrow icon () next to All Observations for Network to view all logged observations for this alert's source entity.

DETAILED STEPS

Step 1

From the alert detail, click the arrow icon () next to an observation type to view all logged observations of that type.

Step 2

Click the arrow icon () next to All Observations for Network to view all logged observations for this alert's source entity.

Download the supporting observations in a comma-separated value file, if you want to perform additional analysis on these observations:

  • From the alert detail, in the Supporting Observations pane, click CSV.

From the observations, determine if the source entity behavior is indicative of malicious behavior. If the source entity established connections with multiple external entities, determine if the external entities are somehow related, such as if they all have similar geolocation information, or their IP addresses are from the same subnet.

View additional context surrounding the source entity from a source entity IP address or hostname, including other alerts and observations it may be involved in, information about the device itself, and what type of session traffic it is transmitting:

  • Select Alerts from the IP address or hostname drop-down to view all alerts related to the entity.

  • Select Observations from the IP address or hostname drop-down to view all observations related to the entity.

  • Select Device from the IP address or hostname drop-down to view information about the device.

  • Select Session Traffic from the IP address or hostname drop-down to view session traffic related to this entity.

  • Select Copy from the IP address or hostname drop-down to copy the IP address or hostname.

Note that the source entity in Secure Cloud Analytics is always internal to your network. Contrast this with the Initiator IP in a firewall event, which indicates the entity that initiated a connection, and may be internal or external to your network.

From the observations, examine information about other external entities. Examine the geolocation information, and determine if any of the geolocation data or Umbrella data identifies a malicious entity. View the traffic generated by these entities. Check whether Talos, AbuseIPDB, or Google have any information on these entities. Find the IP address on multiple days and see what other types of connections the external entity established with entities on your network. If necessary, locate those internal entities and determine if there is any evidence of compromise or unintended behavior.

Review the context for an external entity IP address or hostname with which the source entity established a connection:

  • Select IP Traffic from the IP address or hostname drop-down to view recent traffic information for this entity.

  • Select Session Traffic from the IP address or hostname drop-down to view recent session traffic information for this entity.

  • Select AbuseIPDB from the IP address or hostname drop-down to view information about this entity on AbuseIPDB's website.

  • Select Cisco Umbrella from the IP address or hostname drop-down to view information about this entity on Cisco Umbrella's website.

  • Select Google Search from the IP address or hostname drop-down to search for this IP address on Google.

  • Select Talos Intelligence from the IP address or hostname drop-down to view information about this information on Talos's website.

  • Select Add IP to watchlist from the IP address or hostname drop-down to add this entity to the watchlist.

  • Select Find IP on multiple days from the IP address or hostname drop-down to search for this entity's traffic from the past month.

  • Select Copy from the IP address or hostname drop-down to copy the IP address or hostname.

Note that connected entities in Secure Cloud Analytics are always external to your network. Contrast this with the Responder IP in a firewall event, which indicates the entity that responded to a connection request, and may be internal or external to your network.

Leave comments as to your findings.

  • From the alert detail, enter a Comment on this alert, then click Comment.

Examine the entity and users

After you review the alert in the Secure Cloud Analytics portal UI, you can perform an additional examination on a source entity directly, any users that may have been involved with this alert, and other related entities.

  • Determine where the source entity is on your network, physically or in the cloud, and access it directly. Locate the log files for this entity. If it is a physical entity on your network, access the device to review the log information, and see if there is any information as to what caused this behavior. If it is a virtual entity, or stored in the cloud, access the logs and search for entries related to this entity. Examine the logs for further information on unauthorized logins, unapproved configuration changes, and the like.

  • Examine the entity. Determine if you can identify malware or a vulnerability on the entity itself. See if there has been some malicious change, including if there are physical changes to a device, such as a USB stick that is not approved by your organization.

  • Determine if a user on your network, or from outside your network, was involved. Ask the user what they were doing if possible. If the user is unavailable, determine if they were supposed to have access, and if a situation occurred that prompted this behavior, such as a terminated employee uploading files to an external server before leaving the company.

Leave comments as to your findings:

  • From the alert detail, enter a Comment on this alert, then click Comment.

Remediate issues using Secure Cloud Analytics

If malicious behavior caused the alert, remediate the malicious behavior. For example:

  • If a malicious entity or user attempted to log in from outside your network, update your firewall rules and firewall configuration to prevent the entity or user from accessing your network.

  • If an entity attempted to access an unauthorized or malicious domain, examine the affected entity to determine if malware is the cause. If there are malicious DNS redirects, determine if other entities on your network are affected, or part of a botnet. If this is intended by a user, determine if there is a legitimate reason for this, such as testing firewall settings. Update your firewall rules and firewall configuration to prevent further access to the domain.

  • If an entity is exhibiting behavior that is different from the historical entity model behavior, determine if the behavior change is intended. If it is unintended, examine whether an otherwise authorized user on your network is responsible for the change. Update your firewall rules and firewall configuration to address unintended behavior if it involves connections with entities that are external to your network.

  • If you identify a vulnerability or exploit, update or patch the affected entity to remove the vulnerability, or update your firewall configuration to prevent unauthorized access. Determine if other entities on your network may similarly be affected, and apply the same update or patch to those entities. If the vulnerability or exploit currently does not have a fix, contact the appropriate vendor to let them know.

  • If you identify malware, quarantine the entity and remove the malware. Review the firewall file and malware events to determine if other entities on your network are at risk, and quarantine and update the entities to prevent this malware from spreading. Update your security intelligence with information about this malware, or the entities that caused this malware. Update your firewall access control and file and malware rules to prevent this malware from infecting your network in the future. Alert vendors as necessary.

  • If malicious behavior resulted in data exfiltration, determine the nature of the data sent to an unauthorized source. Follow your organization's protocols for unauthorized data exfiltration. Update your firewall configuration to prevent future data exfiltration attempts by this source.

Update and close the alert

Add additional tags based on your findings:

Procedure

Step 1

In the Secure Cloud Analytics portal UI, select Monitor > Alerts.

Step 2

Select one or more Tags from the drop-down.

Add final comments describing the results of your investigation, and any remediation steps taken:

  • From an alert's detail, enter a Comment on this alert, then click Comment.

Close the alert, and mark it as helpful or not helpful:

  1. From an alert's detail, click Close Alert.

  2. Select Yes if the alert was helpful, or No if the alert was unhelpful. Note that this does not necessarily mean that the alert resulted from malicious behavior, just that the alert was helpful to your organization.

  3. Click Save.

What to do next

Reopen a closed alert

If you discover additional information related to a closed alert, or want to add more comments related to that alert, you can reopen it, changing the status to Open. You can then make changes as necessary to the alert, then close it again when your additional investigation is complete.

Reopen a closed alert:

  • From a closed alert's detail, click Reopen Alert.

Modifying Alert Priorities

Required License: Logging Analytics and Detection or Total Network Analytics and Monitoring

Alert types come with default priorities, which affect how sensitive the system is to generating alerts of this type. Alerts default to low or normal priority, based on Cisco intelligence and other factors. Based on your network environment, you may want to reprioritize alert types, to emphasize certain alerts that you are concerned with. You can configure any alert type to be low, normal, or high priority.

  • Select Monitor > Alerts.

  • Click the settings drop-down icon (), then select Alert Types and Priorities.

  • Click the edit icon () next to an alert type and select low, medium, or high to change the priority.