Integrating Firepower and Cisco Security Analytics and Logging (SaaS)

Overview of the Firepower Integration with Cisco Security Analytics and Logging (SaaS)

This integration is specifically for Firepower Threat Defense (FTD) devices managed by Firepower Management Center (FMC). This document does not apply to devices that are not running Firepower software, to devices managed by Firepower Device Manager (FDM), or to non-FTD devices managed by FMC.

You can send Firepower events to the Stealthwatch Cloud for storage, and optionally make your Firepower event data available for security analytics using Stealthwatch Cloud.

Using Cisco Security Analytics and Logging (SaaS), also known as SAL (SaaS), your Firepower devices send events as syslog messages to a Security Events Connector (SEC) installed on a virtual machine on your network, and this SEC forwards the events to the Stealthwatch cloud for storage. You view and work with your events using the web-based Cisco Defense Orchestrator (CDO) portal. Depending on the license you purchase, you can also use the Stealthwatch portal to access that product's analytics features.


Note

Most features in the CDO portal are not applicable to this integration. For example, CDO does not manage your devices, so your devices are not onboarded to CDO.


For more information about Cisco Security Analytics and Logging (SaaS), see https://www.cisco.com/c/en/us/products/security/security-analytics-logging/index.html.

Requirements and Prerequisites for SAL (SaaS) Integration

Requirement or Prerequisite Type

Requirement

Firepower

Firepower Management Center managing Firepower Threat Defense devices

FMC and device version: 6.4 or later

Your Firepower system must be deployed and successfully generating events.

Regional cloud

Determine which regional cloud you will send events to.

Events cannot be viewed from or moved between different regional clouds.

Data plan

Determine the amount of storage your system will require:

See Calculate Storage Requirements and Purchase a Data Plan.

Licensing

  • Cisco Security Analytics and Logging licenses: Any

    For licensing options and descriptions, see SAL (SaaS) Licenses.

  • CDO licenses: No additional CDO licensing is required.

  • Stealthwatch Cloud licenses: No additional licensing is required.

  • Firepower licenses: No additional Firepower licensing is required.

Accounts

When you purchase a license for this integration, you will be provided with a CDO tenant account to support this functionality.

Supported Firepower event types

Intrusion, connection, Security Intelligence, file, and malware events

Additional prerequisites

See the Before You Begin or Prerequisites section of each procedure.

SAL (SaaS) Licenses

License

Details

Free trial

To get a 30 day free trial license, visit https://info.securexanalytics.com/sal-trial.html.

Logging and Troubleshooting

Store events in the Cisco cloud, and view and filter stored events using the CDO web interface.

(Optional) Logging Analytics and Detection

The system can apply Stealthwatch Cloud dynamic entity modeling to your FTD events, and use behavioral modeling analytics to generate Stealthwatch Cloud observations and alerts. You can cross-launch from CDO to a Stealthwatch Cloud portal provisioned for you, using Cisco Single Sign-On.

When you purchase a license for SAL, you will be provided access to a CDO tenant for log viewing and a SWC instance for threat detections. Users of SAL do not need a separate CDO or SWC license to access these two portals for the outcomes that SAL provides.

(Optional) Total Network Analytics and Detection

The system applies dynamic entity modeling to both your FTD events and your network traffic, and generates observations and alerts. You can cross-launch from CDO to a Stealthwatch Cloud portal provisioned for you, using Cisco Single Sign-On.

When you purchase a license for SAL, you will be provided access to a CDO tenant for log viewing and a SWC instance for threat detections. Users of SAL do not need a separate CDO or SWC license to access these two portals for the outcomes that SAL provides.

For details about SAL (SaaS) licensing options, see the Cisco Security Analytics and Logging Ordering Guide at https://www.cisco.com/c/en/us/products/collateral/security/security-analytics-logging/guide-c07-742707.html.

SAL (SaaS) licenses provide the right to use a Cisco Defense Orchestrator tenant to view firewall logs and a Stealthwatch Cloud (SWC) instance for analytics, without holding separate licenses for either of these products.

To purchase SAL (SaaS) licenses, contact your authorized Cisco sales representative, or visit https://apps.cisco.com/Commerce/guest and look for PIDs starting with SAL-SUB.

Calculate Storage Requirements and Purchase a Data Plan

You need to buy a data plan that reflects the number of events the Cisco cloud receives from your FTDs on a daily basis. This is called your "daily ingest rate."

To estimate your data storage requirements:

Data plans are available in various daily volumes, and in various yearly terms. See the Cisco Security Analytics and Logging Ordering Guide at https://www.cisco.com/c/en/us/products/collateral/security/security-analytics-logging/guide-c07-742707.html for information about data plans.


Note

If you have a SAL (SaaS) license and data plan, then obtain a different license at a later date, that alone does not require you to obtain a different data plan. If your network traffic throughput changes and you obtain a different data plan, that alone does not require you to obtain a different SAL (SaaS) license.


How to Set Up Event Data Storage in SAL (SaaS)

  1. Review requirements and prerequisites.

    See Requirements and Prerequisites for SAL (SaaS) Integration.

  2. Obtain required licenses, accounts, and a data storage plan.

    Contact your authorized Cisco sales representative.

  3. Set up CDO access using multi-factor authentication.

    See instructions in the CDO online help for Signing in to CDO.

  4. Set up an on-premises Secure Device Connector (SDC) on a VMware virtual machine.

    This component is required solely to enable installation of the SEC, which is the component to which your Firepower devices will send events.

    Use one of the following, as described in the CDO online help:

    Important! Don't skip the procedure prerequisites. However, ignore any information about onboarding, which does not apply to this integration.

  5. Install the Secure Event Connector (SEC) on the SDC virtual machine you just created.

    This is the component to which your Firepower devices will send events.

    See the CDO online help for instructions to Install the Secure Event Connector.

    Important! Don't skip the procedure prerequisites. However, ignore any information about onboarding, which does not apply to this integration.

  6. Configure your FMC to have managed devices send syslog events to the SEC.

    See Send Security Event Syslog Messages from FTD Devices.

  7. Verify that your events are being sent successfully.

    See View and Work with Events.

  8. (Optional) Configure general settings in CDO. For example, you can make your data unavailable to Cisco support staff.

    In the CDO online help, see General Settings.

  9. (Optional) Create CDO user accounts for colleagues to view and work with your events.

    In the CDO online help, see Create a New CDO User.

Send Security Event Syslog Messages from FTD Devices

This procedure documents the best practice configuration for sending syslog messages for security events (connection, Security Intelligence, intrusion, file, and malware events) from FTD devices managed by Firepower Management Center.


Note

Many FTD syslog settings are not applicable to security events. Configure only the options described in this procedure.


Before you begin

  • In Firepower Management Center, configure policies to generate security events and verify that the events you expect to see appear in the applicable tables under the Analysis menu.

  • Gather the syslog server IP address, port, and protocol (UDP or TCP):

    Sign in to CDO. Then, from the user menu at the top right side of the CDO browser window, select Secure Connectors. Click Secure Event Connector and you will see the required information at the right side.

  • Ensure that your devices can reach the syslog server(s).

  • See additional information in the "Connection Logging" chapter in the FMC online help.

Procedure


Step 1

Sign in to your Firepower Management Center web interface.

Step 2

Configure syslog settings for your FTD device:

  1. Click Devices > Platform Settings.

  2. Edit the platform settings policy associated with your FTD device.

  3. In the left navigation pane, click Syslog.

  4. Click Syslog Servers and click Add to enter server, protocol, interface, and related information.

    Use the IP address, port, and protocol that you gathered from CDO above.

    EMBLEM format and secure syslog are not supported for this integration.

    If you have questions about options on this page, see the "Configure a Syslog Server" topic in the FMC online help.

  5. Click Syslog Settings and configure the following settings:

    • Enable Timestamp on Syslog Messages

    • Timestamp Format

    • Enable Syslog Device ID

  6. Click Logging Setup.

  7. Make sure Send syslogs in EMBLEM format is NOT selected.

  8. Save your settings.

Step 3

Configure general logging settings for the access control policy (including file and malware logging):

  1. Click Policies > Access Control.

  2. Edit the applicable access control policy.

  3. Click Logging.

  4. Select FTD 6.3 and later: Use the syslog settings configured in the FTD Platform Settings policy deployed on the device.

  5. (Optional) Select a Syslog Severity.

  6. If you will send file and malware events, select Send Syslog messages for File and Malware events.

  7. Click Save.

Step 4

Enable logging for Security Intelligence events for the access control policy:

  1. In the same access control policy, click the Security Intelligence tab.

  2. In each of the following locations, click Logging (logging icon) and enable beginning and end of connections and Syslog Server:

    • Beside DNS Policy.

    • In the Block List box, for Networks and for URLs.

  3. Click Save.

Step 5

Enable syslog logging for each rule in the access control policy:

  1. In the same access control policy, click the Rules tab.

  2. Click a rule to edit.

  3. Click the Logging tab in the rule.

  4. Enable both beginning and end of connections.

  5. If you will log file events, select Log Files.

  6. Enable Syslog Server.

  7. Verify that the rule is "Using default syslog configuration in Access Control Logging."

    Do NOT configure overrides.

  8. Click Add.

  9. Repeat for each rule in the policy.

Step 6

If you will send intrusion events:

  1. Navigate to the intrusion policy associated with your access control policy.

  2. In your intrusion policy, click Advanced Settings > Syslog Alerting > Enabled.

    Verify that the policy is using the default settings configured for access control logging.

  3. Click Back.

  4. Click Policy Information in the left navigation pane.

  5. Click Commit Changes.


What to do next

  • If you are done making changes, deploy your changes to managed devices.
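After you deploy, a quick way to confirm that the messages leaving your FTDs carry the timestamp and device ID that Step 2 enables, and that they are the security-event message types this integration stores, is to capture a few raw syslog lines on the SEC host (for example with tcpdump on the SEC's syslog port) and run a checker over them. The following is an added example, not Cisco code and not part of this document. It assumes the message IDs 430001 to 430005 that Cisco documents for FTD intrusion, connection, file and malware events, assumes the body of those messages is a "Key: Value, Key: Value" list using Cisco's security-event field names, and uses constructed sample lines; the helper names (parse_line, check_line, summarize) are the example's own.

```python
"""Check captured FTD security-event syslog lines against the settings this procedure requires.

Added example, not Cisco code. Feed it raw lines captured on the SEC host.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Message IDs Cisco documents for FTD security events (assumed here, see lead-in).
SECURITY_EVENT_IDS = {
    "430001": "intrusion",
    "430002": "connection start",
    "430003": "connection end",
    "430004": "file",
    "430005": "malware",
}

# Expected shape: <PRI>[TIMESTAMP] [DEVICE-ID] : %FTD-SEV-MSGID: body
MSG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<prefix>.*?)%FTD-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<body>.*)$"
)
ISO_TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\S*")        # RFC 5424 timestamp format
LEGACY_TS_RE = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}")  # e.g. "Mar 01 2021 12:00:03"
KV_SPLIT_RE = re.compile(r",\s+(?=\w+: )")   # split "Key: Value, Key: Value" without breaking values


@dataclass
class FtdSyslogEvent:
    pri: int
    timestamp: Optional[str]      # None when the device sends no timestamp
    device_id: Optional[str]      # None when Syslog Device ID is not enabled
    severity: int
    msgid: str
    kind: Optional[str]           # security-event type, or None for any other FTD message
    fields: dict = field(default_factory=dict)


def parse_line(line: str) -> Optional[FtdSyslogEvent]:
    """Parse one raw syslog line; return None if it is not an FTD message at all."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    prefix = m.group("prefix").strip().rstrip(": ").strip()
    timestamp = None
    ts = ISO_TS_RE.match(prefix) or LEGACY_TS_RE.match(prefix)
    if ts:
        timestamp = ts.group(0)
        prefix = prefix[ts.end():].strip()
    device_id = prefix or None
    msgid = m.group("msgid")
    kind = SECURITY_EVENT_IDS.get(msgid)
    fields = {}
    if kind:  # only security events carry the key/value body
        for part in KV_SPLIT_RE.split(m.group("body")):
            key, _, value = part.partition(": ")
            fields[key.strip()] = value.strip()
    return FtdSyslogEvent(int(m.group("pri")), timestamp, device_id,
                          int(m.group("sev")), msgid, kind, fields)


def check_line(line: str) -> list:
    """Return findings for one line; an empty list means it matches the best-practice settings."""
    ev = parse_line(line)
    if ev is None:
        return ["not an FTD syslog message"]
    findings = []
    if ev.timestamp is None:
        findings.append("missing timestamp (enable 'Enable Timestamp on Syslog Messages')")
    if ev.device_id is None:
        findings.append("missing device ID (enable 'Enable Syslog Device ID')")
    if ev.kind is None:
        findings.append(f"message ID {ev.msgid} is not a security event")
    return findings


def summarize(lines):
    """Count security events by type and collect findings keyed by 1-based line number."""
    counts = {kind: 0 for kind in SECURITY_EVENT_IDS.values()}
    problems = {}
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        if ev and ev.kind:
            counts[ev.kind] += 1
        findings = check_line(line)
        if findings:
            problems[n] = findings
    return counts, problems


# Constructed sample capture: a correct connection-end event, a file event with the legacy
# timestamp format, a connection-start event sent without timestamp or device ID, a non-security
# FTD message, and a line from an unrelated host.
SAMPLE_LINES = [
    "<166>2021-03-01T12:00:00Z ftd-branch-01 : %FTD-6-430003: EventPriority: Low, "
    "DeviceUUID: 11111111-2222-3333-4444-555555555555, InstanceID: 1, "
    "FirstPacketSecond: 2021-03-01T11:59:58Z, ConnectionID: 1234, AccessControlRuleAction: Allow, "
    "SrcIP: 10.1.1.5, DstIP: 192.0.2.10, SrcPort: 51514, DstPort: 443, Protocol: tcp, "
    "IngressInterface: inside, EgressInterface: outside",
    "<166>Mar 01 2021 12:00:03 ftd-branch-02 : %FTD-6-430004: EventPriority: Low, "
    "DeviceUUID: 22222222-3333-4444-5555-666666666666, InstanceID: 1, ConnectionID: 1235, "
    "FileName: report.pdf, FileType: PDF, FileAction: Detect, SHA_Disposition: Unavailable",
    "<166>%FTD-6-430002: EventPriority: Low, DeviceUUID: 11111111-2222-3333-4444-555555555555, "
    "InstanceID: 1, FirstPacketSecond: 2021-03-01T12:00:05Z, ConnectionID: 1236, "
    "SrcIP: 10.1.1.6, DstIP: 192.0.2.11, SrcPort: 40000, DstPort: 80, Protocol: tcp",
    "<166>2021-03-01T12:00:07Z ftd-branch-01 : %FTD-6-302013: Built inbound TCP connection 1237 "
    "for outside:192.0.2.12/443 (192.0.2.12/443) to inside:10.1.1.7/52000 (10.1.1.7/52000)",
    "Mar  1 12:00:08 linux-host sshd[123]: Accepted publickey for admin from 10.1.1.9 port 52022",
]

if __name__ == "__main__":
    counts, problems = summarize(SAMPLE_LINES)
    print("security events by type:", counts)
    for n, findings in problems.items():
        print(f"line {n}: " + "; ".join(findings))
```

Lines that the checker flags as missing a timestamp or device ID point back to Step 2 (Syslog Settings); a capture that contains only non-security message IDs usually means the access control, Security Intelligence or intrusion logging in Steps 3 to 6 was not deployed to the device yet.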

View and Work with Events

To view and search your events in the cloud:

Procedure


Step 1

Use your browser to go to the regional CDO cloud to which you sent your events:

Step 2

Sign in to CDO.

Step 3

From the navigation bar, select Monitoring > Event Logging.

Step 4

Use the Historical tab to view historical events data. By default, the viewer displays this tab.

Step 5

To view the live events, click the Live tab.

For more information about what you can do on this page, see the CDO online help for instructions on viewing events.


What to do next

If you have a Logging Analytics and Detection or Total Network Analytics and Detection license, see instructions in the CDO online help to cross-launch into the Stealthwatch Cloud portal.

FAQs

Where can I find more information about SAL?

See also the SAL Getting Started and Frequently Asked Questions.

Do I need to onboard my Firepower devices to CDO?

No. Do NOT onboard your devices to CDO.

If I use SecureX or Cisco Threat Response, do I need to merge my CDO account?

No. Do NOT merge your CDO account with the account you use for SecureX and Cisco Threat Response.