Integrating Firepower and Cisco Security Analytics and Logging (SaaS)

If you require additional space to store Firepower events, you can send Firepower events to the Stealthwatch Cloud for storage using Cisco Security Analytics and Logging (SaaS), and optionally make your Firepower event data available for security analytics using Stealthwatch Cloud.

This integration is specifically for Firepower Threat Defense (FTD) devices managed by Firepower Management Center (FMC). This document does not apply to devices that are not running Firepower software, to devices managed by Firepower Device Manager (FDM), or to non-FTD devices managed by FMC.

For more information about Cisco Security Analytics and Logging (SaaS), see https://www.cisco.com/c/en/us/products/security/security-analytics-logging/index.html.

Comparison of Cisco Security Analytics and Logging Remote Event Storage Options

Two similar but distinct options exist for storing event data externally to your Firepower Management Center:

On Premises: You purchase, license, and set up the storage system behind your firewall.

SaaS: You purchase licenses and a data storage plan and send your data to the Cisco cloud.

Supported event types (On Premises):

  • Connection

  • Security Intelligence

  • Intrusion

  • File and Malware

  • LINA

Supported event types (SaaS):

  • Connection

  • Security Intelligence

  • Intrusion

  • File and Malware

Sending methods (On Premises): Supports both syslog and direct integration.

Sending methods (SaaS): Supports both syslog and direct integration. See Comparison of Methods for Sending Events to the Cloud.

Viewing events (On Premises):

  • View all events on the Stealthwatch Management Console.

  • Cross-launch from FMC event viewer to view events on the Stealthwatch Management Console.

  • View remotely stored connection and Security Intelligence events in FMC.

Viewing events (SaaS): View events in CDO or Stealthwatch, depending on your license. Cross-launch from FMC event viewer.

For more information, see links in the Data Storage chapter in the Firepower Management Center Configuration Guide or online help.

Comparison of Methods for Sending Events to the Cloud

Sending via Syslog:

  • Requires Secure Event Connector (SEC).

  • Beneficial for high log emission rates from firewalls, as each SEC can support up to 100,000 events per second.

  • SEC can be set up for CDO or non-CDO-managed devices.

  • Reduces the event processing strain on the firewall, thereby freeing its resources for the firewall function.

  • Centralization is not always possible or desirable, especially for geographically distributed environments.

  • Requires a separate installation.

Sending Directly:

  • Ideal for branch offices, as it supports geographically distributed environments.

  • Requires Smart Licensing.

    Not supported if you are using a Cisco Smart Software Manager On-Prem server (formerly known as Smart Software Satellite Server) or an air-gapped deployment.

  • No separate installation or service is needed.

  • The strain on the firewall resources is relatively higher.

Requirements and Prerequisites for SAL (SaaS) Integration

The following requirements apply to both methods of sending events to SAL (SaaS).

Requirement or Prerequisite Type

Requirement

Firepower

Firepower Management Center managing Firepower Threat Defense devices

To send via syslog: Firepower release 6.4 or later

To send directly: Firepower release 7.0

The required version applies to the FMC and all managed FTD devices.

Your Firepower system must be deployed and successfully generating events.

Regional cloud

Determine which regional cloud you will send events to.

Events cannot be viewed from or moved between different regional clouds.

If you use a direct connection to send events to the cloud for integration with SecureX or Cisco SecureX threat response, you must use the same regional CDO cloud for this integration.

If you send events directly, the regional cloud you specify in FMC must match the region of your CDO tenant.

Data plan

Determine the amount of cloud storage your system will require:

See Calculate Storage Requirements and Purchase a Data Plan.

Licensing

  • Cisco Security Analytics and Logging licenses: Any

    For licensing options and descriptions, see SAL (SaaS) Licenses.

  • CDO licenses: No additional CDO licensing is required.

  • Stealthwatch Cloud licenses: No additional licensing is required.

  • Firepower licenses: No additional Firepower licensing is required.

Accounts

When you purchase a license for this integration, you will be provided with a CDO tenant account to support this functionality.

Supported Firepower event types

Intrusion, connection, Security Intelligence, file, and malware events

User roles

In FMC:

  • Admin

  • Access Admin

  • Network Admin

  • Security Approver

Additional requirements when sending events directly

See Prerequisites for Direct Integration.

Additional prerequisites

See the Before You Begin or Prerequisites section of each procedure.

SAL (SaaS) Licenses

License

Details

Free trial

To get a 30-day free trial license, visit https://info.securexanalytics.com/sal-trial.html.

Logging and Troubleshooting

Store events in the Cisco cloud, and view and filter stored events using the CDO web interface.

(Optional) Logging Analytics and Detection

The system can apply Stealthwatch Cloud dynamic entity modeling to your FTD events, and use behavioral modeling analytics to generate Stealthwatch Cloud observations and alerts. You can cross-launch from CDO to a Stealthwatch Cloud portal provisioned for you, using Cisco Single Sign-On.

When you purchase a license for SAL, you will be provided access to a CDO tenant for log viewing and a SWC instance for threat detections. Users of SAL do not need a separate CDO or SWC license to access these two portals for the outcomes that SAL provides.

(Optional) Total Network Analytics and Detection

The system applies dynamic entity modeling to both your FTD events and your network traffic, and generates observations and alerts. You can cross-launch from CDO to a Stealthwatch Cloud portal provisioned for you, using Cisco Single Sign-On.

When you purchase a license for SAL, you will be provided access to a CDO tenant for log viewing and a SWC instance for threat detections. Users of SAL do not need a separate CDO or SWC license to access these two portals for the outcomes that SAL provides.

For details about SAL (SaaS) licensing options, see the Cisco Security Analytics and Logging Ordering Guide at https://www.cisco.com/c/en/us/products/collateral/security/security-analytics-logging/guide-c07-742707.html.

SAL (SaaS) licenses provide the right to use a Cisco Defense Orchestrator tenant to view firewall logs and a Stealthwatch Cloud (SWC) instance for analytics, without holding separate licenses for either of these products.

To purchase SAL (SaaS) licenses, contact your authorized Cisco sales representative, or see the ordering guide (link above) and look for PIDs starting with SAL-SUB.

Additional information about this product is here: https://apps.cisco.com/Commerce/guest.

Calculate Storage Requirements and Purchase a Data Plan

You need to buy a data plan that reflects the number of events the Cisco cloud receives from your FTDs on a daily basis. This is called your "daily ingest rate."

To estimate your data storage requirements:

Data plans are available in various daily volumes, and in various yearly terms. See the Cisco Security Analytics and Logging Ordering Guide at https://www.cisco.com/c/en/us/products/collateral/security/security-analytics-logging/guide-c07-742707.html for information about data plans.


Note

If you have a SAL (SaaS) license and data plan, then obtain a different license at a later date, that alone does not require you to obtain a different data plan. If your network traffic throughput changes and you obtain a different data plan, that alone does not require you to obtain a different SAL (SaaS) license.


How to Set Up Event Data Storage in SAL (SaaS) Using Syslog

Do This

More Information

Step

Review requirements and prerequisites

See Requirements and Prerequisites for SAL (SaaS) Integration

Step

Obtain required licenses, accounts, and a data storage plan

Contact your authorized Cisco sales representative.

Step

Set up CDO access using multi-factor authentication

See instructions in the CDO online help for Signing in to CDO.


Step

Set up an on-premises Secure Device Connector (SDC) on a VMware virtual machine

This component is required solely to enable installation of the SEC, which is the component to which your Firepower devices will send events.

Use one of the following, as described in the CDO online help:

Important! Don't skip the procedure prerequisites. However, ignore any information about onboarding, which does not apply to this integration.

Step

Install the Secure Event Connector (SEC) on the SDC virtual machine you just created.

This is the component to which your Firepower devices will send events.

See the CDO online help for instructions to Install the Secure Event Connector.

Important! Don't skip the procedure prerequisites. However, ignore any information about onboarding, which does not apply to this integration.

Step

Configure your FMC to have managed devices send syslog events to the SEC.

Send Security Event Syslog Messages from FTD Devices

Step

Verify that your events are being sent successfully

See View and Work with Events.

Step

(Optional) If you are sending connection events to the cloud and you don't want to store them on the FMC, disable that storage on the FMC.

In the FMC online help, see information about connection events in the Database Event Limits topics.

Step

(Optional) Configure cross-launches from FMC to CDO so you can easily pivot from events displayed in FMC to related events in the cloud.

See the online help in FMC.

Step

(Optional) Configure general settings in CDO

For example, you can make your data unavailable to Cisco support staff.

In the CDO online help, see General Settings.

Step

(Optional) Create CDO user accounts for colleagues to view and work with your events.

In the CDO online help, see Create a New CDO User.

Overview of Sending Firepower Events to SAL (SaaS) Using Syslog

The FMC-managed devices generate events.

The FTD devices send supported events as syslog messages to a Secure Event Connector (SEC) installed on a virtual machine on your network.

The SEC forwards the events to Security Services Exchange (SSE), a secure intermediary cloud service that handles cloud-to-cloud and premises-to-cloud identification, authentication, and data storage for use in Cisco cloud security products.

The SSE forwards the events to the Cisco Security Analytics and Logging (SAL) Cloud Data Store.

The CDO Event Viewer queries SAL Cloud Data Store for events and provides the SOC analyst with additional context.

(Only with Analytics License) Cisco Secure Cloud Analytics (formerly SWC) receives the events from the SAL Cloud Data Store and provides the SOC analyst access to the analytics features of the product.


Note

Most features in the CDO portal are not applicable to this integration. For example, CDO does not manage your devices, so your devices are not onboarded to CDO.


Send Security Event Syslog Messages from FTD Devices

This procedure documents the best practice configuration for sending syslog messages for security events (connection, Security Intelligence, intrusion, file, and malware events) from FTD devices managed by Firepower Management Center.


Note

Many FTD syslog settings are not applicable to security events. Configure only the options described in this procedure.


Before you begin

  • In Firepower Management Center, configure policies to generate security events and verify that the events you expect to see appear in the applicable tables under the Analysis menu.

  • Gather the syslog server IP address, port, and protocol (UDP or TCP):

    Sign in to CDO. Then, from the user menu at the top right side of the CDO browser window, select Secure Connectors. Click Secure Event Connector and you will see the required information at the right side.

  • Ensure that your devices can reach the syslog server(s).

  • See additional information in the "Connection Logging" chapter in the FMC online help.

Procedure


Step 1

Sign in to your Firepower Management Center web interface.

Step 2

Configure syslog settings for your FTD device:

  1. Click Devices > Platform Settings.

  2. Edit the platform settings policy associated with your FTD device.

  3. In the left navigation pane, click Syslog.

  4. Click Syslog Servers and click Add to enter server, protocol, interface, and related information.

    Use the IP address, port, and protocol that you gathered from CDO above.

    EMBLEM format and secure syslog are not supported for this integration.

    If you have questions about options on this page, see the "Configure a Syslog Server" topic in the FMC online help.

  5. Click Syslog Settings and configure the following settings:

    • Enable Timestamp on Syslog Messages

    • Timestamp Format

    • Enable Syslog Device ID

  6. Click Logging Setup.

  7. Make sure Send syslogs in EMBLEM format is NOT selected.

  8. Save your settings.

Step 3

Configure general logging settings for the access control policy (including file and malware logging):

  1. Click Policies > Access Control.

  2. Edit the applicable access control policy.

  3. Click Logging.

  4. Select FTD 6.3 and later: Use the syslog settings configured in the FTD Platform Settings policy deployed on the device.

  5. (Optional) Select a Syslog Severity.

  6. If you will send file and malware events, select Send Syslog messages for File and Malware events.

  7. Click Save.

Step 4

Enable logging for Security Intelligence events for the access control policy:

  1. In the same access control policy, click the Security Intelligence tab.

  2. In each of the following locations, click Logging (logging icon) and enable beginning and end of connections and Syslog Server:

    • Beside DNS Policy.

    • In the Block List box, for Networks and for URLs.

  3. Click Save.

Step 5

Enable syslog logging for each rule in the access control policy:

  1. In the same access control policy, click the Rules tab.

  2. Click a rule to edit.

  3. Click the Logging tab in the rule.

  4. Enable both beginning and end of connections.

  5. If you will log file events, select Log Files.

  6. Enable Syslog Server.

  7. Verify that the rule is "Using default syslog configuration in Access Control Logging."

    Do NOT configure overrides.

  8. Click Add.

  9. Repeat for each rule in the policy.

Step 6

If you will send intrusion events:

  1. Navigate to the intrusion policy associated with your access control policy.

  2. In your intrusion policy, click Advanced Settings > Syslog Alerting > Enabled.

    Verify that the policy is using the default settings configured for access control logging.

  3. Click Back.

  4. Click Policy Information in the left navigation pane.

  5. Click Commit Changes.


What to do next

  • If you are done making changes, deploy your changes to managed devices.
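As an added check for the "Verify that your events are being sent successfully" step (example code, not Cisco's): a Python script that audits FTD security-event syslog lines as they would arrive at the SEC and flags lines that contradict the settings configured above (timestamp and device ID enabled, EMBLEM off, both beginning and end of connections logged). The %FTD-x-43000x message IDs and the non-EMBLEM line layout are assumptions taken from the FTD syslog message reference rather than from this page, and the sample lines are constructed.

```python
"""Audit FTD security-event syslog lines against the settings this procedure
requires: timestamp and device ID on, EMBLEM off, both beginning and end of
connection logged. Added example; not Cisco code."""
import re
from collections import Counter

# Assumption: security-event message IDs per Cisco's FTD syslog message
# reference (this guide does not reproduce them).
SECURITY_EVENT_IDS = {
    "430001": "intrusion",
    "430002": "connection-start",
    "430003": "connection-end",
    "430004": "file",
    "430005": "malware",
}

# Assumed non-EMBLEM layout:
#   [<PRI>] Mon DD YYYY HH:MM:SS [device-id :] %FTD-<sev>-<msgid>: key: value, ...
LINE_RE = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+)?"
    r"(?:(?P<devid>(?!%FTD-)\S+)\s+(?::\s+)?)?"
    r"%FTD-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$"
)
FIELD_RE = re.compile(r"(\w+): ([^,]*)")

# Constructed sample lines, as a branch FTD might emit them toward the SEC.
SAMPLE_LINES = [
    "<161>Jun 09 2021 10:18:52 fw-branch-1 : %FTD-1-430002: EventPriority: Low, DeviceUUID: a1b2, InstanceID: 1, ConnectionID: 5001, AccessControlRuleAction: Allow, SrcIP: 10.1.1.5, DstIP: 203.0.113.9, SrcPort: 51000, DstPort: 443, Protocol: tcp",
    "<161>Jun 09 2021 10:18:53 fw-branch-1 : %FTD-1-430003: EventPriority: Low, DeviceUUID: a1b2, InstanceID: 1, ConnectionID: 5001, AccessControlRuleAction: Allow, InitiatorPackets: 12, ResponderPackets: 10",
    "<161>Jun 09 2021 10:19:01 fw-branch-1 : %FTD-1-430002: EventPriority: High, DeviceUUID: a1b2, InstanceID: 1, ConnectionID: 5002, AccessControlRuleAction: Block, SrcIP: 10.1.1.7, DstIP: 198.51.100.4",
    "<161>Jun 09 2021 10:19:05 fw-branch-1 : %FTD-1-430001: EventPriority: High, DeviceUUID: a1b2, InstanceID: 1, ConnectionID: 5002, Classification: Attempted User Privilege Gain, Priority: 1",
    "<166>Jun 09 2021 10:19:06 fw-branch-1 : %FTD-6-302013: Built outbound TCP connection 77 for outside:198.51.100.4/443",
    "%FTD-1-430004: EventPriority: Low, DeviceUUID: a1b2, InstanceID: 1, ConnectionID: 5003, FileName: report.pdf, FileAction: Detect",
]


def parse_line(line):
    """Return a dict for one FTD syslog line, or None if it is not an FTD message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "timestamp": m.group("ts"),
        "device_id": m.group("devid"),
        "severity": int(m.group("sev")),
        "msg_id": m.group("msgid"),
        "event_type": SECURITY_EVENT_IDS.get(m.group("msgid")),
        # Security-event bodies are "Key: value, Key: value, ..." pairs.
        "fields": dict(FIELD_RE.findall(m.group("body"))),
    }


def audit(lines):
    """Count security events by type and list lines that violate the required settings."""
    counts = Counter()
    issues = []
    starts, ends = set(), set()
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        if ev is None:
            issues.append(f"line {n}: not a plain FTD syslog message (EMBLEM or foreign format?)")
            continue
        if ev["event_type"] is None:
            issues.append(f"line {n}: %FTD-{ev['severity']}-{ev['msg_id']} is not a security event; "
                          "other syslog output is outside this integration")
            continue
        if ev["timestamp"] is None:
            issues.append(f"line {n}: missing timestamp (enable Timestamp on Syslog Messages)")
        if ev["device_id"] is None:
            issues.append(f"line {n}: missing device ID (enable Syslog Device ID)")
        counts[ev["event_type"]] += 1
        conn = ev["fields"].get("ConnectionID")
        if conn:
            key = (ev["fields"].get("DeviceUUID"), ev["fields"].get("InstanceID"), conn)
            if ev["event_type"] == "connection-start":
                starts.add(key)
            elif ev["event_type"] == "connection-end":
                ends.add(key)
    # A start without a matching end means end-of-connection logging is off
    # for some rule (or the connection is still open in a live capture).
    for dev, inst, conn in sorted(starts - ends):
        issues.append(f"device {dev} instance {inst} connection {conn}: "
                      "start logged but no end (enable end-of-connection logging)")
    return {"counts": dict(counts), "issues": issues}


if __name__ == "__main__":
    result = audit(SAMPLE_LINES)
    print("event counts:", result["counts"])
    for issue in result["issues"]:
        print("issue:", issue)
```

Feed it a capture from the SEC host (for example a few thousand lines from the syslog port) rather than the constructed sample; a stream of connection starts with no ends, or of messages outside the 43000x range, points at a rule override or a platform setting that this procedure told you not to change.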

How to Set Up Event Data Storage in SAL (SaaS) Using a Direct Connection

This section describes how to set up event data storage in SAL (SaaS) using a direct connection.

How Does It Work

The following diagram shows how the direct integration works.

The FMC-managed devices generate events.

The FTD devices send supported events to Security Services Exchange (SSE), a secure intermediary cloud service that handles cloud-to-cloud and premises-to-cloud identification, authentication, and data storage for use in Cisco cloud security products.

The SSE forwards the events to the Cisco Security Analytics and Logging (SAL) Cloud Data Store.

The CDO Event Viewer queries SAL Cloud Data Store for events and provides the SOC analyst with additional context.

(Only with Analytics License) Cisco Secure Cloud Analytics (formerly SWC) receives the events from the SAL Cloud Data Store and provides the SOC analyst access to the analytics features of the product.

Key Components of This Integration

Component

Description

Firepower Threat Defense (FTD)

A next generation firewall with capabilities such as protection from malware and application-layer attacks, integrated intrusion prevention, and cloud-delivered threat intelligence.

Firepower Management Center (FMC)

An administrative nerve center for select Cisco security products running on multiple platforms. It provides unified management of Cisco Secure Firewalls with Firewall Threat Defense (FTD) software for port and protocol control, application control, IPS, URL filtering, and malware protection functions.

Security Services Exchange (SSE)

A secure intermediary cloud service that handles cloud-to-cloud and premises-to-cloud identification, authentication, and data storage for use in Cisco cloud security products.

Cisco Defense Orchestrator (CDO)

A cloud-based multidevice manager you can use to manage security policy changes across various security products. This platform enables the efficient management of policies in branch offices and other highly distributed environments to achieve a consistent security implementation.

Cisco Secure Cloud Analytics (formerly Stealthwatch Cloud)

A cloud platform that applies dynamic entity modeling to FTD events, generating detections based on this information. This provides a deeper analysis of telemetry gathered from your network, allowing you to identify trends and examine anomalous behavior in your network traffic.

SecureX

A simplified platform experience, connecting Cisco's integrated security portfolio with your existing infrastructure. It helps you unify visibility, enable automation, and strengthen security across your network, endpoints, cloud, and applications.

Cisco SecureX threat response

A cloud platform that helps you detect, investigate, analyze, and respond to threats using data aggregated from multiple products and sources.

Prerequisites for Direct Integration

Prerequisite Type

Requirement

General requirements for sending events to SAL (SaaS)

In addition to the requirements in this table, you must satisfy the items in Requirements and Prerequisites for SAL (SaaS) Integration and subtopics.

Licensing

Register your FMC with the Cisco Smart Software Manager.

In the FMC web interface, click System () > Smart Licenses, and verify that:

  • The Usage Authorization status is Authorized.

  • The Product Registration status is Registered.

Keep in mind that:

  • This integration is not supported under a Firepower evaluation license.

  • Your environment cannot be using a Cisco Smart Software Manager On-Prem server (formerly known as Smart Software Satellite Server) or be deployed in an air-gapped environment.

Account

  • You must have administrator privileges for the Cisco Smart Account from which your Firepower products are licensed.

    To determine your Smart Account user role:

    1. Go to https://software.cisco.com.

    2. Click Manage Smart Account.

    3. Select a Smart Account in the top-right area (above the Help link) of the page.

    4. Click the Users tab.

    5. Search for your User ID.

  • Your Firepower account must have one of the following user roles:

    • Admin

    • Access Admin

    • Network Admin

    • Security Approver

    To determine your Firepower user role, click System () > Users in the FMC web interface.

  • Your CDO account must have one of the following user roles:

    • Admin

    • Super Admin

  • Your SecureX account must have one of the following user roles:

    • Admin

Connectivity

The FMC and managed devices must be able to connect outbound on port 443 to the Cisco cloud at the following addresses:

Set Up Event Data Storage in SAL (SaaS) Using a Direct Connection

Perform the following tasks to set up event data storage in SAL (SaaS) using a direct integration.

Workspace: Task

Firepower Management Center: Configure the Firepower Management Center to Send Events to Security Services Exchange

SecureX: Launch Security Services Exchange

Security Services Exchange: Link Smart or Virtual Accounts on Security Services Exchange

Security Services Exchange: Link CDO Accounts on Security Services Exchange

Security Services Exchange: Configure Cloud Services on Security Services Exchange

Cisco Defense Orchestrator: View and Work with Events

Cisco Defense Orchestrator: View and Work with Events in Cisco Secure Cloud Analytics (cross-launch into Secure Cloud Analytics)

Cisco Secure Cloud Analytics: View and Work with Events in Cisco Secure Cloud Analytics

Configure the Firepower Management Center to Send Events to Security Services Exchange

Configure your FMC to have the managed FTD devices send events directly to SSE.

Before you begin

In the FMC web interface, do the following:

  • Click System () > Configuration, and assign your FMC a unique name so it is clearly identified in the Devices list in the cloud.

  • Add your FTD devices to the FMC, assign licenses to them, and ensure that the system is working correctly. (That is, you have created the necessary policies, and events are being generated and display as expected in the FMC web interface under the Analysis tab.)

Procedure

Step 1

In the FMC web interface, click System () > Integration.

Step 2

In the Cisco Cloud Region widget, from the Region drop-down list, choose a regional cloud, and click Save.

Before choosing a regional cloud, consider these important points:
  • When possible, use the regional cloud nearest to your Firepower deployment.

  • Data in different clouds cannot be aggregated or merged.

  • If you need to aggregate data from multiple regions, devices in all regions must send data to the same regional cloud.

  • You can create an account on each regional cloud. Data on each cloud will be separate.

Note 

If the FMC is already registered to the selected regional cloud, the Save button will be inactive.

The region that you select in this step is also used for the Cisco Support Diagnostics and Cisco Support Network features, if applicable and enabled. For more information about these features, see the online help for your Firepower product.

Step 3

In the Cisco Cloud Event Configuration widget, configure the FMC to send events to SSE.

  1. Click the Cisco Cloud Event Configuration slider () to enable the configuration.

  2. Enable or disable the types of events to send to SSE.

    Starting in Firepower release 7.0, events you send to the cloud can be used for multiple integrations:

    Cisco Security Analytics and Logging (SaaS) (starting in Firepower version 7.0)

      Supported event options: All

      Notes: High priority connection events include:

        • Security Intelligence connection events

        • Connection events related to file and malware events

        • Connection events related to intrusion events

    Cisco SecureX and Cisco SecureX threat response

      Supported event options, depending on your Firepower version:

        • Some connection events*

        • Intrusion

        • File and malware events

      Notes: * If you send connection events, Cisco SecureX and Cisco SecureX threat response support only Security Intelligence events.

  3. Click Save.

Note 

If you enable connection events, only the Security Intelligence connection events are sent to the Cisco cloud.


What to do next

Launch Security Services Exchange

Launch Security Services Exchange

Procedure

Step 1

Go to https://sign-on.security.cisco.com.

Step 2

Sign in using your SecureX Sign-On account.

Step 3

If prompted, authenticate using Duo Security.

Step 4

Choose your region to launch SecureX.

Step 5

From the Applications & Integrations pane, click Launch under Applications > Security Services Exchange.

The Security Services Exchange portal opens in a new tab.


What to do next

Link Smart or Virtual Accounts on Security Services Exchange

Link Smart or Virtual Accounts on Security Services Exchange

To integrate products registered under different licensing Smart Accounts (or Virtual Accounts) into a single view in the cloud, you must link those licensing accounts to the account that you use to access SSE.

Before you begin
  • To link licensing accounts, you must have administrator-level Smart Account or Virtual Account privileges for all of the licensing accounts (from which your Firepower products are licensed) and for the account you use to access SecureX/SSE.

  • If you have linked accounts already for use with Cisco SecureX threat response, you do not need to link them again for SAL (SaaS) and conversely.

  • You will need your Cisco.com credentials to complete this procedure.

Procedure

Step 1

Launch Security Services Exchange.

Step 2

In the top-right corner, click the Tools () button, and choose Link Smart/Virtual Accounts.

Step 3

Click Link more accounts.

Step 4

If prompted, sign in using your Cisco.com credentials.

Step 5

Select the accounts to integrate with this cloud account.

Step 6

Click Link Smart/Virtual Accounts.

Step 7

Click OK to continue.

Step 8

Verify that your FMC and its managed devices appear under the Devices tab.


What to do next

Link CDO Accounts on Security Services Exchange

Link CDO Accounts on Security Services Exchange

You must merge your CDO account with the account that is associated with the device in SSE.

Keep in mind that:

  • Only one CDO tenant can be merged with one SecureX/Cisco SecureX threat response account.

  • If you have accounts on more than one regional cloud, you must merge accounts separately for each regional cloud.

  • If you merge accounts for a SecureX cloud, you do not need to do it again for Cisco SecureX threat response on the same cloud, and conversely.

Before you begin
  • Ensure that your CDO user account has admin or super admin privileges.

  • Ensure that the SecureX or Cisco SecureX threat response account that you use to access SSE has admin privileges.

  • In CDO, generate a new API token for your account:

    1. Sign in to the appropriate regional CDO portal using the credentials for the account to be merged. For example, the US cloud is https://defenseorchestrator.com and the EU cloud is https://defenseorchestrator.eu.

    2. Choose the tenant account to merge.

    3. From the user menu in the top-right corner of the window, select Settings.

    4. In the My Tokens section, click Generate API Token or Refresh.

    5. Copy the token.

      For more information about API tokens, see the online help in CDO at https://docs.defenseorchestrator.com/Configuration_Guides/Devices_and_Services/API_Tokens.

Procedure

Step 1

Launch Security Services Exchange.

Step 2

In the top-right corner, click the Tools () button, and choose Link CDO Account.

Step 3

Paste the token that you copied from CDO.

Step 4

Verify that you are linking the accounts that you intended to link, and click Link CDO Account.


What to do next

Configure Cloud Services on Security Services Exchange

View and Work with Events

To view and search your events in the cloud:

Procedure


Step 1

Use your browser to go to the regional CDO cloud to which you sent your events:

Step 2

Sign in to CDO.

Step 3

From the navigation bar, select Monitoring > Event Logging.

Step 4

Use the Historical tab to view historical events data. By default, the viewer displays this tab.

Step 5

To view the live events, click the Live tab.

For more information about what you can do on this page, see the CDO online help for instructions on viewing events.


What to do next

If you have a Logging Analytics and Detection or Total Network Analytics and Detection license, see instructions in the CDO online help to cross-launch into the Stealthwatch Cloud portal.

View and Work with Events in Cisco Secure Cloud Analytics

To view and search your events in Cisco Secure Cloud Analytics:

Procedure


Step 1

Sign in to the appropriate regional CDO site using the credentials for the account to be merged. For example, the US cloud is https://defenseorchestrator.com and the EU cloud is https://defenseorchestrator.eu.

Step 2

From the navigation bar, click Monitoring > Security Analytics.

The Stealthwatch Cloud portal opens in a new browser tab.

Step 3

(One-time Activity) To ensure a seamless flow of events, before using the Event Viewer, do the following in the Stealthwatch Cloud portal:

  1. Verify whether Secure Cloud Analytics is integrated with the correct CDO tenant. To view the CDO tenant, click Settings > Sensors.

  2. Add the subnets that you want to monitor to Secure Cloud Analytics. To add subnets, click Settings > Subnets.

For more information, see the Secure Cloud Analytics online help.

Step 4

To view events, click Investigate > Event Viewer.

For more information, see the Secure Cloud Analytics online help.