Cisco Cloud Event Settings
Sending firewall events to the cloud allows you to use external tools to investigate firewall incidents. The devices send firewall events to the Security Services Exchange (SSE), from where they can be forwarded to various cloud services to unify visibility and enhance your threat investigations.
To allow your devices to send firewall events to Cisco Security Cloud, you must either register the Firewall Management Center with the smart license (System ()) or enable SecureX integration. Cisco Security Cloud integration associates the Firewall Management Center with your Security Cloud Control account and brings your secure firewall deployment onboard to the Cisco cloud tenancy, allowing it to connect to Cisco's integrated security cloud services.
For more information about integrating the Firewall Management Center with Cisco Security Cloud, see Enable SecureX Integration.
Security Services Exchange Event Consolidation
The Security Services Exchange does not display the complete list of events from the Firewall Management Center. Instead, it correlates and consolidates events, presenting only unique events. This approach reduces redundancy of events and enhances clarity. The current categorization parameters used for this consolidation are detailed as follows:
- For identifying duplication of intrusion events, the following elements are considered: Initiator IP, Initiator IP, SID, and GID.
- For identifying duplication of connection events and security-related connection events, the following elements are considered: Initiator IP, Initiator IP, and Security Intelligence Category.
- For identifying duplication of file and malware events, all elements except Event Second are considered.
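The consolidation rules listed above, as an added Python sketch that is not Cisco's code or the Security Services Exchange implementation: it groups constructed sample events by the fields the list names, so you can estimate how many unique events to expect in the cloud compared with the Firewall Management Center. The dictionary key names and sample values are assumptions made for the example.

```python
from collections import Counter

# Key fields per event type, taken from the consolidation list above.
# The page names "Initiator IP" twice for two of the types; it is used once here.
# Dictionary key names (initiator_ip, sid, ...) are assumed for this sketch.
KEY_FIELDS = {
    "intrusion": ("initiator_ip", "sid", "gid"),
    "connection": ("initiator_ip", "si_category"),
}
# File and malware events: every field except Event Second.
EXCLUDE_FIELDS = {"file": {"event_second"}, "malware": {"event_second"}}


def consolidation_key(event):
    """Return the tuple that identifies an event as a duplicate of another."""
    etype = event["type"]
    if etype in KEY_FIELDS:
        return (etype,) + tuple(event.get(f) for f in KEY_FIELDS[etype])
    skip = EXCLUDE_FIELDS.get(etype, set()) | {"type"}
    rest = tuple(sorted((k, v) for k, v in event.items() if k not in skip))
    return (etype,) + rest


def consolidate(events):
    """Keep the first event per key and count how many events each key absorbed."""
    unique, counts = {}, Counter()
    for ev in events:
        key = consolidation_key(ev)
        unique.setdefault(key, ev)
        counts[key] += 1
    return list(unique.values()), counts


# Constructed sample events (not real telemetry).
SAMPLE = [
    {"type": "intrusion", "initiator_ip": "10.0.0.5", "sid": 1000001, "gid": 1, "event_second": 100},
    {"type": "intrusion", "initiator_ip": "10.0.0.5", "sid": 1000001, "gid": 1, "event_second": 160},
    {"type": "intrusion", "initiator_ip": "10.0.0.5", "sid": 1000002, "gid": 1, "event_second": 161},
    {"type": "connection", "initiator_ip": "10.0.0.9", "si_category": "Malware", "event_second": 200},
    {"type": "connection", "initiator_ip": "10.0.0.9", "si_category": "Malware", "event_second": 230},
    {"type": "malware", "initiator_ip": "10.0.0.7", "sha256": "constructed-placeholder", "event_second": 300},
    {"type": "malware", "initiator_ip": "10.0.0.7", "sha256": "constructed-placeholder", "event_second": 301},
]

if __name__ == "__main__":
    unique, counts = consolidate(SAMPLE)
    print(f"{len(SAMPLE)} events sent, {len(unique)} expected after consolidation")
```

Running the same grouping over an export of Firewall Management Center events gives a baseline for reconciling event counts between the two consoles.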
Enable Sending Events to the Cisco Security Cloud
Configure your Firewall Management Center to enable the managed Firewall Threat Defense devices to send events directly to Cisco Security Cloud. The cloud region and event types that you configure in the SecureX Integration page can be used for multiple integrations when applicable and enabled.
Before you begin
- Ensure that you register the management center with Smart License (System ()) or enable Cisco Security Cloud integration to allow your devices to send firewall events to Cisco cloud.
- In the Firewall Management Center:
  - Go to the System () page and give your Firewall Management Center a unique name to clearly identify it in the Devices list in the cloud.
  - Add your Firewall Threat Defense devices to the Firewall Management Center, assign licenses to them, and ensure that the system is working correctly. Ensure that you have created the necessary policies and that the generated events are displayed as expected in the Firewall Management Center UI under the Analysis menu.
- Ensure that you have your Security Cloud Sign-On credentials and can sign in to the regional cloud in which your account was created.
  For more information on regional cloud URLs and supported device versions, see Regional Clouds.
- If you are currently sending events to the cloud using syslog, disable it to avoid duplication.
Procedure
Step 1: Determine the regional cloud that you want to use for sending firewall events. For more information about choosing a regional cloud, refer to Cisco Secure Firewall Threat Defense and Cisco XDR Integration Guide.
Step 2: In your Firewall Management Center, choose .
Step 3: Choose a regional cloud from the Current Region drop-down list.
Step 4: Check the Send events to the cloud check box to enable the cloud event configuration.
Step 5: Select the event types that you want to send to the cloud.
Step 6: Click Save.
Analyze Events Using Cisco XDR
Cisco Extended Detection and Response (Cisco XDR) is a cloud-based solution that unifies visibility by correlating detections across multiple telemetry sources, and enables security teams to detect, prioritize, and respond to the most sophisticated threats. Integrate Firewall Threat Defense with Cisco XDR to connect Cisco's integrated security portfolio and your firewall deployment for a consistent experience that unifies visibility, enables automation, and strengthens your security across the network.
For more information about Cisco XDR, see Cisco XDR Help Center.
Important: To integrate Firewall Threat Defense with Cisco XDR, see the Cisco Secure Firewall Threat Defense and Cisco XDR Integration Guide.
Note: As of July 31, 2024, Cisco SecureX is phased out and no longer available. Cisco SecureX cannot be provisioned for users, and access to Cisco SecureX is not provided alongside Cisco Secure Firewall product purchases. Additionally, all existing Cisco SecureX environments are disabled, and all capabilities are made unavailable. If you are using Firefox, you should remove the Cisco SecureX Ribbon browser extension. For more information, see the Frequently Asked Questions.