Cisco Security Analytics and Logging
Cisco Security Analytics and Logging (SAL) allows you to capture connection, intrusion, file, malware, and Security Intelligence events from all of your Firepower Threat Defense (FTD) devices, along with syslog and NetFlow Secure Event Logging (NSEL) events from your ASA devices, and view them in one place in Cisco Defense Orchestrator (CDO). The events are stored in the Cisco cloud and are viewable on the Event Logging page in CDO, where you can filter and review them to understand which security rules are triggering in your network.
With additional licensing, once these events are captured you can cross-launch from CDO into a Stealthwatch Cloud portal provisioned for you. Stealthwatch Cloud is a software as a service (SaaS) solution that tracks the state of your network by performing behavioral analysis on events and network flow data. From sources including firewall events and flow data, it builds observations about your traffic and automatically assigns roles to network entities based on their traffic patterns. Combining this information with other sources of threat intelligence, such as Talos, Stealthwatch Cloud generates alerts, each of which warns of behavior that may be malicious. Alongside the alerts, Stealthwatch Cloud provides network and host visibility and the contextual information it has gathered, giving you a better basis for researching an alert and locating the source of the malicious behavior.
Terminology Note: In this documentation, when Cisco Security Analytics and Logging is used with the Stealthwatch Cloud portal (a software as a service product), the integration is referred to as Cisco Security Analytics and Logging (SaaS) or SAL (SaaS).
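The event families listed above reach CDO as FTD syslog messages, one "Key: Value" record per line. As an added example (not Cisco code and not part of this page), the following Python parses a few constructed FTD syslog lines, maps each message ID to the SAL event family, and applies the kind of event-type and field filter you would use on the Event Logging page. The message-ID mapping (430001 through 430005) and the field names such as SrcIP, SHA_Disposition and IPReputationSICategory are assumptions based on the FTD syslog message guide; verify them against your own release before relying on them.

```python
"""Classify and filter FTD syslog events the way the CDO Event Logging page does.

Added example, not Cisco code. The sample syslog lines are constructed, and the
field names and message-ID mapping are assumptions based on the FTD syslog
message guide; verify them against your own FTD release.
"""
import re
from collections import Counter

# FTD unified syslog message IDs for the event families SAL collects
# (assumption: confirm against your release's syslog message guide).
MSG_ID_TO_TYPE = {
    "430001": "intrusion",
    "430002": "connection",  # connection start
    "430003": "connection",  # connection end
    "430004": "file",
    "430005": "malware",
}

# Matches "%FTD-<severity>-<msgid>: <body>" wherever it sits in the line, so a
# leading <PRI> value, timestamp and hostname are tolerated.
HEADER_RE = re.compile(r"%FTD-(?P<severity>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$")

# Constructed sample: one plain connection, one connection that hit a Security
# Intelligence list, one intrusion, one malware and one clean file event, plus
# an unrelated line that must be ignored.
SAMPLE_SYSLOG = """\
<113>Apr 12 10:15:01 ftd-edge-1 %FTD-6-430002: DeviceUUID: 0a1b2c3d, AccessControlRuleAction: Allow, SrcIP: 10.20.1.15, DstIP: 198.51.100.7, SrcPort: 51422, DstPort: 443, Protocol: tcp, AccessControlRuleName: Allow-Web, Prefilter Policy: Default Prefilter Policy
<113>Apr 12 10:15:03 ftd-edge-1 %FTD-6-430003: DeviceUUID: 0a1b2c3d, AccessControlRuleAction: Block, SrcIP: 10.20.1.22, DstIP: 203.0.113.9, SrcPort: 40110, DstPort: 80, Protocol: tcp, IPReputationSICategory: Malware, AccessControlRuleName: Default Action
<105>Apr 12 10:15:04 ftd-edge-1 %FTD-1-430001: EventPriority: High, SrcIP: 192.0.2.44, DstIP: 10.20.1.15, Protocol: tcp, Classification: A Network Trojan was Detected, IntrusionPolicy: Balanced Security and Connectivity, InlineResult: Blocked
<110>Apr 12 10:15:09 ftd-edge-1 %FTD-1-430005: SrcIP: 10.20.1.15, DstIP: 198.51.100.7, FileName: invoice.exe, SHA_Disposition: Malware, FileAction: Malware Block, ThreatName: W32.Auto.Generic
<110>Apr 12 10:15:11 ftd-edge-1 %FTD-1-430004: SrcIP: 10.20.1.15, DstIP: 198.51.100.7, FileName: report.pdf, SHA_Disposition: Clean, FileAction: Detect
Apr 12 10:15:12 ftd-edge-1 some unrelated daemon message
"""


def parse_ftd_event(line):
    """Parse one syslog line into {"event_type", "msgid", "severity", "fields"}.

    Returns None for lines that are not FTD event messages. The body is a
    comma-separated "Key: Value" list; values that themselves contain ", " are
    not handled, which is fine for the event fields shown here.
    """
    m = HEADER_RE.search(line)
    if not m:
        return None
    fields = {}
    for part in m.group("body").split(", "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    event_type = MSG_ID_TO_TYPE.get(m.group("msgid"), "other")
    # A connection event that matched a Security Intelligence list carries a
    # populated *SICategory field (assumption about FTD field naming); SAL
    # presents those as Security Intelligence events.
    if event_type == "connection" and any(
        key.endswith("SICategory") and value not in ("", "None")
        for key, value in fields.items()
    ):
        event_type = "security_intelligence"
    return {
        "event_type": event_type,
        "msgid": m.group("msgid"),
        "severity": int(m.group("severity")),
        "fields": fields,
    }


def parse_events(lines):
    """Parse all lines, dropping anything that is not an FTD event."""
    return [ev for ev in map(parse_ftd_event, lines) if ev is not None]


def summarize_by_type(lines):
    """Count events per SAL event family, e.g. {"connection": 1, "intrusion": 1, ...}."""
    return dict(Counter(ev["event_type"] for ev in parse_events(lines)))


def filter_events(lines, event_type=None, fields=None):
    """Mimic an Event Logging page filter: keep events whose type and field values match."""
    wanted = fields or {}
    return [
        ev for ev in parse_events(lines)
        if (event_type is None or ev["event_type"] == event_type)
        and all(ev["fields"].get(k) == v for k, v in wanted.items())
    ]


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    print(summarize_by_type(lines))
    # Everything the suspicious host 10.20.1.15 did as the connection initiator:
    for ev in filter_events(lines, fields={"SrcIP": "10.20.1.15"}):
        print(ev["msgid"], ev["event_type"], ev["fields"].get("FileName") or ev["fields"].get("DstPort"))
```

Pivoting on a single host the way the `__main__` block does (connection, then malware and file events from the same source) is the typical Event Logging workflow: the intrusion event names 10.20.1.15 as a destination, so filtering on SrcIP alone would miss it, which is why the page's filters should be applied to both initiator and responder fields when investigating a host.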
Related Articles
- Cisco Security Analytics and Logging (SaaS) for ASA Devices
- Cisco Security Analytics and Logging (SaaS) for FTD Devices
- Installing Secure Event Connectors
- Install a Secure Event Connector on an On-Premises SDC Virtual Machine
- Installing SECs, Using CDO Images, on Tenants with Cloud SDCs
- Installing SECs, Using Your VM Image, on Tenants with Cloud SDCs
- Installing Multiple SECs, Using CDO Images, on Tenants with On-Premises SDCs
- Install Multiple SECs Using Your VM Image
- Additional Configuration for SDCs and CDO Connectors Installed on Your VM Image
- Deprovisioning Cisco Security Analytics and Logging (SaaS)
- Remove the Secure Event Connector
- Request a Stealthwatch Cloud Portal
- Monitoring Stealthwatch Cloud Alerts Generated from Firewall Events
- Viewing Live and Historical Events in CDO
- Security Analytics and Logging Event Storage
- Finding Your Device's TCP, UDP, and NSEL Port Used for Cisco Security Analytics (SaaS) and Logging
- Troubleshooting Secure Event Connector
- Troubleshooting Network Problems Using Security and Analytics Logging Events