Implementing Cisco Security Analytics and Logging (SaaS) for ASA Devices

Before you Begin

• You have reviewed Cisco Security Analytics and Logging for ASA devices to learn about:
  • How events are sent to the Cisco cloud
  • Applications in the solution
  • Licenses you need
  • Data plan you need 
• You have contacted your managed service provider or CDO Sales representative and you have a CDO tenant.  
• Your tenant must have a Secure Device Connector (SDC) installed. It can be a cloud-based SDC installed by CDO support, or an on-premises SDC that you install on a virtual machine and maintain within your enterprise's network.
• If you choose an on-premises SDC, you can use one of these methods to install it: 
  • Use Deploy an On-Premises Secure Device Connector Using CDO's VM Image to install an on-premises SDC using CDO's prepared VM image. This is the preferred and easiest way to deploy an on-premises SDC.
  • Use Deploy an On-Premises Secure Device Connector on your own VM.
• You can install more than one SEC for your tenant and you can send events from any ASA to any SEC onboarded to your tenant. 
• You have established two-factor authentication for users of your account.

Workflow to Implement Cisco Security Analytics and Logging (SaaS) and Sending Events through the Secure Event Connector to the Cisco Cloud

1. Be sure to review "Before you Begin" above to make sure your environment is properly configured.
2. Onboard an ASA Device using username and password.
3. Send ASA Syslog Events to the Cisco Cloud.
4. Configuring NSEL for ASA Devices Using a CDO Macro.
5. Confirm events are visible in CDO. From the navigation bar, select Monitoring > Event Logging. Click the Live tab to view live events. 
6. If you have a Firewall Analytics and Monitoring or Total Network Analytics and Monitoring license, continue with Analyzing Events in Stealthwatch Cloud.

Analyzing Events in Stealthwatch Cloud

If you have a Firewall Analytics and Monitoring or Total Network Analytics and Monitoring license, perform the following in addition to the previous steps:

1. Request a Stealthwatch Cloud Portal.
2. Deploy one or more SWC sensors to your internal network if you purchased a Total Network Analytics and Monitoring license. See Stealthwatch Cloud Sensor Deployment for Total Network Analytics and Reporting.
3. Invite users to create SWC user accounts, tied to their Cisco Single Sign-On credentials. See Monitoring Stealthwatch Cloud Alerts Generated from Firepower Threat Defense Events.
4. Cross-launch from CDO to SWC to monitor the SWC alerts generated from FTD events. See Monitoring Stealthwatch Cloud Alerts Generated from Firepower Threat Defense Events.

Reviewing Stealthwatch Cloud Alerts by Cross-launching from CDO

With a Firewall Analytics and Monitoring or Total Network Analytics and Monitoring license, you can cross-launch from CDO to SWC to review the alerts generated by Stealthwatch Cloud, based on FTD events.

Review these articles for more information:

• Signing in to CDO
• Monitoring Stealthwatch Cloud Alerts Generated from Firepower Threat Defense Events
• Stealthwatch Cloud and Dynamic Entity Modeling
• Working with Alerts Based on Firepower Threat Defense Events

Troubleshooting Secure Event Connector Issues

Use these troubleshooting topics to gather status and logging information about 

• Troubleshooting Secure Event Connector Onboarding Failures
• Event Logging Troubleshooting Log Files
• Use Health Check to Learn the State of your Secure Event Connector

Workflows

Troubleshooting Using Security and Analytics Logging Events describes using the events generated from Cisco Security Analytics and Logging to determine why a user can't access a network resource.

See also Working with Alerts Based on Firepower Threat Defense Events.