Skip to main content

 

 

Cisco Defense Orchestrator

Implementing Cisco Security Analytics and Logging (SaaS) for FTD Devices

Before you Begin

  • Review Cisco Security Analytics and Logging to learn about:
    • How events are sent to the Cisco cloud
    • Applications in the solution
    • Licenses you need
    • Data plan you need 
  • Contact your managed service provider or CDO Sales representative and you have a CDO tenant. 
  • Your tenant may or may not use an Secure Device Connector (SDC) for CDO to connect with your FTDs. Your tenant should have an SDC installed for those FTDs that you onboard with device credentials, it is considered a best practice. If you onboard your FTDs with registration key or serial number you do not need an SDC. 
  • If you have installed an SDC for your tenant, ensure your SDC status is Active and has recorded a recent heartbeat.
  • If you are installing an SDC, you use one of these methods for the installation:
  • You can install more than one SEC for your tenant and you can send events from any FTD to any one SEC onboarded to your tenant. 
  • If you are sending events directly to the Cisco cloud from the FTD, you have opened up outbound access on port 443 on the management interface. 
  • You have established two-factor authentication for users of your account.

Setup Scenarios for CDO and Secure Event Connector 

There are two separate scenarios described below:

New CDO Customers Implementing Cisco Security Analytics and Logging (SaaS)

Workflow to Implement Cisco Security Analytics and Logging (SaaS) and Send Events through the Secure Event Connector to the Cisco Cloud

  1. Onboard your Firepower Threat Defense Devices. You can onboard the device with the admin username and password or with a registration token. 
  2. Create a Syslog Server Object for Cisco Security Analytics and Logging.
  3. Configure the FTD Policy to log connection events.
  4. Configure your FTD to send events generated by rules and policies to the Secure Event Connector.
  5. Confirm events are visible in CDO. From the navigation bar, select Monitoring > Event Logging. Click the Live tab to view live events. 
  6. If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, continue with Analyzing Events in Csico Secure Cloud Analytics

Workflow to Implement Cisco Security Analytics and Logging (SaaS) and Send Events Directly to the Cisco Cloud

  1. Onboard your Firepower Threat Defense Devices. You can only use a registration token. 
  2. Configure the FTD Policy to log connection events.
  3. Configure your FTD to send events directly to the Cisco cloud.
  4. Confirm events are visible in CDO. From the navigation bar, select Monitoring > Event Logging. Click the Live tab to view live events. 
  5. If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, continue with Analyzing Events in Csico Secure Cloud Analytics

Existing CDO Customers Implementing Cisco Security Analytics and Logging (SaaS)

Workflow to Implement Cisco Security Analytics and Logging (SaaS) and Send Events through the Secure Event Connector to the Cisco Cloud

  1. Onboard your Firepower Threat Defense Devices. You can onboard the device with the admin username and password or with a registration token. 
  2. Create a Syslog Server Object for Cisco Security Analytics and Logging.
  3. Configure the FTD Policy to log connection events.
  4. Send events generated by rules and policies to the Secure Event Connector.
  5. Confirm events are visible in CDO. From the navigation bar, select Monitoring > Event Logging. Click the Live tab to view live events. 
  6. If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, continue with Analyzing Events in Csico Secure Cloud Analytics

Workflow to Implement Cisco Security Analytics and Logging (SaaS) and Send Events Directly to the Cisco Cloud

  1. Onboard your Firepower Threat Defense Devices. You can only use a registration token. 
  2. Configure the FTD Policy to log connection events.
  3. Configure your FTD to send events directly to the Cisco cloud.
  4. Confirm events are visible in CDO. From the navigation bar, select Monitoring > Event Logging. Click the Live tab to view live events. 
  5. If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, continue with Analyzing Events in Csico Secure Cloud Analytics

Analyzing Events in Cisco Secure Analytics

If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, perform the following in addition to the previous steps:

  1. Provision a Secure Cloud Analytics Portal.
  2. Deploy one or more SWC sensors to your internal network if you purchased a Total Network and Monitoring license. See Secure Cloud Analytics Sensor Deployment for Total Network Analytics and Reporting.
  3. Invite users to create SWC user accounts, tied to their Cisco Single Sign-On credentials. See Monitoring Stealthwatch Cloud Alerts Generated from Firepower Threat Defense Events.
  4. Cross-launch from CDO to SWC to monitor the SWC alerts generated from FTD events. See Monitoring Stealthwatch Cloud Alerts Generated from Firepower Threat Defense Events.

Reviewing Stealthwatch Cloud Alerts by Cross-launching from CDO

With a Logging Analytics and Detection or Total Network Analytics and Monitoring license, you can cross-launch from CDO to SWC to review the alerts generated by Stealthwatch Cloud, based on FTD events.

Review these articles for more information:

Troubleshooting Secure Event Connector Issues

Use these troubleshooting topics to gather status and logging information about 

Workflows

Troubleshooting Using Security and Analytics Logging Events describes using the events generated from Cisco Security Analytics and Logging (SaaS) to determine why a user can't access a network resource.

See also Working with Alerts Based on Firepower Threat Defense Events.