Skip to main content

 

 

Cisco Defense Orchestrator

Cisco Security Analytics and Logging (SaaS) for Secure Firewall Cloud Native Devices

About Cisco Security Analytics and Logging for the Secure Firewall Cloud Native

Cisco Security Analytics and Logging (SaaS) allows you to capture all syslog events and Netflow Secure Event Logging (NSEL) from your Secure Firewall Cloud Native and view them in one place in Cisco Defense Orchestrator (CDO). 

The events are stored in the Cisco cloud and viewable from the Event Logging page in CDO where you can filter and review them to gain a clear understanding of what security rules are triggering in your network. The Logging and Troubleshooting package gives you these capabilities.

With the Logging Analytics and Detection package (formerly Firewall Analytics and Logging package), the system can apply Cisco Secure Cloud Analytics, formerly Stealthwatch Cloud, dynamic entity modeling to your Secure Firewall Cloud Native events, and use behavioral modeling analytics to generate Cisco Secure Cloud Analytics observations and alerts. If you obtain a Total Network Analytics and Monitoring package, the system applies dynamic entity modeling to both your Secure Firewall Cloud Native events and your network traffic, and generates observations and alerts. You can cross-launch from CDO to the Cisco Secure Cloud Analytics portal provisioned for you, using Cisco Single Sign-On.

How Secure Firewall Cloud Native Events are Displayed on the CDO Events Viewer   

Syslog events and NSEL events are generated when logging is enabled on the Secure Firewall Cloud Native, and network traffic matches access control rule criteria. After the events are stored in the Cisco cloud, you can view them in CDO.

You can install multiple Secure Event Connectors (SECs) and send events generated by a rule, on any device, to any of the SECs as if it were a syslog server. The SEC then forwards the event to the Cisco cloud. Do not forward the same events to all of your SECs. You will be duplicating the events sent to the Cisco cloud and needlessly inflate your daily ingest rate.

How Syslog and NSEL Events are Sent from a Secure Firewall Cloud Native to the Cisco Cloud by way of the Secure Event Connector  

With the basic Logging and Troubleshooting license, this is how the Secure Firewall Cloud Native event reaches the Cisco cloud:

  1. You onboard your Secure Firewall Cloud Native to CDO using cluster endpoint, namespace, and token.   
  2. You configure the Secure Firewall Cloud Native to forward syslog and NSEL events to any one of your SECs as if they were syslog servers and enable logging on the device.
  3. The SEC forwards the events to the Cisco cloud where the events are stored.
  4. CDO displays events from the Cisco cloud in its Events Viewer based on the filters you set. 

With the Logging Analytics and Detection or Total Network Analytics and Monitoring license, the following also occurs:

  1. Cisco Secure Cloud Analytics applies analytics to the Secure Firewall Cloud Native syslog events stored in the Cisco cloud.
  2. Generated observations and alerts are accessible from the Cisco Secure Cloud Analytics portal associated with your CDO portal.
  3. From the CDO portal, you can cross-launch your Cisco Secure Cloud Analytics portal to review these observations and alerts.

Components in the Solution 

Cisco Security Analytics and Logging (SaaS) uses these components to deliver events to CDO:

Secure Device Connector (SDC) - The SDC connects CDO to your Secure Firewall Cloud Native. The login credentials for the Secure Firewall Cloud Native are stored on the SDC. See Secure Device Connector (SDC) for more information.

Secure Event Connector (SEC)-The SEC is an application that receives events from your Secure Firewall Cloud Native and forwards them to the Cisco cloud. Once in the Cisco cloud, you can view the events on CDO's Event Logging page or analyze them with Cisco Secure Cloud Analytics. Depending on your environment, the SEC is installed on a Secure Device Connector, if you have one; or on its own CDO Connector virtual machine that you maintain in your network. See Secure Event Connectors for more information.

Secure Firewall Cloud Native - The Cisco Secure Firewall Cloud Native seamlessly extends Cisco's industry-leading security to a cloud-native form factor (CNFW) using Kubernetes (K8s) orchestration to achieve scalability and manageability. Amazon Elastic Kubernetes Service (Amazon EKS) gives you the flexibility to start, run, and scale Kubernetes applications in the AWS cloud. Amazon EKS helps you provide highly-available and secure clusters and automates key tasks such as patching, node provisioning, and updates.

Cisco Secure Cloud Analytics - Cisco Secure Cloud Analytics applies dynamic entity modeling to Secure Firewall Cloud Native events, generating detections based on this information. This provides a deeper analysis of telemetry gathered from your network, allowing you to identify trends and examine anomalous behavior in your network traffic. You would make use of this service if you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license.

Licensing 

To configure this solution you need the following accounts and licenses:

  • Cisco Defense Orchestrator. You must have a CDO tenant. 
  • Secure Device Connector or CDO Connector. There is no separate license for either component. 
  • Secure Event Connector. There is no separate license for a Secure Event Connector.
  • Cisco Security Analytics and Logging (SaaS). See the Security Analytics and Logging License table
  • Secure Firewall Cloud Native. Base license or higher. 

Security Analytics and Logging Licensing 

In order to benefit from Cisco Security Analytics and Logging (SaaS), you need to purchase one of these licenses:

License Name Provided Functionality Available License Durations Functionality Prerequisites
Logging and Troubleshooting
  • View Secure Firewall Cloud Native events and event detail within CDO, both as a live feed and as a historical view
  • 1 year
  • 3 years
  • 5 years
  • CDO
  • An on-premises Secure Firewall Cloud Native deployment running version 9.6 or greater
  • Deployment of one or more SECs to pass Secure Firewall Cloud Native events to the Cisco cloud. 
Logging Analytics and Detection (formerly Firewall Analytics and Monitoring)

Logging and Troubleshooting functionality, plus:

  • Apply dynamic entity modeling and behavioral analytics to your Secure Firewall Cloud Native events
  • Open alerts in Cisco Secure Cloud Analytics on Secure Firewall Cloud Native event data, cross-launching from the CDO event viewer
  • 1 year
  • 3 years
  • 5 years
  • CDO
  • An on-premises Secure Firewall Cloud Native deployment running firmware version 9.6 or greater
  • Deployment of one or more SECs to pass Secure Firewall Cloud Native events to the Cisco cloud. 
  • A Cisco Secure Cloud Analytics portal
    • You can associate an existing Cisco Secure Cloud Analytics portal, or later provision a new Cisco Secure Cloud Analytics portal
Total Network Analytics and Monitoring

Logging Analytics and Detection, plus:

  • Apply dynamic entity modeling and behavioral analytics to Secure Firewall Cloud Native events, on-premises network traffic, and cloud-based network traffic
  • Open alerts in Cisco Secure Cloud Analytics based on the combination of Secure Firewall Cloud Native event data, on-premises network traffic flow data collected by Cisco Secure Cloud Analytics sensors, and cloud-based network traffic passed to Cisco Secure Cloud Analytics, cross-launching from the CDO event viewer
  • 1 year
  • 3 years
  • 5 years
  • CDO
  • An on-premises Secure Firewall Cloud Native deployment running firmware version 9.6 or greater
  • Deployment of one or more SECs to pass Secure Firewall Cloud Native events to the Cisco cloud. 
  • Deployment of at least one Cisco Secure Cloud Analytics sensor version 4.1 or greater to pass network traffic flow data to the cloud OR integrating Cisco Secure Cloud Analytics with a cloud-based deployment, to pass network traffic flow data to Cisco Secure Cloud Analytics
  • A Cisco Secure Cloud Analytics portal
    • You can associate an existing Cisco Secure Cloud Analytics portal, or later provision a new Cisco Secure Cloud Analytics portal

Data Plans 

You need to buy a data plan that reflects the number of events the Cisco cloud receives from your on-boarded Secure Firewall Cloud Native on a daily basis. This is called your "daily ingest rate." You can use the Logging Volume Estimator Tool to estimate your daily ingest rate and as that rate changes you can update your data plan. 

Data plans are available in 1 GB daily volumes increments, and in 1, 3, or 5 year terms. See the Cisco Security Analytics and Logging Ordering Guide for information about data plans.

Note: If you have a Security Analytics and Logging license and data plan, then obtain a different license at a later date, that alone does not require you to obtain a different data plan. If your network traffic throughput changes and you obtain a different data plan, that alone does not require you to obtain a different Security Analytics and Logging license.

30-day Free Trial 

You can request a 30-day risk-free trial by logging in to CDO and navigating Monitoring > Event Logging tab. On completion of the 30-day trial, you can order the desired event data volume to continue the service from Cisco Commerce Workspace (CCW), by following the instructions in the Cisco Security Analytics and Logging ordering guide.

  • Was this article helpful?