Before you Begin
- Review Cisco Security Analytics and Logging for Secure Firewall Cloud Native devices to learn about:
  - How events are sent to the Cisco cloud
  - Applications in the solution
  - Licenses you need
  - Data plan you need
- Contact your managed service provider or CDO Sales representative to make sure you have a CDO tenant.
- Review Secure Device Connector (SDC). Connecting CDO to your Secure Firewall Cloud Native using an SDC is considered a "best practice" but it is not required.
- If you deploy an SDC in your network, you can use one of these methods to install it:
  - Use Deploy a Secure Device Connector Using CDO's VM Image to install an SDC using CDO's prepared VM image. This is the preferred and easiest way to deploy an SDC.
  - Use Deploy a Secure Device Connector on your own VM to install an SDC using your own VM image.
- You have installed one or more Secure Event Connectors (SECs) for your tenant, and you can send events from any Secure Firewall Cloud Native to any SEC onboarded to your tenant.
- You have established two-factor authentication for users of your account.
Workflow to Implement Cisco Security Analytics and Logging (SaaS) and Send Events through the Secure Event Connector to the Cisco Cloud
- Be sure to review "Before you Begin" above to make sure your environment is properly configured.
- Onboard a Secure Firewall Cloud Native Device using cluster endpoint, namespace, and token.
- Send Secure Firewall Cloud Native Syslog Events to the Cisco Cloud.
- Configure NSEL for Secure Firewall Cloud Native Devices.
- Confirm events are visible in CDO. From the navigation bar, select Monitoring > Event Logging. Click the Live tab to view live events.
- If you have a Firewall Analytics and Monitoring or Total Network Analytics and Monitoring license, continue with Analyzing Events in Secure Cloud Analytics.
Analyzing Events in Cisco Secure Cloud Analytics
If you have a Firewall Analytics and Monitoring or Total Network Analytics and Monitoring license, perform the following in addition to the previous steps:
- Request a Secure Cloud Analytics Portal.
- Deploy one or more Secure Cloud Analytics sensors to your internal network if you purchased a Total Network Analytics and Monitoring license. See Secure Cloud Analytics Sensor Deployment for Total Network Analytics and Reporting.
- Invite users to create Secure Cloud Analytics user accounts, tied to their Cisco Single Sign-On credentials. See Monitoring Secure Cloud Analytics Alerts Generated from Firewall Events.
- Cross-launch from CDO to Secure Cloud Analytics to monitor the Secure Cloud Analytics alerts generated from Secure Firewall Cloud Native events. See Monitoring Secure Cloud Analytics Alerts Generated from Firewall Events.
Reviewing Cisco Secure Cloud Analytics Alerts by Cross-launching from CDO
With a Firewall Analytics and Monitoring or Total Network Analytics and Monitoring license, you can cross-launch from CDO to Cisco Secure Cloud Analytics to review the alerts generated by Cisco Secure Cloud Analytics, based on Secure Firewall Cloud Native events.
Review these articles for more information:
- Signing in to CDO
- Monitoring Secure Cloud Analytics Alerts Generated from Firewall Events
- Secure Cloud Analytics and Dynamic Entity Modeling
- Working with Alerts Based on Firewall Events
Troubleshooting Secure Event Connector Issues
Use these troubleshooting topics to gather status and logging information about
Troubleshooting Using Security and Analytics Logging Events describes using the events generated from Cisco Security Analytics and Logging to determine why a user can't access a network resource.