
Cisco Defense Orchestrator

Implementing Cisco Security Analytics and Logging

About the Cisco Security Analytics and Logging Packages

Cisco Security Analytics and Logging allows you to capture connection, intrusion, file, malware, and Security Intelligence events from all of your Firepower Threat Defense (FTD) devices and view them in one place in Cisco Defense Orchestrator (CDO).

The events are stored in the Cisco cloud and viewable from the Event Logging page in CDO where you can filter and review them to gain a clear understanding of what security rules are triggering in your network. The Logging and Troubleshooting package gives you these capabilities.

With the Firewall Analytics and Monitoring package, the system can apply Stealthwatch Cloud dynamic entity modeling to your FTD events, and use behavioral modeling analytics to generate Stealthwatch Cloud observations and alerts. If you obtain a Total Network Analytics and Monitoring package, the system applies dynamic entity modeling to both your FTD events and your network traffic, and generates observations and alerts. You can cross-launch from CDO to a SWC portal provisioned for you, using Cisco Single Sign-On.

How FTD Events are Displayed on the CDO Events Viewer

This is the path of an event from an onboarded Firepower Threat Defense device to the CDO Event Logging:

  1. You configure individual rules, such as access control rules, Security Intelligence rules, and SSL decryption rules, to forward events to the Secure Event Connector (SEC). You can also enable access control rule options, such as file protection, malware detection, or intrusion detection, and configure event forwarding to the SEC for those options.

     To forward events to the SEC, you create a syslog server object with the SEC's IP address and port number and then specify that syslog server object as the destination for all logged events.

  2. The SEC forwards the events to the Cisco cloud where the events are stored.
  3. CDO pulls events from the Cisco cloud based on the filters you set and displays them in its Events viewer.

With the Firewall Analytics and Monitoring or Total Network Analytics and Monitoring license, the following also occur:

  1. Stealthwatch Cloud applies analytics to the FTD connection events stored in the Cisco cloud.
  2. Generated observations and alerts are accessible from the Stealthwatch Cloud portal associated with your CDO portal.
  3. From the CDO portal, you can cross-launch your Stealthwatch Cloud portal to review these observations and alerts.

Applications in the Solution

Cisco Security Analytics and Logging uses these applications to deliver events to CDO:

On-Premises Secure Device Connector (SDC)-The "on-prem" SDC is the proxy between CDO and your FTD devices. This SDC variant is a virtual machine installed by you on a hypervisor you manage within your enterprise. Device credentials are stored on the on-prem SDC, and the Secure Event Connector is installed on this same virtual machine.

Secure Event Connector-The Secure Event Connector (SEC) is a container, installed on an on-premises Secure Device Connector (SDC) virtual machine, that receives events from your FTDs and forwards them to the Cisco cloud. CDO pulls events from the cloud and displays them on the Event Logging page so that administrators can analyze them.

Firepower Threat Defense (FTD)-The FTD is Cisco's next generation firewall software image. Beyond stateful inspection of network traffic and access control, the FTD provides capabilities such as protection from malware and application-layer attacks, integrated intrusion prevention, and cloud-delivered threat intelligence. 

If you have a Firewall Analytics and Monitoring or Total Network Analytics and Monitoring license, Cisco Security Analytics and Logging uses the following to further analyze events delivered to CDO:

Stealthwatch Cloud (SWC)-SWC applies dynamic entity modeling to FTD events, generating detections based on this information. This provides a deeper analysis of telemetry gathered from your network, allowing you to identify trends and examine anomalous behavior in your network traffic.

Licensing

To configure this solution you need the following accounts and licenses:

Cisco Defense Orchestrator. You must have a CDO tenant. Your CDO tenant must be connected to FTD devices through an on-premises Secure Device Connector.

Secure Device Connector. There is no separate license for a Secure Device Connector.

Secure Event Connector. There is no separate license for a Secure Event Connector.

Cisco Security Analytics and Logging. You need to buy the Logging and Troubleshooting license. The goal of this package is to provide network operations teams with real-time and historical events derived from their on-boarded Firepower Threat Defense devices for the purposes of troubleshooting and analyzing traffic in their network. 

You can also buy a Firewall Analytics and Monitoring or Total Network Analytics and Monitoring license to apply SWC analytics. The goal of these packages is to provide network operations teams additional insight into the FTD events (and network traffic with the Total Network Analytics and Monitoring license) to better identify possible anomalous behavior and respond to it.

License Name: Logging and Troubleshooting
Provided Functionality:
  • View FTD events and event detail within CDO, both as a live feed and as a historical view
Available License Durations: 1 year, 3 years, or 5 years
Functionality Prerequisites:
  • CDO
  • an on-premises FTD deployment running version 6.4 or greater
  • deployment of an SEC to pass FTD events to the cloud, and subsequently to CDO

License Name: Firewall Analytics and Monitoring
Provided Functionality: Logging and Troubleshooting functionality, plus:
  • Apply dynamic entity modeling and behavioral analytics to your FTD events
  • Open alerts in Stealthwatch Cloud based on FTD event data, cross-launching from the CDO event viewer
Available License Durations: 1 year, 3 years, or 5 years
Functionality Prerequisites:
  • CDO
  • an on-premises FTD deployment running version 6.4 or greater
  • deployment of an SEC to pass FTD events to the cloud, and subsequently to CDO
  • a Stealthwatch Cloud portal
    • you can associate an existing Stealthwatch Cloud portal, or later provision a new Stealthwatch Cloud portal

License Name: Total Network Analytics and Monitoring
Provided Functionality: Firewall Analytics and Monitoring functionality, plus:
  • Apply dynamic entity modeling and behavioral analytics to both FTD events and on-premises network traffic
  • Open alerts in Stealthwatch Cloud based on the combination of FTD event data and network traffic flow data collected by Stealthwatch Cloud sensors, cross-launching from the CDO event viewer
Available License Durations: 1 year, 3 years, or 5 years
Functionality Prerequisites:
  • CDO
  • an on-premises FTD deployment running version 6.4 or greater
  • deployment of an SEC to pass FTD events to the cloud, and subsequently to CDO
  • deployment of at least one Stealthwatch Cloud sensor version 4.1 or greater to pass network traffic flow data to the cloud
  • a Stealthwatch Cloud portal
    • you can associate an existing Stealthwatch Cloud portal, or later provision a new Stealthwatch Cloud portal

Firepower Threat Defense. You need to have the following licenses to run the FTD and create rules that generate security events:

License: Base (automatically included)
Duration: Perpetual
Granted Capabilities: All features not covered by the optional term licenses.
  You must also specify whether to Allow export-controlled functionality on the products registered with this token. You can select this option only if your country meets export-control standards. This option controls your use of advanced encryption and the features that require advanced encryption.

License: Threat
Duration: Term-based
Granted Capabilities:
  • Intrusion detection and prevention—Intrusion policies analyze network traffic for intrusions and exploits and, optionally, drop offending packets.
  • File control—File policies detect and, optionally, block users from uploading (sending) or downloading (receiving) files of specific types. AMP for Firepower, which requires a Malware license, allows you to inspect and block files that contain malware. You must have the Threat license to use any type of File policy.
  • Security Intelligence filtering—Drop selected traffic before the traffic is subjected to analysis by access control rules. Dynamic feeds allow you to immediately drop connections based on the latest intelligence.

License: Malware
Duration: Term-based
Granted Capabilities: File policies that check for malware, which use Cisco Advanced Malware Protection (AMP) with AMP for Firepower (network-based Advanced Malware Protection) and Cisco Threat Grid. File policies can detect and block malware in files transmitted over your network.

Data storage. You need to buy a data plan that reflects the amount of event storage you think you will consume on a daily basis. The events from your on-boarded FTD devices are stored in the Cisco cloud. As your data needs change, you can update your data plan. You can use the Logging Volume Estimator Tool to estimate your traffic and purchase a data plan based on that level of traffic.

Data plans are available in 1, 5, 10, 15 or 25 GB daily volumes, and in 1, 3 or 5 year terms. See the Cisco Security Analytics and Logging Ordering Guide for information about data storage plans.
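A small sizing calculation to go with the data-plan guidance above. This is an added example, not Cisco's Logging Volume Estimator Tool; the 1, 5, 10, 15 and 25 GB/day tiers come from this page, while the per-device event rates, the 300-byte average event size and the 20% headroom are constructed assumptions.

```python
"""Estimate daily FTD event volume and pick the smallest daily data-plan tier
that covers it. Added example; plan tiers are from the page, everything else
(event rates, average event size, headroom) is an assumption."""

# Daily data-plan tiers offered, in GB per day (from the page).
PLAN_TIERS_GB = (1, 5, 10, 15, 25)
SECONDS_PER_DAY = 86_400
BYTES_PER_GB = 1_000_000_000


def daily_volume_gb(events_per_second: float, avg_event_bytes: int) -> float:
    """Return the estimated GB/day for a steady aggregate event rate."""
    return events_per_second * avg_event_bytes * SECONDS_PER_DAY / BYTES_PER_GB


def choose_plan_gb(daily_gb: float, headroom: float = 0.2):
    """Smallest tier that covers daily_gb plus headroom for bursts.

    Returns None when even the largest tier is exceeded, which is the signal
    to revisit what you log or talk to your account manager (assumption)."""
    needed = daily_gb * (1 + headroom)
    for tier in PLAN_TIERS_GB:
        if tier >= needed:
            return tier
    return None


def size_deployment(devices: dict, avg_event_bytes: int = 300, headroom: float = 0.2):
    """devices maps a device name to its measured peak events/second.

    Returns (estimated_gb_per_day rounded to 2 places, chosen tier or None).
    300 bytes per syslog event is an assumed average; measure your own."""
    total_eps = sum(devices.values())
    gb = daily_volume_gb(total_eps, avg_event_bytes)
    return round(gb, 2), choose_plan_gb(gb, headroom)


# Constructed sample: three FTDs with measured peak connection-event rates.
SAMPLE_DEVICES = {"ftd-hq": 120.0, "ftd-branch-a": 25.0, "ftd-branch-b": 15.0}

if __name__ == "__main__":
    gb, tier = size_deployment(SAMPLE_DEVICES)
    print(f"estimated {gb} GB/day -> {tier} GB/day plan")  # 4.15 GB/day -> 5
```

Re-run the estimate after enabling extra logging (file, malware or intrusion events) since those change the average event size and rate, and the note below explains that a new data plan does not by itself require a new license.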

Note: If you have a Security Analytics and Logging license and data plan, then obtain a different license at a later date, that alone does not require you to obtain a different data plan. If your network traffic throughput changes and you obtain a different data plan, that alone does not require you to obtain a different Security Analytics and Logging license.

Setup Scenarios for CDO and Secure Event Connector 

30-day Free Trial

You can request a 30-day risk-free trial by logging in to CDO and navigating to the Monitoring > Event Logging tab. On completion of the 30-day trial, you can order the desired event data volume to continue the service from Cisco Commerce Workspace (CCW), by following the instructions in the Cisco Security Analytics and Logging ordering guide.

New CDO Customers Implementing Cisco Security Analytics and Logging

Prerequisite

You have already contacted your managed service provider or CDO sales and you have a CDO tenant. 

Workflow to Implement Cisco Security Analytics and Logging

  1. Establish two-factor authentication for users of your account and sign in.
  2. Install an on-premises Secure Device Connector using one of these methods:
  3. Install the Secure Event Connector on the on-premises SDC's VM.
  4. Install your desired licenses on the FTD. See Licensing above to determine what licenses you need installed on your FTD device.
  5. Onboard your Firepower Threat Defense Devices.
  6. Create a Syslog Server Object for Cisco Security Analytics and Logging.
  7. Send events generated by rules and policies to the Secure Event Connector.
  8. Confirm events are visible in CDO. From the navigation bar, select Monitoring > Event Logging. Click the Live tab to view live events.

If you have a Firewall Analytics and Monitoring or Total Network Analytics and Monitoring license, perform the following in addition to the previous steps:

  1. Request a Stealthwatch Cloud Portal.
  2. Deploy one or more SWC sensors to your internal network if you purchased a Total Network Analytics and Monitoring license. See Stealthwatch Cloud Sensor Deployment for Total Network Analytics and Reporting.
  3. Invite users to create SWC user accounts, tied to their Cisco Single Sign-On credentials. See Monitoring Stealthwatch Cloud Alerts Generated from Firepower Threat Defense Events.
  4. Cross-launch from CDO to SWC to monitor the SWC alerts generated from FTD events. See Monitoring Stealthwatch Cloud Alerts Generated from Firepower Threat Defense Events.

Existing CDO Customers Implementing Cisco Security Analytics and Logging

  1. Ensure you have an on-premises Secure Device Connector.
  2. Install the Secure Event Connector on the on-premises SDC's VM.
  3. See Licensing above to determine what licenses you need installed on your device. Upgrade licensing if necessary.
  4. Create a Syslog Server Object for Cisco Security Analytics and Logging.
  5. Send events generated by rules and policies to the Secure Event Connector.
  6. Confirm events are visible in CDO. From the navigation bar, select Monitoring > Event Logging. Click the Live tab to view live events.

If you have a Firewall Analytics and Monitoring or Total Network Analytics and Monitoring license, perform the following in addition to the previous steps:

  1. Request a Stealthwatch Cloud Portal.
  2. Deploy one or more SWC sensors to your internal network if you purchased a Total Network Analytics and Monitoring license. See Stealthwatch Cloud Sensor Deployment for Total Network Analytics and Reporting.
  3. Invite users to create SWC user accounts, tied to their Cisco Single Sign-On credentials. See Monitoring Stealthwatch Cloud Alerts Generated from Firepower Threat Defense Events.
  4. Cross-launch from CDO to SWC to monitor the SWC alerts generated from FTD events. See Monitoring Stealthwatch Cloud Alerts Generated from Firepower Threat Defense Events.

Viewing and Filtering Events

After CDO retrieves the events from the Cisco Security Analytics and Logging cloud, it displays them in the Event Logging page. To open the Event Logging page, navigate to Monitoring > Event Logging on the main navigation bar. To filter events, click the filter button.

Review these articles to learn how to work with events:

Reviewing Stealthwatch Cloud Alerts by Cross-launching from CDO

With a Firewall Analytics and Monitoring or Total Network Analytics and Monitoring license, you can cross-launch from CDO to SWC to review the alerts generated by Stealthwatch Cloud, based on FTD events.

Review these articles for more information:

Working with Data

Use the Logging Volume Estimator tool to determine how much data you think you will use on a monthly basis and work with your managed service provider or Cisco account manager to subscribe to the correct data storage plan. 

See Security Analytics and Logging Event Storage for information about your data allotment, data retention, how CDO "counts" data, and what to do when you run out of storage. 

Troubleshooting

Not everything always goes to plan. Use these troubleshooting topics to gather status and logging information.

Workflows

Troubleshooting Using Security and Analytics Logging Events describes using the events generated from Cisco Security Analytics and Logging to determine why a user can't access a network resource.

See also Working with Alerts Based on Firepower Threat Defense Events.

Related Information

Learn more about Cisco Security Analytics and Logging at https://www.cisco.com/c/en/us/products/security/security-analytics-logging/index.html