Skip to main content

 

 

Cisco Defense Orchestrator

Cisco Security Analytics and Logging for ASA Devices

About Cisco Security Analytics and Logging for the ASA

Cisco Security Analytics and Logging allows you to capture all syslog events and Netflow Secure Event Logging (NSEL) from your ASA and view them in one place in Cisco Defense Orchestrator (CDO). The events are stored in the Cisco cloud and viewable from the Event Logging page in CDO where you can filter and review them to gain a clear understanding of what security rules are triggering in your network.

How ASA Events are Displayed on the CDO Events Viewer  

Syslog events are generated when logging is enabled on the ASA and network traffic matches access control rule criteria. After the events are stored in the Cisco cloud, you can view them in CDO. 

ASA events can be sent to the Cisco cloud if your tenant is configured with an on-premises Secure Device Connector (SDC) and a Secure Event Connector (SEC), the events are sent to the SEC as if it were a syslog server. 

How Syslog and NSEL Events are Sent from an ASA to the Cisco Cloud by way of the Secure Event Connector 

With the basic Logging and Troubleshooting license, this is how an ASA event reaches the Cisco cloud:

  1. You onboard your ASA to CDO using username and password.  
  2. You configure the ASA to forward syslog and NSEL events to the SEC as if it were a syslog server and enable logging on the device.
  3. The SEC forwards the events to the Cisco cloud where the events are stored.
  4. CDO displays events from the Cisco cloud in its Events Viewer based on the filters you set. 

With the Logging Analytics and Detection or Total Network Analytics and Monitoring license, the following also occur:

  1. Stealthwatch Cloud applies analytics to the ASA syslog events stored in the Cisco cloud.
  2. Generated observations and alerts are accessible from the Stealthwatch Cloud portal associated with your CDO portal.
  3. From the CDO portal, you can cross-launch your Stealthwatch Cloud portal to review these observations and alerts.

Components in the Solution

Cisco Security Analytics and Logging uses these components to deliver events to CDO:

On-Premises Secure Device Connector (SDC)-The "on-prem" SDC is the proxy between CDO and your ASA devices. This SDC variant is a virtual machine installed by you on a hypervisor you manage within your enterprise. Device credentials are stored on the on-prem SDC and the Secure Event Connector is installed on this same virtual machine.  

Secure Event Connector (SEC)-The SEC is a container that you install on an on-premises Secure Device Connector (SDC) virtual machine that receives events from your ASAs and forwards them to the Cisco cloud. CDO pulls events from the cloud and displays them on the Event Logging page so that administrators can analyze them.

Adaptive Security Appliance (ASA)-The Cisco ASA provides advanced stateful firewall and VPN concentrator functionality as well as integrated services with add-on modules. The ASA includes many advanced features, such as multiple security contexts (similar to virtualized firewalls), clustering (combining multiple firewalls into a single firewall), transparent (Layer 2) firewall or routed (Layer 3) firewall operation, advanced inspection engines, IPsec VPN, SSL VPN, and clientless SSL VPN support, and many more features.

Stealthwatch Cloud (SWC)-SWC applies dynamic entity modeling to ASA events, generating detections based on this information. This provides a deeper analysis of telemetry gathered from your network, allowing you to identify trends and examine anomalous behavior in your network traffic. You would make use of this service if you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license.

Licensing

To configure this solution you need the following accounts and licenses:

  • Cisco Defense Orchestrator. You must have a CDO tenant. Your CDO tenant must connected to ASA devices through an on-premises Secure Device Connector. 
  • Secure Device Connector. There is no separate license for a Secure Device Connector.
  • Secure Event Connector. There is no separate license for a Secure Event Connector.
  • Cisco Security Analytics and Logging. See the Security Analytics and Logging License table
  • Adaptive Security Appliance (ASA). Base license or higher. 

Security Analytics and Logging Licensing

In order to benefit from Cisco Security Analytics and Logging, you need to purchase one of these licenses:

License Name Provided Functionality Available License Durations Functionality Prerequisites
Logging and Troubleshooting
  • View ASA events and event detail within CDO, both as a live feed and as a historical view
  • 1 year
  • 3 years
  • 5 years
  • CDO
  • an on-premises ASA deployment running version 9.6 or greater
  • deployment of an SEC to pass ASA events to the cloud, and subsequently to CDO
Logging Analytics and Detection (formerly Firewall Analytics and Monitoring)

Logging and Troubleshooting functionality, plus:

  • Apply dynamic entity modeling and behavioral analytics to your ASA events
  • Open alerts in Stealthwatch Cloud based on ASA event data, cross-launching from the CDO event viewer
  • 1 year
  • 3 years
  • 5 years
  • CDO
  • an on-premises ASA deployment running firmware version 9.6 or greater
  • deployment of an SEC to pass ASA events to the cloud, and subsequently to CDO
  • a Stealthwatch Cloud portal
    • you can associate an existing Stealthwatch Cloud portal, or later provision a new Stealthwatch Cloud portal
Total Network Analytics and Monitoring

Logging Analytics and Detection, plus:

  • Apply dynamic entity modeling and behavioral analytics to ASA events, on-premises network traffic, and cloud-based network traffic
  • Open alerts in Stealthwatch Cloud based on the combination of ASA event data, on-premises network traffic flow data collected by Stealthwatch Cloud sensors, and cloud-based network traffic passed to Stealthwatch Cloud, cross-launching from the CDO event viewer
  • 1 year
  • 3 years
  • 5 years
  • CDO
  • an on-premises ASA deployment running firmware version 9.6 or greater
  • deployment of an SEC to pass ASA events to the cloud, and subsequently to CDO
  • deployment of at least one Stealthwatch Cloud sensor version 4.1 or greater to pass network traffic flow data to the cloud OR integrating Stealthwatch Cloud with a cloud-based deployment, to pass network traffic flow data to Stealthwatch Cloud
  • a Stealthwatch Cloud portal
    • you can associate an existing Stealthwatch Cloud portal, or later provision a new Stealthwatch Cloud portal

Data Plans

You need to buy a data plan that reflects the number of events the Cisco cloud receives from your on-boarded ASAs on a daily basis. This is called your "daily ingest rate." You can use the Logging Volume Estimator Tool to estimate your daily ingest rate and as that rate changes you can update your data plan. 

Data plans are available in 1 GB daily volumes increments, and in 1, 3 or 5 year terms. See the Cisco Security Analytics and Logging Ordering Guide for information about data plans.

Note: If you have a Security Analytics and Logging license and data plan, then obtain a different license at a later date, that alone does not require you to obtain a different data plan. If your network traffic throughput changes and you obtain a different data plan, that alone does not require you to obtain a different Security Analytics and Logging license.

30-day Free Trial

You can request a 30-day risk-free trial by logging in to CDO and navigating Monitoring > Event Logging tab. On completion of the 30-day trial, you can order the desired event data volume to continue the service from Cisco Commerce Workspace (CCW), by following the instructions in the Cisco Security Analytics and Logging ordering guide.