Skip to main content

 

 

Cisco Defense Orchestrator

Implementing Cisco Security Analytics and Logging for FTD Devices

Before you Begin

Setup Scenarios for CDO and Secure Event Connector 

There are two separate scenarios described below:

New CDO Customers Implementing Cisco Security Analytics and Logging

Workflow to Implement Cisco Security Analytics and Logging and Sending Events through the Secure Event Connector to the Cisco Cloud

  1. Onboard your Firepower Threat Defense Devices. You can onboard the device with the admin username and password or with a registration token. 
  2. Create a Syslog Server Object for Cisco Security Analytics and Logging.
  3. Configure the FTD Policy to log connection events.
  4. Configure your FTD to send events generated by rules and policies to the Secure Event Connector.
  5. Confirm events are visible in CDO. From the navigation bar, select Monitoring > Event Logging. Click the Live tab to view live events. 
  6. If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, continue with Analyzing Events in Stealthwatch Cloud.

Workflow to Implement Cisco Security Analytics and Logging and Sending Events Directly to the Cisco Cloud

  1. Onboard your Firepower Threat Defense Devices. You can only use a registration token. 
  2. Configure the FTD Policy to log connection events.
  3. Configure your FTD to send events directly to the Cisco cloud.
  4. Confirm events are visible in CDO. From the navigation bar, select Monitoring > Event Logging. Click the Live tab to view live events. 
  5. If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, continue with Analyzing Events in Stealthwatch Cloud.

Existing CDO Customers Implementing Cisco Security Analytics and Logging

Workflow to Implement Cisco Security Analytics and Logging and Sending Events through the Secure Event Connector to the Cisco Cloud

  1. Ensure you have an on-premises Secure Device Connector.
  1. Install the Secure Event Connector on the on-premises SDC's VM. 
  2. Create a Syslog Server Object for Cisco Security Analytics and Logging.
  3. Configure the FTD Policy to log connection events.
  4. Send events generated by rules and policies to the Secure Event Connector.
  5. Confirm events are visible in CDO. From the navigation bar, select Monitoring > Event Logging. Click the Live tab to view live events. 
  6. If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, continue with Analyzing Events in Stealthwatch Cloud.

Workflow to Implement Cisco Security Analytics and Logging and Sending Events Directly to the Cisco Cloud

  1. Ensure your SDC status is Active. You can have either a cloud SDC or an on-premises SDC. 
  2. Configure the FTD Policy to log connection events.
  3. Configure your FTD to send events directly to the Cisco cloud.
  4. Confirm events are visible in CDO. From the navigation bar, select Monitoring > Event Logging. Click the Live tab to view live events. 
  5. If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, continue with Analyzing Events in Stealthwatch Cloud.

Analyzing Events in Stealthwatch Cloud

If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, perform the following in addition to the previous steps:

  1. Request a Stealthwatch Cloud Portal.
  2. Deploy one or more SWC sensors to your internal network if you purchased a Total Network and Monitoring license. See Stealthwatch Cloud Sensor Deployment for Total Network Analytics and Reporting.
  3. Invite users to create SWC user accounts, tied to their Cisco Single Sign-On credentials. See Monitoring Stealthwatch Cloud Alerts Generated from Firepower Threat Defense Events.
  4. Cross-launch from CDO to SWC to monitor the SWC alerts generated from FTD events. See Monitoring Stealthwatch Cloud Alerts Generated from Firepower Threat Defense Events.

Reviewing Stealthwatch Cloud Alerts by Cross-launching from CDO

With a Logging Analytics and Detection or Total Network Analytics and Monitoring license, you can cross-launch from CDO to SWC to review the alerts generated by Stealthwatch Cloud, based on FTD events.

Review these articles for more information:

Troubleshooting Secure Event Connector Issues

Use these troubleshooting topics to gather status and logging information about 

Workflows

Troubleshooting Using Security and Analytics Logging Events describes using the events generated from Cisco Security Analytics and Logging to determine why a user can't access a network resource.

See also Working with Alerts Based on Firepower Threat Defense Events.