Cisco Defense Orchestrator

Implementing Cisco Security Analytics and Logging (SaaS) for FTD Devices

Before You Begin

  • You have reviewed Cisco Security Analytics and Logging to learn about:
    • How events are sent to the Cisco cloud
    • Applications in the solution
    • Licenses you need
    • Data plan you need 
  • You have contacted your managed service provider or CDO Sales representative and you have a CDO tenant. 
  • Your tenant must have a Secure Device Connector (SDC) installed. It can be a cloud-based SDC installed by CDO support, or an on-premises SDC that you install on a virtual machine and maintain within your enterprise's network.
  • You have installed a Secure Device Connector (SDC) for your tenant:
    • Ensure your SDC status is Active and has recorded a recent heartbeat.
    • If you are going to send events through a Secure Event Connector (SEC) to the Cisco cloud, you need an on-premises SDC.
    • If you are going to send events directly to the Cisco cloud, and you are going to onboard your FTDs using the token registration method, you can have either a cloud SDC or an on-premises SDC. 
  • If you are installing an on-premises SDC, you use one of these methods for the installation:
  • You can install more than one SEC for your tenant and you can send events from any FTD to any one SEC onboarded to your tenant. 
  • If you are sending events directly to the Cisco cloud from the FTD, you have opened up outbound access on port 443 on the management interface. 
  • You have established two-factor authentication for users of your account.

Setup Scenarios for CDO and Secure Event Connector 

There are two separate scenarios described below:

New CDO Customers Implementing Cisco Security Analytics and Logging (SaaS)

Workflow to Implement Cisco Security Analytics and Logging (SaaS) and Send Events through the Secure Event Connector to the Cisco Cloud

  1. Onboard your Firepower Threat Defense Devices. You can onboard the device with the admin username and password or with a registration token. 
  2. Create a Syslog Server Object for Cisco Security Analytics and Logging.
  3. Configure the FTD Policy to log connection events.
  4. Configure your FTD to send events generated by rules and policies to the Secure Event Connector.
  5. Confirm events are visible in CDO. From the navigation bar, select Monitoring > Event Logging. Click the Live tab to view live events. 
  6. If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, continue with Analyzing Events in Stealthwatch Cloud.

Workflow to Implement Cisco Security Analytics and Logging (SaaS) and Send Events Directly to the Cisco Cloud

  1. Onboard your Firepower Threat Defense Devices. You can only use a registration token. 
  2. Configure the FTD Policy to log connection events.
  3. Configure your FTD to send events directly to the Cisco cloud.
  4. Confirm events are visible in CDO. From the navigation bar, select Monitoring > Event Logging. Click the Live tab to view live events. 
  5. If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, continue with Analyzing Events in Stealthwatch Cloud.

Existing CDO Customers Implementing Cisco Security Analytics and Logging (SaaS)

Workflow to Implement Cisco Security Analytics and Logging (SaaS) and Send Events through the Secure Event Connector to the Cisco Cloud

  1. Onboard your Firepower Threat Defense Devices. You can onboard the device with the admin username and password or with a registration token. 
  2. Create a Syslog Server Object for Cisco Security Analytics and Logging.
  3. Configure the FTD Policy to log connection events.
  4. Send events generated by rules and policies to the Secure Event Connector.
  5. Confirm events are visible in CDO. From the navigation bar, select Monitoring > Event Logging. Click the Live tab to view live events. 
  6. If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, continue with Analyzing Events in Stealthwatch Cloud.

Workflow to Implement Cisco Security Analytics and Logging (SaaS) and Send Events Directly to the Cisco Cloud

  1. Onboard your Firepower Threat Defense Devices. You can only use a registration token. 
  2. Configure the FTD Policy to log connection events.
  3. Configure your FTD to send events directly to the Cisco cloud.
  4. Confirm events are visible in CDO. From the navigation bar, select Monitoring > Event Logging. Click the Live tab to view live events. 
  5. If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, continue with Analyzing Events in Stealthwatch Cloud.

Analyzing Events in Stealthwatch Cloud

If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, perform the following in addition to the previous steps:

  1. Request a Stealthwatch Cloud Portal.
  2. Deploy one or more SWC sensors to your internal network if you purchased a Total Network Analytics and Monitoring license. See Stealthwatch Cloud Sensor Deployment for Total Network Analytics and Reporting.
  3. Invite users to create SWC user accounts, tied to their Cisco Single Sign-On credentials. See Monitoring Stealthwatch Cloud Alerts Generated from Firepower Threat Defense Events.
  4. Cross-launch from CDO to SWC to monitor the SWC alerts generated from FTD events. See Monitoring Stealthwatch Cloud Alerts Generated from Firepower Threat Defense Events.

Reviewing Stealthwatch Cloud Alerts by Cross-launching from CDO

With a Logging Analytics and Detection or Total Network Analytics and Monitoring license, you can cross-launch from CDO to SWC to review the alerts generated by Stealthwatch Cloud, based on FTD events.

Review these articles for more information:

Troubleshooting Secure Event Connector Issues

Use these troubleshooting topics to gather status and logging information about 

Workflows

Troubleshooting Using Security and Analytics Logging Events describes using the events generated from Cisco Security Analytics and Logging (SaaS) to determine why a user can't access a network resource.

See also Working with Alerts Based on Firepower Threat Defense Events.