Secure Logging Analytics for FDM-Managed Devices

Cisco Security Analytics and Logging (SaaS) allows you to capture connection, intrusion, file, malware, and Security Intelligence events from all of your FDM-managed devices and view them in one place in Cisco Defense Orchestrator.

The events are stored in the Cisco cloud and viewable from the Event Logging page in CDO where you can filter and review them to gain a clear understanding of what security rules are triggering in your network. The Logging and Troubleshooting package gives you these capabilities.

With the Logging Analytics and Detection package (formerly Firewall Analytics and Logging package), the system can apply Secure Cloud Analytics dynamic entity modeling to your FDM-managed device events, and use behavioral modeling analytics to generate Secure Cloud Analytics observations and alerts. If you obtain a Total Network Analytics and Monitoring package, the system applies dynamic entity modeling to both your FDM-managed device events and your network traffic, and generates observations and alerts. You can cross-launch from CDO to a Cisco Secure Cloud Analytics portal provisioned for you, using Cisco Single Sign-On.

How FDM Events are Displayed in the CDO Events Viewer

Connection, intrusion, file, malware, and Security Intelligence events are generated when an individual rule is configured to log events and network traffic matches the rule criteria. After the events are stored in the Cisco cloud, you can view them in CDO. There are two methods of configuring your FDM-managed device to send events to the Cisco cloud:

  • You can install multiple Secure Event Connectors (SECs) and send events generated by a rule, on any device, to any of the SECs as if it were a syslog server. The SEC then forwards the event to the Cisco cloud.

  • If your FDM-managed device was onboarded to CDO using a registration key, you can send events directly to the Cisco cloud using a control in the Secure Firewall device manager.

How an Event is Sent to the Cisco Cloud Using the Secure Event Connector

With the basic Logging and Troubleshooting license, this is how a Secure Firewall device manager event reaches the Cisco cloud:

  1. You onboard your FDM-managed device to CDO using username and password or by using a registration key.

  2. You configure individual rules, such as access control rules, Security Intelligence rules, and SSL decryption rules, to forward events to any one of your SECs as if it were a syslog server. In access control rules, you can also enable file and malware policies, and intrusion policies, and forward events generated by those policies to the SEC.

  3. You configure File/Malware logging in System Settings > Logging for file events.

  4. You configure Intrusion Logging in System Settings > Logging for intrusion events.

  5. The SEC forwards the events to the Cisco cloud where the events are stored.

  6. CDO displays events from the Cisco cloud in its Events Logging page based on the filters you set.

With the Logging Analytics and Detection or Total Network Analytics and Monitoring license, the following also occur:

  1. Cisco Secure Cloud Analytics applies analytics to the Secure Firewall device manager connection events stored in the Cisco cloud.

  2. Generated observations and alerts are accessible from the Secure Cloud Analytics portal associated with your CDO portal.

  3. From the CDO portal, you can cross-launch your Secure Cloud Analytics portal to review these observations and alerts.

How Events are Sent Directly from a Secure Firewall device manager to the Cisco Cloud

With the basic Logging and Troubleshooting license, this is how Secure Firewall device manager events reach the Cisco cloud:

  1. You onboard your FDM-managed device to CDO using a registration token.

  2. You configure individual rules, such as access control rules, Security Intelligence rules, and SSL decryption rules, to log events but you don't specify a syslog server for them to be sent to. In access control rules, you can also enable file and malware policies and intrusion policies, and forward events generated by those policies to the Cisco cloud.

  3. File events and Intrusion events are sent to the Cisco cloud if file and malware policies and intrusion policies are configured in the access control rules to log connection events.

  4. You activate Cloud Logging on the Secure Firewall device manager and the events logged in the various rules are sent to the Cisco cloud.

  5. CDO pulls events from the Cisco cloud based on the filters you set and displays them in its Events viewer.

With the Logging Analytics and Detection or Total Network Analytics and Monitoring license, the following also occur:

  1. Cisco Secure Cloud Analytics applies analytics to the Secure Firewall device manager connection events stored in the Cisco cloud.

  2. Generated observations and alerts are accessible from the Secure Cloud Analytics portal associated with your CDO portal.

  3. From the CDO portal, you can cross-launch your Secure Cloud Analytics portal to review these observations and alerts.

Configuration Comparison

Here is a summary of the CDO configuration differences between sending events to the Cisco cloud through an SEC and sending events directly to the Cisco cloud.

FDM-Managed Device Configuration | When Sending Events through a Secure Event Connector (SEC) | When Sending Events Directly to Cisco Cloud

CDO onboarding method for FDM-Managed Device
  • Through an SEC: Credentials (Username and password), or Registration token
  • Directly to Cisco Cloud: Registration token, or Serial Number

Version Support
  • Through an SEC: Version 6.4+
  • Directly to Cisco Cloud: Registration Token - Version 6.5+; Serial Number - Version 6.7+

Cisco Security Analytics and Logging (SaaS) Licenses (same for both methods)
  • Logging and Troubleshooting
  • Logging Analytics and Detection (optional)
  • Total Network Analytics and Monitoring (optional)

Licenses (same for both methods)
  • Threat - If you want to collect connection events from intrusion rules, file control rules, or security intelligence filtering.
  • Malware - If you want to collect connection events from file control rules.

Secure Event Connector
  • Through an SEC: Required
  • Directly to Cisco Cloud: N/A

Data Compression*
  • Through an SEC: Events are compressed*
  • Directly to Cisco Cloud: Events are not compressed*

Data Plan
  • Through an SEC: Required
  • Directly to Cisco Cloud: Required

Note

*Data subscriptions and your Historical Monthly Usage are based on the amount of uncompressed data you use.

Components in the Solution

Cisco Security Analytics and Logging (SaaS) uses these components to deliver events to CDO:

Secure Device Connector (SDC) - The SDC connects CDO to your FDM-managed devices. The login credentials for the FDM-managed devices are stored on the SDC. See Secure Device Connector for more information.

Secure Event Connector (SEC) - The SEC is an application that receives events from your FDM-managed devices and forwards them to the Cisco cloud. Once in the Cisco cloud, you can view the events on CDO's Event Logging page or analyze them with Cisco Secure Cloud Analytics. You may have one or more SECs associated with your tenant. Depending on your environment, you install the Secure Event Connector on a Secure Device Connector or a CDO Connector VM.

Secure Firewall device manager - The FDM-managed device is Cisco's next generation firewall. Beyond stateful inspection of network traffic and access control, the FDM-managed device provides capabilities such as protection from malware and application-layer attacks, integrated intrusion prevention, and cloud-delivered threat intelligence.

If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, Cisco Security Analytics and Logging (SaaS) uses Cisco Secure Cloud Analytics to further analyze events delivered to CDO.

Cisco Secure Cloud Analytics - Secure Cloud Analytics applies dynamic entity modeling to events, generating detections based on this information. This provides a deeper analysis of telemetry gathered from your network, allowing you to identify trends and examine anomalous behavior in your network traffic.

Licensing

To configure this solution you need the following accounts and licenses:

Cisco Defense Orchestrator. You must have a CDO tenant.

Secure Device Connector. There is no separate license for a SDC.

Secure Event Connector. There is no separate license for a SEC.

Secure Logging Analytics (SaaS). You need to buy the Logging and Troubleshooting license. The goal of this package is to provide network operations teams with real-time and historical events derived from their on-boarded FDM-managed devices for the purposes of troubleshooting and analyzing traffic in their network.

You can also buy a Logging Analytics and Detection or Total Network Analytics and Monitoring license to apply Cisco Secure Cloud Analytics. The goal of these packages is to provide network operations teams additional insight into the events (and network traffic with the Total Network Analytics and Monitoring license) to better identify possible anomalous behavior and respond to it.

License Name | Provided Functionality | Available License Durations | Functionality Prerequisites

Logging and Troubleshooting
  Provided Functionality: View events and event detail within CDO, both as a live feed and as a historical view.
  Available License Durations: 1 year, 3 years, or 5 years.
  Functionality Prerequisites:
  • CDO
  • An on-premises deployment running version 6.4 or later.
  • Deployment of one or more SECs to pass events to the cloud.

Logging Analytics and Detection (formerly Firewall Analytics and Monitoring)
  Provided Functionality: Logging and Troubleshooting functionality, plus:
  • Apply dynamic entity modeling and behavioral analytics to your FDM-managed device events.
  • Open alerts in Secure Cloud Analytics based on event data, cross-launching from the CDO event viewer.
  Available License Durations: 1 year, 3 years, or 5 years.
  Functionality Prerequisites:
  • CDO
  • An on-premises deployment running version 6.4 or later.
  • Deployment of one or more SECs to pass events to the cloud.
  • A newly provisioned or existing Secure Cloud Analytics portal.

Total Network Analytics and Monitoring
  Provided Functionality: Logging Analytics and Detection functionality, plus:
  • Apply dynamic entity modeling and behavioral analytics to events, on-premises network traffic, and cloud-based network traffic.
  • Open alerts in Secure Cloud Analytics based on the combination of event data, on-premises network traffic flow data collected by Secure Cloud Analytics sensors, and cloud-based network traffic passed to Secure Cloud Analytics, cross-launching from the CDO event viewer.
  Available License Durations: 1 year, 3 years, or 5 years.
  Functionality Prerequisites:
  • CDO
  • An on-premises deployment running version 6.4 or later.
  • Deployment of one or more SECs to pass events to the cloud.
  • Deployment of at least one Secure Cloud Analytics sensor version 4.1 or later to pass network traffic flow data to the cloud, OR integration of Secure Cloud Analytics with a cloud-based deployment to pass network traffic flow data to Secure Cloud Analytics.
  • A newly provisioned or existing Secure Cloud Analytics portal.

FDM-Managed Device. You need to have the following licenses to run the FDM-managed device and create rules that generate security events:

License | Duration | Granted Capabilities

Essentials (automatically included)
  Duration: Perpetual
  Granted Capabilities: All features not covered by the optional term licenses.
  You must also specify whether to Allow export-controlled functionality on the products registered with this token. You can select this option only if your country meets export-control standards. This option controls your use of advanced encryption and the features that require advanced encryption.

Threat
  Duration: Term-based
  Granted Capabilities:
  • Intrusion detection and prevention - Intrusion policies analyze network traffic for intrusions and exploits and, optionally, drop offending packets.
  • File control - File policies detect and, optionally, block users from uploading (sending) or downloading (receiving) files of specific types. AMP for Firepower, which requires a Malware license, allows you to inspect and block files that contain malware. You must have the Threat license to use any type of File policy.
  • Security Intelligence filtering - Drop selected traffic before the traffic is subjected to analysis by access control rules. Dynamic feeds allow you to immediately drop connections based on the latest intelligence.

Malware
  Duration: Term-based
  Granted Capabilities: File policies that check for malware, which use Cisco Advanced Malware Protection (AMP) with AMP for Firepower (network-based Advanced Malware Protection) and Cisco Threat Grid. File policies can detect and block malware in files transmitted over your network.

Data Plans

You need to buy a data storage plan that reflects the number of events the Cisco cloud receives from your on-boarded FDM-managed devices on a daily basis. The best way to determine your ingest rate is to participate in a free trial of Secure Logging Analytics (SaaS) before you buy it. This will give you a good estimate of your event volume. In addition, you can use the Logging Volume Estimator Tool.

Caution

It is possible to configure your FDM-managed device to send events to the Cisco cloud directly and by way of the SEC simultaneously. If you do this, the same event will be "ingested" twice and counted against your data plan twice, though it will only be stored in the Cisco cloud once. Be careful to send events to the Cisco cloud using one method or the other to avoid incurring unnecessary fees.

Data plans are available in 1 GB daily volume increments, and in 1, 3 or 5 year terms. See the Secure Logging Analytics (SaaS) Ordering Guide for information about data plans.

Note

If you have a Security Analytics and Logging license and data plan, then obtain a different license at a later date, that alone does not require you to obtain a different data plan. If your network traffic throughput changes and you obtain a different data plan, that alone does not require you to obtain a different Security Analytics and Logging license.
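To show how the sizing rules above interact (usage metered on uncompressed data, plans sold in 1 GB daily increments, and every event metered once per configured path when a device sends both through an SEC and directly), here is an added estimator; it is not Cisco's Logging Volume Estimator Tool or any CDO code. The daily event counts and per-event byte sizes are constructed placeholders, and a plan gigabyte is assumed to be a decimal GB.

```python
from math import ceil

PLAN_INCREMENT_BYTES = 1_000_000_000  # assumption: 1 GB plan increment, decimal GB

# Constructed sample input: events per day, by event type, for one tenant.
SAMPLE_DAILY_EVENTS = {
    "connection": 9_000_000,
    "intrusion": 20_000,
    "file": 5_000,
    "malware": 200,
    "security_intelligence": 300_000,
}

# Assumed average uncompressed record size in bytes per event type.
# Placeholders only; measure real sizes during the 30-day trial.
ASSUMED_EVENT_BYTES = {
    "connection": 450,
    "intrusion": 800,
    "file": 600,
    "malware": 700,
    "security_intelligence": 400,
}


def daily_uncompressed_bytes(events, sizes=ASSUMED_EVENT_BYTES):
    """Daily uncompressed volume. SEC compression is ignored on purpose
    because data subscriptions are metered on uncompressed data."""
    return sum(count * sizes[kind] for kind, count in events.items())


def daily_metered_bytes(events, via_sec, direct_to_cloud, sizes=ASSUMED_EVENT_BYTES):
    """Each enabled path ingests the same event again, and each ingest is
    counted against the data plan, although the cloud stores the event once."""
    paths = int(via_sec) + int(direct_to_cloud)
    if paths == 0:
        raise ValueError("no logging path enabled; nothing reaches the Cisco cloud")
    return paths * daily_uncompressed_bytes(events, sizes)


def plan_gb_needed(events, via_sec=True, direct_to_cloud=False):
    """Smallest daily plan volume, rounded up to whole 1 GB increments."""
    metered = daily_metered_bytes(events, via_sec, direct_to_cloud)
    return ceil(metered / PLAN_INCREMENT_BYTES)


if __name__ == "__main__":
    print("SEC only:", plan_gb_needed(SAMPLE_DAILY_EVENTS), "GB/day")
    print("SEC and direct:", plan_gb_needed(SAMPLE_DAILY_EVENTS, direct_to_cloud=True), "GB/day")
```

With the constructed figures, enabling both paths nearly doubles the plan size (5 GB/day to 9 GB/day) without storing a single additional event.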

30-day Free Trial

You can request a 30-day risk-free trial by logging in to CDO and navigating to Analytics > Event Logging. On completion of the 30-day trial, you can order the desired event data volume to continue the service from Cisco Commerce Workspace (CCW), by following the instructions in the Secure Logging Analytics (SaaS) ordering guide.

What to do next?

Continue with Implementing Secure Logging Analytics (SaaS) for FDM-Managed Devices.