Implementing Secure Logging Analytics (SaaS) for FDM-Managed Devices

Before you Begin

  • Review Secure Logging Analytics for FDM-Managed Devices to learn about:

    • How events are sent to the Cisco cloud

    • Applications in the solution

    • Licenses you need

    • Data plan you need

  • You have contacted your managed service provider or Cisco Defense Orchestrator Sales representative and you have a CDO tenant.

  • Your tenant may or may not use a Secure Device Connector (SDC) for CDO to connect with your FDM-managed devices. As a best practice, your tenant should have an SDC installed for the FDM-managed devices that you onboard with device credentials. If you onboard your FDM-managed devices with a registration key or serial number, you do not need an SDC.

  • If you have installed an SDC for your tenant, ensure your SDC status is Active and has recorded a recent heartbeat.

  • If you are installing an SDC, you use one of these methods for the installation:

  • You can install more than one Secure Event Connector (SEC) for your tenant, and you can send events from any Firewall device manager to any one SEC onboarded to your tenant.

  • If you are sending events directly to the Cisco cloud from the firewall device manager, you have opened up outbound access on port 443 on the management interface.

  • You have established two-factor authentication for users of your account.

New CDO Customer Workflow to Implement Secure Logging Analytics (SaaS) and Send Events through the Secure Event Connector to the Cisco Cloud

  1. Onboard your FDM-Managed Devices. You can onboard the device with the admin username and password or with a registration token.

  2. Create a Syslog Server Object for Secure Logging Analytics (SaaS).

  3. Configure the FDM-Managed Device Policy to log connection events.

  4. Configure your FDM-managed device to send events generated by rules and policies to the Secure Event Connector.

  5. Confirm events are visible in CDO. From the navigation bar, select Analytics > Event Logging. Click the Live tab to view live events.

  6. If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, continue with Analyzing Events in Cisco Secure Cloud Analytics.

New CDO Customer Workflow to Implement Secure Logging Analytics (SaaS) and Send Events Directly to the Cisco Cloud

  1. Onboard your FDM-Managed Devices. You can only use a registration key.

  2. Configure the FDM-Managed Device Policy to log connection events.

  3. Configure your FDM-managed device to send events directly to the Cisco cloud.

  4. Confirm events are visible in CDO. From the navigation bar, select Analytics > Event Logging. Click the Live tab to view live events.

  5. If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, continue with Analyzing Events in Cisco Secure Cloud Analytics.

Existing CDO Customer Workflow to Implement Secure Logging Analytics (SaaS) and Send Events through the Secure Event Connector to the Cisco Cloud

  1. Onboard your FDM-Managed Devices. You can onboard the device with the admin username and password or with a registration token.

  2. Create a Syslog Server Object for Secure Logging Analytics (SaaS).

  3. Configure the FDM-Managed Device Policy to log connection events.

  4. Send events generated by rules and policies to the Secure Event Connector.

  5. Confirm events are visible in CDO. From the navigation bar, select Analytics > Event Logging. Click the Live tab to view live events.

  6. If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, continue with Analyzing Events in Cisco Secure Cloud Analytics.

Existing CDO Customer Workflow to Implement Secure Logging Analytics (SaaS) and Send Events Directly to the Cisco Cloud

  1. Onboard your FDM-Managed Devices. You can only use a registration key.

  2. Configure the FDM-Managed Device Policy to log connection events.

  3. Configure your FDM-managed device to send events directly to the Cisco cloud.

  4. Confirm events are visible in CDO. From the navigation bar, select Analytics > Event Logging. Click the Live tab to view live events.

  5. If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, continue with Analyzing Events in Cisco Secure Cloud Analytics.

Analyzing Events in Cisco Secure Cloud Analytics

If you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license, perform the following in addition to the previous steps:

  1. Provision a Cisco Secure Cloud Analytics Portal.

  2. Deploy one or more Secure Cloud Analytics sensors to your internal network if you purchased a Total Network Analytics and Monitoring license. See Cisco Secure Cloud Analytics Sensor Deployment for Total Network Analytics and Reporting.

  3. Invite users to create Secure Cloud Analytics user accounts, tied to their Cisco Single Sign-On credentials. See Viewing Cisco Secure Cloud Analytics Alerts from CDO.

  4. Cross-launch from CDO to Secure Cloud Analytics to monitor the Secure Cloud Analytics alerts generated from firewall device manager events. See Viewing Cisco Secure Cloud Analytics Alerts from CDO.

Reviewing Secure Cloud Analytics Alerts by Cross-launching from CDO

With a Logging Analytics and Detection or Total Network Analytics and Monitoring license, you can cross-launch from CDO to Secure Cloud Analytics to review the alerts generated by Secure Cloud Analytics, based on firewall device manager events.

Review these articles for more information:

Secure Analytics and Logging (SaaS) Workflows

Troubleshooting Using Security and Analytics Logging Events describes using the events generated from Secure Logging Analytics (SaaS) to determine why a user can't access a network resource.

See also Working with Alerts Based on FDM Events.