Configure a Secure Network Analytics Data Store

Configure a Secure Network Analytics Data Store deployment to integrate Security Analytics and Logging (SAL) (OnPrem) with CDO-managed threat defense devices.

Before you begin

Ensure the following:

  • You have a provisioned CDO tenant and one of the following CDO user roles:

    • Admin

    • Super admin

  • Your threat defense devices are working as expected and generating events.

  • If you currently send events to the Secure Network Analytics appliance over syslog from devices whose version supports sending events directly, disable syslog on those devices (or assign them an access control policy that contains no syslog configuration). Otherwise the same events arrive twice and are stored in duplicate on the remote volume.

  • Gather the following information:

    • The hostname or the IP address of your Secure Network Analytics Manager.

    • The IP address of your flow collector.

Note

You may be logged out of the Secure Network Analytics Manager during the registration process; complete any work in progress before you start with the deployment wizard.

Procedure


Step 1

Log in to CDO.

Step 2

From the CDO menu, navigate to Tools & Services > Firewall Management Center to open the Services page.

Step 3

Choose Cloud-Delivered FMC and click Configuration.

Step 4

Navigate to Integration > Security Analytics & Logging.

Step 5

In the Secure Network Analytics Data Store widget, click Start.

Step 6

Enter the hostname or the IP address and port number of the flow collector.

To add more flow collectors, click +Add another Flow Collector.

Step 7

If you have configured more than one flow collector, associate the managed devices with different flow collectors:

Note

By default, all the managed devices are assigned to the default flow collector.

  1. Click Assign Devices.

  2. Select the managed devices that you want to assign.

  3. From the reassign device drop-down list, choose the flow collector.

    If you do not want a managed device to send event data to any of the flow collectors, select that device, and choose Do not log to flow collector from the reassign device drop-down list.

    You can change the default flow collector by hovering over the intended flow collector and clicking Set default.

  4. Click Apply Changes.

  5. Click Next.

Step 8

Click Next.

Step 9

Deploy the changes to the registered managed devices.

Event data is not logged to SAL (OnPrem) until the logging policy changes are deployed to the registered threat defense devices.
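Before you run the wizard, it helps to write down the Step 7 assignment and check it against the syslog prerequisite above. The following Python is an added example, not Cisco code and not a CDO or Secure Network Analytics API: it models the wizard's rules (a default flow collector, per-device reassignment, and the "Do not log to flow collector" choice) and flags devices that would log events both directly and over syslog, which is the duplicate-event case the prerequisites warn about. The device names, collector addresses and the port number are constructed samples.

```python
from dataclasses import dataclass, field

# Sentinel matching the wizard's "Do not log to flow collector" choice (Step 7).
DO_NOT_LOG = "Do not log to flow collector"


@dataclass(frozen=True)
class FlowCollector:
    host: str   # hostname or IP address entered in Step 6
    port: int   # port entered in Step 6


@dataclass(frozen=True)
class Device:
    name: str
    direct_capable: bool          # version supports sending events directly
    syslog_to_sna: bool = False   # still sends syslog to the SNA appliance


@dataclass
class AssignmentPlan:
    collectors: dict                               # name -> FlowCollector
    default: str                                   # default flow collector name
    overrides: dict = field(default_factory=dict)  # device -> collector name or DO_NOT_LOG

    def target_for(self, device_name: str) -> str:
        """Step 7 rule: an explicit assignment wins, otherwise the default collector."""
        return self.overrides.get(device_name, self.default)

    def validate(self, devices) -> list:
        """Return a list of problems; an empty list means the plan is safe to enter."""
        problems = []
        if self.default not in self.collectors:
            problems.append(f"default collector '{self.default}' is not defined")
        seen = {}
        for name, fc in self.collectors.items():
            key = (fc.host, fc.port)
            if key in seen:
                problems.append(f"collector '{name}' duplicates '{seen[key]}' ({fc.host}:{fc.port})")
            seen[key] = name
        for dev_name, target in self.overrides.items():
            if target != DO_NOT_LOG and target not in self.collectors:
                problems.append(f"device '{dev_name}' is assigned to unknown collector '{target}'")
        for dev in devices:
            target = self.target_for(dev.name)
            # Prerequisite: a direct-capable device must not also send syslog to the appliance.
            if target != DO_NOT_LOG and dev.direct_capable and dev.syslog_to_sna:
                problems.append(
                    f"device '{dev.name}' sends syslog to the SNA appliance and would also log "
                    f"directly to '{target}': disable syslog to avoid duplicate events")
        return problems


def sample_plan():
    """Constructed sample: two collectors, one override, one device excluded."""
    collectors = {
        "fc-primary": FlowCollector("192.0.2.11", 8514),    # port is a sample value
        "fc-secondary": FlowCollector("192.0.2.12", 8514),
    }
    plan = AssignmentPlan(
        collectors=collectors,
        default="fc-primary",
        overrides={"ftd-branch-2": "fc-secondary", "ftd-lab": DO_NOT_LOG},
    )
    devices = [
        Device("ftd-hq-1", direct_capable=True),
        Device("ftd-branch-2", direct_capable=True, syslog_to_sna=True),   # duplicate risk
        Device("ftd-lab", direct_capable=True, syslog_to_sna=True),        # excluded, so fine
        Device("ftd-legacy", direct_capable=False, syslog_to_sna=True),    # syslog only, fine
    ]
    return plan, devices


if __name__ == "__main__":
    plan, devices = sample_plan()
    for dev in devices:
        print(f"{dev.name:14} -> {plan.target_for(dev.name)}")
    for problem in plan.validate(devices):
        print("WARNING:", problem)
```

Run the script against your own inventory before Step 7; every WARNING line is a device to fix (disable syslog, or choose "Do not log to flow collector") before you click Apply Changes and deploy.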

Note

If you must change any of these configurations, run the wizard again. If you disable the configuration or run the wizard again, all settings except the account credentials are retained.

You can view and work with these remotely stored events in the event viewer and context explorer in the management center, and include them when generating reports. You can also cross-launch from an event in the management center to view related data on your Secure Network Analytics Manager.

For more information, see the online help for the management center.