Cisco Firepower Management Center
The JSA DSM for Cisco Firepower Management Center collects Firepower Management Center events by using the eStreamer API service.
Cisco Firepower Management Center is formerly known as FireSIGHT Management Center.
JSA supports Firepower Management Center version 5.2 to version 6.2.3.
To integrate with Firepower Management Center, you must create certificates in the Firepower Management Center interface, and then add the certificates to the JSA appliances that receive eStreamer event data.
If your deployment includes multiple Firepower Management Center appliances, you must copy the certificate for each appliance that receives eStreamer events. The certificate allows the Firepower Management Center appliance and the JSA console or JSA Event Collectors to communicate by using the eStreamer API to collect events.
To integrate JSA with Firepower Management Center, use the following steps:
Create the eStreamer certificate on your Firepower Management Center appliance.
Add the Firepower Management Center certificate files to JSA.
Configure a log source in JSA for your Firepower Management Center appliances.
Supported Event Types
JSA supports the following event types from Firepower Management Center:
Correlation and White List Events
Impact Flag Alerts
Intrusion Event Packet Data
Intrusion Event Extra Data
Intrusion events that are categorized by the Cisco Firepower Management Center DSM in JSA use the same JSA Identifiers (QIDs) as the Snort DSM to ensure that all intrusion events are categorized properly.
Intrusion events in the 1,000,000 - 2,000,000 range are user-defined rules in Firepower Management Center. User-defined rules that generate events are added as an Unknown event in JSA, and include additional information that describes the event type. For example, a user-defined event can identify as Unknown:Buffer Overflow for Firepower Management Center.
The following table provides sample event messages for the Cisco Firepower Management Center DSM:
Table 1: Cisco Firepower Management Center Sample Messages Supported by the Cisco Firepower Management Center Device

| Event name | Low level category | Sample log message |
| --- | --- | --- |
| User Login Change Event | Computer Account Changed | DeviceType=Estreamer DeviceAddress=22.214.171.124 CurrentTime=1507740597988 netmapId=0 recordType=USER_LOGIN_CHANGE_EVENT recordLength=142 timestamp=01 May 2015 12:13:50 detectionEngineRef=0 ipAddress=0.0.0.0 MACAddress=00:00:00:00:00:00 hasIPv6=true eventSecond=1430491035 eventMicroSecond=0 eventType=USER_LOGIN_INFORMATION fileNumber=00000000 filePosition=00000000 ipV6Address=126.96.36.199 userLoginInformation.timestamp=1430491035 userLoginInformation.ipv4Address=0.0.0.0 userLoginInformation.userName=username userLoginInformation.userRef=0 userLoginInformation.protocolRef=710 userLoginInformation.email= userLoginInformation.ipv6Address=188.8.131.52 userLoginInformation.loginType=0 userLoginInformation.reportedBy=IPAddress |
| User Removed Change Event | User Account Removed | DeviceType=Estreamer DeviceAddress=184.108.40.206 CurrentTime=1507743344985 netmapId=0 recordType=USER_REMOVED_CHANGE_EVENT recordLength=191 timestamp=21 Sep 2017 14:53:14 detectionEngineRef=0 ipAddress=IPAddress MACAddress=00:00:00:00:00:00 hasIPv6=true eventSecond=1506016392 eventMicroSecond=450775 eventType=DELETE_USER_IDENTITY fileNumber=00000000 filePosition=00000000 ipV6Address=0:0:0:0:0:0:0:0 userInformation.id=1 userInformation.userName=username userInformation.protocol=710 userInformation.firstName=firstname userInformation.lastName=lastname userInformation.email=EmailAddress userInformation.department=Research userInformation.phone=000-000-0000 |
| Intrusion Event Extra Data Record | | DeviceType=Estreamer DeviceAddress=220.127.116.11 CurrentTime=1507740690263 netmapId=0 recordType=INTRUSION_EVENT_EXTRA_DATA_RECORD recordLength=49 timestamp=01 May 2015 15:32:53 eventExtraData.eventId=393275 eventExtraData.eventSecond=1430505172 eventExtraData.managedDevice.managedDeviceId=6 eventExtraData.managedDevice.name=manageddevice.dcloud.cisco.com eventExtraData.extraDataType.eventExtraDataType.type=10 eventExtraData.extraDataType.eventExtraDataType.name=HTTP Hostname eventExtraData.extraDataType.eventExtraDataType.encoding=String eventExtraData.extraData=www.homedepot.com |
| RUA User Record | | DeviceType=Estreamer DeviceAddress=18.104.22.168 CurrentTime=1507740603372 netmapId=0 recordType=RUA_USER_RECORD recordLength=21 timestamp=11 Oct 2017 13:50:02 userRef=2883 protocolRef=710 userName=UserName |
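As an added example that is not part of the JSA documentation, the following Python parses the normalized eStreamer messages shown in the table above (where values such as the timestamp and the extra data type name contain spaces, and a value such as email can be empty) and applies the 1,000,000 to 2,000,000 user-defined rule range described earlier. The sample message is copied from the table; the function names are assumptions.

```python
import re
from typing import Dict

# Sample INTRUSION_EVENT_EXTRA_DATA_RECORD copied from the table above, embedded so the example runs offline.
SAMPLE_EXTRA_DATA = (
    "DeviceType=Estreamer DeviceAddress=220.127.116.11 CurrentTime=1507740690263 netmapId=0 "
    "recordType=INTRUSION_EVENT_EXTRA_DATA_RECORD recordLength=49 timestamp=01 May 2015 15:32:53 "
    "eventExtraData.eventId=393275 eventExtraData.eventSecond=1430505172 "
    "eventExtraData.managedDevice.managedDeviceId=6 "
    "eventExtraData.managedDevice.name=manageddevice.dcloud.cisco.com "
    "eventExtraData.extraDataType.eventExtraDataType.type=10 "
    "eventExtraData.extraDataType.eventExtraDataType.name=HTTP Hostname "
    "eventExtraData.extraDataType.eventExtraDataType.encoding=String "
    "eventExtraData.extraData=www.homedepot.com"
)

# A key is a dotted identifier directly followed by '=' and preceded by whitespace or the
# start of the message. Values may contain spaces ("01 May 2015 15:32:53", "HTTP Hostname"),
# so a value runs up to the next key, not the next space. Values containing "name=" text
# would be mis-split; none of the page's samples do.
_KEY = re.compile(r"(?<![^\s])([A-Za-z][\w.]*)=")


def parse_estreamer(msg: str) -> Dict[str, str]:
    """Parse one normalized eStreamer message into a flat key -> value dict."""
    matches = list(_KEY.finditer(msg))
    fields: Dict[str, str] = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(msg)
        fields[m.group(1)] = msg[m.end():end].strip()   # empty value (e.g. email=) -> ""
    return fields


def is_user_defined_rule(rule_id: int) -> bool:
    """Rule IDs 1,000,000-2,000,000 are user-defined on FMC; JSA maps them to Unknown events."""
    return 1_000_000 <= rule_id <= 2_000_000


def extra_data_summary(msg: str) -> Dict[str, str]:
    """Pull the fields of an INTRUSION_EVENT_EXTRA_DATA_RECORD that an analyst pivots on."""
    f = parse_estreamer(msg)
    if f.get("recordType") != "INTRUSION_EVENT_EXTRA_DATA_RECORD":
        raise ValueError("not an intrusion event extra data record")
    return {
        "event_id": f["eventExtraData.eventId"],
        "sensor": f["eventExtraData.managedDevice.name"],
        "type": f["eventExtraData.extraDataType.eventExtraDataType.name"],
        "value": f["eventExtraData.extraData"],
    }
```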
Creating Cisco Firepower Management Center 5.x and 6.x Certificates
JSA requires a certificate for every FireSIGHT Management Center appliance in your deployment. Certificates are generated in pkcs12 format and must be converted to a keystore and a truststore file, which are usable by JSA appliances.
- Log in to your Firepower Management Center interface. If you are using version 5.x, select System > Local > Registration. If you are using version 6.x, select System > Integration.
- Click the eStreamer tab.
- Select the types of events that you want Firepower Management Center to send to JSA, and then click Save.
The following image lists the types of events that Firepower Management Center sends to JSA.
- Click Create Client in the upper right side of the window.
- In the Hostname field, type the IP address or host name, depending on which of the following conditions applies to your environment.
If you use a JSA console or you use a JSA All-in-One appliance to collect eStreamer events, type the IP address or host name of your JSA console.
If you use a JSA Event Collector to collect eStreamer events, type the IP address or host name for the Event Collector.
If you use JSA High Availability (HA), type the virtual IP address.
- In the Password field, type a password for your certificate. If you choose to provide a password, the password is required to import the certificate.
- Click Save.
The new client is added to the eStreamer Client list and the host can communicate with the eStreamer API on port 8302.
- Click Download Certificate for your host to save the pkcs12 certificate to a file location.
- Click OK to download the file.
You are now ready to import your Firepower Management Center certificate to your JSA appliance.
Importing a Cisco Firepower Management Center Certificate to JSA
The estreamer-cert-import.pl script for JSA converts your pkcs12 certificate file to a keystore and truststore file and places the certificates in the proper directory on your JSA appliance. Repeat this procedure for each Sourcefire Defense Center pkcs12 certificate you need to import to your JSA Console or Event Collector.
You must have su - root privileges to run the estreamer-cert-import.pl import script. The estreamer-cert-import.pl script is stored on your JSA appliance when you install the Firepower Management Center protocol.
The script converts and imports one pkcs12 file at a time. You are required only to import a certificate for the JSA appliance that manages the Firepower Management Center log source. For example, after the Firepower Management Center event is categorized and normalized by an Event Collector in a JSA deployment, it is forwarded to the JSA Console. In this scenario, you would import a certificate to the Event Collector.
When you import a new certificate, existing Firepower Management Center certificates on the JSA appliance are renamed.
- Log in to your JSA Console or Event Collector as the root user.
- Copy the pkcs12 certificate from your Firepower Management Center appliance to the following directory:
- To import your pkcs12 file, type the following command and any extra parameters:
/opt/qradar/bin/estreamer-cert-import.pl -f pkcs12_file_name options
The -f parameter is required; all other parameters are optional. The parameters are described below:
- -f: Identifies the file name of the pkcs12 file to import.
- -o: Overrides the default Estreamer name for the keystore and truststore files. Use the -o parameter when you integrate multiple Firepower Management Center devices. For example: /opt/qradar/bin/estreamer-cert-import.pl -f <file name> -o 192.168.1.100
  The import script creates the following files:
- Verbose mode: Enables verbose mode for the import script. Verbose mode displays error messages for troubleshooting when pkcs12 files fail to import properly.
- Password: Specifies the password, if one was provided when you generated the pkcs12 file.
- Version: Displays the version information for the import script.
- Help: Displays a help message on using the import script.
The import script displays the location where the import files were copied.
Configuring a Log Source for Cisco Firepower Management Center Events
JSA does not automatically discover Cisco Firepower Management Center events. You must configure a log source in JSA.
- Log in to JSA.
- Click the Admin tab.
- On the navigation menu, click Data Sources.
- Click the Log Sources icon, and then click Add.
- From the Log Source Type list, select Cisco Firepower Management Center.
- From the Protocol Configuration list, select Cisco Firepower eStreamer.
- Configure the following parameters:
  - Server address: The IP address or host name of the Firepower Management Center device.
  - Server port: The port number that the Firepower Management Center device is configured to accept connection requests on. The default port that JSA uses for the Firepower Management Center device is 8302.
  - Keystore file: The directory path and file name for the keystore private key and associated certificate. By default, the import script creates the keystore file in the following directory:
  - Truststore file: The directory path and file name for the truststore file. The truststore file contains the certificates that are trusted by the client. By default, the import script creates the truststore file in the following directory:
  - Request Extra Data: Select this option to request intrusion event extra data from Firepower Management Center. For example, extra data includes the original IP address of an event.
  - Domain: The domain where the events are streamed from. Note: Domain Streaming Requests are only supported for eStreamer version 6.x. Leave the Domain field blank for eStreamer version 5.x. The value in the Domain field must be a fully qualified domain. This means that all ancestors of the desired domain must be listed, starting with the top-level domain and ending with the leaf domain that you want to request events from. For example, if Global is the top-level domain, B is a second-level domain that is a subdomain of Global, and C is a third-level domain and a leaf domain that is a subdomain of B, then to request events from C, type the following value for the Domain parameter:
    Global \ B \ C
- Click Save.