Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Cisco Firepower Management Center

 

The JSA DSM for Cisco Firepower Management Center collects Firepower Management Center events by using the eStreamer API service.

Cisco Firepower Management Center is formerly known as FireSIGHT Management Center.

JSA supports Firepower Management Center version 5.2 to version 6.4.

Configuration Overview

To integrate with Firepower Management Center, you must create certificates in the Firepower Management Center interface, and then add the certificates to the JSA appliances that receive eStreamer event data.

If your deployment includes multiple Firepower Management Center appliances, you must copy the certificate for each appliance that receives eStreamer events. The certificate allows the Firepower Management Center appliance and the JSA console or JSA Event Collectors to communicate by using the eStreamer API to collect events.

To integrate JSA with Firepower Management Center, use the following steps:

  1. Create the eStreamer certificate on your Firepower Management Center appliance. For more information about creating eStreamer certificates, see Creating Cisco Firepower Management Center 5.x and 6.x Certificates

  2. Import a Cisco Firepower Management Center certificate in JSA. For more information about importing a certificate, see Importing a Cisco Firepower Management Center Certificate to JSA

  3. If you want to send intrusion or connection events to JSA by using Syslog, enable external logging on your Cisco Firepower appliance. For more information about enabling external logging, see Configure your Cisco Firepower Appliance to Send Intrusion or Connection Events to JSA by using Syslog.

  4. If JSA does not automatically detect the log source, add a Cisco Firepower Management Center log source on the JSA Console. For more information about Cisco Firepower Management Center log source parameters, see Cisco Firepower Management Center Log Source Parameters.

Supported Event Types

JSA supports the following event types from Firepower Management Center:

  • Discovery Events

  • Correlation and White List Events

  • Impact Flag Alerts

  • User Activity

  • Malware Events

  • File Events

  • Connection Events

  • Intrusion Events

  • Intrusion Event Packet Data

  • Intrusion Event Extra Data

    Intrusion events that are categorized by the Cisco Firepower Management Center DSM in JSA use the same JSA Identifiers (QIDs) as the Snort DSM to ensure that all intrusion events are categorized properly.

    Intrusion events in the 1,000,000 - 2,000,000 range are user-defined rules in Firepower Management Center. User-defined rules that generate events are added as an Unknown event in JSA, and include additional information that describes the event type. For example, a user-defined event can identify as Unknown:Buffer Overflow for Firepower Management Center.

The following table provides sample event messages for the Cisco Firepower Management Center DSM:

Table 1: Cisco Firepower Management Center Sample Messages Supported by the Cisco Firepower Management Center Device

Event name

Low level category

Sample log message

User Login Change Event

Computer Account Changed

DeviceType=Estreamer DeviceAddress =1.1.1.1 CurrentTime=150774 0597988 netmapId=0 recordTyp e=USER_LOGIN_CHANGE_EVENT record Length=142 timestamp=01 May 201 5 12:13:50 detectionEngineRef= 0 ipAddress=0.0.0.0 MACAddres s=00:00:00:00:00:00 hasIPv6=tru e eventSecond=1430491035 eve ntMicroSecond=0 eventType=USER_ LOGIN_INFORMATION fileNumber=00 000000 filePosition=00000000 ipV6Address=1.1.1.1 userLoginInformation.timestamp= 1430491035 userLoginInformati on.ipv4Address=0.0.0.0 userLog inInformation.userName=username userLoginInformation.userRef=0 userLoginInformation.protocol Ref=710 userLoginInformation.ema il= userLoginInformation.ipv6Ad dress=1.1.1.1 userLoginIn formation.loginType=0 userLogi nInformation.reportedBy=IPAddress"

User Removed Change Event

User Account Removed

DeviceType=Estreamer DeviceAddress =1.1.1.1 CurrentTime=15077 43344985 netmapId=0 recordTyp e=USER_REMOVED_CHANGE_EVENT reco rdLength=191 timestamp=21 Sep 201 7 14:53:14 detectionEngineRef= 0 ipAddress=IPAddress MACAddress =00:00:00:00:00:00 hasIPv6=tru e eventSecond=1506016392 event MicroSecond=450775 eventType=DELE TE_USER_IDENTITY fileNumber=0000 0000 filePosition=00000000 ip V6Address=0:0:0:0:0:0:0:0 userIn formation.id=1 userInformatio n.userName=username userInformat ion.protocol=710 userInformation .firstName=firstname userInformation .lastName=lastname userInformation .email=EmailAddress userInformation.department=R esearch userInformation.phone =000-000-0000

INTRUSION EVENT EXTRA DATA RECORD

Information

DeviceType=Estreamer DeviceAddress =1.1.1.1 CurrentTime=150774 0690263 netmapId=0 recordType= INTRUSION_EVENT_EXTRA_DATA_RECORD r ecordLength=49 timestamp=01 May 20 15 15:32:53 eventExtraData.eventId= 393275 eventExtraData.eventSecond= 1430505172 eventExtraData.managed Device.managedDeviceId=6 eventExtr aData.managedDevice.name=manageddevic e.dcloud.cisco.com eventExtraData .extraDataType.eventExtraDataType.ty pe=10 eventExtraData.extraDataTyp e.eventExtraDataType.name=HTTP Hostn ame eventExtraData.extraDataType .eventExtraDataType.encoding=String eventExtraData.extraData=www.ho medepot.com

RUA User record

Information

DeviceType=Estreamer DeviceAddress =1.1.1.1 CurrentTime=15077 40603372 netmapId=0 recordTyp e=RUA_USER_RECORD recordLength= 21 timestamp=11 Oct 2017 13:50: 02 userRef=2883 protocolRef= 710 userName=UserName

Creating Cisco Firepower Management Center 5.x and 6.x Certificates

JSA requires a certificate for every FireSIGHT Management Center appliance in your deployment. Certificates are generated in pkcs12 format and must be converted to a keystore and a truststore file, which are usable by JSA appliances.

  1. Log in to your Firepower Management Center interface.
    • If you are using version 5.x, select System >Local >Registration.

    • If you are using version 6.x, select System >Integration.

  2. Click the eStreamer tab.
  3. Select the types of events that you want Firepower Management Center to send to JSA, and then click Save.

    The following image lists the types of events that Firepower Management Center sends to JSA.

    Figure 1: Firepower Management Center EStreamer Event Configuration
    Firepower Management Center EStreamer
Event Configuration
  4. Click Create Client in the upper right side of the window.
  5. In the Hostname field, type the IP address or host name, depending on which of the following conditions applies to your environments.
    • If you use a JSA console or you use a JSA All-in-One appliance to collect eStreamer events, type the IP address or host name of your JSA console.

    • If you use a JSA Event Collector to collect eStreamer events, type the IP address or host name for the Event Collector.

    • If you use JSA High Availability (HA), type the virtual IP address.

  6. In the Password field, type a password for your certificate. If you choose to provide a password, the password is required to import the certificate.
  7. Click Save.

    The new client is added to the eStreamer Client list and the host can communicate with the eStreamer API on port 8302.

  8. Click Download Certificate for your host to save the pkcs12 certificate to a file location.
  9. Click OK to download the file.

You are now ready to import your Firepower Management Center certificate to your JSA appliance.

Importing a Cisco Firepower Management Center Certificate to JSA

The estreamer-cert-import.pl script for JSA converts your pkcs12 certificate file to a keystore and truststore file and places the certificates in the proper directory on your JSA appliance. Repeat this procedure for each Sourcefire Defense Center pcks12 certificate you need to import to your JSA Console or Event Collector.

You must have root or su - root privileges to run the estreamer-cert-import.pl import script.

The estreamer-cert-import.pl script is stored on your JSA appliance when you install the Firepower Management Center protocol.

The script converts and imports one pkcs12 file at a time. You are required only to import a certificate for the JSA appliance that manages the Firepower Management Center log source. For example, after the Firepower Management Center event is categorized and normalized by an Event Collector in a JSA deployment, it is forwarded to the JSA Console. In this scenario, you would import a certificate to the Event Collector.

When you import a new certificate, existing Firepower Management Center certificates on the JSA appliance are renamed to estreamer.keystore.old and estreamer.truststore.old.

  1. Log in to your JSA Console or Event Collector as the root user.
  2. Copy the pkcs12 certificate from your Firepower Management Center appliance to the following directory:
  3. To import your pkcs12 file, type the following command and any extra parameters:

    The -f parameter is required. All other parameters that are described in the following table are optional.

    Extra parameters are described in the following table:

    Parameter

    Description

    -f

    Identifies the file name of the pkcs12 files to import.

    -o

    Overrides the default Estreamer name for the keystore and truststore files. Use the -o parameter when you integrate multiple Firepower Management Center devices. For example, /opt/qradar/bin/estreamer-cert-import.pl -f <file name> -o 192.168.1.100

    The import script creates the following files:

    • /opt/qradar/conf/192.168.0.100.keystore

    • /opt/qradar/conf/192.168.0.100.truststore

    -d

    Enables verbose mode for the import script. Verbose mode is intended to display error messages for troubleshooting purposes when pkcs12 files fail to import properly.

    -p

    Specifies a password if a password was accidentally provided when you generated the pkcs12 file.

    -v

    Displays the version information for the import script.

    -h

    Displays a help message on using the import script.

The import script displays the location where the import files were copied.

Configure your Cisco Firepower Appliance to Send Intrusion or Connection Events to JSA by using Syslog

To send intrusion events or connection events to JSA by using the Syslog protocol, you need to enable external logging on your Cisco Firepower appliance.

To enable external logging for intrusion events, create a new intrusion policy or edit an existing intrusion policy in Adaptive Security Device Manager (ASDM).

The following table describes the parameters that require specific values to collect Cisco Firepower Management Center events from the eStreamer API service.

Cisco Firepower Management Center Log Source Parameters

When you add a Cisco Firepower Management Center log source on the JSA Console by using the Cisco Firepower eStreamer protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Cisco Firepower Management Center events from the eStreamer API service.

Table 2: Cisco Firepower eStreamer Protocol Log Source Parameters for the Cisco Firepower Management Center DSM

Parameter

Value

Log Source type

Cisco Firepower Management Center

Protocol Configuration

Cisco Firepower eStreamer

Related Documentation