
Cisco Firepower Threat Defense


The JSA DSM for Cisco Firepower Threat Defense (FTD) collects syslog events from a Cisco Firepower Threat Defense appliance. The syslog events that are collected by the Cisco Firepower Threat Defense DSM were previously collected by the Cisco Firepower Management Center DSM.

JSA collects the following event types from Cisco Firepower Threat Defense appliances:

  • Device health and network-related logs from FTD devices

  • Connection, security intelligence, and intrusion logs from FTD devices

  • Logs for file and malware events.

To integrate Cisco Firepower Threat Defense with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA Console:
    • DSM Common RPM
    • Cisco Firepower Threat Defense DSM RPM
    • Cisco Firewall Devices DSM RPM
  2. Configure your Cisco Firepower Threat Defense device to send syslog events to JSA. For more information, see Configuring Cisco Firepower Threat Defense to Communicate with JSA.
  3. If JSA does not automatically detect the log source, add a Cisco Firepower Threat Defense log source on the JSA Console.

Cisco Firepower Threat Defense DSM Specifications

When you configure the Cisco Firepower Threat Defense DSM, understanding its specifications can help ensure a successful integration. For example, knowing which version of Cisco Firepower Threat Defense is supported before you begin can help reduce frustration during the configuration process.

The following table describes the specifications for the Cisco Firepower Threat Defense DSM.

Table 1: Cisco Firepower Threat Defense DSM Specifications

Specification                  Value
-----------------------------  --------------------------------------------------------------------
Manufacturer                   Cisco
DSM name                       Cisco Firepower Threat Defense
RPM file name                  DSM-Cisco Firepower Threat Defense-JSA_version-build_number.noarch.rpm
Supported versions             6.3
Protocol                       Syslog
Event format                   Syslog; comma-separated values (CSV); name-value pair (NVP)
Recorded event types           Intrusion; Connection
Automatically discovered?      Yes
Includes identity?             Yes
Includes custom properties?    No
More information               Firepower Management Center Configuration Guide

Configuring Cisco Firepower Threat Defense to Communicate with JSA

To send intrusion or connection events to JSA by using the syslog protocol, you need to enable external logging and configure basic settings on your Cisco Firepower appliance.

  1. Log in to your Cisco Firepower appliance.
  2. Enable external logging.
  3. Enable Logging Destinations.
  4. Deploy changes.

Sample Event Messages

Use this sample event message to verify a successful integration with JSA.

Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.

Cisco Firepower Threat Defense sample message when you use the Syslog protocol

The following sample shows an intrusion event that has a Generator ID (GID) and a Snort ID (SID).

Aug 14 08:59:30 192.168.0.7 SFIMS : %FTD-5-430001: Protocol: tcp, SrcIP: 10.1.1.57, DstIP: 10.5.12.209, SrcPort: 2049, DstPort: 746, Priority: 1, GID: 1, SID: 648, Revision: 18, Message: "INDICATOR-SHELLCODE x86 NOOP", Classification: Executable Code was Detected, User: No Authentication Required, ACPolicy: test, NAPPolicy: Balanced Security and Connectivity, InlineResult: Blocked

Table 2: Highlighted fields

JSA field name       Highlighted payload field name
-------------------  ------------------------------------------------------------------------------
Event ID             As an intrusion event, a concatenation of the GID and SID is used.
Category             As an intrusion event, the category is set to Snort.
Device Time          If not provided in the DSM, Aug 14 08:59:30 is taken from the syslog header.
Source IP            SrcIP
Destination IP       DstIP
Source Port          SrcPort
Destination Port     DstPort
Protocol             Protocol
Severity             5 (the value in this field is converted and mapped to an appropriate JSA severity value)
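The following parser is an added example, not part of the JSA documentation or the DSM itself. It reads the FTD intrusion event shown above (with the extraction spacing removed), splits the syslog header from the name-value-pair body, and reproduces the field mapping in Table 2 so that an analyst can check what a log source should produce before events reach JSA. The colon between GID and SID in the derived event ID, and the `parse_ftd_event` name, are assumptions made here.

```python
import re

# Constructed sample: the page's own %FTD-5-430001 intrusion event, written
# as the appliance sends it (no spaces around the hyphens in the message ID).
SAMPLE = ('Aug 14 08:59:30 192.168.0.7 SFIMS : %FTD-5-430001: Protocol: tcp, '
          'SrcIP: 10.1.1.57, DstIP: 10.5.12.209, SrcPort: 2049, DstPort: 746, '
          'Priority: 1, GID: 1, SID: 648, Revision: 18, '
          'Message: "INDICATOR-SHELLCODE x86 NOOP", '
          'Classification: Executable Code was Detected, '
          'User: No Authentication Required, ACPolicy: test, '
          'NAPPolicy: Balanced Security and Connectivity, InlineResult: Blocked')

# Syslog header: timestamp, reporting host, an application tag, then the
# %FTD-<severity>-<message id> marker that precedes the NVP body.
HEADER = re.compile(
    r'^(?P<time>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+ : '
    r'%FTD-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$')

# NVP body is "Key: value, Key: value". Values may contain spaces
# ("Executable Code was Detected"), keys never do, so a value only ends
# where ", Key: " follows or the line ends.
PAIR = re.compile(r'(\w+): (.*?)(?=, \w+: |$)')


def parse_ftd_event(line):
    """Return the header fields, the NVP fields and the JSA-style mapping."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError('not an FTD syslog message')
    fields = {k: v.strip('"') for k, v in PAIR.findall(m.group('body'))}
    event = {
        'device_time': m.group('time'),      # taken from the syslog header
        'device': m.group('host'),
        'syslog_severity': int(m.group('sev')),  # JSA maps this to its own scale
        'message_id': m.group('msgid'),
        'fields': fields,
    }
    # Table 2: for intrusion events (430001) the event ID is the GID and SID
    # concatenated (separator assumed to be ':') and the category is Snort.
    if m.group('msgid') == '430001' and 'GID' in fields and 'SID' in fields:
        event['event_id'] = f"{fields['GID']}:{fields['SID']}"
        event['category'] = 'Snort'
    return event


if __name__ == '__main__':
    for key, value in parse_ftd_event(SAMPLE).items():
        print(f'{key}: {value}')
```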