Cisco Firepower Threat Defense

The JSA DSM for Cisco Firepower Threat Defense (FTD) collects syslog events from a Cisco Firepower Threat Defense appliance. The syslog events that are collected by the Cisco Firepower Threat Defense DSM were previously collected by the Cisco Firepower Management Center DSM.

JSA collects the following event types from Cisco Firepower Threat Defense appliances:

  • Device health and network-related logs from FTD devices

  • Connection, security intelligence, and intrusion logs from FTD devices

  • Logs for file and malware events.

To integrate Cisco Firepower Threat Defense with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent versions of the following RPMs on your JSA Console:

    • DSM Common RPM

    • Cisco Firepower Threat Defense DSM RPM

    • Cisco Firewall Devices DSM RPM

  2. Configure your Cisco Firepower Threat Defense device to send syslog events to JSA. For more information, see Configuring Cisco Firepower Threat Defense to Communicate with JSA.

  3. If JSA does not automatically detect the log source, add a Cisco Firepower Threat Defense log source on the JSA Console.

Cisco Firepower Threat Defense DSM Specifications

Before you configure Cisco Firepower Threat Defense, review the specifications for the Cisco Firepower Threat Defense DSM so that the integration succeeds. For example, confirming that your appliance runs a supported version of Cisco Firepower Threat Defense before you begin avoids wasted effort during configuration.

The following table describes the specifications for the Cisco Firepower Threat Defense DSM.

Table 1: Cisco Firepower Threat Defense DSM Specifications

  Specification                 Value
  ---------------------------   -------------------------------------------------------------------
  Manufacturer                  Cisco
  DSM name                      Cisco Firepower Threat Defense
  RPM file name                 DSM-Cisco Firepower Threat Defense-JSA_version-build_number.noarch.rpm
  Supported versions            6.3
  Protocol                      Syslog
  Event format                  Syslog; comma-separated values (CSV); name-value pair (NVP)
  Recorded event types          Intrusion; Connection
  Automatically discovered?     Yes
  Includes identity?            Yes
  Includes custom properties?   No
  More information              Firepower Management Center Configuration Guide

Configuring Cisco Firepower Threat Defense to Communicate with JSA

To send intrusion or connection events to JSA by using the syslog protocol, you need to enable external logging and configure basic settings on your Cisco Firepower appliance.

  1. Log in to your Cisco Firewall appliance.

  2. Enable external logging.

  3. Enable Logging Destinations.

  4. Deploy changes.

Configuring JSA to use Previous Connection Event Processing for Cisco Firepower Threat Defense

If you want to change the way that JSA parses connection events and enable the earlier behavior, which does not add action results, use the DSM Editor to enable previous connection event processing.

By default, Cisco Firepower Threat Defense connection events are extended with firewall action results ALLOW or BLOCK.

  1. On the Admin tab, in the Data Sources section, click DSM Editor.

  2. From the Select Log Source Type window, select Cisco Firepower Threat Defense from the list, and then click Select.

  3. Click the Configuration tab, and then set Display DSM Parameters Configuration to on.

  4. Set Use Previous Connection Event Processing to on.

  5. Click Save.

Configuring JSA 7.3.0 to use previous connection processing for Cisco Firepower Threat Defense

If you want to change the way that JSA 7.3.0 parses connection events and enable the earlier behavior, which does not add action results, use the command line.

By default, Cisco Firepower Threat Defense connection events are extended with firewall action results ALLOW or BLOCK.

  1. Using SSH, log in to your JSA Console as the root user.

  2. To create a new properties file or to edit an existing properties file, type the following command:

    vi /opt/qradar/conf/CiscoFirepowerThreatDefense.properties

  3. To enable processing, add the following line in the text file:

    usePreviousConnectionEventProcessing=true

  4. To disable processing, add the following line in the text file:

    usePreviousConnectionEventProcessing=false

  5. Save your changes and then exit the terminal.

  6. Restart the event collection service. For more information, see Restarting the event collection service.

Cisco Firepower Threat Defense Sample Event Messages

Use this sample event message to verify a successful integration with JSA.

Because of formatting, paste the sample message into a text editor and remove any carriage-return or line-feed characters before you use it.

Cisco Firepower Threat Defense sample message when you use the Syslog protocol

The following sample shows an intrusion event that has a Generator ID (GID) and Snort IDs (SID).

Aug 14 08:59:30 192.168.0.7 SFIMS : %FTD-5-430001: Protocol: tcp, SrcIP: 10.1.1.57, DstIP: 10.5.12.209, SrcPort: 2049, DstPort: 746, Priority: 1, GID: 1, SID: 648, Revision: 18, Message: "INDICATOR-SHELLCODE x86 NOOP", Classification: Executable Code was Detected, User: No Authentication Required, ACPolicy: test, NAPPolicy: Balanced Security and Connectivity, InlineResult: Blocked

Table 2: Highlighted fields

  JSA field name      Highlighted payload field name
  ----------------    ----------------------------------------------------------------------------
  Event ID            As an intrusion event, a concatenation of the GID and SID is used.
  Category            As an intrusion event, the category is set to Snort.
  Device Time         If not provided in the DSM, Aug 14 08:59:30 is taken from the syslog header.
  Source IP           SrcIP
  Destination IP      DstIP
  Source Port         SrcPort
  Destination Port    DstPort
  Protocol            Protocol
  Severity            5 (the value in this field is converted and mapped to an appropriate JSA severity value)
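The field mapping in Table 2, worked through in code: an added Python example, not part of JSA or of this page, that parses the sample intrusion event above into the JSA fields listed. It also tolerates a copy of the message whose `%FTD-5-430001:` tag was broken up by formatting. The `GID:SID` separator and the syslog-to-JSA severity table are assumptions; the page states only that the values are concatenated and mapped.

```python
import re

# Constructed input: the page's sample intrusion event with line breaks removed.
SAMPLE = (
    "Aug 14 08:59:30 192.168.0.7 SFIMS : %FTD-5-430001: Protocol: tcp, SrcIP: 10.1.1.57, "
    "DstIP: 10.5.12.209, SrcPort: 2049, DstPort: 746, Priority: 1, GID: 1, SID: 648, "
    'Revision: 18, Message: "INDICATOR-SHELLCODE x86 NOOP", Classification: Executable Code '
    "was Detected, User: No Authentication Required, ACPolicy: test, NAPPolicy: Balanced "
    "Security and Connectivity, InlineResult: Blocked"
)

# BSD syslog header as in the sample (timestamp, host, "SFIMS :"), then the
# %FTD-<severity>-<message id>: tag. Stray spaces inside the tag are tolerated so a
# copy damaged by formatting (e.g. "% FTD - 5 - 430001 :") still parses.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) SFIMS *: *"
    r"%\s*FTD\s*-\s*(?P<sev>\d)\s*-\s*(?P<msgid>\d+)\s*:\s*(?P<body>.*)$"
)

# Assumed syslog severity (0-7) to JSA severity (1-10) table; the page only says the
# value is "converted and mapped", so this is illustrative, not JSA's own mapping.
SYSLOG_TO_JSA_SEVERITY = {0: 10, 1: 9, 2: 8, 3: 7, 4: 5, 5: 3, 6: 2, 7: 1}


def parse_nvp(body):
    """Split the 'Key: value, Key: value' body; a quoted Message may contain commas."""
    pairs = re.findall(r'(\w+):\s*("[^"]*"|[^,]*)', body)
    return {key: value.strip().strip('"') for key, value in pairs}


def to_jsa_event(line):
    """Map one FTD intrusion syslog line onto the JSA fields listed in Table 2."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a Cisco FTD syslog message")
    f = parse_nvp(m.group("body"))
    return {
        "event_id": f"{f['GID']}:{f['SID']}",  # GID and SID concatenated; ':' is assumed
        "category": "Snort",                   # fixed for intrusion events
        "device_time": m.group("ts"),          # taken from the syslog header
        "source_ip": f["SrcIP"],
        "destination_ip": f["DstIP"],
        "source_port": int(f["SrcPort"]),
        "destination_port": int(f["DstPort"]),
        "protocol": f["Protocol"].lower(),
        "severity": SYSLOG_TO_JSA_SEVERITY[int(m.group("sev"))],
        "message": f.get("Message", ""),
        "inline_result": f.get("InlineResult", ""),
    }
```

Feeding the sample through `to_jsa_event` is a quick way to confirm that a collected event carries the GID, SID and 5-tuple you expect before you look for it in JSA.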