Cisco Security Analytics and Logging

About Security Analytics and Logging

Security Analytics and Logging (SAL) is a central log management and advanced threat detection service which delivers scalable Cisco firewall logging and correlated analytics. Central logging helps in providing visibility, helps troubleshoot network access issues including disruptions, and enables device and overall network health monitoring. Analytics provide detection against advanced threats.

The SAL service is available in the following two methods:

  • Security Analytics and Logging (SaaS)—A hosted software as a service (SaaS) which stores events and provides data for security analytics using Secure Cloud Analytics (formerly Stealthwatch Cloud). This service connects the Security Analytics and Logging cloud data store to the firewall cloud manager, Cisco Security Cloud Control (Security Cloud Control).

    In this documentation, this method is also referred to as SAL (SaaS).

  • Security Analytics and Logging (On Premises)—A service that runs on the Secure Network Analytics (formerly Stealthwatch) appliances to store event logs at the customer's own premises. This service connects the Security Analytics and Logging (On Premises) data to the on-premises manager, Secure Firewall Management Center.

    In this documentation, this method is also referred to as SAL (OnPrem).

For more information about Security Analytics and Logging, see https://www.cisco.com/c/en/us/products/security/security-analytics-logging/index.html.

Comparison of SAL Remote Event Storage and Monitoring Options

SAL integration shows similar options for storing event data externally to a management center and Security Cloud Control:

SAL (OnPrem)

SAL (SaaS)

Why choose this solution?

You want to increase your on-premises firewall event data storage capacity, retain this data for a longer period, and export your event data to the Secure Network Analytics appliance.

You want to send firewall events for storage and optionally make your firewall event data available for security analytics using Secure Cloud Analytics.

Licensing

Purchase license and set-up the storage system behind your firewall.

For more information, see Licensing for SAL (OnPrem)

Purchase license and a data storage plan and send your data to the Cisco cloud.

For more information, see Licensing for SAL (SaaS)

Supported event types

  • Connection

  • File and Malware

  • Intrusion

  • LINA

  • Security Intelligence

  • Connection

  • File and Malware

  • Intrusion

  • Security Intelligence

Supported methods to send events

Supports both, syslog and direct integration.

Supports both, syslog and direct integration.

Event viewing

  • View events on the Secure Network Analytics Manager.

  • Cross-launch from the management center event viewer to view events on the Secure Network Analytics Manager.

  • View remotely stored connection and security intelligence events in the management center.

View events in Security Cloud Control or Secure Network Analytics Manager, depending on your license. Cross-launch from the management center event viewer.

About SAL (OnPrem)

You can configure SAL (OnPrem) to store firewall event data for increased storage at a larger retention period. By deploying Secure Network Analytics appliances and integrating them with your firewall deployment, you can export your event data to a Secure Network Analytics appliance.

This provides you with the following capabilities:

  • Store events on the Secure Network Analytics appliance.

  • Specify this remote data source to view these events in the management center.

  • Review event data from the Secure Network Analytics Manager (formerly Stealthwatch Management Console) Web App UI using the Event Viewer.

  • Cross-launch from the management center UI to the Event Viewer to view additional context on the information from which you cross-launched.

Licensing for SAL (OnPrem)

You must obtain the Logging and Troubleshooting smart license to use SAL (OnPrem). You can obtain the license based on the amount of data you anticipate while sending the syslog data from your firewall deployment to your Secure Network Analytics appliance on a daily basis.

For information on licensing the Secure Network Analytics appliances, see Secure Network Analytics Smart Software Licensing Guide.

For information on the available SAL (OnPrem) licensing options, see the Cisco Security Analytics and Logging Ordering Guide.


Note


For license calculation purposes, the amount of data is reported to the nearest whole GB. For example, If you send 4.9 GB in a day, it is reported as 4 GB.


Manage SAL (OnPrem) for Security Cloud Control-Managed Threat Defense Devices

Starting with Secure Firewall Threat Defense(formerly Firepower Threat Defense) version 7.2, you can choose to send fully qualified events that are generated by Security Cloud Control-managed threat defense devices to the management center. The management center receives and displays data analytics for these events. The management center receiving and displaying the event data is also referred to as an analytics-only management center. .

If your devices are enabled to send connection events to a Secure Network Analytics Manager using SAL (OnPrem), you can view and work with these remotely stored events in the management center event viewer and context explorer, and include them when generating reports. By deploying the Secure Network Analytics appliance and integrating it with the firewall deployment, you can export the event data to the Secure Network Analytics appliance. This allows you to view and manage the events in the management center UI. From the management center interface, you can also cross-launch to Secure Network Analytics Manager to view and manage the events data.

The management center can receive and display event analytics for the following Security Cloud Control-managed threat defense devices:

  • New or existing threat defense devices onboarded to Security Cloud Control

    For information on onboarding a threat defense device to Security Cloud Control, see Prerequisites to Onboard a Device to Cloud-delivered Firewall Management Center.

    The workflow is as follows:

    1. Onboard a threat defense device to Security Cloud Control.

      Onboard the threat defense devices using the onboarding methods that are described in Prerequisites to Onboard a Device to Cloud-delivered Firewall Management Center. The onboarding process includes assigning policies and choosing the appropriate licenses.

    2. Register this threat defense device in the appropriate management center.

      For the management center to display events generated by a Security Cloud Control-managed threat defense device, you must register the threat defense device in the management center. To register this device in the management center, enable the device to be registered using the configure manager add {hostname | IPv4_address | IPv6_address}reg_key[nat_id] CLI, and then add the device to the management center using the Security Cloud Control Managed Device check box.


      Note


      The registration key and the NAT ID must be unique from those used while onboarding the device to Security Cloud Control.


      For more information, see Add a Device to the Management Center and Complete the Threat Defense Initial Configuration Using the CLI in Firepower Management Center Device Configuration Guide.

    3. View events in the management center or cross-launch to a configured Secure Network Analytics Manager.

      To view and work with the events in the management center event viewer. If the Secure Network Analytics appliance is deployed and integrated with the firewall deployment, you can export the event data to the Secure Network Analytics appliance. This allows you to cross-launch from the management center UI to the Secure Network Analytics Manager to view and manage the events data.

      For more information, see Events and Assets and Event Analysis Using External Tools.

  • Existing threat defense devices on the management center.

    You can change the management of the threat defense devices from management center to Security Cloud Control using the change threat defense manager functionality. The change threat defense manager functionality provides you to ability to change the management of threat defense devices from management center to Security Cloud Control. While changing the manager, you can choose to retain the events data generated by these threat defense devices on the management center. If you choose to retain the events data on the management center, a copy of the threat defense device in an analytics-only mode is retained on the management center.

    For more information, see Migrate Secure Firewall Threat Defense to Cloud.

    The workflow is as follows:

    1. Onboard the management center to Security Cloud Control

      To onboard the existing threat defense devices from management center to Security Cloud Control, you must onboard the appropriate management center to Security Cloud Control.

      For more information, see Onboard an FMC.

    2. Complete the change threat defense management process

      During the change threat defense management process, while changing the device manager, you can choose to retain events data generated by these threat defense devices on the management center.

      For more information, see Migrate Secure Firewall Threat Defense to Cloud.

    3. View events in the management center or cross-launch to configured Secure Network Analytics appliance.

      To view and work with the events in the management center event viewer. If the Secure Network Analytics appliance is deployed and integrated with the firewall deployment, you can export the event data to the Secure Network Analytics appliance. This allows you to cross-launch from the management center UI to the Secure Network Analytics Manager to view and manage the events data.

      For more information, see Events and Assets and Event Analysis Using External Tools.

Configure SAL (OnPrem) Integration

You can configure Security Cloud Control to send events to the Secure Network Analytics appliance using one of the following deployment options:

  • Secure Network Analytics Manager Only—Deploy a standalone manager to receive and store events. The threat defense devices send event data to the Network Analytics Manager. All event data is stored on the Network Analytics Manager. From the management center user interface, you can cross-launch the manager to view more information about the stored events.

  • Secure Network Analytics Data Store—Deploy a Cisco Secure Network Analytics Flow Collector to receive events, a Cisco Secure Network Analytics Data Store (containing 3 Cisco Secure Network Analytics Data Nodes) to store events, and a manager . The threat defense devices send event data to the flow collector from where the events are sent to the Data Store for storage. From the management center user interface, you can cross-launch the manager to view more information about the stores events.

    Starting with threat defense version 7.2, you can choose to associate different flow collectors to different devices.

Configure a Secure Network Analytics Manager

Configure the Secure Network Analytics Manager deployment to integrate SAL (OnPrem) with Security Cloud Control-managed threat defense devices.

Before you begin

Ensure the following:

  • You have a provisioned Security Cloud Control tenant and have the following Security Cloud Control user roles:

    • Admin

    • Super admin

  • Your threat defense devices are working as expected and are generating events.

  • If you are currently using syslog to send events to the Secure Network Analytics Manager from device versions that support sending events directly, disable syslog for those devices (or assign those devices an access control policy that does not include syslog configurations) to avoid duplicating events on the remote volume.

  • You have the hostname or the IP address of your Secure Network Analytics Manager.


Note


You may be logged out of the Secure Network Analytics Manager during the registration process; complete any work in progress before you start with the deployment wizard.


Procedure


Step 1

Log in to Security Cloud Control.

Step 2

From the Security Cloud Control menu, navigate Administration > Firewall Management Center to open the Services page.

Step 3

Select Cloud-Delivered FMC and then click Configuration.

Step 4

Navigate to Integration > Security Analytics & Logging.

Step 5

In the Secure Network Analytics Manager Only widget, click Start.

Step 6

Enter the hostname or the IP address and port number of the Secure Network Analytics Manager and click Next.

Step 7

Deploy the changes to the managed devices.

The event data is not logged to the SAL (OnPrem) until the logging policy changes are deployed to the registered threat defense devices.

Note

 

If you must change any of these configurations, run the wizard again. If you disable the configuration or run he wizard again, all settings except the account credentials are retained.

You can view and work with these remotely stored events in the event viewer and context explorer in the management center, and include them when generating reports. You can also cross-launch from an event in the management center to view related data on your Secure Network Analyticss appliance.

For more information, see the online help for the management center.

Step 8

Click OK.


Configure a Secure Network Analytics Data Store

Configure a Secure Network Analytics data store deployment to integrate SAL (OnPrem) with threat defense devices that are Security Cloud Control-managed.

Before you begin

Ensure the following:

  • You have a provisioned Security Cloud Control tenant and have the following Security Cloud Control user roles:

    • Admin

    • Super admin

  • Your threat defense devices are working as expected and generating events.

  • If you are currently using syslog to send events to the Secure Network Analytics appliance from device versions that support sending events directly, disable syslog for those devices (or assign those devices an access control policy that does not include syslog configurations) to avoid duplicate events on the remote volume.

  • Gather the following information:

    • The hostname or the IP address of your Secure Network Analytics Manager.

    • The IP address of your flow collector.


Note


You may be logged out of the Secure Network Analytics Manager during the registration process; complete any work in progress before you start with the deployment wizard.


Procedure


Step 1

Log in to Security Cloud Control.

Step 2

From the Security Cloud Control menu, navigate Administration > Firewall Management Center to open the Services page.

Step 3

Choose Cloud-Delivered FMC and click Configuration.

Step 4

Navigate to Integration > Security Analytics & Logging.

Step 5

In the Secure Network Analytics Data Store widget, click Start.

Step 6

Enter the hostname or the IP address and port number of the flow collector.

To add more flow collectors, click +Add another Flow Collector.

Step 7

If you have configured more than one flow collector, associate the managed devices with different flow collectors:

Note

 

By default, all the managed devices are assigned to the default flow collector.

  1. Click Assign Devices.

  2. Select the managed devices that you want to assign.

  3. From the reassign device drop-down list, choose the flow collector.

    If you do not want a managed device to send event data to any of the flow collectors, select that device, and choose Do not log to flow collector from the reassign device drop-down list.

    You can change the default flow collector by hovering over the intended flow collector and clicking Set default.

  4. Click Apply Changes.

  5. Click Next.

Step 8

Click Next.

Step 9

Deploy the changes to the registered managed devices.

The event data is not logged to the SAL (OnPrem) until the logging policy changes are deployed to the registered threat defense devices.

Note

 

If you must change any of these configurations, run the wizard again. If you disable the configuration or run he wizard again, all settings except the account credentials are retained.

You can view and work with these remotely stored events in the event viewer and context explorer in the management center, and include them when generating reports. You can also cross-launch from an event in the management center to view related data on your Secure Network Analytics Manager.

For more information, see the online help for the management center.


About SAL (SaaS)

SAL (SaaS) allows you to capture connection, intrusion, file, malware, and Security Intelligence events from all of your threat defense devices and view them in one place in Security Cloud Control. The events are stored in the Cisco cloud and are viewable from the Event Logging page in Security Cloud Control, where you can filter and review them to gain a clear understanding of what security rules are triggering in your network.

With additional licensing, after you capture these events, you can cross-launch from Security Cloud Control to the Secure Cloud Analytics portal provisioned for you. Secure Cloud Analytics is a software as a service (SaaS) solution that tracks the state of your network by performing a behavioral analysis on events and network flow data. By gathering information about your network traffic from sources including firewall events and network flow data, it creates observations about the traffic and automatically identifies roles for network entities based on their traffic patterns. Using this information combined with other sources of threat intelligence, such as Talos, Secure Cloud Analytics generates alerts, which constitute a warning that there is behavior that may be malicious in nature. Along with the alerts, Secure Cloud Analytics provides network and host visibility, and contextual information it has gathered to provide you with a better basis to research the alert and locate sources of malicious behavior.

Licensing for SAL (SaaS)

The SAL (SaaS) licenses allows you to use a Security Cloud Control tenant to view firewall logs and a Cisco Secure Cloud Analytics instance for analytics, without holding separate licenses for either of these products.

For details on the available SAL (SaaS) licensing options, see the Cisco Security Analytics and Logging Ordering Guide.