Cisco Cloud Event Settings
Sending firewall events to the cloud allows you to use external tools to investigate firewall incidents. The devices send firewall events to the Security Services Exchange (SSE), from where they can be forwarded to various cloud services to unify visibility and enhance your threat investigations.
To allow your devices to send firewall events to Cisco Security Cloud, you must either register the management center with the smart license (System () ) or enable Cisco Security Cloud integration. Cisco Security Cloud integration associates the management center with your CDO account and brings your secure firewall deployment onboard to the Cisco cloud tenancy, allowing it to connect to Cisco's integrated security cloud services.
For more information about integrating the management center with Cisco Security Cloud, see Enable Cisco Security Cloud.
Configure the Management Center to Send Events to the Cisco Security Cloud
Configure your management center to have the managed threat defense devices send events directly to Cisco Security Cloud. The cloud region and event types that you configure on this page can be used for multiple integrations when applicable and enabled.
Before you begin
- Determine the Cisco regional cloud that you want to use for sending firewall events. While choosing a regional cloud, keep in mind that:
  - The regional cloud you select is also used for the Cisco Support Diagnostics and Cisco Support Network capabilities. This setting also governs the cloud region for the Secure Network Analytics cloud using Security Analytics and Logging (SaaS).
  - You cannot merge or aggregate data in different regional clouds. To aggregate data from multiple regions, devices in all the regions must send data to the same regional cloud.
Table 1. Cisco Regional Clouds

Region | Link to Cloud
North America |
Europe |
Asia (APJC) |
Australia |
India |
- Ensure that you register the management center with the Smart License (System () ) or enable Cisco Security Cloud integration to allow your devices to send firewall events to the Cisco cloud.
- In the management center:
  - Go to the System > Configuration page and give your management center a unique name to clearly identify it in the Devices list in the cloud.
  - Add your threat defense devices to the management center, assign licenses to them, and ensure that the system is working correctly. Ensure that you have created the necessary policies and that the generated events are displayed as expected in the management center UI under the Analysis menu.
- Ensure that you have your Cisco Security Cloud Sign On credentials and can sign in to the regional cloud in which your account was created.
- Ensure that you link your smart account or the CDO tenant to your SSE account.
- If you are currently sending events to the cloud using syslog, disable it to avoid duplication.
Procedure
Step 1 | In your management center, click .
Step 2 | Choose a regional cloud from the Current Region drop-down list.
Step 3 | Check the Send events to the cloud check box to enable the cloud event configuration.
Step 4 | Select the event types that you want to send to the cloud.
Step 5 | Click Save.
Enable Cisco XDR Automation
Enable this setting to allow the automated workflows created by Cisco Extended Detection and Response (Cisco XDR) users to interact with your management center resources.
Cisco XDR automation provides a no-to-low code approach for building automated workflows. You can design your own workflows with the drag-and-drop interface, and they can be set to run in response to different schedules and events. Cisco XDR automation helps you to rectify threats using automation and guided response recommendations across all relevant control points.
Note: Cisco XDR is a separately licensed product. It requires an additional subscription beyond the licenses for Cisco Secure Firewall products. For more information, see Cisco XDR Licenses.
For more information about the Cisco XDR automation capabilities, see the Cisco XDR documentation.
Before you begin
Enable Cisco Security Cloud and register your management center to the cloud. See Enable Cisco Security Cloud.
Procedure
Step 1 | Click .
Step 2 | Check the Enable Cisco XDR Automation check box.
Step 3 | Choose the management center user role that you want to assign to the Cisco XDR automation workflows. The Access Admin role is set as the default, allowing access to access control policy and associated functionality in the Policies menu.
Step 4 | Click Save.