Security Analytics and Logging (SAL) is a central log management and advanced threat detection service which delivers scalable Cisco firewall logging and correlated analytics. Central logging helps in providing visibility, helps troubleshoot network access issues including disruptions, and enables device and overall network health monitoring. Analytics provide detection against advanced threats.

The SAL service is available in the following two methods:

• Security Analytics and Logging (SaaS)—A hosted software as a service (SaaS) which stores events and provides data for security analytics using Secure Cloud Analytics (formerly Stealthwatch Cloud). This service connects the Security Analytics and Logging cloud data store to the firewall cloud manager, Cisco Security Cloud Control (Security Cloud Control).

  In this documentation, this method is also referred to as SAL (SaaS).

• Security Analytics and Logging (On Premises)—A service that runs on the Secure Network Analytics (formerly Stealthwatch) appliances to store event logs at the customer's own premises. This service connects the Security Analytics and Logging (On Premises) data to the on-premises manager, Secure Firewall Management Center.

  In this documentation, this method is also referred to as SAL (OnPrem).

For more information about Security Analytics and Logging, see https://www.cisco.com/c/en/us/products/security/security-analytics-logging/index.html.

SAL integration shows similar options for storing event data externally to a management center and Security Cloud Control:

You can configure SAL (OnPrem) to store firewall event data for increased storage at a larger retention period. By deploying Secure Network Analytics appliances and integrating them with your firewall deployment, you can export your event data to a Secure Network Analytics appliance.

This provides you with the following capabilities:

• Store events on the Secure Network Analytics appliance.

• Specify this remote data source to view these events in the management center.

• Review event data from the Secure Network Analytics Manager (formerly Stealthwatch Management Console) Web App UI using the Event Viewer.

• Cross-launch from the management center UI to the Event Viewer to view additional context on the information from which you cross-launched.

Starting with Secure Firewall Threat Defense(formerly Firepower Threat Defense) version 7.2, you can choose to send fully qualified events that are generated by Security Cloud Control-managed threat defense devices to the management center. The management center receives and displays data analytics for these events. The management center receiving and displaying the event data is also referred to as an analytics-only management center. .

If your devices are enabled to send connection events to a Secure Network Analytics Manager using SAL (OnPrem), you can view and work with these remotely stored events in the management center event viewer and context explorer, and include them when generating reports. By deploying the Secure Network Analytics appliance and integrating it with the firewall deployment, you can export the event data to the Secure Network Analytics appliance. This allows you to view and manage the events in the management center UI. From the management center interface, you can also cross-launch to Secure Network Analytics Manager to view and manage the events data.

The management center can receive and display event analytics for the following Security Cloud Control-managed threat defense devices:

• New or existing threat defense devices onboarded to Security Cloud Control

  For information on onboarding a threat defense device to Security Cloud Control, see Prerequisites to Onboard a Device to Cloud-delivered Firewall Management Center.

  The workflow is as follows:

  1. Onboard a threat defense device to Security Cloud Control.

     Onboard the threat defense devices using the onboarding methods that are described in Prerequisites to Onboard a Device to Cloud-delivered Firewall Management Center. The onboarding process includes assigning policies and choosing the appropriate licenses.

  2. Register this threat defense device in the appropriate management center.

     For the management center to display events generated by a Security Cloud Control-managed threat defense device, you must register the threat defense device in the management center. To register this device in the management center, enable the device to be registered using the configure manager add {hostname | IPv4_address | IPv6_address}reg_key[nat_id] CLI, and then add the device to the management center using the Security Cloud Control Managed Device check box.

     Note	The registration key and the NAT ID must be unique from those used while onboarding the device to Security Cloud Control.

     For more information, see Add a Device to the Management Center and Complete the Threat Defense Initial Configuration Using the CLI in Firepower Management Center Device Configuration Guide.

  3. View events in the management center or cross-launch to a configured Secure Network Analytics Manager.

     To view and work with the events in the management center event viewer. If the Secure Network Analytics appliance is deployed and integrated with the firewall deployment, you can export the event data to the Secure Network Analytics appliance. This allows you to cross-launch from the management center UI to the Secure Network Analytics Manager to view and manage the events data.

     For more information, see Events and Assets and Event Analysis Using External Tools.

• Existing threat defense devices on the management center.

  You can change the management of the threat defense devices from management center to Security Cloud Control using the change threat defense manager functionality. The change threat defense manager functionality provides you to ability to change the management of threat defense devices from management center to Security Cloud Control. While changing the manager, you can choose to retain the events data generated by these threat defense devices on the management center. If you choose to retain the events data on the management center, a copy of the threat defense device in an analytics-only mode is retained on the management center.

  For more information, see Migrate Secure Firewall Threat Defense to Cloud.

  The workflow is as follows:

  1. Onboard the management center to Security Cloud Control

     To onboard the existing threat defense devices from management center to Security Cloud Control, you must onboard the appropriate management center to Security Cloud Control.

     For more information, see Onboard an FMC.

  2. Complete the change threat defense management process

     During the change threat defense management process, while changing the device manager, you can choose to retain events data generated by these threat defense devices on the management center.

     For more information, see Migrate Secure Firewall Threat Defense to Cloud.

  3. View events in the management center or cross-launch to configured Secure Network Analytics appliance.

     To view and work with the events in the management center event viewer. If the Secure Network Analytics appliance is deployed and integrated with the firewall deployment, you can export the event data to the Secure Network Analytics appliance. This allows you to cross-launch from the management center UI to the Secure Network Analytics Manager to view and manage the events data.

     For more information, see Events and Assets and Event Analysis Using External Tools.

You can configure Security Cloud Control to send events to the Secure Network Analytics appliance using one of the following deployment options:

• Secure Network Analytics Manager Only—Deploy a standalone manager to receive and store events. The threat defense devices send event data to the Network Analytics Manager. All event data is stored on the Network Analytics Manager. From the management center user interface, you can cross-launch the manager to view more information about the stored events.

• Secure Network Analytics Data Store—Deploy a Cisco Secure Network Analytics Flow Collector to receive events, a Cisco Secure Network Analytics Data Store (containing 3 Cisco Secure Network Analytics Data Nodes) to store events, and a manager . The threat defense devices send event data to the flow collector from where the events are sent to the Data Store for storage. From the management center user interface, you can cross-launch the manager to view more information about the stores events.

  Starting with threat defense version 7.2, you can choose to associate different flow collectors to different devices.

SAL (SaaS) allows you to capture connection, intrusion, file, malware, and Security Intelligence events from all of your threat defense devices and view them in one place in Security Cloud Control. The events are stored in the Cisco cloud and are viewable from the Event Logging page in Security Cloud Control, where you can filter and review them to gain a clear understanding of what security rules are triggering in your network.

With additional licensing, after you capture these events, you can cross-launch from Security Cloud Control to the Secure Cloud Analytics portal provisioned for you. Secure Cloud Analytics is a software as a service (SaaS) solution that tracks the state of your network by performing a behavioral analysis on events and network flow data. By gathering information about your network traffic from sources including firewall events and network flow data, it creates observations about the traffic and automatically identifies roles for network entities based on their traffic patterns. Using this information combined with other sources of threat intelligence, such as Talos, Secure Cloud Analytics generates alerts, which constitute a warning that there is behavior that may be malicious in nature. Along with the alerts, Secure Cloud Analytics provides network and host visibility, and contextual information it has gathered to provide you with a better basis to research the alert and locate sources of malicious behavior.