About the Secure Firewall App for Splunk
Important: The Secure Firewall App for Splunk (https://splunkbase.splunk.com/app/4388/) reached end-of-life on July 15, 2024. Limited support will be provided for this application. Use the latest Cisco Security Cloud app (https://splunkbase.splunk.com/app/7404) to connect your Cisco devices with Splunk. For more information about the Cisco Security Cloud app, see the Cisco Security Cloud App for Splunk User Guide.
This is the documentation for the Secure Firewall app for Splunk (formerly Firepower App for Splunk), available from Splunkbase at https://splunkbase.splunk.com/app/4388/.
Discover and investigate threats using threat and traffic data from the Secure Firewall Management Center. Splunk can store far more data than the management center can, so you have greater visibility into activity on your network.
This app is a successor to the Cisco Firepower eNcore App for Splunk (https://splunkbase.splunk.com/app/3663/). You can run both apps in parallel if you choose to do so.
Set Up the Secure Firewall App for Splunk
Requirements and Limitations
- The Secure Firewall App for Splunk presents security and network event information sent to Splunk from the management center running version 6.0 or later. Available functionality is affected by your management center version.
- For supported Splunk versions and other compatibility information, see https://splunkbase.splunk.com/app/4388/.
- Before you can use this app, ensure that your management center event data is available in Splunk.
  To bring your management center data into Splunk, use the Cisco Secure eStreamer Client Add-On for Splunk (formerly the Cisco eStreamer eNcore Add-on for Splunk). This technical add-on (TA) is available from https://splunkbase.splunk.com/app/3662/.
  Documentation for this TA is available from https://www.cisco.com/c/en/us/support/security/defense-center/products-programming-reference-guides-list.html.
- For information about the types of event data available for analysis in the Splunk app, see https://splunkbase.splunk.com/app/3662/.
Install the Secure Firewall App for Splunk
Before you begin
Meet the requirements and prerequisites in Requirements and Limitations.
Procedure
Step 1
Step 2: Log into Splunk as an Admin.
Step 3: Download the app.
Step 4: Select Apps > Manage Apps.
Step 5: Click Install App from File.
Step 6: Navigate to the app Cisco Secure Firewall app for Splunk.
Step 7: Click Upgrade app. This performs a fresh install if no version of this app is currently installed, or overwrites any previous version.
Step 8: Restart Splunk as instructed.
Best Practices
Configure network settings (specifically, identify your home network) so you can easily identify attacks that originate inside your network.
Configure the Secure Firewall App for Splunk
At a minimum, you should specify the IP addresses that define your internal and external networks so you can easily see the threats that originate within your network.
Procedure
Step 1: Access the standard Splunk location to configure settings for an app:
Step 2: Specify the IP addresses and ranges on your internal network, so you can determine exploit direction:
Step 3: Enable the ability to right-click applicable data to quickly pivot to view the data in the management center. For example, host profile information is available only on the management center.
Step 4: Click Save.
Use the Secure Firewall App for Splunk
Suggested Investigations
- Confirm that your system is blocking threats that the system has identified:
  - On the page, filter for threats not blocked, regardless of direction.
  - On the page, filter for Impact 1 threats not blocked.
- Look for compromised internal hosts:
  Attacks initiated by internal hosts always indicate compromise.
  - On the page, filter for Impact 3 threats whether or not they were blocked, then click the relevant internal hosts option in the pie chart below the timeline. Investigate the internal IP addresses in the table at the bottom of the page.
  - Then do the same for Impact 2 events.
  - On the page, filter for Direction originating with internal hosts, whether blocked or not, and investigate the internal hosts involved, regardless of whether the threats were blocked.
- Identify hosts affected by malware that entered your network before it was known to be a threat:
  Identify affected hosts using the retrospective malware events graph on the page.
- Look for anomalies on your network, such as unapproved applications or nonstandard ports in use:
  - Check the graphs on the Network page.
  - Look for activity on uncommon ports, as highlighted on the "Top Server Applications In Use with Least Seen TCP Ports" graph on the Network page.
- Review the data for outliers – activity or parameters that are unexpectedly frequently or infrequently seen.
- Investigate any unexpected hosts on your network:
  Level 0 intrusion events without associated host discovery on the network could indicate the presence of a ghost network.
  (Level 0 intrusion events could also indicate that your network discovery policy is not properly implemented.)
- Look for spikes or trends in high-priority attacks over time or against key hosts (for example, servers):
  These are easiest to see in the timeline graphs on each page under the Threats menu.
  Select various time ranges to see what stands out.
- Eliminate large chunks of insignificant data so the important data stands out.
- Look carefully at unique events, which may indicate highly targeted attacks.
- Drill down on interesting items.
  As you find patterns, hosts, users, applications, ports, and more that raise flags, drill down and filter to see what other transactions involve the relevant entities. Also right-click items to see if additional information is available.
- As you explore, look for any other behavior that could be suspicious. For example:
  - A single URL is unexpectedly associated with multiple IP addresses and MAC addresses over time.
  - A host has unexpectedly connected to 30 different endpoints in the past hour using SSH.
- Look for events and data associated with a particular IP address:
  Use the page.
  Note: If your filter includes many IP addresses, the app may become very slow, depending on how you have your data set up.

See also Intrusion Event Impact Levels.
Widget descriptions:
Most of the widgets in this app are the same as their equivalents in the management center. For information about these widgets, see the Cisco Secure Firewall Management Center Configuration Guide for your version at https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-and-configuration-guides-list.html.
Intrusion Event Impact Levels
| Impact Level | Description and Suggested Actions |
|---|---|
| 0 | Unexpected Hosts on the Network. Neither the source nor the destination host IP address is within the network as defined in the discovery policy in the management center. If your discovery policy is correctly configured, Impact 0 events may indicate unauthorized devices on the network (a ghost network). Click this impact level and look at the table at the bottom of the page to determine which sensor is seeing this traffic, then engage your network team to locate and isolate these devices. |
| 1 | High Priority Intrusion Events. The targeted host is vulnerable to the exploit. These events can be OS, server, or client vulnerabilities, or indications of compromise as defined by Cisco Talos. To see a breakdown of these events by type, see the “Impact 1 – High Priority Events” widget below, or look at the table at the bottom of the page for a list of at-risk hosts. |
| 2 | Possibly Compromised Hosts. If the exploit originates inside your network, this indicates a compromised host and you should investigate the source IP address. No known vulnerability of the destination host to the exploit has been identified; however, regardless of the source IP, verify that the destination host has not been compromised. |
| 3 | Probably Compromised Hosts. Impact 3 events generally occur only when an internal host is the source of an exploit. An internally sourced event always indicates a compromised host. Click the relevant widget below to display internally sourced events in the table at the bottom of the page, then investigate the source IP addresses in that table. |
| 4 | Hosts Not Fully Integrated into the Network. The host is within the expected range of IP addresses as configured in a discovery policy in the management center, but has no host profile. The host may be new to your network, for example as part of an acquisition or network buildout that has not yet been properly configured. |
Troubleshooting
Review Existing Instructions
Verify that you have met requirements and prerequisites described in Set Up the Secure Firewall App for Splunk.
Getting Support
This app is provided as-is, with no warranty, and is community-supported. Try the following:
- Cisco communities, for example:
- Splunk community: Splunk Answers
- Report bugs and request features: fp-4-splunk@cisco.com
Related Documentation
For more information (not specific to this integration), see the management center documentation:
- The online help in the management center (under the Help menu near the top right corner of the browser window).
- The Cisco Secure Firewall Management Center Configuration Guide for your version:
- Other management center resources: