Cisco Firepower Threat Defense (FTD) is a popular firewall solution that combines a firewall, intrusion prevention system, and malware protection into a single platform. This integration can be used for Managed Detection and Response (MDR); when added to the Security Data Lake, its logs are stored, searchable, and used as context in threat investigations.
Ingest Details
These ingest methods allow Red Canary to receive logs from your Cisco Firepower appliance either via syslog or email.
Via Syslog: Red Canary provides a managed syslog server. You will be provided the fully qualified hostname and port of the syslog server to which you will point your Cisco Firepower appliance. Authentication is handled via TLS.
Via Email: Red Canary also supports log ingestion via email. You can configure your appliance to send logs directly to a unique, Red Canary-managed email address.
By integrating your security logs with the Red Canary Security Data Lake, you can meet data retention requirements, export logs when needed for investigation or reporting, and ensure greater visibility into your security infrastructure for your team and Red Canary. To integrate Cisco Firepower with Red Canary, follow the procedure below for your chosen ingest method.
Prerequisites
Before you start the syslog integration, please make sure the following requirements are met:
You have an active Red Canary Security Data Lake license
You have appropriate admin permissions to make configuration changes in Cisco Firepower
1 Red Canary | Add the Integration
From your Red Canary homepage, go to the Integrations page, then click Add Integration.

On the Add integration dialog, search for Cisco Firepower, then click Configure.

Enter a name for your integration.

2 Red Canary | Choose How Red Canary Will Receive Data
Under Ingest Format / Method, select Cisco Firepower via Syslog (Recommended) or Cisco Firepower via Email.

Click the Next button.
3 Red Canary | Configure Red Canary to Retrieve Data
Click the Provision button.

This will save and activate your integration. If successful, you should get a “Collector provisioned successfully” notification.
Under Send data to Red Canary, there are URL and Port values to set up log forwarding in your external data source. Copy and save these values to use in a later step.

Check I’ve configured this integration to send data to Red Canary.

Under Configure transport encryption, leave the default selection No for now.

Click the Next button.
4 Red Canary | Customize How Data is Handled
For the Security Data Lake, this section is not applicable. Move on to the next step.
5 Red Canary | Customize How This Data is Retained
Check Store in the Security Data Lake.

Specify the desired data retention period in days and click Save.
6 Cisco Firepower | Configure Log Forwarding
Via Syslog Ingest Method
If you selected Via Syslog as the ingest method, navigate to Cisco Firepower and set up log forwarding using the URL and Port values noted in Step 3. For detailed instructions on how to set up syslog forwarding for FTD devices, refer to the Cisco documentation.
When configuring syslog message settings, make sure:
Enable timestamp on each syslog message is checked
The selected Timestamp Format is “RFC 5424 (yyyy-MM-ddTHH:mm:ssZ)”
Enable Syslog Device ID is checked and “Host Name” is selected under the type of ID
When configuring the syslog server settings:
Allow user traffic to pass when TCP syslog server is down (Recommended) is checked
The protocol for the syslog server is “TCP”
Enable Secure Syslog is checked
Under the Devices > Certificates page, the appropriate Certificate Authority (CA) root certificate is uploaded. If you did not configure a custom TLS certificate earlier, you will need to install the ISRG Root X1 certificate. You can download the ISRG Root X1 .pem certificate and upload it to Cisco manually.
Via Email Ingest Method
If you selected Via Email as the ingest method, you’ll need to forward the logs to the provisioned Red Canary email address:
Log in to the Firepower Management Center (FMC).
Go to Device > Platform Setting > Threat Defense Policy > Syslog > Email Setup.
Click Add.
In the Destination Email Address field, enter the Red Canary email address provisioned above.
In the Syslog Severity drop-down, choose warning.
Click OK to save the configuration.
Click Save to save the platform settings.
Go to Deploy, choose the FTD appliance where you want to apply the changes, then click Deploy.
For additional information, please see the Cisco FMC documentation.
Email Format
Red Canary needs to ingest the log as originally formatted by Firepower. Make sure that any perimeter devices in line between Firepower and Red Canary aren’t subsequently reformatting the email to HTML.
Querying Cisco Firepower Data
The tables below outline the fields available for querying Cisco Firepower data in the Security Data Lake.
Red Canary Metadata
All Security Data Lake sources include a set of metadata columns generated by Red Canary at the time of ingestion. These fields are always identified by the rc_ prefix.
| Column Name | Data Type | Description |
|---|---|---|
| | String | Internal row identifier. |
| | String | Red Canary subdomain name. |
| | String | Internal source identifier. |
| | String | Internal source type. |
| | String | Internal file name. |
| | Numeric | Internal file line number. |
| | Timestamp | Red Canary ingestion date (UTC). |
| | Timestamp | Red Canary creation date (UTC). |
| | Timestamp | Red Canary ingestion date (UTC). |
Cisco Firepower Syslog Fields
Cisco Firepower sources also include fields parsed directly from the original syslog message.
| Column Name | Data Type | Description |
|---|---|---|
| | Timestamp | Timestamp from the syslog record (if available). If a time zone is not provided as part of the timestamp, this will default to UTC. |
| | Numeric | Priority/severity. |
| | String | Source hostname/IP address. |
| | String | Source application. |
| | String | Process ID. |
| | String | Message body. |
| | String | Type of message (if specified by source application). |
| | String | “Structured Data” elements. |
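As an added example (not Red Canary's or Cisco's code), the parser below takes an RFC 5424 syslog line shaped the way the Step 6 settings produce it (RFC 5424 timestamp, host name as the device ID) and maps it onto the field set in the table above, defaulting a timestamp without a zone offset to UTC as the table describes. The sample message, the ftd-edge-01 host and the rc@32473 structured-data element are constructed for illustration, not a real Firepower capture.

```python
import re
from datetime import datetime, timezone

# Constructed sample (not a real FTD capture): RFC 5424 header carrying a
# host-name device ID, one structured-data element, then the message body.
SAMPLE = ('<166>1 2024-05-01T12:34:56Z ftd-edge-01 FTD - 430003 '
          '[rc@32473 site="dc-1" note="has \\"quotes\\""] '
          'Connection permitted 10.0.0.5 -> 203.0.113.9')

HEADER = re.compile(r'^<(?P<pri>\d{1,3})>\d+ (?P<ts>\S+) (?P<host>\S+) '
                    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) ?(?P<rest>.*)$', re.S)
SD_ELEM = re.compile(r'\[(?P<id>[^ \]]+)(?P<params>(?: [^=\s\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM = re.compile(r'([^=\s]+)="((?:[^"\\]|\\.)*)"')

def _nil(value):
    return None if value == '-' else value  # RFC 5424 NILVALUE: field absent

def parse_timestamp(ts):
    if ts == '-':
        return None
    dt = datetime.fromisoformat(ts.replace('Z', '+00:00'))
    # No zone offset in the timestamp: default to UTC, as the data lake does
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def parse_structured_data(rest):
    """Split STRUCTURED-DATA from the free-text MSG that follows it."""
    if rest.startswith('-'):
        return {}, rest[1:].lstrip()
    sd, pos = {}, 0
    while (m := SD_ELEM.match(rest, pos)):
        # Undo the three escapes RFC 5424 allows inside a PARAM-VALUE
        params = {k: v.replace('\\"', '"').replace('\\]', ']').replace('\\\\', '\\')
                  for k, v in SD_PARAM.findall(m.group('params'))}
        sd[m.group('id')] = params
        pos = m.end()
    return sd, rest[pos:].lstrip()

def parse_syslog(line):
    """Map one RFC 5424 line onto the field set in the table above."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError('not an RFC 5424 message: ' + line[:40])
    pri = int(m.group('pri'))
    sd, msg = parse_structured_data(m.group('rest'))
    return {'timestamp': parse_timestamp(m.group('ts')), 'priority': pri,
            'facility': pri // 8, 'severity': pri % 8,
            'hostname': _nil(m.group('host')), 'app_name': _nil(m.group('app')),
            'proc_id': _nil(m.group('procid')), 'msg_id': _nil(m.group('msgid')),
            'structured_data': sd, 'message': msg}
```

Running a captured line through parse_syslog before pointing the appliance at the collector is a quick way to confirm that the timestamp and host-name device ID settings from Step 6 actually show up in the output.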