BRKSEC 2124 Estreamer Syslog
Uploaded by Praveen Rai

eStreamer or Syslog
Which one to choose for Cisco Secure Firewall
Security Events
Dinkar Sharma, Technical Marketing Engineer – CSTA
Seyed Khadem, Technical Solutions Architect - CSTA
@Dinkar88, @Seyed54119008
BRKSEC-2124
#CiscoLive BRKSEC-2124 © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Introduction
Dinkar Sharma (Cisco Security)
• Technical Marketing Engineer (current)
• Cisco Secure Technical Alliance (SBG)
• 10 years in Cisco, including:
  • Technical Consulting Engineer (Firewall & VPN)
  • Technical Consulting Engineer (AAA Security)
  • Customer Success Specialist (Security)
• CCIE Security #47755, CCDA (DevNet Associate)
• Masters in Cyber Defense candidate (Dakota State University)
Agenda
• Introduction
• Unified Syslog
• Unified Syslog Configuration
• Syslog Security Event Samples
• Event Streamer (eStreamer)
• eStreamer config and record types
• eStreamer sample events
• Syslog vs eStreamer
• Roadmap

Introduction: Management Designed for the User
Flexibility of cloud or on-premises options, security integrations and common APIs. The three managers coexist.
• Cisco Firepower Management Center (FMC): on-premise centralized manager, SecOps focused. Helps administrators enforce consistent access policies, rapidly troubleshoot security events, and view summarized reports across the deployment.
• Cisco Defense Orchestrator (CDO): cloud-based centralized manager, NetOps focused. For centralized cloud-based policy management of multiple deployments.
• Cisco Firepower Device Manager (FDM): on-box manager, NetOps focused. For easy on-box management of a single FTD or a pair of FTDs running in HA.
*For FTD release 6.4 or higher
Introduction: Secure FMC, More than a Config Tool
• A policy configuration tool for NGFW / NGIPS
• A quick way to see the context / composition of your network (Network & Host Discovery)
• A tool to “check on” your threat events
Introduction: Secure FMC, More than a Config Tool
Indication of Compromise (IoCs)
• Performs data correlation on threat events to generate IoCs
Analysis > Hosts > Indication of Compromise
Analysis > Hosts > Indication of Compromise > Hosts
Introduction: Visual Guide to Firepower Event Sources

Event Sources
• Security Events: Connection, SI, Intrusion, File, Malware, Discovery, Correlation, User Activity, Impact Flags

Device   Syslog   Event Streamer (eStreamer)   Database API
FMC      Yes      Yes                          Yes
FDM      Yes      No                           No
CDO      Yes      No                           No
Unified Syslog
Secure Firewall 6.3+
• Unified Security Events: managed by FMC, CDO or FDM
• Legacy and new events: sent using one management or data interface
• All events sent under the same hostname
Unified Syslog: Event Types
Security Events

Syslog Message Id   Type of Event                      Introduced in
430001              Intrusion Event                    6.3
430002              Connection Event (at beginning)    6.3
430003              Connection Event (at the end)      6.3
430004              File Event                         6.4
430005              File Malware Event                 6.4
Unified Syslog: AC Policy Configuration
Security Event Syslog
1. Policy > Edit > Logging
2. Devices > Platform Settings
Unified Syslog: IPS Event
Event ID 430001 Sample
Fields called out in the sample: Syslog ID, Device ID, Session ID, 5-tuple info, Signature ID, Priority, Message, Classification, IPS Inline Result, AC Policy, AC Rule or Policy Action.
Syslog Sample: Connection at the Beginning & End
Event Id 430002 & 430003
Fields called out in the sample: Syslog Id, Device Id, Session Id, 5-tuple info, AC Rule Action, AC Rule Name, Priority, Username, URL (Category & Reputation), NAT details (7.1+), Session Duration, WebApp, SSL Ciphers, TLS version, SSL Action, SSL Session ID.
Syslog Sample: File Event
Event Id 430004
Fields called out in the sample: Syslog Id, 5-tuple info, File Direction, File SHA-256, Action, SHA Disposition, File Type, File Size, File Stored?
Syslog Sample: Malware Event
Event Id 430005
Fields called out in the sample: Syslog Id, SHA Disposition, Threat Signature, Threat Score, File Sandbox status.
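The message-ID table and the field call-outs above describe what a collector receives; the following added example (written for this page, not code from the deck or from Cisco) classifies constructed unified syslog lines by their 43000x ID and pulls out the 5-tuple and malware fields. The "%FTD-<severity>-<id>:" tag layout and the key names (SrcIP, SID, SHA_Disposition, FileName, ...) are assumptions, since the slides show only the IDs and field labels.

```python
import re
from collections import Counter

# Unified syslog message IDs from the deck's event-type table.
EVENT_TYPES = {
    "430001": "Intrusion Event",
    "430002": "Connection Event (beginning)",
    "430003": "Connection Event (end)",
    "430004": "File Event",
    "430005": "File Malware Event",
}

# "%FTD-<severity>-<message id>: Key: Value, Key: Value, ..." tag and body.
# The tag layout and the field names used below are assumptions.
TAG_RE = re.compile(r"%FTD-(?P<sev>\d)-(?P<msgid>43000[1-5]):\s*(?P<body>.*)$")

def parse_ftd_event(line):
    """Return {'msgid', 'event_type', 'severity', 'fields'} for a 43000x
    security event, or None for any other syslog line (system messages)."""
    m = TAG_RE.search(line)
    if not m:
        return None
    fields = {}
    # Pairs are separated by ", "; partition on the first ": " so values such
    # as URLs keep their own colons. Free-text values containing ", " (some
    # Message fields) would need a quote-aware split instead.
    for part in m.group("body").split(", "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return {"msgid": m.group("msgid"), "event_type": EVENT_TYPES[m.group("msgid")],
            "severity": int(m.group("sev")), "fields": fields}

def five_tuple(event):
    """The 5-tuple info that every sample on the slides calls out."""
    f = event["fields"]
    return (f.get("SrcIP"), f.get("SrcPort"), f.get("DstIP"), f.get("DstPort"), f.get("Protocol"))

def count_by_type(lines):
    """How many of each unified security event type a feed contains."""
    return Counter(ev["event_type"] for ev in map(parse_ftd_event, lines) if ev)

def malware_downloads(lines):
    """(SrcIP, FileName, disposition) for 430005 events with a Malware disposition."""
    hits = []
    for ev in map(parse_ftd_event, lines):
        if ev and ev["msgid"] == "430005" and ev["fields"].get("SHA_Disposition") == "Malware":
            hits.append((ev["fields"].get("SrcIP"), ev["fields"].get("FileName"), "Malware"))
    return hits

# Constructed sample lines (not captured from a real device); the last one is a
# non-security system message that the parser must ignore.
SAMPLE_LINES = [
    "<134>Jun 15 2022 14:30:01 ftd-1: %FTD-6-430003: DeviceUUID: 1111-aaaa, "
    "AccessControlRuleAction: Allow, SrcIP: 10.1.1.5, DstIP: 93.184.216.34, SrcPort: 51234, "
    "DstPort: 443, Protocol: tcp, ACPolicy: Corp-ACP, AccessControlRuleName: Allow-Web, "
    "URL: https://example.com/, SSLVersion: TLSv1.2",
    "<129>Jun 15 2022 14:30:02 ftd-1: %FTD-1-430001: DeviceUUID: 1111-aaaa, SrcIP: 10.1.1.5, "
    "DstIP: 198.51.100.7, SrcPort: 51235, DstPort: 80, Protocol: tcp, Priority: 1, GID: 1, "
    "SID: 2100498, Revision: 7, Message: ATTACK-RESPONSES id check returned root, "
    "Classification: Potentially Bad Traffic, InlineResult: Blocked, ACPolicy: Corp-ACP",
    "<132>Jun 15 2022 14:30:03 ftd-1: %FTD-4-430005: DeviceUUID: 1111-aaaa, SrcIP: 10.1.1.9, "
    "DstIP: 203.0.113.20, SrcPort: 51300, DstPort: 80, Protocol: tcp, FileName: invoice.exe, "
    "FileType: MSEXE, FileSize: 52000, SHA256: constructed-placeholder-hash, "
    "FileDirection: Download, FileAction: Malware Cloud Lookup, SHA_Disposition: Malware, ThreatScore: 100",
    "<134>Jun 15 2022 14:30:04 ftd-1: %FTD-6-302013: Built outbound TCP connection 1234 for "
    "outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.1.1.5/51236 (10.1.1.5/51236)",
]

if __name__ == "__main__":
    print(count_by_type(SAMPLE_LINES))
    print(malware_downloads(SAMPLE_LINES))
```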
Syslog Challenges: FTD
• No IoC, Impact Flag, Discovery, Correlation or Host events, etc.
• Events are not available for later access on the FTD because of its limited storage (depends on the buffer)
• No on-demand comprehensive data for Intrusion Events
• No redundancy (backup)
• TLS syslog is only supported over the data interfaces
• Less dashboard customization compared to Event Streamer (eStreamer)
Data Correlation is Critical
Data sources that need to be correlated: OS Version, DNS Activity, Intrusion Events, Local Vuln Data, IOCs, IPSec, URL Intel, Sec Intel, DNS Sec Intel, User Data, Threat Intel, Policy Violation, Network Flow, App Data, Malware, File Data.
Data Correlation is Critical
What correlation provides: Analysis, Organisation, Filtration, Correlation, Relatedness, Intelligence, Integration.
WHY?
• Most SOCs fail or keep getting “re-invented”
• Good Security Analysts are hard to find/keep and are expensive
• The COST of security is not sustainable even in today’s climate of regulation, fear, and loss.
Event Streamer (eStreamer)
Secure Firewall Management Center
• Provides 8 types of Security Events
• Supports Correlation events
• Reduces noise and admin overhead
• On-demand comprehensive data for Intrusion Events
• Requires the Cisco enCore client on SIEM solutions: Splunk, Sentinel, ArcSight
Event Streamer (eStreamer): Configuration
Secure Firewall Management Center
1. System > Integration
2. Create Client
3. Event Configuration
Event Streamer (eStreamer)
Security Event and Metadata Record Types

Record Type      Description
2                Packet Data (IPS)
9                Intrusion Impact Alert (IPS)
10-29 and more   Discovery Event
71               Connection Data
112              Correlation Event
125              Malware Event
400              Intrusion Event Record
500              File Event

Metadata Record Type   Metadata Description
62                     User Metadata
121                    URL Category Metadata
123                    Managed Device Metadata
128                    Malware Event Type Metadata
Event Streamer (eStreamer): Sample
IPS Event with Packet Data
Fields called out in the sample: Record type, Client App, Dst Country, HTTP Headers, true-ip/XFF, IoC, Impact level & description, Metadata Record type, Packet Data.
Event Streamer (eStreamer): Sample
Malware Event
Fields called out in the sample (shown in the Splunk Web UI): Record type, File Action, Archive Depth, Client App, File SHA-256, File Name, Retro Disposition, Threat Score, Threat Signature.
Event Streamer (eStreamer): Sample
Discovery Event

Event Streamer (eStreamer): Sample
Correlation Event using Correlation Policy
Cisco Integration Products
Splunk, ArcSight, Sentinel, QRadar
• Splunk App for Firepower (Splunk Firepower App Dashboard)
  • Supports both eStreamer and Syslog data ingest
  • Analytics Dashboard
  • Supports output in Splunk format (key-value pairs)
• ArcSight Client
  • Supports output in CEF format
• Microsoft Sentinel Connector
  • CEF based, future integration with JSON
• enCore CLI
  • Supports output in CEF format
• QRadar
  • Has its own connector
eStreamer additional Telemetry and Metadata
IPS Event telemetry & Metadata not available in Syslog events

Telemetry (IPS Event): IoC; Impact Flags; Impact Alert and Description; True-IP or XFF; http hostname, uri, response; Source/Dst IP Country; Client App; Block.

Record Type   Metadata (IPS Event)
2             Packet Data
4             Priority Metadata
9             Impact Alert
66            Rule Metadata
110, 111      Intrusion Event Extra Data
118           Intrusion Policy Name Metadata
140           Rule Documentation Data
eStreamer additional Telemetry and Metadata
Malware Event telemetry & Metadata not available in Syslog events

Telemetry (Malware Event): IoC; SRC & DST GeoIP; Archive Depth; Retro Disposition.

Record Type   Metadata (Malware Event)
127           AMP Cloud Name Metadata
128, 129      Malware Event Type Metadata
130           AMP for Endpoints Detector Type Metadata
131           AMP for Endpoints File Type Metadata
eStreamer Challenges: FMC
• Sends only event data, not system syslog messages (CPU, memory, HA, etc.)
• Does not keep a history of the events it sends
• Only supported by FMC
• Each FMC requires a dedicated SIEM server (e.g. Splunk enCore) (CSCvq14351)
• Cost could be a factor: requires more storage, licenses and skills
• Requires more effort to set up than Syslog: admin overhead, maintenance
• Not supported by the cloud FMC introduced in 7.2
Syslog vs eStreamer

Type of Event                  eStreamer   Syslog
Discovery Events               Yes         No
Correlation Events             Yes         No
Impact Flag Alerts             Yes         No
Intrusion Events               Yes         Yes
Intrusion & Malware metadata   Yes         No
Malware Events                 Yes         Yes
File Events                    Yes         Yes
Connection Events              Yes         Yes
Partners and eStreamer Clients

Partner               Client Built By          Maintained By   Support Model
LogRhythm             LogRhythm                LogRhythm       LogRhythm
IBM QRadar            IBM                      IBM             IBM
Splunk                Cisco Services & CSTA    Cisco (CSTA)    TAC & Eng. + Community
Microsoft Sentinel    Cisco Services & CSTA    Cisco (CSTA)    TAC & Eng.
MicroFocus ArcSight   Cisco Services & CSTA    Cisco (CSTA)    TAC & Eng.
LogZilla              Cisco & LogZilla         LogZilla        LogZilla
Huntsman              Huntsman                 Huntsman        Huntsman
Symantec              Symantec                 Symantec        Symantec
Hawk Defense          HawkDefense              HawkDefense     HawkDefense
TrustWave             TrustWave                TrustWave       TrustWave
McAfee                McAfee                   McAfee          McAfee
Assuria               Assuria                  Assuria         Assuria
SecureWorks           Unknown                  SecureWorks     SecureWorks
Secure Firewall Logging Roadmap (Tentative)

Software Version   FMC                                                          Firewall
6.5 to 7.1         'Classic' eStreamer, all event types.                        Syslog for Intrusion, File/Malware, Connection
                   New eStreamer FQ for 6 event types (no Discovery or Correlation).
7.2                'Classic' eStreamer, all event types.                        Syslog for Intrusion, File/Malware, Connection
                   New eStreamer FQ for ALL 8 event types.
7.4                'Classic' eStreamer, all event types.                        Syslog for Intrusion, File/Malware, Connection
                   New eStreamer FQ for ALL 8 event types.
                   Syslog for all event types.
7.x                'Classic' eStreamer, all event types.                        Syslog for Intrusion, File/Malware, Connection
                   New eStreamer FQ for ALL 8 event types.
                   Syslog for all event types.
x.x?               eStreamer EOL                                                Syslog for Intrusion, File/Malware, Connection
Summary
Key points compared for Syslog vs eStreamer (the slide marks each with a check for one or both options): Telemetry (+metadata), Low Cost, Easy Implementation, Dashboard Customization, Data Correlation, Requires user Skills, Cisco SecureX, 3rd party integration.
Demo
eStreamer or Syslog: Which one to choose for Cisco Secure Firewall Security Events
BRKSEC-2125, Jun 15 | 2.30pm – 3.15pm
Seyed Khadem
Security Reference Architecture