Cisco Firepower QRadar App - IBM Cloud


Cisco Firepower QRadar App
Version Number: 1.1.0
Date: Mar 26, 2020
Copyright 2020 Cisco

Contents

1. Introduction
   1.1. Overview
   1.2. About this Document
   1.3. About the app
   1.4. Prerequisites
   1.5. Custom Field Properties of DSM
2. General
   2.1 Installation
   2.2 Importing a FMC certificate in QRadar
   2.3 Configuring Log Source
   2.4 Configuring Log Source Extension
   2.5 Suggested CEP to be Indexed
3. Cisco Firepower for QRadar App
   3.1 General
       3.1.1 Time Range Selector
       3.1.2 Reset
   3.2 Threats Tab
       3.2.1 Threat Summary
       3.2.2 Context Explorer
       3.2.3 Intrusion Events
   3.3 Network Tab
   3.4 Report Tab
       3.4.1 Indications of Compromise by Host Report
       3.4.2 Event Viewer (User Activity)
       3.4.3 Event Viewer (Connections by Security Intelligence Category)
       3.4.4 Event Viewer – Firewall Events
       3.4.5 Event Viewer – Source Port
       3.4.6 Event Viewer – Destination Port
       3.4.7 Event Viewer – IP Protocol
4. Legal Notice
   4.1 Confidentiality Notice

1. Introduction

1.1. Overview
The Cisco Firepower App for IBM QRadar provides insight from multiple security products and integrates them with QRadar. The Cisco Firepower platform helps the user to automate security and contain threats faster, directly from QRadar.

1.2. About this Document
This document explains how to deploy and use the Cisco Firepower App for IBM QRadar.

1.3. About the app
QRadar provides a robust solution for Security Information and Event Management (SIEM), anomaly detection, incident forensics, and vulnerability management. When you set up the Cisco Firepower app for QRadar, it integrates all the data from the Cisco Firepower platform and allows you to view the data in graphical form in the QRadar console. From the application, analysts can view:
   - Threat Summary
   - Context Explorer
   - Network Tab
   - Report Tab
   - Intrusion Events

1.4. Prerequisites
   - IBM QRadar version 7.3.1 patched to 73120181123182336 and 7145706.noarch and 08190552.noarch and above
   - Administration privileges

1.5. Custom Field Properties of DSM
The following fields are part of the DSM:


2. General

2.1 Installation
1. Log in to QRadar and go to the Admin tab.
2. Select Extension Management Services.
3. Install the application as a QRadar plugin (for more details on plugin installation, click here).
4. After the installation, deploy changes in QRadar if any.


2.2 Importing a FMC certificate in QRadar
1. Log in to the Cisco Firepower Management Centre and download the PKCS#12 certificate (for more details, refer here).
2. Import the downloaded Cisco Firepower Management Centre certificate into QRadar (for more details, refer here). Use this command to import the certificate into QRadar:

      /opt/qradar/bin/estreamer-cert-import.pl -f <pkcs12 absolute filepath> [options]

2.3 Configuring Log Source
1. From the Admin tab on the QRadar navigation bar, scroll down to Log Sources.
2. Click on Add to create a new log source.
3. Enter the required parameters for creating the log source:
   a. Enter a Log Source Name.
   b. From the Log Source Type list, select Cisco Firepower Management Centre.
   c. From the Protocol Configuration list, select Cisco Firepower eStreamer.
   d. Server Address: the IP address or host name of the Cisco Firepower Management Centre device.
   e. Server Port: the port number that the Cisco Firepower Management Centre device is configured to accept connection requests on. The default port that QRadar uses for the Cisco Firepower Management Centre device is 8302.
   f. Keystore Filename: the directory path and file name for the keystore private key and associated certificate. By default, the import script creates the keystore file at the following path: /opt/qradar/conf/estreamer.keystore
   g. Truststore Filename: the directory path and file name for the truststore files. The truststore file contains the certificates that are trusted by the client. By default, the import script creates the truststore file at the following path: /opt/qradar/conf/estreamer.truststore
   h. Request Extra Data: select this option to request intrusion event extra data from Cisco Firepower Management Centre. For example, extra data includes the original IP address of an event.
   i. Domain: the domain where the events are streamed from.
   j. Log Source Extension: select "SourcefireDefenseCenter ext" from the list.
   k. Save.
   l. Deploy Changes.
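As an added example (not part of the Cisco guide), the POSIX shell functions below check the downloaded PKCS#12 bundle before it is handed to the import script from section 2.2, and afterwards confirm that the keystore and truststore files named in step 3 of section 2.3 exist and that the keystore, which holds the private key, is not readable by other users. The openssl CLI, the passphrase argument and the permission policy are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Cisco guide. Pre-flight and post-import
# checks around the eStreamer certificate import (sections 2.2 and 2.3).
# Assumes the openssl CLI is available; the passphrase argument and the
# permission policy below are this example's own choices.

# Return 0 if $1 is a readable PKCS#12 bundle (passphrase $2) that holds
# both a private key and a certificate, which is what the import script
# needs to populate the keystore and truststore. Return 1 otherwise.
check_pkcs12() {
  p12="$1"; pass="$2"
  [ -r "$p12" ] || { echo "not readable: $p12" >&2; return 1; }
  # -info writes the bag summary to stderr, so capture both streams.
  info=$(openssl pkcs12 -in "$p12" -info -noout -passin "pass:$pass" 2>&1) ||
    { echo "not a PKCS#12 file or wrong passphrase: $p12" >&2; return 1; }
  # openssl prints "Key bag" or "Shrouded Keybag" for the private key.
  printf '%s\n' "$info" | grep -qiE 'key ?bag' ||
    { echo "no private key in $p12" >&2; return 1; }
  printf '%s\n' "$info" | grep -q 'Certificate bag' ||
    { echo "no certificate in $p12" >&2; return 1; }
  return 0
}

# Return 0 if the keystore ($1) and truststore ($2) the log source will
# point at both exist and are non-empty, and the keystore is not readable
# by "other" users. Defaults are the paths given in section 2.3.
# Uses GNU/busybox stat (Linux, as on a QRadar console).
check_stores() {
  ks="${1:-/opt/qradar/conf/estreamer.keystore}"
  ts="${2:-/opt/qradar/conf/estreamer.truststore}"
  for f in "$ks" "$ts"; do
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
  done
  mode=$(stat -c '%a' "$ks") || return 1
  case "$mode" in
    *0) return 0 ;;
    *)  echo "keystore $ks is readable by others (mode $mode)" >&2; return 1 ;;
  esac
}
```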


2.4 Configuring Log Source Extension
1. If the Extension Name is not mapped to the Log Source Type Firepower Management Centre, choose the Log Source Name from the list.
2. Save changes.

2.5 Suggested CEP to be Indexed
In order to increase the efficiency of searches, it is recommended to index a few CEPs.
1. Navigate to Admin, Index Management.
2. Select the CEP to be indexed, and click Enable Index.
3. Save the changes.
4. The following fields can be indexed:
   - IOC Value
   - User ID
   - securityIntelligenceName
   - Bytes IN
   - RecordType
   - Bytes OUT
Note: The predefined "Data retrieval function" given by IBM QRadar will implicitly add the homenet range.

3. Cisco Firepower for QRadar App

3.1 General
To navigate to the Cisco Firepower QRadar app in IBM QRadar: from the QRadar Homepage, click the Cisco Firepower for QRadar tab.

3.1.1 Time Range Selector
1. The Time Range Selector tool can be used to display information for a certain timeframe. By default, the application shows the data of the last 24 hours.
2. The user can select one of the predefined date ranges; additionally, a feature is provided for customized date selection.
3. The Time Range Selector can be found on all pages.

3.1.2 Reset
The user can click on the Cancel button to reset the date range to the default, i.e. Last 24 Hours.

3.2 Threats Tab
The Threat menu contains the following sub-menus:
1. Threat Summary
2. Context Explorer
3. Intrusion Events

3.2.1 Threat Summary
1. The Threat Summary tab gives information such as Indications of Compromise by Host, New Indications of Compromise Over Time, Connections by Security Intelligence Category, Malware Threats, Intrusion Events by Impact Level and Top Security Intelligence Categories.
2. The Threat Summary tab enables the user to search the information related to Source IP Address, Destination IP Address, Time, Traffic Direction and Blocked or not blocked.
3. Every widget will lead the user to its respective Event Viewer.

3.2.2 Context Explorer
1. The Context Explorer tab gives information such as Correlation Events, Security Intelligence, Intrusion Events, Malware Events, IP as Source vs. Destination, Location of Threat Events and Traffic, User, Threat Events and Traffic Patterns.
2. The Context Explorer tab enables the user to search the information related to Source IP Address, Destination IP Address, Time, Traffic Direction and Blocked or not blocked.
3. The Correlation Events, Security Intelligence, Intrusion Events and Malware widget counts will lead the user to their respective Event Viewers.

3.2.3 Intrusion Events
1. The Intrusion Events tab gives information such as Home-net Trend, Impact 1 - High Severity Events, Intrusion Events - Initiated by Internal vs. External Hosts, Intrusion Events by Sensors and Impacts.
2. The Intrusion Events tab enables the user to search the information related to Source IP Address, Destination IP Address, Traffic Direction, Time, Impact Level and Blocked or not blocked.

3.3 Network Tab
1. The Network tab gives information such as Network Events by Firewall Rule, Network Activity by Source Port, Network Events by Destination Port, Network Activity by User, Events by IP Protocol and Network Events by Priority Level.
2. The Network tab enables the user to search the information related to Source IP Address, Destination IP Address, Time, Traffic Direction and Blocked or not blocked.
3. Every widget will lead the user to its respective Event Viewer.

3.4 Report Tab
1. The Report tab gives information related to Indications of Compromise by Host Report, Event Viewer (User Activity), Event Viewer (Connections by Security Intelligence Category), Event Viewer – Firewall Events, Event Viewer – Web Application, Event Viewer – Client Application, and Event Viewer – IP Protocol, in the form of tables.
2. The Report tab enables the user to search the information related to Source IP Address, Destination IP Address, Source Port, Destination Port, Time, Traffic Direction and Blocked or not blocked.

3.4.1 Indications of Compromise by Host Report

3.4.2 Event Viewer (User Activity)

3.4.3 Event Viewer (Connections by Security Intelligence Category)

3.4.4 Event Viewer – Firewall Events

3.4.5 Event Viewer – Source Port

3.4.6 Event Viewer – Destination Port

3.4.7 Event Viewer – IP Protocol

4 Legal Notice

4.1 Confidentiality Notice
This document transmission (and/or the documents accompanying it) is for the sole use of the intended recipient(s) and may contain information protected by the attorney-client privilege, the attorney-work-product doctrine or other applicable privileges or confidentiality laws or regulations. If you are not an intended recipient, you may not review, use, copy, disclose or distribute this message or any of the information contained in this message to anyone. If you are not the intended recipient, contact the sender by reply e-mail and destroy all copies of this message and attachments.
