And Yet Another Weekend Post! (YAWP)
In this article we are going to describe the integration of FTD with Splunk when you manage FTDs via FMC!
Moreover, we try to clarify the process of connecting Cisco Firepower Threat Defense with Splunk for log analysis and event correlation with events from other devices in our infrastructure. We describe different ways of log collection, mention the pons and cons of them and provide instructions of how to do that using eNcore eStreamer Add-on and App for Splunk.
It's better to know some basics and definitions first:
Why Security Information and Event Management (SIEM)?
It's a software product focused on the security of systems. It's a combination of security information management (SIM) and security event management (SEM) tools. This combination allows you to do real-time analysis and offline analysis with persisted data that you can retain for a long time.
Everything starts with data collection, and that's where SIM comes into play. Depending on the specific tool you use, you can actively move data or upload data on demand to a centralized place. Choosing one tool over another will determine whether you're doing real-time analysis or forensic analysis using data from the past. Once you load data, you can perform searches for troubleshooting and create reports and visualizations to make sense of the collected data
Things then get interesting when SEM comes to the table. After you've identified patterns in the data, you can correlate the data to automate notifications and actions based on the rules you define. For example, you can set it to trigger an alert because there are too many 404 errors. By looking at the logs, you can then correlate the requests to see that someone is trying to find a hole in your system.
You can implement everything I've mentioned here yourself. Still, there are tools that will help you get started quickly so you can focus your attention on using the data to improve the security of your system. Splunk is the SIEM tool I'm recommending—but why should you choose it?
Why using Splunk for SIEM?
According to the Gartner report, there are lots of tools for SIEM, but Splunk stands out above the rest.
You can collect, parse, and store data in a standard format with Splunk so that it's easy to analyze. You can also configure automatic notifications with alerts and reports, correlate data with searches, and create visualizations with dashboards. It doesn't matter really what the sources of the data are; you can collect data in real time or on demand. You can install and configure Splunk on any cloud provider, on-premises, or using a hybrid of those two. If you don't want to administrate Splunk yourself, they also have an as-a-service option.
But what makes Splunk really stand out, according to the Gartner report, is what Splunk calls "apps" and other specialized services for security. These apps provide a set of searches, preset alerts, reports, and dashboards so that you can start analyzing data quickly. The apps include PCI Compliance,Analytics for Hadoop, Stream, Security Essential and Machine Learning Toolkit. You can also use services like Enterprise Security or User Behavior Analytics.
Centralized Data Repository
If you want to be proactive about security, you need to store all your data in a centralized location. Reading and trying to understand different formats from different sources is demanding work. Instead, use Splunk to store your data so you can analyze it all in one place. Having a centralized repository becomes even more important if you need to support long-term storage for compliance reasons.
You can move your data to Splunk using forwarders or, as I mentioned before, you can manually upload data on demand. I recommend that you start uploading data manually and familiarize yourself with how Splunk interprets your data.
Splunk makes it easier to analyze that centrally stored data by converting data into events with timestamps. It starts by parsing the data to identify break lines and default fields, encoding characters, setting a timestamp if there's no date field, and even masking certain data. Then, all this data is effectively distributed into the cluster so that search and indexing speeds remain fast. This process is called indexing; Splunk charges you by index volume.
Once you load your data into Splunk, you can perform searches, reports, and visualizations.
First things first, when the necessity of log collection from Firepower appeared, guys who did this integration already said that it was a really tough task. There is an add-on which is written in Perl and during the configuration process you received too many errors and had no idea how to manage it. But when we started reviewing possible methods, we found new opportunities to provide this.
So let’s talk about possible ways of sending logs from FirePower Threat Defence to Splunk.
There are 2 variants:
When eStreamer came out there were a LOT of issues with Perl modules, and other technology which was used by the Splunk estreamer Add-on.
So let’s have a closer look at eStreamer Ad-on:
The FireSIGHT System Event Streamer (eStreamer) uses a message-oriented protocol to stream events and host profile information to the client application. Your client can request event and host profile data from a Defense Center, and intrusion event data only from a managed device. The client application starts the data stream by submitting request messages, which specify the data to be sent, and then controls the message flow from the Defense Center or managed device after streaming begins. The other feature of using this method is that communication between devices is encrypted over SSL.
Pheniix found the Splunk Add-on for eStreamer. There are 3 versions:
click here to download
Hint: FTD and FMC should be in one network as Splunk with eStreamer add-on.
One possible Headache would be:
When your Splunk is installed in the cloud (such as Azure,AWS , Google Cloud) and you have an office, which is located in a business center where your local network is hosted behind the NAT with one white IP address for many companies. Your Splunk would NOT have the possibility to communicate with your device directly.
There are 2 possible solution here:
Deploy Splunk Heavy Forwarder (HF) in your corporate network where was the possibility for add-on to access FTD and FMC devices directly.
The other one is to configure Destination NAT, or port forwarding on core router for your FTD appliance.
Add-on should be installed on the heavy forwarder and provides only log collection, the other part is eStreamer eNcore App which provides log transformation, data model log mapping to CIM, and consist of many dashboards for monitoring.
We should have configured Splunk Heavy Forwarder. In our case, we have installed it on Ubuntu server, because eStreamer eNcore add-on works only on Linux systems.
We should check if all required packets and libraries are installed.
If it isn’t in place you can simply install it using your packet manager.
Then, download eNcore add-on from here and install it on Heavy Forwarder
You must have a valid PKCS12 file for your Splunk server. Once you have the PKCS12 file you must rename the file to “client.pkcs12” and place it on the Splunk server here:
This will require some form of SCP,SSH or console access to the server.
Go to your FMC and navigate System->Integration -> eStreamer check out what type of events you want to log and save.
Then, click Add client button.
On the next page add IP address of your Splunk server and any password -- write it down cause you will need it later.
After that you should save your *.pkcs12 file. And add it to the Splunk add-on path on heavy forwarder.
Then check Splunk GUI. Before making any further steps be sure that all necessary inputs are enabled. Go to the Settings -> Data inputs: