Cisco Firepower Management Center (FMC) - Formerly FireSIGHT and FirePower Threat Defense

Cisco Firepower Management Center (FMC) provides complete and unified management over firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection. It can easily go from managing a firewall to controlling applications to investigating and remediating malware outbreaks.

This section describes how FortiSIEM collects logs from Cisco FireSIGHT console and FirePower Threat Defense via the eStreamer API integration. FortiSIEM provides two integrations options, either through the FortiSIEM built-in eStreamer integration or via the Cisco FirePower eStreamer eNcore client.

The Cisco eNcore client Collects System intrusion, discovery, and connection data from the Firepower Management Center or managed device (also referred to as the eStreamer server) to external client applications, in this case via Syslog to FortiSIEM.

• What is Discovered and Monitored
• Event Types
• Rules
• Reports
• Configuration
• Using Cisco eStreamer Client

What is Discovered and Monitored

Protocol	Information Discovered	Logs Collected	Used For
eStreamer API		Intrusion Events, Malware Events. File Events. Discovery Events, User Activity Events, Impact Flag Events	Security Monitoring

Event Types

FortiSIEM obtains events from Cisco FireSIGHT via eStreamer protocol. Event types follow.

• Intrusion events: PH_DEV_MON_FIREAMP_INTRUSION

  [PH_DEV_MON_FIREAMP_INTRUSION]:[eventSeverity]=PHL_CRITICAL,[fileName]=phFireAMPAgent.cpp,[lineNumber]=381,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[snortEventId]=393258,[deviceTime]=1430501705,[eventType]=Snort-1,[compEventType]=PH_DEV_MON_FIREAMP_INTRUSION,[ipsGeneratorId]=137,[ipsSignatureId]=2,[ipsClassificationId]=32,[srcIpAddr]=10.131.10.1,[destIpAddr]=10.131.10.120,[srcIpPort]=34730,[destIpPort]=443,[ipProto]=6,[iocNum]=0,[fireAmpImpactFlag]=7,[fireAmpImpact]=2,[eventAction]=1,[mplsLabel]=0,[hostVLAN]=0,[userId]=3013,[webAppId]=0,[clientAppId]=1296,[appProtoId]=1122,[fwRule]=133,[ipsPolicyId]=63098,[srcIntfName]=b16c69fc-cd95-11e4-a8b0-b61685955f02,[destIntfName]=b1a1f900-cd95-11e4-a8b0-b61685955f02,[srcFwZone]=9e34052a-9b4f-11e4-9b83-efa88d47586f,[destFwZone]=a7bd89cc-9b4f-11e4-8260-63a98d47586f,[connEventTime]=1430501705,[connCounter]=371,[srcGeoCountryCode]=0,[destGeoCountryCode]=0,[phLogDetail]=

• Malware events: PH_DEV_MON_FIREAMP_MALWARE

  [PH_DEV_MON_FIREAMP_MALWARE]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=487,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[deviceTime]=1430502934,[srcIpAddr]=10.110.10.73,[destIpAddr]=10.0.112.132,[srcIpPort]=21496,[destIpPort]=80,[ipProto]=6,[fileName]=CplLnk.exe ,[filePath]=,[fileSize64]=716325,[fileType]=1,[fileTimestamp]=0,[hashAlgo]=SHA,[hashCode]=f1bfab10090541a2c3e58b4b93c504be8b65cdc823209c7f4def24acc38d7fd1 ,[fileDirection]=1,[fireAmpFileAction]=3,[parentFileName]=,[parentFileHashCode]=,[infoURL]=http://wrl/wrl/CplLnk.exe ,[threatScore]=0,[fireAmpDisposition]=3,[fireAmpRetrospectiveDisposition]=3,[iocNum]=1,[accessCtlPolicyId]=125870424,[srcGeoCountryCode]=0,[destGeoCountryCode]=0,[webAppId]=0,[clientAppId]=638,[applicationId]=676,[connEventTime]=1430502933,[connCounter]=409,[cloudSecIntelId]=0,[phLogDetail]=

• File events: PH_DEV_MON_FIREAMP_FILE

  [PH_DEV_MON_FIREAMP_FILE]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=541,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[deviceTime]=1430497343,[srcIpAddr]=10.131.15.139,[destIpAddr]=10.0.112.137,[srcIpPort]=1587,[destIpPort]=80,[ipProto]=6,[fileName]=Locksky.exe ,[hashAlgo]=SHA,[hashCode]=aa999f5d948aa1a731f6717484e1db32abf92fdb5f1e7ed73ad6f5a21b0737c1,[fileSize64]=60905,[fileDirection]=1,[fireAmpDisposition]=3,[fireAmpSperoDisposition]=4,[fireAmpFileStorageStatus]=11,[fireAmpFileAnalysisStatus]=0,[threatScore]=0,[fireAmpFileAction]=3,[fileType]=17,[applicationId]=676,[destUserId]=2991,[infoURL]=http://wrl/wrl/Locksky.exe ,[signatureName]=,[accessCtlPolicyId]=125869976,[srcGeoCountryCode]=0,[destGeoCountryCode]=0,[webAppId]=0,[clientAppId]=638,[connCounter]=103,[connEventTime]=1430497343,[phLogDetail]=

• Discovery events:

  • PH_DEV_MON_FIREAMP_DISCOVERY_NETWORK_PROTOCOL

    PH_DEV_MON_FIREAMP_DISCOVERY_NETWORK_PROTOCOL]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=815,[reptDevIpAddr]=10.1.23.177,[destIpPort]=2054,[ipProto]=54,[phLogDetail]=

  • PH_DEV_MON_FIREAMP_DISCOVERY_OS_FINGERPRINT

    [PH_DEV_MON_FIREAMP_DISCOVERY_OS_FINGERPRINT]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=737,[reptDevIpAddr]=10.1.23.177,[fingerprintId]=01f772b2-fceb-4777-8a50-1e1f27426ad0,[osType]=Windows 7,[hostVendor]=Microsoft,[osVersion]=NULL,[phLogDetail]=

  • PH_DEV_MON_FIREAMP_DISCOVERY_CLIENT_APP

    [PH_DEV_MON_FIREAMP_DISCOVERY_CLIENT_APP]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=775,[reptDevIpAddr]=10.1.23.177,[clientAppId]=638,[appName]=Firefox,[phLogDetail]=

  • PH_DEV_MON_FIREAMP_DISCOVERY_SERVER

    [PH_DEV_MON_FIREAMP_DISCOVERY_SERVER]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=853,[reptDevIpAddr]=10.1.23.177,[applicationId]=676,[appTransportProto]=HTTP,[phLogDetail]=

• User activity events: PH_DEV_MON_FIREAMP_USER_LOGIN

  [PH_DEV_MON_FIREAMP_USER_LOGIN]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=672,[reptDevIpAddr]=10.1.23.177,[deviceTime]=1430490441,[user]="User1 ,[userId]=0,[ipProto]=710,[emailId]=,[loginType]=0,[destIpAddr]=198.18.133.1 ,[phLogDetail]=

• Impact Flag events: PH_DEV_MON_FIREAMP_IMPACT_FLAG

  [PH_DEV_MON_FIREAMP_IMPACT_FLAG]:[eventSeverity]=PHL_CRITICAL,[fileName]=phFireAMPAgent.cpp,[lineNumber]=591,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[snortEventId]=34,[deviceTime]=1430491431,[eventType]=Snort-648,[compEventType]=PH_DEV_MON_FIREAMP_IMPACT_FLAG,[ipsGeneratorId]=1,[ipsSignatureId]=14,[ipsClassificationId]=29,[srcIpAddr]=10.131.12.240,[destIpAddr]=10.131.11.46,[srcIpPort]=80,[destIpPort]=8964,[ipProto]=6,[fireAmpImpactFlag]=7,[phLogDetail]=

Rules

There are no predefined rules for this device.

Reports

The following reports are provided:

• Top Cisco FireAMP Malware Events
• Top Cisco FireAMP File Analysis Events
• Top Cisco FireAMP Vulnerable Intrusion Events
• Top Cisco FireAMP Discovered Login Events
• Top Cisco FireAMP Discovered Network Protocol
• Top Cisco FireAMP Discovered Client App
• Top Cisco FireAMP Discovered OS

Configuration

• Cisco FireSIGHT Configuration

• FortiSIEM Configuration

Cisco FireSIGHT Configuration

1. Login to Cisco FIRESIGHT console.
2. Go to System > Local > Registration > eStreamer
3. Click Create Client
   1. Enter IP address and Password for FortiSIEM. The password can only contain alpha (a-z, A-Z) and numeric (0-9) characters. Special characters are not allowed.
   2. Click Save.
4. Select the types of events that should be forwarded to FortiSIEM.
5. Click Download Certificate and save the certificate to a local file.

FortiSIEM Configuration

Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

• Define Cisco FireSIGHT console and FirePower Threat Defense Credential in FortiSIEM

• Create IP Range to Credential Association and Test Connectivity

Define Cisco FireSIGHT console and FirePower Threat Defense Credential in FortiSIEM

1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials, click New to create a new credential.
   1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
   2. Enter these settings in the Access Method Definition dialog box and click Save:

1. Settings	Description
   Name	Enter a name for the credential
   Device Type	Cisco FireAMP
   Access Protocol	eStreamer SDK
   Password	Enter the Password as in Step 3a from Cisco FireSIGHT Configuration.
   Certificate File	Click Upload and enter/select the certificate downloaded in Step 5 from Cisco FireSIGHT Configuration.
   Organization	The organization the device belongs to.
   Description	Description of the device.

Create IP Range to Credential Association and Test Connectivity

From the FortiSIEM Supervisor node, take the following steps (In ADMIN > Setup > Credentials).

1. In Step 2: Enter IP Range to Credential Associations, click New to create a mapping.
   1. Enter the IP address of the FireSIGHT console in the IP/Host Name field.
   2. Select the name of the credential created in Define Cisco FireSIGHT console and FirePower Threat Defense Credential in FortiSIEM from the Credentials drop-down list.
   3. Click Save.
2. Select the entry just created and click the Test drop-down list and select Test Connectivity. FortiSIEM will start collecting events from the FIRESIGHT console.

Using Cisco eStreamer Client

Cisco has published a free eStreamer client to pull events from FireAMP server. This client is more up-to-date than FortiSIEM’s own eStreamer client.

If you decide to use Cisco’s eStreamer client instead of FortiSIEM’s eStreamer client, follow these steps.

• Step 1: Install a New Version of Python with a New User 'estreamer'

• Step 2: Download and Configure eStreamer Client

• Step 3: Start eStreamer Client

Step 1: Install a New Version of Python with a New User 'estreamer'

This is required because the python version used by FortiSIEM is compiled with PyUnicodeUCS2, while eStreamer client requires the standard version of python built with PyUnicodeUCS4.

1. Log in to FortiSIEM Collector or the node where eStreamer client is going to be installed.
2. Install openssl-devel and openssl-devel.i686 by running the following command.
   yum install openssl-devel openssl-devel.i686
   
3. Create eStreamer user using the following command.
   1. useradd estreamer
4. Download the python library using the following commands.
   1. su estreamer
   2. mkdir ~/python
   3. cd ~/python
   4. wget https://www.python.org/ftp/python/3.9.0/Python-3.9.0.tgz
5. Install python library by using the following commands.
   1. tar zxfv Python-3.9.0.tgz
   2. find ~/python -type d | xargs chmod 0755
   3. cd Python-3.9.0
   4. ./configure --prefix=$HOME/python --enable-unicode=ucs4
   5. make && make install
   6. Add the following two lines to ~/.bashrc.
      export PATH=$HOME/python/Python-3.9.0/:$PATH
export PYTHONPATH=$HOME/python/Python-3.9.0
   7. source ~/.bashrc

Step 2: Download and Configure eStreamer Client

1. SSH to FortiSIEM Collector or the node where eStreamer client is going to be installed as estreamer user.
2. Git clone: git://github.com/CiscoSecurity/fp-05-firepower-cef-connector-arcsight.git
3. Change directory using the following command.
   cd fp-05-firepower-cef-connector-arcsight
4. Login to eStreamer server and take the following steps.
   1. Go to System > Integration > eStreamer.
   2. Create a New client and enter the IP address of the Supervisor/Collector as the host.
   3. Download the pkcs12 file and save it to directory.
      fp-05-firepower-cef-connector-arcsight
5. Go back to fp-05-firepower-cef-connector-arcsight directory.
6. Run sh encore.sh, and type 2 for selection of output in CEF as prompted. An estreamer.conf file is generated.
7. Edit estreamer.conf with the below settings (in JSON format).
   • handler.outputters.stream.uri : "udp://VA_IP:514"
   • servers.host : eStreamer_Server_IP
   • servers.pkcs12Filepath : /path/to/pkcs12
8. Run the following two commands.
   • openssl pkcs12 -in "client.pkcs12" -nocerts -nodes -out "/path/to/fp-05-firepower-cef-connector-arcsight/{eStreamer_Server_IP}-{port}_pkcs.key"
   • openssl pkcs12 -in "client.pkcs12" -clcerts -nokeys -out "/path/to/fp-05-firepower-cef-connector-arcsight/{eStreamer_Server_IP}-{port}_pkcs.cert"
     

Notes:

1. 8302 is the default port.
2. The public IP of the device must be used to create client.pkcs12 according to Cisco FireSIGHT Configuration documentation. The command curl ifconfig.co can be used to get the public IP of the device.
   
   

Step 3: Start eStreamer Client

SSH to FortiSIEM Collector or the node where eStreamer client is installed, as eStreamer user. Start eStreamer client by entering:
sh encore.sh start

Now eStreamer client is ready for use. FortiSIEM 5.2.5 contains an updated parser for the events generated by Cisco eStreamer client. Trigger a few events in eStreamer server and query from FortiSIEM to verify if everything is working.