P Cisco Firepower

Introduction

Cisco Firepower is an integrated suite of network security and traffic management products, deployed either on purpose-built platforms or as a software solution. The system is designed to help you handle network traffic in a way that complies with your organization’s security policy.

Main Use Cases

Below are the main use cases covered by this package, grouped by the ArcSight Activate L1 package that provides the rules:

Covered under the L1 - Perimeter Monitoring - Indicators and Warnings package

  • High Volume of Deny Events to Same Destination
  • Multiple Deny Events from Same Source
  • Multiple Deny Events to Same Destination
  • Multiple Denies and an Allow from Same Source

Covered under the L1 - Network Monitoring - Indicators and Warnings package

  • DoS Activity Detected by IDS
  • Exploit Attempt Detected by IDS
  • High Severity IDS Event
  • Multiple Exploit Attempts from Same Source
  • Multiple Exploit Attempts to Same Destination
  • Multiple IDS Events from Same Source
  • Multiple IDS Events to Same Destination
  • Multiple Sources Generating the Same IDS Event
  • Multiple Unique IDS Events to Same Destination
  • Privilege Escalation Attempt Detected
  • Reconnaissance Activity Detected by IDS
  • Unique IDS Events from Same Source
  • Very High Severity IDS Event
  • Unique IDS Events to Same Destination

Covered under the L1 - Entity Monitoring - Indicators and Warnings package

  • User Account Brute Force Attempt
  • User Account Brute Force Attempt from Multiple Sources
  • User Account Brute Force Attempt Reported by Device

Download Instructions

Download the package from the ArcSight Marketplace.

Device Configuration

Cookbook configuration instructions for product packages:
  • Ensure the ArcSight Activate Base package 2.5.2.0 or higher is installed.
  • Ensure the Cisco Firepower connector is configured correctly and forwarding events to ESM.
  • Ensure that ESM is set up to sort package references by their IDs:
    • Open server.properties in <ARCSIGHT_HOME>/manager/config on the ESM Manager host.
    • Add the following line (once; do not add a second copy if the key is already present): export.archive.reference.sort.order=id
  • Restart so the setting takes effect: for ESM in compact mode, restart the ESM Manager; for ESM in distributed mode, restart the ESM Manager, Aggregator(s) and Correlator(s).
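The server.properties edit above is easy to get wrong on a host that already carries the key (a second copy, or a stale value left in place). The following POSIX shell script is an added example, not part of the package or of ArcSight's documentation: it sets export.archive.reference.sort.order=id exactly once, reports whether anything changed so you know whether a restart is needed, and matches the key literally so the dots in it are not treated as regex wildcards. It assumes ARCSIGHT_HOME is the Manager install root on the ESM host (so the file is $ARCSIGHT_HOME/manager/config/server.properties); the function names has_property and ensure_property are mine.

```shell
#!/bin/sh
# Added example (not from the ArcSight package): set
# export.archive.reference.sort.order=id in the ESM Manager's
# server.properties without duplicating the key if it is already there.
# Assumption: ARCSIGHT_HOME is the Manager install root on the ESM host,
# so the file is $ARCSIGHT_HOME/manager/config/server.properties.

# has_property FILE KEY [VALUE]
# Exit 0 if KEY is set in FILE (to exactly VALUE when VALUE is given).
# Matches on the literal "KEY=" prefix at column 1, so commented-out
# copies ("#key=...") and regex metacharacters in the key are not an issue.
has_property() {
    awk -v k="$2" -v v="${3-}" -v want_value="$#" '
        index($0, k "=") == 1 {
            if (want_value < 3 || substr($0, length(k) + 2) == v) found = 1
        }
        END { exit !found }' "$1"
}

# ensure_property FILE KEY VALUE
# Prints one of: unchanged | appended | replaced, so the caller knows
# whether the ESM Manager (and, in distributed mode, the Aggregators and
# Correlators) must be restarted. Returns 1 only if the file is unusable.
ensure_property() {
    file=$1; key=$2; value=$3
    [ -r "$file" ] && [ -w "$file" ] || { echo "cannot read/write $file" >&2; return 1; }
    if has_property "$file" "$key" "$value"; then
        echo unchanged
        return 0
    fi
    if has_property "$file" "$key"; then
        # Rewrite the existing line; "cat > file" keeps the original file's
        # owner and mode, which sed -i does not guarantee on every platform.
        tmp=$(mktemp) || return 1
        awk -v k="$key" -v v="$value" '
            index($0, k "=") == 1 { $0 = k "=" v }
            { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
        echo replaced
        return 0
    fi
    # Make sure the file ends with a newline before appending a new key.
    [ -z "$(tail -c 1 "$file")" ] || echo >> "$file"
    printf '%s=%s\n' "$key" "$value" >> "$file"
    echo appended
}

# Usage on the ESM host:  sh ensure_sort_order.sh /opt/arcsight
if [ "$#" -ge 1 ]; then
    result=$(ensure_property "$1/manager/config/server.properties" \
        export.archive.reference.sort.order id) || exit 1
    echo "server.properties: $result"
    case $result in
        appended|replaced)
            echo "Restart the ESM Manager (compact mode) or the Manager, Aggregator(s) and Correlator(s) (distributed mode)." ;;
    esac
fi
```

Run it once per ESM host; it is safe to re-run, and a result of unchanged means no restart is required.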

Content Configuration

Content Hooks for Product Package:

Each hook pairs an L1 solution filter with the P Cisco Firepower product filter it must reference. Configure a hook by editing the L1 filter so that its condition includes the listed product filter; until this is done the corresponding L1 rules never match Firepower events. Each entry below gives the L1 filter, then (bulleted) the filter in P Cisco Firepower it must reference, then a description.

1. The following filters must be configured for the L1 - Network Monitoring - Indicators and Warnings rules to trigger:

/All Filters/ArcSight Activate/Solutions/Network Monitoring/Indicators and Warnings/All IDS Denial of Service Events
  • /All Filters/ArcSight Activate/Core/Product Filters/Cisco/Firepower/Product Specific Events/Intrusion Sensor Specific Events/Firepower Denial of Service Activity
  Matches the denial-of-service (DoS) events detected by Cisco Firepower.
/All Filters/ArcSight Activate/Solutions/Network Monitoring/Indicators and Warnings/All IDS High Events
  • /All Filters/ArcSight Activate/Core/Product Filters/Cisco/Firepower/Product Specific Events/Intrusion Sensor Specific Events/Firepower Agent Severity High
  Matches the High severity IDS events detected by Cisco Firepower.
/All Filters/ArcSight Activate/Solutions/Network Monitoring/Indicators and Warnings/All IDS Very High Events
  • /All Filters/ArcSight Activate/Core/Product Filters/Cisco/Firepower/Product Specific Events/Intrusion Sensor Specific Events/Firepower Agent Severity Very High
  Matches the Very High severity IDS events detected by Cisco Firepower.
/All Filters/ArcSight Activate/Solutions/Network Monitoring/Indicators and Warnings/All IDS Exploitation Activity Events
  • /All Filters/ArcSight Activate/Core/Product Filters/Cisco/Firepower/Product Specific Events/Intrusion Sensor Specific Events/Firepower Exploitation Activity
  Matches the exploitation events detected by Cisco Firepower.
/All Filters/ArcSight Activate/Solutions/Network Monitoring/Indicators and Warnings/All IDS Privilege Escalation Activity Events
  • /All Filters/ArcSight Activate/Core/Product Filters/Cisco/Firepower/Product Specific Events/Intrusion Sensor Specific Events/Firepower Privilege Escalation Activity
  Matches the privilege escalation events detected by Cisco Firepower.
/All Filters/ArcSight Activate/Solutions/Network Monitoring/Indicators and Warnings/All IDS Reconnaissance Activity Events
  • /All Filters/ArcSight Activate/Core/Product Filters/Cisco/Firepower/Product Specific Events/Intrusion Sensor Specific Events/Firepower Reconnaissance Activity
  Matches the reconnaissance events detected by Cisco Firepower.
/All Filters/ArcSight Activate/Solutions/Network Monitoring/Indicators and Warnings/All IDS Events
  • /All Filters/ArcSight Activate/Core/Product Filters/Cisco/Firepower/All Cisco Firepower Events
  Matches all Cisco Firepower events.

2. The following filter must be configured for the L1 - Perimeter Monitoring - Indicators and Warnings rules to trigger:

/All Filters/ArcSight Activate/Solutions/Perimeter Monitoring/Indicators and Warnings/All Firewall Deny Traffic
  • /All Filters/ArcSight Activate/Core/Product Filters/Cisco/Firepower/Product Specific Events/Firewall Suspicious Events/Firepower Connection Blocks
  Matches all firewall deny (connection block) events reported by Cisco Firepower.

3. The following filter must be configured for the L1 - Entity Monitoring - Indicators and Warnings rules to trigger:

/All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Brute Force Attempt Reported by Device
  • /All Filters/ArcSight Activate/Core/Product Filters/Cisco/Firepower/Entity Authentication/Firepower Bruteforce Attempt Activity
  Matches the brute force activity detected by Cisco Firepower.

Package Installation Procedure

Steps:
1. Download P-Cisco_Firepower_1.0.0.0.zip (screenshot: CFP1.JPG).
2. Open a command prompt and navigate to <ARCSIGHT_HOME> of the ArcSight Console.
3. Copy the PCiscoFirepowerInstallAndUpdate _1.0.0.0.bat (Windows) or PCiscoFirepowerInstallAndUpdate _1.0.0.0.sh (Linux) file, together with the P-Cisco_Firepower_1.0.0.0.arb file, into the current directory of the ArcSight Console installation, e.g. C:\arcsight\console\current, and run the installer from that directory:

For Windows: run PCiscoFirepowerInstallAndUpdate _1.0.0.0.bat
For Linux: sh PCiscoFirepowerInstallAndUpdate _1.0.0.0.sh

(screenshot: CFP2.JPG)
4. You will be prompted to enter the Manager hostname, port, username and password. On Windows the password is echoed in clear text as you type it, so run the installer where the screen is not observed or recorded. When the installation finishes you will see output like the screenshot in the instructions (screenshot: CFP3.JPG).
5. After the update, the packages in ArcSight ESM will look like the screenshot (CFP4.JPG). If you run into any issues, the errors are displayed in the command prompt window.
6. You can now delete the copied files from <ARCSIGHT_HOME> (screenshot: CFP5.JPG).
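Steps 3 to 6 are a small, repeatable procedure, so here is an added shell script for the Linux console (not part of the package or of ArcSight's documentation) that checks both files are present before copying them into the console's current directory, runs the installer interactively so the password is never put on a command line or in the environment, and removes the staged files afterwards. Assumptions: CONSOLE_CURRENT is the console's current directory (e.g. /opt/arcsight/console/current); the default file names are taken from this page, except that the space the page prints before the version number in the installer name is assumed to be a rendering artifact, so check both names against the contents of P-Cisco_Firepower_1.0.0.0.zip and override ARB_FILE / INSTALLER in the environment if they differ. The function names stage_package, run_installer and cleanup_package are mine.

```shell
#!/bin/sh
# Added example (not from the ArcSight package): stage the package files
# into the ArcSight Console's current directory, run the Linux installer,
# and remove the staged files afterwards (steps 3-6 of the procedure).
# Assumptions: file names below come from the wiki page (installer name
# assumed to have no space before the version); verify against the zip.
ARB_FILE=${ARB_FILE:-P-Cisco_Firepower_1.0.0.0.arb}
INSTALLER=${INSTALLER:-PCiscoFirepowerInstallAndUpdate_1.0.0.0.sh}

# stage_package SRC_DIR CONSOLE_CURRENT
# Refuses to proceed unless both files exist in SRC_DIR and CONSOLE_CURRENT
# is a directory, then copies them in. Prints the number of files staged.
stage_package() {
    src=$1; dst=$2; n=0
    for f in "$ARB_FILE" "$INSTALLER"; do
        if [ ! -f "$src/$f" ]; then
            echo "missing $src/$f: unpack the package zip first" >&2
            return 1
        fi
    done
    [ -d "$dst" ] || { echo "console directory $dst not found" >&2; return 1; }
    for f in "$ARB_FILE" "$INSTALLER"; do
        cp "$src/$f" "$dst/$f" && n=$((n + 1))
    done
    echo "$n"
}

# run_installer CONSOLE_CURRENT
# The installer prompts on the terminal for Manager host, port, user and
# password. Keep it interactive: never pass the password as an argument or
# via the environment (it would land in shell history or process listings),
# and on a shared or recorded session remember the Windows .bat echoes it.
run_installer() {
    ( cd "$1" && sh "$INSTALLER" )
}

# cleanup_package CONSOLE_CURRENT
# Step 6: the .arb and installer are not needed once ESM holds the package.
# Succeeds only if both files are really gone.
cleanup_package() {
    rm -f "$1/$ARB_FILE" "$1/$INSTALLER"
    [ ! -e "$1/$ARB_FILE" ] && [ ! -e "$1/$INSTALLER" ]
}

# Usage:  sh install_pcisco_firepower.sh /path/to/unzipped/package /opt/arcsight/console/current
if [ "$#" -eq 2 ]; then
    stage_package "$1" "$2" >/dev/null && run_installer "$2" && cleanup_package "$2"
fi
```

If the installer fails, the staged files are left in place so it can be re-run from the console directory; remove them by hand (or call cleanup_package) once the package shows up in ESM.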

Uninstallation

Steps:

1. In the ArcSight Console, highlight the package (see the screenshot below), right-click and select 'Uninstall Package'.

2. Highlight the now-uninstalled package and select 'Delete Package'.

3. The package content is now removed from ESM.

(screenshot: CFP6.JPG)

Test Plan

PCiscoFirepowerTestPlan provides the methodology for testing this package.

Resources

The link below contains a table of all resources included in this package:

-- DatNguyen - 10 Sep 2019
Topic attachments (screenshots uploaded 10 Sep 2019 by DatNguyen): CFP1.JPG (22.2 K), CFP2.JPG (48.7 K), CFP3.JPG (24.7 K), CFP4.JPG (64.5 K), CFP5.JPG (17.2 K), CFP6.JPG (47.6 K)
Topic revision: r12 - 12 Sep 2019, EstebanHerrera