Cisco ASA Firewall

Version: Cisco ASA Firewall 5500 Series and later.

Cisco Adaptive Security Appliance (ASA) Software is the core operating system for the Cisco ASA Family. It delivers enterprise-class firewall capabilities for ASA devices in an array of form factors (standalone appliances, blades, and virtual appliances) for any distributed network environment.

Netsurion Open XDR acts as the syslog server for Cisco ASA: the ASA sends syslog messages over UDP to the appliance's syslog listener. The configuration procedures in this document set up Cisco ASA appliances to send syslog messages to the Cisco Adaptive Security Device Manager (ASDM); ASDM then forwards the syslog messages to Netsurion Open XDR.

Netsurion Data Source Integration for Cisco Adaptive Security Appliance (ASA) allows you to monitor the following:

  • Operations – syslog messages for the various services, account operations (addition, deletion and modification of users and groups), and system shutdown/restart.
  • Security – suspicious network activity, changes in privileges, and user logon/authentication activity (logon, logoff).
  • Compliance – changes in policy configuration (addition and deletion).

Once logs are received in Netsurion Open XDR, Flex reports and alerts can be configured in Netsurion Open XDR.
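As an added example (not part of the Netsurion documentation or of Cisco's software), the script below shows the parsing and classification a syslog collector performs on the UDP messages described above: it extracts the %ASA-<severity>-<message id> header from each line, maps a few well-known ASA message IDs onto the alert types this page lists (authentication failed, access denied, failover), and pulls out the fields the reports use (username, source and target IP and port). The message IDs are assumed to be what your ASA emits at its configured logging level, the sample lines are constructed, and the mapping from message ID to alert name is this example's own, not Netsurion's.

```python
"""Parse Cisco ASA syslog lines and bucket them into alert types.

Added example; the sample lines below are constructed, and the ID-to-alert
mapping is an assumption for illustration, not Netsurion's own rule set.
"""
import re
from collections import Counter

# The ASA header appears after any <PRI>, timestamp and hostname the syslog
# transport prepends: %ASA-<severity 0-7>-<six-digit message id>: <text>
ASA_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msg_id>\d{6}):\s*(?P<text>.*)$")

# Well-known ASA message IDs (assumption: your device emits them), mapped onto
# the alert names used on this page.
ALERT_TYPES = {
    "113005": "Authentication failed",  # AAA user authentication Rejected
    "106023": "Access denied",          # Deny ... by access-group
    "104001": "Failover messages",      # (unit) Switching to ACTIVE
    "104002": "Failover messages",      # (unit) Switching to STANDBY
}

# Field extractors for the report columns (username, source/target IP and port).
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src_ip>[^/]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[^:]+):(?P<dst_ip>[^/]+)/(?P<dst_port>\d+) by access-group "(?P<acl>[^"]+)"'
)
AUTH_RE = re.compile(r"reason = (?P<reason>.*?) : .*user = (?P<user>\S+) : user IP = (?P<user_ip>\S+)")

# Constructed sample syslog lines as an ASA would send them over UDP (facility local4).
SAMPLE_LINES = [
    "<166>Jan 10 12:00:01 asa-edge : %ASA-6-302013: Built inbound TCP connection 4421 "
    "for outside:203.0.113.7/51022 (203.0.113.7/51022) to inside:192.0.2.10/443 (192.0.2.10/443)",
    "<164>Jan 10 12:00:02 asa-edge : %ASA-4-106023: Deny tcp src outside:203.0.113.7/51023 "
    'dst inside:192.0.2.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    "<166>Jan 10 12:00:03 asa-edge : %ASA-6-113005: AAA user authentication Rejected : "
    "reason = AAA failure : server = 192.0.2.50 : user = admin : user IP = 203.0.113.7",
    "<161>Jan 10 12:00:04 asa-edge : %ASA-1-104001: (Primary) Switching to ACTIVE - "
    "Service card in other unit has failed",
    "garbage line with no ASA header",
]


def parse_asa(line):
    """Return {'severity', 'msg_id', 'text'} for an ASA syslog line, or None if no header."""
    m = ASA_RE.search(line)
    if not m:
        return None
    return {
        "severity": int(m.group("sev")),
        "msg_id": m.group("msg_id"),
        "text": m.group("text").strip(),
    }


def classify(msg):
    """Map a parsed message to one of the page's alert types, or None if not alert-worthy."""
    if msg is None:
        return None
    return ALERT_TYPES.get(msg["msg_id"])


def denied_details(msg):
    """Fields for the 'Connection denied' report from a 106023 message, or None."""
    m = DENY_RE.search(msg["text"]) if msg and msg["msg_id"] == "106023" else None
    return m.groupdict() if m else None


def auth_details(msg):
    """Fields for the 'User authentication failed' report from a 113005 message, or None."""
    m = AUTH_RE.search(msg["text"]) if msg and msg["msg_id"] == "113005" else None
    return m.groupdict() if m else None


def summarize(lines):
    """Count alert-worthy messages per alert type across a batch of syslog lines."""
    counts = Counter()
    for line in lines:
        category = classify(parse_asa(line))
        if category:
            counts[category] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        msg = parse_asa(line)
        print(classify(msg), denied_details(msg) or auth_details(msg) or "")
    print(summarize(SAMPLE_LINES))
```

Lines without an ASA header are ignored rather than raising, which is what a collector should do with the unrelated traffic a shared UDP listener receives; severity is kept so a deployment can raise alerts only above a chosen level.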

The following are the key Data Source Integration components available in Netsurion Open XDR.

Alerts

| Type | Name | Description |
|---|---|---|
| Security | Cisco ASA – Authentication failed | This alert is generated when an authentication-failed event occurs. |
| Security | Cisco ASA – Failover messages | This alert is generated when a failover event occurs. |
| Operations | Cisco ASA – Access denied | This alert is generated when an access-denied event occurs. |
| Compliance | Cisco ASA – IDS intrusion detection | This alert is generated when an IDS intrusion detection event occurs. |
| Compliance | Cisco ASA – Security incidents detected | This alert is generated when a security-incident-detected event occurs. |

Reports

| Type | Name | Description |
|---|---|---|
| Security | Cisco ASA – User authentication failed | This flex report provides information about failed user authentications: the Username, Source IP and port, and Target IP and port of each failure. |
| Security | Cisco ASA – User authentication success | This flex report provides information about successful user authentications: the Username, Source IP and port, and Target IP and port of each success. |
| Security | Cisco ASA – User login failed | This flex report provides information about failed user logins: which user failed to log in, from which Source IP and port, and what the logon type was. |
| Security | Cisco ASA – User password changed | This flex report provides information about user password changes: for which user the password was changed. |
| Security | Cisco ASA – Connection denied | This flex report provides information about traffic denied by the firewall: traffic direction, source and destination address and port, and protocol details. |
| Operations | Cisco ASA – User account locked out | This flex report provides information about user account lockouts: the user account name and the reason it was locked out. |
| Operations | Cisco ASA – User account unlocked | This flex report provides information about user account unlocks: the user account name and who unlocked it. |
| Compliance | Cisco ASA – Privilege level changed | This flex report provides information about user privilege level changes: from which level to which level the privilege changed, and by whom. |
| Compliance | Cisco ASA – Attack detection | This flex report provides information about detected attacks: from which source address to which target address they occurred. |
| Compliance | Cisco ASA – Security incident | This flex report provides information about detected security incidents. |
| Compliance | Cisco ASA – Traffic details | This flex report provides information about permitted and denied traffic: traffic direction, source and destination address and port, bytes transferred, connection duration and status. |

Documentation

The configuration details are consistent with Netsurion Open XDR 7.x and later and with Cisco ASA Firewall.

Download the Integration Guide and How-to Guide for configuration instructions and more information.