Cisco Firepower Threat Defense

Version: Cisco Firepower Threat Defense (FTD) | Release 6.3 and later

Note – “File Malware and File events” are available from Cisco Firepower release 6.4 and above

Cisco Firepower Threat Defense (FTD) is a unified software image that combines Cisco ASA firewall functionality and Firepower next-generation features into a single hardware and software system.

The Cisco Firepower NGIPS is a next-generation intrusion prevention system. It shares its management console, the Firepower Management Center, with Cisco's firewall offerings.

Netsurion Open XDR, when integrated with Cisco Firepower NGIPS, collects logs from Cisco FTD and produces detailed reports, alerts, dashboards, and saved searches. These features let users view critical and important information on a single platform.

Reports contain details of activities such as IDS events, which outline the targeted host and the source of the attack. Reports also cover activities such as SSLVPN/VPN/WebVPN access, user command execution, and system activities.

IPS events include blocked connections, a file and malware detection summary, an allowed URLs summary, and more. Each event includes the date, time, type of exploit, and contextual information about the source of the attack and its target.

Alerts are raised as soon as a critical event is triggered by Cisco FTD. With alerts, users see events in real time, such as a possible attack in progress, or SSLVPN/VPN/WebVPN login successes, failures, and logouts.

For IPS events, such as a connection blocked because the NGIPS engine identified a malicious entity, alerts are also delivered directly to the configured email service.

The Netsurion Open XDR dashboard provides graphical views of events such as blocked and allowed connections, security event summary counts, and geo-location information.

The dashboard also displays IDS-related data, such as the time of possible attacks from unknown or suspicious sources, suspicious URLs and files, SSL flow status, threat name, SHA disposition, source IP address, and the protocol or service used to establish the connection through FTD.

Once Cisco FTD is configured to deliver events to the Netsurion Open XDR Manager, the alerts, dashboards, and reports below can be configured in Netsurion Open XDR.

The following are the key data source integrations available in Netsurion Open XDR for Cisco FTD.

Alerts

Type | Name | Description
Security | Cisco FTD – NGIPS has blocked a suspicious connection | This alert is triggered when the Cisco Firepower NGIPS detects a suspicious connection event.
Security | Cisco FTD – NGIPS has detected a Malware | This alert is triggered when the Cisco Firepower NGIPS reports a file malware event.
Security | Cisco FTD – NGIPS has blocked an intrusion event | This alert is triggered when the Cisco Firepower NGIPS detects an intrusion event and blocks it.
Security | Cisco FTD – Authorization fail detected for admin user | This alert is triggered when a Cisco FTD login fails for the admin user.
Security | Cisco FTD – Authorization fail detected for network user | This alert is triggered when Cisco FTD detects a login failure for a network user.
Security | Cisco FTD – Device console ‘enable’ password incorrect | This alert is triggered when an incorrect password is supplied for the device console ‘enable’ mode.
Security | Cisco FTD – Device console login failed | This alert is triggered by an incorrect or failed login attempt on the FTD console.
Security | Cisco FTD – Intrusion detection event has been detected | This alert is triggered when the IDS engine discovers a potential attack or scan on the network.
Security | Cisco FTD – SSL-VPN invalid client tried to login | This alert is triggered when an invalid or unknown SSL VPN/AnyConnect client tries to log in.
Security | Cisco FTD – SSL-VPN login fail detected | This alert is triggered when the SSL handshake with a remote device fails.
Security | Cisco FTD – User session request with IP options has been discarded | This alert is triggered when an IP packet carrying IP options is seen. Because IP options are considered a security risk, the incoming packet is discarded.
Security | Cisco FTD – User session with possible ARP poisoning in progress | This alert is triggered when the FTD device receives an ARP packet whose MAC address differs from the existing ARP cache entry.
Security | Cisco FTD – User session with possible footprint/port scanning in progress | This alert is triggered when a real IP packet is denied by an ACL. When the event recurs from the same source, it becomes suspicious as a port scan or footprinting attempt.
Security | Cisco FTD – User session with possible IP address spoof detected | This alert is triggered when an attack is in progress in which an adversary attempts to spoof an IP address on an inbound connection.
Security | Cisco FTD – user session with possible spoofing attack in progress | This alert is triggered when the FTD device receives a packet with the same IP address but a different MAC address from one of its uauth entries, or a packet with an exempt MAC address but a different IP address from the corresponding uauth entry.
Security | Cisco FTD – User session with teardrop signature detected | This alert is triggered when the FTD device discards a packet with a teardrop signature, that is, a small fragment offset or overlapping fragments.
Security | Cisco FTD – VPN session failed | This alert is triggered when VPN client authentication fails.
Security | Cisco FTD – WebVPN/AnyConnect session login failed | This alert is triggered when a WebVPN/AnyConnect authentication is rejected.
Operations | Cisco FTD – High memory utilization detected on FTD device | This alert is triggered when the FTD system reports high memory utilization.
Operations | Cisco FTD – Device configuration erased | This alert is triggered when the device configuration is erased by any user.
Operations | Cisco FTD – SSL-VPN unsupported client has been rejected | This alert is triggered when an unsupported AnyConnect client connection is rejected.
Compliance | Cisco FTD – WebVPN/AnyConnect session file access denied | This alert is triggered when file access through a WebVPN/AnyConnect session is denied for any user.
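The port-scan alert in the table above is the one rule that depends on recurrence rather than on a single event: one ACL deny is noise, many denies from one source across many ports is the signal. As an added example (not Netsurion Open XDR or Cisco code), the following Python parses constructed ASA/FTD-style access-group deny messages and flags a source that hits several distinct destination ports within a short window. The hostname, ACL name, timestamp format, and thresholds are assumptions.

```python
"""Correlate repeated ACL-deny syslog messages into a port-scan finding.

Added example; this is not Netsurion Open XDR or Cisco code. The sample log
lines are constructed for illustration, following the layout of the ASA/FTD
106023 access-group deny message; hostname, ACL name, timestamp format and
thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not captured from a real device).
SAMPLE_LOGS = [
    # 203.0.113.7 probes six different ports within 20 seconds: a scan pattern.
    'Jun 12 10:15:01 ftd01 %FTD-4-106023: Deny tcp src outside:203.0.113.7/51234 dst inside:10.0.0.5/21 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Jun 12 10:15:03 ftd01 %FTD-4-106023: Deny tcp src outside:203.0.113.7/51235 dst inside:10.0.0.5/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Jun 12 10:15:05 ftd01 %FTD-4-106023: Deny tcp src outside:203.0.113.7/51236 dst inside:10.0.0.5/23 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Jun 12 10:15:08 ftd01 %FTD-4-106023: Deny tcp src outside:203.0.113.7/51237 dst inside:10.0.0.5/25 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Jun 12 10:15:12 ftd01 %FTD-4-106023: Deny tcp src outside:203.0.113.7/51238 dst inside:10.0.0.5/80 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Jun 12 10:15:20 ftd01 %FTD-4-106023: Deny tcp src outside:203.0.113.7/51239 dst inside:10.0.0.5/443 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    # 198.51.100.9 is denied three times on the same port: repeated, but not a scan.
    'Jun 12 10:16:00 ftd01 %FTD-4-106023: Deny tcp src outside:198.51.100.9/40001 dst inside:10.0.0.7/3389 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Jun 12 10:16:05 ftd01 %FTD-4-106023: Deny tcp src outside:198.51.100.9/40002 dst inside:10.0.0.7/3389 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Jun 12 10:16:10 ftd01 %FTD-4-106023: Deny tcp src outside:198.51.100.9/40003 dst inside:10.0.0.7/3389 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    # 192.0.2.44 touches five ports, but spread over ten minutes (a slow scan).
    'Jun 12 10:20:00 ftd01 %FTD-4-106023: Deny tcp src outside:192.0.2.44/50001 dst inside:10.0.0.9/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Jun 12 10:22:30 ftd01 %FTD-4-106023: Deny tcp src outside:192.0.2.44/50002 dst inside:10.0.0.9/80 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Jun 12 10:25:00 ftd01 %FTD-4-106023: Deny tcp src outside:192.0.2.44/50003 dst inside:10.0.0.9/443 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Jun 12 10:27:30 ftd01 %FTD-4-106023: Deny tcp src outside:192.0.2.44/50004 dst inside:10.0.0.9/8080 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Jun 12 10:30:00 ftd01 %FTD-4-106023: Deny tcp src outside:192.0.2.44/50005 dst inside:10.0.0.9/3306 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    # An unrelated connection-built message, which the parser must ignore.
    'Jun 12 10:15:30 ftd01 %FTD-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.20/40000 (198.51.100.20/40000) to inside:10.0.0.8/443 (10.0.0.8/443)',
]

# Only access-group denies (message 106023) matter for this rule; the
# %ASA/%FTD prefix alternation is an assumption about the device's syslog format.
DENY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %(?:ASA|FTD)-4-106023: "
    r"Deny (?P<proto>\w+) src [^:\s]+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst [^:\s]+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group"
)


def parse_deny(line):
    """Return (timestamp, src_ip, dst_port) for an ACL-deny line, else None."""
    m = DENY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # sample format carries no year
    return ts, m["src"], int(m["dport"])


def detect_port_scans(lines, window_seconds=60, min_ports=5):
    """Flag sources that hit at least `min_ports` distinct destination ports
    within any `window_seconds`-long span of ACL denies."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in lines:
        parsed = parse_deny(line)
        if parsed:
            ts, src, dport = parsed
            events[src].append((ts, dport))

    findings = {}
    for src, evs in events.items():
        evs.sort()
        best = set()
        start = 0
        # Slide a time window over this source's denies, keeping the largest port set.
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            findings[src] = {
                "denies": len(evs),
                "distinct_ports": sorted(best),
                "first_seen": evs[0][0].strftime("%b %d %H:%M:%S"),
                "last_seen": evs[-1][0].strftime("%b %d %H:%M:%S"),
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_port_scans(SAMPLE_LOGS).items():
        print(f"possible port scan from {src}: {info}")
```

With the default 60-second window only 203.0.113.7 is flagged; the host repeatedly denied on one port is not, and the slow scanner 192.0.2.44 only shows up when the window is widened to cover its ten-minute spread, which is the trade-off to tune when this rule is deployed.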

Reports

Type | Name | Description
Security | Cisco FTD – NGIPS (Intrusion Events) | This report summarizes intrusion events detected by Cisco Firepower NGIPS. It includes the date, time, type of exploit, and contextual information about the source of the attack and its target.
Security | Cisco FTD – IDS scanning report | This report summarizes IDS events in which a host is being targeted or attacked. It includes the destination subnet or endpoint IP address and the action performed on the target system.
Security | Cisco FTD – SSLVPN failed connections | This report summarizes failed SSLVPN handshakes. It includes source IP/port, destination IP/port, and the peer type, i.e. ‘client’ or ‘server’.
Security | Cisco FTD – VPN client failed connections | This report summarizes failed VPN client connections. It includes the source IP address and username.
Security | Cisco FTD – WebVPN failed connections | This report is generated when there is a failed login attempt from a WebVPN/AnyConnect client. It includes the user group name, username, and session type, e.g. ‘WebVPN’ or ‘admin’.
Operations | Cisco FTD – NGIPS (Network connection) | This report summarizes network connections at the beginning and end of a session. It includes SSL flow status, access control rule action, URL accessed, etc.
Operations | Cisco FTD – User command execution | This report provides a detailed summary of commands executed by users, such as show config or run diagnostics.
Operations | Cisco FTD – System login success | This report provides a detailed summary of successful user logins to the FTD device. It includes username, source IP/port, destination IP/port, and event timestamp.
Operations | Cisco FTD – Allowed traffic activities | This report provides a detailed summary of allowed traffic connections (TCP, UDP, or ICMP). It includes protocol type, source IP/port, destination IP/port, and event timestamp.
Compliance | Cisco FTD – SSLVPN successful connections | This report provides a detailed summary of successful SSLVPN handshakes with clients. It includes the protocol version used to establish the connection, the peer type, source IP/port, and destination IP/port.
Compliance | Cisco FTD – VPN client successful connections | This report is generated for successful VPN client connections. It includes username and source IP address.
Compliance | Cisco FTD – WebVPN successful connections | This report summarizes successful WebVPN/AnyConnect client connections and sessions. It includes the username, user group name, and source IP address.
Compliance | Cisco FTD – Device configuration changes | This report is generated for configuration changes made on the FTD device by any user. It includes the username, time of command execution, and the actual command that was executed to change the device configuration.
Compliance | Cisco FTD – User privilege changed | This report is generated when a user’s privilege level changes. It includes username, old privilege level, new privilege level, and event timestamp.
Compliance | Cisco FTD – User management | This report provides a detailed summary of user creation in and deletion from the FTD database. It includes the username and the privilege level assigned to that user.
Compliance | Cisco FTD – System login failed | This report provides a detailed summary of failed login attempts on the Cisco FTD device. It includes username, source IP/port, destination IP/port, and event timestamp.
Compliance | Cisco FTD – Traffic activity (TCP denied) | This report provides a detailed summary of denied TCP connections. It includes source IP/port, destination IP/port, and event timestamp.
Compliance | Cisco FTD – Traffic activity (UDP denied) | This report provides a detailed summary of denied UDP connections. It includes source IP/port, destination IP/port, and event timestamp.

Documentation

The configuration details are consistent with Netsurion Open XDR 9.x and later, and Cisco FTD.

Download Integration Guide for configuration instructions and more information.