Cisco Firepower Threat Defense

OverviewResources

Applies To: Cisco Firepower Threat Defense (FTD) | Release 6.3 and later
Note – “File Malware and File events” are available from Cisco Firepower release 6.4 and above

Overview

Cisco Firepower Threat Defense is an integrative software image combining CISCO ASA and Firepower feature into one hardware and software inclusive system.

The Cisco Firepower NGIPS is a next generation intrusion prevention system. It shares a management console with the Cisco firewall offerings, called the Firepower Management Center.

EventTracker, when integrated with Cisco Firepower NGIPS, collects log from Cisco FTD and creates a detailed reports, alerts, dashboards and saved searches. These features of EventTracker helps users to view the critical and important information on a single platform.

Reports will contain details of activities like, IDS events. (which outlines the targeted host and source of attack. Reports also consists of events of activities such as SSLVPN/ VPN/ WebVPN access, user command execution, and system activities.

IPS events include Blocked connections, File and Malware detection summary, Allowed URL’s summary, and many more. It includes information such as, date, time, the type of exploit, and contextual information about the source of the attack and its target.

Alerts are provided as soon as any critical event is triggered by Cisco FTD. With alerts users will be able to get real time occurrences of events such as, possible attack that is will be carried out, SSLVPN/ VPN/ WebVPN login success, failures and logout events.

For IPS event, connection blocked due to malicious entity is discovered by NGIPS engine, alerts are directly sent to their email services.

Visual/graphical representation consists of events such as blocked/ allowed connections, security event summary count, and geo-location information which can be viewed on EventTracker ‘dashboard’.

Dashboard also displays events related to IDS such as the time of possible attacks from unknown or suspicious sources, information about suspicious URLs, Files, SSL Flow Status, threat name, SHA Disposition, source IP address, and Protocol/service used for establishing connection with FTD etc.

Once Cisco FTD is configured to deliver events to EventTracker Manager; alerts, dashboards, and reports can be configured into EventTracker.

Compliance

Alerts

Cisco FTD: WebVPN/AnyConnect session file access denied – This alert is triggered when a file access via a WebVPN/ AnyConnect session is denied for any user.

Reports

Cisco FTD - SSLVPN successful connections – This report generates a detailed summary of successful SSLVPN handshake with client. This includes, the protocol version used to establish connection, along with peer type, source IP/ source port, and destination Ip/ destination port.
Cisco FTD - VPN client successful connections – This report is generated for successful VPN client connections. It includes, username and source IP address.
Cisco FTD - WebVPN successful connections – This report includes a summary of successful WebVPN/AnyConnect client connections/ sessions. This includes the username, user group name, and source IP address.
Cisco FTD - Device configuration changes – This report is generated for the configuration changes on the FTD device by any user. This includes, username, time of command execution, and the actual command that was executed to make any changes in device configuration.
Cisco FTD – User privilege changed – This report is generated when there is a user privilege change. It includes, username, old privilege level, new privilege level and event timestamp.
Cisco FTD – User management – This report generates a detailed summary of event which includes new user creation in FTD database, and user deletion from FTD database. It includes, username and privilege level assigned to that user.
Cisco FTD – System login failed – This report generates a detailed summary of failed login attempt in Cisco FTD device. It includes, username, source IP/ source port, destination IP/ destination port, and event timestamp.
Cisco FTD – Traffic activity (TCP denied) – This report generates a detailed summary of failed TCP connections. It includes, source IP/ source port, destination IP/ destination port, and event timestamp.
Cisco FTD – Traffic activity (UDP denied) – This report generates a detailed summary of failed UDP connections. It includes, source IP/ source port, destination IP/ destination port, and event timestamp.

Operations

Alerts

Cisco FTD: High memory utilization detected on FTD device – This alert is triggered when the FTD system reports high memory utilization.
Cisco FTD: Device configuration erased – This alert is triggered when the device configuration is erased by any user.
Cisco FTD: SSL-VPN unsupported client has been rejected – This alert is triggered when an unsupported AnyConnect client connection is rejected.

Reports

Cisco FTD - NGIPS (Network connection) – This report outlines a summary of network connections at the beginning and at the end of a session. This includes SSL flow status, access control rule action, URL accessed, etc.
Cisco FTD - User command execution – This report provides a detailed summary of commands executed by the user, like show config, or run diagnostics.
Cisco FTD – System login success – This report generates a detailed summary of successful login by a user to FTD device. It includes, username, source IP/ source port, destination IP/ destination port, and event timestamp.
Cisco FTD – Allowed traffic activities – This report generates a detailed summary of allowed traffic connection, like TCP, UDP, or ICMP. It includes, protocol type, source IP/ source port, destination IP/ destination port, and event timestamp.

Security

Alerts

Cisco FTD: NGIPS has blocked a suspicious connection – This alert is triggered when the Cisco Firepower NGIPS detects a suspicious connection event.
Cisco FTD: NGIPS has detected a Malware - This alert is triggered when the Cisco Firepower NGIPS detects a File Malware Event.
Cisco FTD: NGIPS has blocked an intrusion event – This alert is triggered when Cisco Firepower NGIPs detects an intrusion event and blocks it.
Cisco FTD: Authorization fail detected for admin user – This alert is triggered when Cisco FTD login fails for the admin user.
Cisco FTD: Authorization fail detected for network user – This alert is triggered when Cisco FTD detects a login failure for network user.
Cisco FTD: Device console 'enable' password incorrect – This alert is triggered when Cisco FTD receives incorrect credentials for device console that is “enable”.
Cisco FTD: Device console login failed – This alert is triggered when there is an incorrect login attempt or a failed login to FTD to the console.
Cisco FTD: Intrusion detection event has been detected – This alert is triggered when the IDS engine discovers a potential attack/scanning on the network.
Cisco FTD: SSL-VPN invalid client tried to login – This alert is triggered when an invalid/ unknown SSL VPN Client/ AnyConnect client tries to login.
Cisco FTD: SSL-VPN login fail detected – This alert is triggered when the SSL handshake with remote device fails.
Cisco FTD: User session request with IP options has been discarded – This alert is triggered when an IP packet is seen with IP options. Because IP options are considered as security risk, the incoming packet is discarded.
Cisco FTD: User session with possible ARP poisoning in progress – This alert is triggered when the FTD device receives an ARP packet, and the MAC address in the packet differs from the ARP cache entry.
Cisco FTD: User session with possible footprint/port scanning in progress – This alert is triggered when a real IP packet is denied by ACL. When this event is reoccurring, it becomes suspicious for port scanning/ footprint attempt.
Cisco FTD: User session with possible IP address spoof detected – This alert is triggered when there is an attack in progress where an adversary is attempting to spoof an IP address on an inbound connection.
Cisco FTD: user session with possible spoofing attack in progress – This alert is triggered when either FTD device receives a packet with the same IP, but a different MAC address from one of its uauth entries, Or, FTD device receives a packet with exempt MAC address, but a different IP address from the corresponding uauth entry.
Cisco FTD: User session with teardrop signature detected – This alert is triggered when FTD device discards a packet with a teardrop signature containing either a small offset or fragment overlapping.
Cisco FTD: VPN session failed – This alert is triggered when a VPN client authentication fails.
Cisco FTD: WebVPN/AnyConnect session login failed – This alert is triggered when a WebVPN/ AnyConnect authentication is rejected.

Reports

Cisco FTD - NGIPS (Intrusion Events): This report generates a summary of intrusion events as detected by Cisco Firepower NGIPS. It includes, date, time, the type of exploit, and contextual information about the source of the attack and its target.
Cisco FTD - IDS scanning report – This report contains a summary of IDS events when a host is being targeted/ attacked. It includes the destination subnet, or endpoint IP address with action that is being performed on the target system.
Cisco FTD - SSLVPN failed connections – This report has a summary of failed SSLVPN handshakes. This includes source IP/ Source port, destination IP/ destination port, and type of peer type i.e. ‘client’ or ‘server’.
Cisco FTD - VPN client failed connections – This report consists summary of failed VPN client connections. It includes source Ip address and username.
Cisco FTD - WebVPN failed connections – This report is generated when there is a failed login attempt from WebVPN/ AnyConnect client. This includes, the user group name, username, and session type, e.g. ‘WebVPN’ or ‘admin’.

Scope

The configuration details are consistent with EventTracker version 9.x and later, and Cisco FTD release 6.3 and above.

Documentation:

To configure Cisco FTD to send logs to EventTracker, refer to the How-to Guide.

For more information please refer to the Integration guide.