Cisco Firepower Dashboard for QRadar
Operations Guide
August 20, 2017
Version 1.1
Cisco Systems, Inc. Corporate Headquarters, 170 West Tasman Drive, San Jose, CA 95134-1706 USA, http://www.cisco.com, Tel: 408 526-4000, Toll Free: 800 553-NETS (6387), Fax: 408 526-4100
Cisco Confidential. All printed copies and duplicate soft copies are considered uncontrolled and the original online version should be referred to for the latest version.
1.1 Document Purpose
The purpose of this document is to outline the operation of the Cisco Firepower Dashboard for QRadar and to assist users with its installation and use.
1.2 Application Summary
IBM QRadar consolidates log source event data from thousands of device endpoints and applications distributed throughout a network. Cisco Firepower Management Center (FMC) is the administrative nerve center for managing critical Cisco network security solutions. By configuring Cisco FMC to deliver log events to QRadar, it is possible to leverage QRadar to provide deep insight into network security. The Cisco Firepower Dashboard for QRadar provides data visualization for malware and intrusion events collected by Cisco FMC.
2 Operations
2.1 Prerequisite
The Cisco Firepower Dashboard for QRadar requires IBM QRadar version 7.2.6 or higher.
2.2 Installation The Cisco Firepower Dashboard for QRadar is available from the IBM Security App Exchange at:
https://exchange.xforce.ibmcloud.com/hub
2.3 Configuration
Configuration has two parts: create an eStreamer client certificate on the FMC (2.3.1), then import it on QRadar and configure a log source that uses it (2.3.2 and 2.3.3).
2.3.1 FMC eStreamer Certificate Creation
Steps to generate an eStreamer client certificate are as follows.
• Navigate to the web interface of the FMC (https://fmc-ip-address) and log in with your FMC credentials.
• In the FMC 6.x GUI, navigate to System > Integration > eStreamer.
Figure 1: FMC eStreamer Certificate Creation
• Click Create Client. Provide the Hostname and password.
Note: The Hostname should be the IP address of the client that will collect the event data from the FMC, that is, the QRadar Console or Event Collector. The password protects the pkcs12 file that the FMC generates; keep it, because the file cannot be opened without it when it is imported on the QRadar side.
Please note that the IP address you enter here must be the IP address of the eStreamer-eNcore client from the perspective of the FMC. In other words, if the client is behind a NAT device, then the IP address must be that of the upstream NAT interface.
Figure 2: Create Client Hostname and Password Screen
Click Save.
Figure 3: Create Client Save Screen
Download the pkcs12 file.
Figure 4: Download Screen
Copy the pkcs12 file to the desired location on the target device (the QRadar Console or Event Collector). The file contains the client's private key, so transfer it over an authenticated channel such as scp and delete any copies left on workstations once the import in section 2.3.2 has succeeded.
2.3.2 QRadar Configuration
• Log in to your QRadar Console or Event Collector as the root user.
• Copy the pkcs12 certificate from your FireSIGHT Management Center appliance to the following directory:
• To import your pkcs12 file, type the following command and any extra parameters:

Parameter   Description
-f          Identifies the file name of the pkcs12 file to import.
-o          Overrides the default Estreamer name for the keystore and truststore files. Use the -o parameter when you integrate multiple FireSIGHT Management Center devices.

For example: /opt/qradar/bin/estreamer-cert-import.pl -f <file name> -o 192.168.1.100

The import script creates the following files:

Note the keystore and truststore file names the script reports; the log source configuration in section 2.3.3 must point at exactly those files.
2.3.3 Configuring a log source for Cisco FireSIGHT Management Center events
You must configure a log source manually because QRadar® does not automatically discover Cisco FireSIGHT Management Center events.
• Log in to QRadar.
• Click the Admin tab.
• On the navigation menu, click Data Sources.
• Click the Log Sources icon.
• Click Add.
• From the Log Source Type list, select Cisco FireSIGHT Management Center.
• From the Protocol Configuration list, select Cisco Firepower eStreamer.
• Fill in the eStreamer connection details: the FMC address, the eStreamer port (8302 by default; see section 3.1), and the keystore and truststore files created by the import script in section 2.3.2.
• Click Save.
• Deploy the configuration. After changing a log source, deploy the full configuration (see section 3.1).
• Check the Log Activity tab; events from the FMC should begin to arrive.
2.4 Cisco Support Please contact [email protected] for support requests and troubleshooting.
3 Troubleshooting
3.1 Connection refused on deploying log source configuration
If you see this error, check the following:
1. The keystore and truststore paths in the log source configuration match the files created by the import script (section 2.3.2).
2. The port in the log source configuration is correct.
3. Port 8302 is open on the network between QRadar and the FMC. QRadar initiates the connection, so the path must be open from the QRadar Console or Event Collector to the FMC, not the other way round.
4. You deployed the "full configuration" after making changes to the log source.
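The following script is an added example and is not part of the Cisco guide or of the QRadar product. It wraps the pkcs12 import from section 2.3.2 with the checks a practitioner would want before and after it, and turns the checklist above into something that can be run from a root shell on the QRadar Console or Event Collector. It assumes that the keystore and truststore paths reported by the import script are passed in as arguments (the /opt/qradar/conf/... paths and the client.pkcs12 file name in the trailing comment are illustrative assumptions, not values from the guide) and that either nc or bash is available for the port check.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): pre-flight checks for the pkcs12
# import in section 2.3.2 and the "connection refused" checklist in section 3.1.
# Run as root on the QRadar Console or Event Collector. Keystore/truststore
# paths are whatever /opt/qradar/bin/estreamer-cert-import.pl reports; they are
# passed in as arguments because the guide does not reproduce them.

# A PKCS#12 file is DER-encoded ASN.1 and begins with a SEQUENCE tag (0x30),
# which is also the ASCII character "0". A file beginning with anything else
# ("<html>" from a broken download, a PEM "-----BEGIN" header) will not import.
# This is a cheap sanity check, not a validation; use openssl for the latter.
looks_like_pkcs12() {
  f=$1
  [ -s "$f" ] || return 1
  [ "$(head -c 1 "$f")" = "0" ]
}

# The keystore holds the client private key, so every store must exist, be
# non-empty and not be world-readable (column 8 of ls -l is "r" when "others"
# may read the file). Returns 0 only when every path passes.
stores_ok() {
  rc=0
  for f in "$@"; do
    if [ ! -s "$f" ]; then
      echo "missing or empty: $f" >&2; rc=1
    elif [ "$(ls -ld "$f" | cut -c8)" != "-" ]; then
      echo "world-readable: $f (chmod o-rwx it)" >&2; rc=1
    fi
  done
  return $rc
}

# QRadar initiates the TCP connection to the FMC, which listens on 8302 by
# default (section 3.1), so reachability must be tested from the QRadar host.
# Uses nc when present, otherwise bash's /dev/tcp with a 3 s timeout.
fmc_port_reachable() {
  host=$1; port=${2:-8302}
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 3 "$host" "$port" >/dev/null 2>&1
  else
    timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
  fi
}

# Import the pkcs12 as in section 2.3.2 after validating the file. The -o name
# is optional; the guide uses the FMC IP when several FMCs are integrated.
import_fmc_cert() {
  p12=$1; name=$2
  looks_like_pkcs12 "$p12" || { echo "not a DER pkcs12 file: $p12" >&2; return 1; }
  if [ -n "$name" ]; then
    /opt/qradar/bin/estreamer-cert-import.pl -f "$p12" -o "$name"
  else
    /opt/qradar/bin/estreamer-cert-import.pl -f "$p12"
  fi
}

# Walk the section 3.1 checklist: stores present and protected, FMC port open.
# Prints one line per finding and returns 0 only when all checks pass.
estreamer_preflight() {
  host=$1; port=$2; keystore=$3; truststore=$4
  ok=1
  stores_ok "$keystore" "$truststore" || ok=0
  if fmc_port_reachable "$host" "$port"; then
    echo "ok: $host:$port reachable from this host"
  else
    echo "fail: $host:$port not reachable (firewall, wrong port, or FMC down)" >&2
    ok=0
  fi
  [ "$ok" -eq 1 ]
}

# Example invocation (hypothetical file names and address, not from the guide):
# import_fmc_cert /root/client.pkcs12 192.168.1.100
# estreamer_preflight 192.168.1.100 8302 \
#   /opt/qradar/conf/192.168.1.100.keystore /opt/qradar/conf/192.168.1.100.truststore
```

Run import_fmc_cert first and copy the file names it prints into the log source configuration; run estreamer_preflight after deploying the log source to separate a firewall or port problem (item 3 of the checklist) from a wrong keystore or truststore path (item 1) before looking further.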
4 Appendix A: Acronym Listing
Term Definition
FMC Cisco Firepower Management Center