12/14/2021: Cisco Firepower Logs & Incident Generation

Alert Logic Managed Detection & Response customers who utilize Cisco Firepower can connect deployments to and access incidents generated from Cisco Firepower Intrusion Detection (IDS) and Intrusion Prevention (IPS) Systems logs via the Alert Logic console.

Summary incidents covering six initial Cisco Firepower use cases can be auto-escalated to the Alert Logic console to:

• Help save you time by analyzing, aggregating, and summarizing findings
• Provide better insights into Cisco Firepower events
• Inform you about any suggested actions

Cisco Firepower Use Cases

The following use cases will generate incidents from your environments utilizing Cisco Firepower IDS and IPS:

• Infected Traffic Allowed or Blocked - An internal IP address attacker has potentially infected with malware
• Server Attack Traffic Allowed or Blocked - An internal IP address attacker is attacking other systems with service vulnerabilities
• Client-Side Attack Traffic Allowed or Blocked - An internal IP address attacker is attacking other systems with client-side vulnerabilities

Configuration Requirements

If you are already providing Alert Logic with your Cisco Firepower logs, no additional actions are required to begin utilizing the updated experience. 

If you have not yet configured your Cisco Firepower logs to be sent to Alert Logic, complete the following steps to do so:

1. In the Alert Logic console, navigate to (navigation menu) > Configure > Application Registry.
   
2. Select Cisco, and then Cisco Firewall Logs to view the documents needed to configure your environment properly. The information is also available in our Firewall Incidents documentation.
   

Cisco Firepower Incidents

Summary incidents generated by the Cisco Firepower logs are available for review in the Alert Logic console at  > Respond > Incidents > Incident List. In the top right-hand corner of the incident list, search Firepower to see a list of all Cisco Firepower-generated incidents.

Cisco Firepower-generated summary incidents contain the attack summary, a recommended course of actions, evidence, and pre-populated search query links to help provide more insight into the incident.