Cisco Firepower Management Center

The IBM® QRadar® DSM for Cisco Firepower Management Center collects Cisco Firepower Management Center events by using the eStreamer API service.

Cisco Firepower Management Center is formerly known as Cisco FireSIGHT Management Center.

QRadar supports Cisco Firepower Management Center V5.2 to V6.4.

Configuration overview

To integrate QRadar with Cisco Firepower Management Center, you must create certificates in the Firepower Management Center interface, and then add the certificates to the QRadar appliances that receive eStreamer event data.

If your deployment includes multiple Cisco Firepower Management Center appliances, you must copy the certificate for each appliance that sends eStreamer events to any temporary location on the QRadar Event Collector. The certificate allows the Cisco Firepower Management Center appliance and the QRadar Console or QRadar Event Collectors to communicate by using the eStreamer API to collect events.

To integrate QRadar with Cisco Firepower Management Center, complete the following steps:
  1. Create the eStreamer certificate on your Firepower Management Center appliance. For more information about creating eStreamer certificates, see Creating Cisco Firepower Management Center 5.x and 6.x certificates.
  2. Import a Cisco Firepower Management Center certificate in QRadar. For more information about importing a certificate, see Importing a Cisco Firepower Management Center certificate in QRadar.
  3. Add a Cisco Firepower Management Center log source on the QRadar Console. For more information about Cisco Firepower Management Center log source parameters, see Cisco Firepower Management Center log source parameters.

Supported event types

QRadar supports the following event types from Cisco Firepower Management Center:
  • Discovery Events
  • Correlation and White List Events
  • Impact Flag Alerts
  • User Activity
  • Malware Events
  • File Events
  • Connection Events
  • Intrusion Events
  • Intrusion Event Packet Data
  • Intrusion Event Extra Data

    Intrusion events that are categorized by the Cisco Firepower Management Center DSM in QRadar use the same QRadar Identifiers (QIDs) as the Snort DSM to ensure that all intrusion events are categorized properly.

    Intrusion events in the 1,000,000 - 2,000,000 range are user-defined rules in Cisco Firepower Management Center. User-defined rules that generate events are added as an Unknown event in QRadar, and include additional information that describes the event type. For example, a user-defined event can identify as Unknown:Buffer Overflow for Cisco Firepower Management Center.

The following table provides sample event messages for the Cisco Firepower Management Center DSM:
Table 1. Cisco Firepower Management Center sample messages supported by the Cisco Firepower Management Center device.

Event name: User Login Change Event
Low level category: Computer Account Changed
Sample log message:
DeviceType=Estreamer DeviceAddress=<IP_address> CurrentTime=1507740597988 netmapId=0 recordType=USER_LOGIN_CHANGE_EVENT recordLength=142 timestamp=01 May 2015 12:13:50 detectionEngineRef=0 ipAddress=<IP_address> MACAddress=<MAC_address> hasIPv6=true eventSecond=1430491035 eventMicroSecond=0 eventType=USER_LOGIN_INFORMATION fileNumber=00000000 filePosition=00000000 ipV6Address=<IPv6_address> userLoginInformation.timestamp=1430491035 userLoginInformation.ipv4Address=<IP_address> userLoginInformation.userName=username userLoginInformation.userRef=0 userLoginInformation.protocolRef=710 userLoginInformation.email= userLoginInformation.ipv6Address=<IP_address> userLoginInformation.loginType=0 userLoginInformation.reportedBy=IPAddress

Event name: User Removed Change Event
Low level category: User Account Removed
Sample log message:
DeviceType=Estreamer DeviceAddress=<IP_address> CurrentTime=1507743344985 netmapId=0 recordType=USER_REMOVED_CHANGE_EVENT recordLength=191 timestamp=21 Sep 2017 14:53:14 detectionEngineRef=0 ipAddress=<IP_address> MACAddress=<MAC_address> hasIPv6=true eventSecond=1506016392 eventMicroSecond=450775 eventType=DELETE_USER_IDENTITY fileNumber=00000000 filePosition=00000000 ipV6Address=<IPv6_address> userInformation.id=1 userInformation.userName=username userInformation.protocol=710 userInformation.firstName=firstname userInformation.lastName=lastname userInformation.email=EmailAddress userInformation.department=Research userInformation.phone=000-000-0000

Event name: INTRUSION EVENT EXTRA DATA RECORD
Low level category: Information
Sample log message:
DeviceType=Estreamer DeviceAddress=<IP_address> CurrentTime=1507740690263 netmapId=0 recordType=INTRUSION_EVENT_EXTRA_DATA_RECORD recordLength=49 timestamp=01 May 2015 15:32:53 eventExtraData.eventId=393275 eventExtraData.eventSecond=1430505172 eventExtraData.managedDevice.managedDeviceId=6 eventExtraData.managedDevice.name=manageddevice.<Server>.example.com eventExtraData.extraDataType.eventExtraDataType.type=10 eventExtraData.extraDataType.eventExtraDataType.name=HTTP Hostname eventExtraData.extraDataType.eventExtraDataType.encoding=String eventExtraData.extraData=www.example.com

Event name: RUA User record
Low level category: Information
Sample log message:
DeviceType=Estreamer DeviceAddress=<IP_address> CurrentTime=1507740603372 netmapId=0 recordType=RUA_USER_RECORD recordLength=21 timestamp=11 Oct 2017 13:50:02 userRef=2883 protocolRef=710 userName=UserName
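The sample messages in Table 1 are flat key=value lists in which a value can itself contain spaces (timestamp=01 May 2015 12:13:50, name=HTTP Hostname) or be empty (email=). The following parser is an added example, not QRadar or Cisco code; it assumes fields are separated by whitespace as the table shows, uses a constructed message built from the table's first row, and applies the 1,000,000 - 2,000,000 user-defined rule range from the note on intrusion events.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of Table 1 (shortened); the <...>
# placeholders stand in for real addresses exactly as the table shows them.
SAMPLE = (
    "DeviceType=Estreamer DeviceAddress=<IP_address> CurrentTime=1507740597988 "
    "netmapId=0 recordType=USER_LOGIN_CHANGE_EVENT recordLength=142 "
    "timestamp=01 May 2015 12:13:50 detectionEngineRef=0 ipAddress=<IP_address> "
    "MACAddress=<MAC_address> hasIPv6=true eventSecond=1430491035 "
    "eventMicroSecond=0 eventType=USER_LOGIN_INFORMATION "
    "userLoginInformation.email= userLoginInformation.userName=username "
    "userLoginInformation.reportedBy=IPAddress"
)

# A token starts a new field only when it looks like "key=" (dotted keys such
# as userLoginInformation.email are allowed); any other token belongs to the
# value of the most recent key, which is how multi-word values are recovered.
KEY_TOKEN = re.compile(r"^[A-Za-z][\w.]*=")


def parse_estreamer_message(msg):
    """Split a whitespace-separated key=value message into a dict of strings."""
    fields = {}
    current = None
    for token in msg.split():
        if KEY_TOKEN.match(token):
            current, _, value = token.partition("=")
            fields[current] = value          # may be "" for fields like email=
        elif current is not None:
            fields[current] = (fields[current] + " " + token).strip()
    return fields


def event_time_utc(fields):
    """Combine eventSecond and eventMicroSecond into a timezone-aware datetime."""
    sec = int(fields["eventSecond"])
    usec = int(fields.get("eventMicroSecond", "0"))
    return datetime.fromtimestamp(sec, tz=timezone.utc).replace(microsecond=usec)


def is_user_defined_rule(rule_id):
    """True for rule IDs in the range the note above describes as user-defined."""
    return 1_000_000 <= int(rule_id) <= 2_000_000
```

The eventSecond value is an epoch time, so the parsed record can be compared against the human-readable timestamp field to spot time-zone offsets between the appliance and the collector.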