Cisco Firepower Threat Defense

The IBM QRadar DSM for Cisco Firepower Threat Defense (FTD) collects syslog events from a Cisco Firepower Threat Defense appliance. The syslog events that are collected by the Cisco Firepower Threat Defense DSM were previously collected by the Cisco Firepower Management Center DSM.

QRadar collects the following event types from Cisco Firepower Threat Defense appliances:
  • Device health and network-related logs from FTD devices
  • Connection, security intelligence, and intrusion logs from FTD devices
  • Logs for file and malware events
For more information about syslog message types for Cisco Firepower Threat Defense, see Firepower Syslog Message Types (https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/analyze_events_using_external_tools.html#id_85461) on the Cisco website.
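Before adding the log source, it helps to confirm that the appliance is actually forwarding all three event classes listed above. The following Python script is an added example, not part of this DSM or of IBM's documentation: it reads raw FTD syslog lines, splits them by the %FTD header, and sorts them into the three classes. The message ID mapping (430001 intrusion, 430002/430003 connection with security intelligence fields, 430004/430005 file and malware, everything else device/network-level) is taken from the Cisco syslog message reference linked above; the sample lines, host name and addresses are constructed.

```python
import re
from typing import Dict, Optional

# FTD syslog header: %FTD-<severity 0-7>-<six-digit message id>: <body>
HEADER = re.compile(r"%FTD-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<body>.*)$")

# Snort-side message IDs per Cisco's Firepower syslog reference; any other
# %FTD message ID is a device health / network (Lina-side) message.
SNORT_IDS = {
    "430001": "intrusion",
    "430002": "connection",   # connection start, also carries SI fields
    "430003": "connection",   # connection end
    "430004": "file",
    "430005": "malware",
}

def classify(msgid: str) -> str:
    """Map a message ID onto the three event classes the DSM collects."""
    kind = SNORT_IDS.get(msgid)
    if kind is None:
        return "device-health/network"
    if kind in ("intrusion", "connection"):
        return "connection/security-intelligence/intrusion"
    return "file/malware"

def parse_fields(body: str) -> Dict[str, str]:
    """Snort-side events use a 'Key: Value, Key: Value' body layout."""
    fields: Dict[str, str] = {}
    for part in body.split(", "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return severity, message ID, class and parsed body; None if not FTD."""
    m = HEADER.search(line)
    if not m:
        return None
    msgid = m.group("msgid")
    event: Dict[str, object] = {"severity": int(m.group("sev")), "msgid": msgid,
                                "category": classify(msgid)}
    if msgid in SNORT_IDS:
        event["fields"] = parse_fields(m.group("body"))
    else:
        event["text"] = m.group("body")
    return event

def summarize(lines) -> Dict[str, int]:
    """Count lines per event class so a missing class is obvious at a glance."""
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_line(line)
        key = str(ev["category"]) if ev else "unparsed"
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample lines (hypothetical host "ftd01", documentation addresses)
SAMPLE = [
    "<166>Jan 10 12:00:00 ftd01 %FTD-6-302013: Built outbound TCP connection 12 for outside:198.51.100.5/443 (198.51.100.5/443) to inside:10.0.0.7/51234 (10.0.0.7/51234)",
    "<166>Jan 10 12:00:01 ftd01 %FTD-6-430003: EventPriority: Low, ConnectionID: 12, SrcIP: 10.0.0.7, DstIP: 198.51.100.5, SrcPort: 51234, DstPort: 443, Protocol: tcp, AccessControlRuleAction: Allow",
    "<164>Jan 10 12:00:02 ftd01 %FTD-4-430005: EventPriority: High, SrcIP: 10.0.0.7, DstIP: 198.51.100.5, FileName: sample.bin, Disposition: Malware",
    "some unrelated line that is not an FTD message",
]
```

Feed it a capture taken on the QRadar Console (for example, a short `tcpdump` of UDP 514 decoded to text) and an empty class in the `summarize()` output shows which logging category still needs enabling on the FTD side.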
To integrate Cisco Firepower Threat Defense with QRadar, complete the following steps:
  1. If automatic updates are not enabled, RPMs are available for download from the IBM® support website (http://www.ibm.com/support). Download and install the most recent version of the following RPMs on your QRadar Console:
    • DSM Common RPM
    • Cisco Firepower Threat Defense DSM RPM
    • Cisco Firewall Devices DSM RPM
  2. Configure your Cisco Firepower Threat Defense device to send events to QRadar. For more information, see Configuring Cisco Firepower Threat Defense to communicate with QRadar®.
  3. If QRadar does not automatically detect the log source, add a Cisco Firepower Threat Defense log source on the QRadar Console.