Cisco Firepower Management Center
The IBM QRadar DSM for Cisco Firepower Management Center collects Cisco Firepower Management Center events by using the eStreamer API service.
Cisco Firepower Management Center is formerly known as Cisco FireSIGHT Management Center.
QRadar supports Cisco Firepower Management Center V 5.2 to V 7.1.
Configuration overview
To integrate QRadar with Cisco Firepower Management Center, you must create certificates in the Firepower Management Center interface, and then add the certificates to the QRadar appliances that receive eStreamer event data.
If your deployment includes multiple Cisco Firepower Management Center appliances, copy the certificate of each appliance that sends eStreamer events to a temporary location on the QRadar Event Collector. The certificate allows the Cisco Firepower Management Center appliance and the QRadar Console or QRadar Event Collectors to communicate over the eStreamer API and collect events.
- Create the eStreamer certificate on your Firepower Management Center appliance. For more information about creating eStreamer certificates, see Creating Cisco Firepower Management Center 5.x, 6.x, and 7.x certificates.
- Import a Cisco Firepower Management Center certificate in QRadar. For more information about importing a certificate, see Importing a Cisco Firepower Management Center certificate in QRadar.
- Add a Cisco Firepower Management Center log source on the QRadar Console. For more information about Cisco Firepower Management Center log source parameters, see Cisco Firepower Management Center log source parameters.
Supported event types
- Discovery Events
- Correlation and White List Events
- Impact Flag Alerts
- User Activity
- Malware Events
- File Events
- Connection Events
- Intrusion Events
- Intrusion Event Packet Data
- Intrusion Event Extra Data
Intrusion events that are categorized by the Cisco Firepower Management Center DSM in QRadar use the same QRadar Identifiers (QIDs) as the Snort DSM to ensure that all intrusion events are categorized properly.
Intrusion events in the 1,000,000 - 2,000,000 range are generated by user-defined rules in Cisco Firepower Management Center. Events from user-defined rules are added as Unknown events in QRadar, with additional information that describes the event type. For example, a user-defined event can appear as Unknown:Buffer Overflow for Cisco Firepower Management Center.
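The split described above, between vendor intrusion rules that share Snort QIDs and user-defined rules that surface as Unknown events, is shown in the following added example. It is not code from IBM QRadar or Cisco; the event fields (gid, sid, msg, classification), the name formats and the sample events are assumptions constructed to model the behaviour the text describes, so an analyst can see which local rules will appear as "Unknown:<type>" in QRadar.

```python
# Added example, not code from IBM QRadar or Cisco: a small triage helper that
# separates Firepower intrusion events that QRadar maps onto a Snort QID from
# user-defined rule events that QRadar shows as "Unknown:<type>".
# Assumptions (hypothetical, not QRadar's implementation): each event is a
# dict with Snort-style 'gid', 'sid', 'msg' and 'classification' fields, the
# name formats below are a simplified model of the behaviour the text
# describes, and the sample events at the bottom are constructed.
from collections import Counter
from typing import Dict, List

USER_DEFINED_SID_MIN = 1_000_000  # range given on the page
USER_DEFINED_SID_MAX = 2_000_000


def is_user_defined(sid: int) -> bool:
    """True when the signature ID falls in the user-defined rule range (inclusive)."""
    return USER_DEFINED_SID_MIN <= sid <= USER_DEFINED_SID_MAX


def qradar_event_name(event: Dict) -> str:
    """Model of the event name an analyst would see in QRadar.

    Vendor rules keep their Snort identifier, so they land on the same QIDs as
    the Snort DSM; user-defined rules are shown as Unknown plus the
    classification text that describes the event type.
    """
    if is_user_defined(event["sid"]):
        return f"Unknown:{event['classification']}"
    return f"[{event['gid']}:{event['sid']}] {event['msg']}"


def triage(events: List[Dict]) -> Dict[str, Counter]:
    """Count events per name, split into Snort-mapped and user-defined buckets."""
    report = {"snort_mapped": Counter(), "user_defined": Counter()}
    for ev in events:
        bucket = "user_defined" if is_user_defined(ev["sid"]) else "snort_mapped"
        report[bucket][qradar_event_name(ev)] += 1
    return report


# Constructed sample events (not real Firepower output).
SAMPLE_EVENTS = [
    {"gid": 1, "sid": 12345, "msg": "CONSTRUCTED vendor rule example",
     "classification": "A Network Trojan was Detected"},
    {"gid": 1, "sid": 1_000_001, "msg": "LOCAL custom overflow signature",
     "classification": "Buffer Overflow"},
    {"gid": 1, "sid": 1_000_001, "msg": "LOCAL custom overflow signature",
     "classification": "Buffer Overflow"},
    {"gid": 3, "sid": 2_000_000, "msg": "LOCAL rule at the upper bound",
     "classification": "Attempted User Privilege Gain"},
]

if __name__ == "__main__":
    for bucket, counts in triage(SAMPLE_EVENTS).items():
        print(bucket)
        for name, n in counts.most_common():
            print(f"  {n:3d}  {name}")
```

Running the script over the constructed events reports one Snort-mapped event and three user-defined events, two of them collapsing into a single "Unknown:Buffer Overflow" name; that collapse is the reason custom rules should carry a distinctive classification, since the rule message itself is not part of the QRadar event name in this model.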
Event name | Low level category | Sample log message
---|---|---
User Login Change Event | Computer Account Changed |
User Removed Change Event | User Account Removed |
INTRUSION EVENT EXTRA DATA RECORD | Information |
RUA User record | Information |