Cisco Firepower Management Center
The JSA DSM for Cisco Firepower Management Center collects Firepower Management Center events by using the eStreamer API service.
Cisco Firepower Management Center is formerly known as FireSIGHT Management Center.
JSA supports Firepower Management Center version 5.2 to version 6.4.
Configuration Overview
To integrate with Firepower Management Center, you must create certificates in the Firepower Management Center interface, and then add the certificates to the JSA appliances that receive eStreamer event data.
If your deployment includes multiple Firepower Management Center appliances, you must copy the certificate for each appliance that receives eStreamer events. The certificate allows the Firepower Management Center appliance and the JSA console or JSA Event Collectors to communicate by using the eStreamer API to collect events.
To integrate JSA with Firepower Management Center, use the following steps:
Create the eStreamer certificate on your Firepower Management Center appliance. For more information about creating eStreamer certificates, see Creating Cisco Firepower Management Center 5.x and 6.x Certificates.
Import a Cisco Firepower Management Center certificate in JSA. For more information about importing a certificate, see Importing a Cisco Firepower Management Center Certificate to JSA.
Add a Cisco Firepower Management Center log source on the JSA Console. For more information about Cisco Firepower Management Center log source parameters, see Cisco Firepower Management Center Log Source Parameters.
Supported Event Types
JSA supports the following event types from Firepower Management Center:
Discovery Events
Correlation and White List Events
Impact Flag Alerts
User Activity
Malware Events
File Events
Connection Events
Intrusion Events
Intrusion Event Packet Data
Intrusion Event Extra Data
Intrusion events that are categorized by the Cisco Firepower Management Center DSM in JSA use the same JSA Identifiers (QIDs) as the Snort DSM to ensure that all intrusion events are categorized properly.
Intrusion events in the 1,000,000 - 2,000,000 range are user-defined rules in Firepower Management Center. User-defined rules that generate events are added as an Unknown event in JSA, and include additional information that describes the event type. For example, a user-defined event can identify as Unknown:Buffer Overflow for Firepower Management Center.
The following table provides sample event messages for the Cisco Firepower Management Center DSM:
Event name |
Low level category |
Sample log message |
|---|---|---|
User Login Change Event |
Computer Account Changed |
DeviceType=Estreamer DeviceAddress =10.1.1.1 CurrentTime=150774 0597988 netmapId=0 recordTyp e=USER_LOGIN_CHANGE_EVENT record Length=142 timestamp=01 May 201 5 12:13:50 detectionEngineRef= 0 ipAddress=0.0.0.0 MACAddres s=00:00:00:00:00:00 hasIPv6=tru e eventSecond=1430491035 eve ntMicroSecond=0 eventType=USER_ LOGIN_INFORMATION fileNumber=00 000000 filePosition=00000000 ipV6Address=10.1.1.1 userLoginInformation.timestamp= 1430491035 userLoginInformati on.ipv4Address=0.0.0.0 userLog inInformation.userName=username userLoginInformation.userRef=0 userLoginInformation.protocol Ref=710 userLoginInformation.ema il= userLoginInformation.ipv6Ad dress=10.1.1.1 userLoginIn formation.loginType=0 userLogi nInformation.reportedBy=IPAddress" |
User Removed Change Event |
User Account Removed |
DeviceType=Estreamer DeviceAddress =10.1.1.1 CurrentTime=15077 43344985 netmapId=0 recordTyp e=USER_REMOVED_CHANGE_EVENT reco rdLength=191 timestamp=21 Sep 201 7 14:53:14 detectionEngineRef= 0 ipAddress=IPAddress MACAddress =00:00:00:00:00:00 hasIPv6=tru e eventSecond=1506016392 event MicroSecond=450775 eventType=DELE TE_USER_IDENTITY fileNumber=0000 0000 filePosition=00000000 ip V6Address=0:0:0:0:0:0:0:0 userIn formation.id=1 userInformatio n.userName=username userInformat ion.protocol=710 userInformation .firstName=firstname userInformation .lastName=lastname userInformation .email=EmailAddress userInformation.department=R esearch userInformation.phone =000-000-0000 |
INTRUSION EVENT EXTRA DATA RECORD |
Information |
DeviceType=Estreamer DeviceAddress =10.1.1.1 CurrentTime=150774 0690263 netmapId=0 recordType= INTRUSION_EVENT_EXTRA_DATA_RECORD r ecordLength=49 timestamp=01 May 20 15 15:32:53 eventExtraData.eventId= 393275 eventExtraData.eventSecond= 1430505172 eventExtraData.managed Device.managedDeviceId=6 eventExtr aData.managedDevice.name=manageddevic e.dcloud.cisco.com eventExtraData .extraDataType.eventExtraDataType.ty pe=10 eventExtraData.extraDataTyp e.eventExtraDataType.name=HTTP Hostn ame eventExtraData.extraDataType .eventExtraDataType.encoding=String eventExtraData.extraData=www.ho medepot.com |
RUA User record |
Information |
DeviceType=Estreamer DeviceAddress =10.1.1.1 CurrentTime=15077 40603372 netmapId=0 recordTyp e=RUA_USER_RECORD recordLength= 21 timestamp=11 Oct 2017 13:50: 02 userRef=2883 protocolRef= 710 userName=UserName |
Creating Cisco Firepower Management Center 5.x and 6.x Certificates
JSA requires a certificate for every FireSIGHT Management Center appliance in your deployment. Certificates are generated in pkcs12 format and must be converted to a keystore and a truststore file, which are usable by JSA appliances.
Log in to your Firepower Management Center interface.
If you are using version 5.x, select System >Local >Registration.
If you are using version 6.x, select System >Integration.
Click the eStreamer tab.
Select the types of events that you want Firepower Management Center to send to JSA, and then click Save.
The following image lists the types of events that Firepower Management Center sends to JSA.
Figure 1: Firepower Management Center EStreamer Event Configuration
Click Create Client in the upper right side of the window.
In the Hostname field, type the IP address or host name, depending on which of the following conditions applies to your environments.
If you use a JSA console or you use a JSA All-in-One appliance to collect eStreamer events, type the IP address or host name of your JSA console.
If you use a JSA Event Collector to collect eStreamer events, type the IP address or host name for the Event Collector.
If you use JSA High Availability (HA), type the virtual IP address.
In the Password field, type a password for your certificate. If you choose to provide a password, the password is required to import the certificate.
Click Save.
The new client is added to the eStreamer Client list and the host can communicate with the eStreamer API on port 8302.
Click Download Certificate for your host to save the pkcs12 certificate to a file location.
Click OK to download the file.
You are now ready to import your Firepower Management Center certificate to your JSA appliance.
Importing a Cisco Firepower Management Center Certificate to JSA
The estreamer-cert-import.pl script for JSA converts your pkcs12 certificate file to a keystore and truststore file and places the certificates in the proper directory on your JSA appliance. Repeat this procedure for each Sourcefire Defense Center pcks12 certificate you need to import to your JSA Console or Event Collector.
You must have root or su - root privileges to run the estreamer-cert-import.pl import script.
The estreamer-cert-import.pl script is stored on your JSA appliance when you install the Firepower Management Center protocol.
The script converts and imports one pkcs12 file at a time. You are required only to import a certificate for the JSA appliance that manages the Firepower Management Center log source. For example, after the Firepower Management Center event is categorized and normalized by an Event Collector in a JSA deployment, it is forwarded to the JSA Console. In this scenario, you would import a certificate to the Event Collector.
When you import a new certificate, existing Firepower Management Center certificates on the JSA appliance are renamed to estreamer.keystore.old and estreamer.truststore.old.
Log in to your JSA Console or Event Collector as the root user.
Copy the pkcs12 certificate from your Firepower Management Center appliance to the following directory:
/opt/qradar/bin/
To import your pkcs12 file, type the following command and any extra parameters:
/opt/qradar/bin/estreamer-cert-import.pl -f pkcs12_file_name options
The -f parameter is required. All other parameters that are described in the following table are optional.
Extra parameters are described in the following table:
Parameter
Description
-f
Identifies the file name of the pkcs12 files to import.
-o
Overrides the default Estreamer name for the keystore and truststore files. Use the -o parameter when you integrate multiple Firepower Management Center devices. For example, /
opt/qradar/bin/estreamer-cert-import.pl -f <file name> -o 192.168.1.100The import script creates the following files:
/opt/qradar/conf/192.168.0.100.keystore
/opt/qradar/conf/192.168.0.100.truststore
-d
Enables verbose mode for the import script. Verbose mode is intended to display error messages for troubleshooting purposes when pkcs12 files fail to import properly.
-p
Specifies a password if a password was accidentally provided when you generated the pkcs12 file.
-v
Displays the version information for the import script.
-h
Displays a help message on using the import script.
The import script displays the location where the import files were copied.
Cisco Firepower Management Center Log Source Parameters
When you add a Cisco Firepower Management Center log source on the JSA Console by using the Cisco Firepower eStreamer protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect Cisco Firepower Management Center events from the eStreamer API service.
Parameter |
Value |
|---|---|
Log Source type |
Cisco Firepower Management Center |
Protocol Configuration |
Cisco Firepower eStreamer |