Overview of the Cisco Firepower integration

Cisco Firepower is a firewall solution that utilises real-time contextual awareness to combine advanced threat protection, intrusion prevention, and a next-generation firewall into one integrated platform.

Sophos documents

Integrate Cisco Firepower

What we ingest

Sample alerts seen by Sophos:

  • INDICATOR-COMPROMISE
  • MALWARE-CNC Win.Trojan.Njrat variant outbound connection
  • INDICATOR-SCAN SSH brute force login attempt
  • PROTOCOL-SCADA Moxa discovery packet information disclosure attempt
  • SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt
  • FILE-PDF TRUFFLEHUNTER TALOS-2017-0505 attack attempt
  • SQL generic convert injection attempt - GET parameter
  • Executable Code was Detected
  • APP-DETECT Steam game URI handler
  • SERVER-APACHE Apache Struts remote code execution attempt
  • W32.975C0D48C4.RET.SBX.TG

Alerts ingested in full

Sophos ingests security alerts only. Each syslog message must contain a Message: or ThreatName: field.

These alerts are then mapped to version 8 of the MITRE ATT&CK framework.

Filtering

We only ingest alerts that relate to security events. The syslog message must contain the Message: or ThreatName: field; anything else (for example plain connection events) is dropped.

See Cisco Secure Firewall Threat Defense: Security Event Syslog Messages.

Sample threat mappings

We derive the alert type as follows:

If the Message field exists, sanitise it and use it as the alert type. Otherwise use the ThreatName field. The alert type is then looked up to produce the threatId (an ATT&CK technique or tactic ID) and threatName.

{"alertType": "(ftp_server) FTP traffic encrypted", "threatId": "T1027", "threatName": "Obfuscated Files or Information"}
{"alertType": "PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN", "threatId": "T1046", "threatName": "Network Service Scanning"}
{"alertType": "Misc Activity", "threatId": "TA0043", "threatName": "Reconnaissance"}
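The filter and alert-type rules above, applied end to end in Python, as an added example that is not Sophos or Cisco code. The syslog lines are constructed for this example: only the Message and ThreatName fields come from this page; the %FTD-… headers, the other field names, the quoted-value layout and the sanitise step (drop stray quotes, collapse whitespace) are assumptions about the Cisco FTD security event format.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines (not taken from the vendor or Sophos docs).
# They follow a "Key: Value, Key: Value" layout; only Message and ThreatName
# are named on this page, every other field name here is an assumption.
SAMPLE_SYSLOG: List[str] = [
    '%FTD-1-430001: EventPriority: High, SrcIP: 10.0.0.5, DstIP: 10.0.0.9, '
    'Message: "INDICATOR-SCAN SSH brute force login attempt", '
    'Classification: Attempted Administrator Privilege Gain',
    '%FTD-1-430005: EventPriority: High, SrcIP: 10.0.0.7, '
    'ThreatName: W32.975C0D48C4.RET.SBX.TG, FileName: invoice.exe',
    # Connection event: no Message/ThreatName, so the filter must drop it.
    '%FTD-6-430003: EventPriority: Low, SrcIP: 10.0.0.8, DstIP: 93.184.216.34, '
    'DstPort: 443, Protocol: tcp',
    # Padded Message value: shows why the sanitise step matters for the lookup.
    '%FTD-1-430001: EventPriority: Medium, '
    'Message: "  PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN ", '
    'Classification: Attempted Information Leak',
]

# The three sample mappings from this page, keyed on the sanitised alert type.
# A real deployment carries a much larger table.
ATTACK_MAP: Dict[str, Tuple[str, str]] = {
    "(ftp_server) FTP traffic encrypted": ("T1027", "Obfuscated Files or Information"),
    "PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN": ("T1046", "Network Service Scanning"),
    "Misc Activity": ("TA0043", "Reconnaissance"),
}

# One "Key: Value" pair: the value is either double-quoted (and may then
# contain commas) or runs up to the next comma.
_FIELD_RE = re.compile(r'(\w+): (?:"([^"]*)"|([^,]*))')


def parse_ftd_syslog(line: str) -> Dict[str, str]:
    """Split a security event line into its Key: Value fields.

    The leading "%FTD-<sev>-<id>" header is kept under the key "header".
    """
    header, _, body = line.partition(": ")
    fields = {"header": header}
    for key, quoted, bare in _FIELD_RE.findall(body):
        fields[key] = quoted if quoted else bare.strip()
    return fields


def is_security_event(fields: Dict[str, str]) -> bool:
    """Filtering rule from the page: ingest only if Message or ThreatName is present."""
    return "Message" in fields or "ThreatName" in fields


def sanitise(value: str) -> str:
    """Assumed sanitisation: drop stray quotes and collapse whitespace."""
    return re.sub(r"\s+", " ", value.replace('"', "")).strip()


def alert_type(fields: Dict[str, str]) -> Optional[str]:
    """Alert-type rule from the page: sanitised Message if present, else ThreatName."""
    if "Message" in fields:
        return sanitise(fields["Message"])
    return fields.get("ThreatName")


def map_to_attack(alert: str) -> Dict[str, Optional[str]]:
    """Look the alert type up; unmapped alerts keep None for threatId/threatName."""
    threat_id, threat_name = ATTACK_MAP.get(alert, (None, None))
    return {"alertType": alert, "threatId": threat_id, "threatName": threat_name}


def ingest(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Apply the filter, the alert-type rule and the mapping to raw syslog lines."""
    events = []
    for line in lines:
        fields = parse_ftd_syslog(line)
        if not is_security_event(fields):
            continue
        events.append(map_to_attack(alert_type(fields)))
    return events


if __name__ == "__main__":
    for event in ingest(SAMPLE_SYSLOG):
        print(event)
```

Running the block drops the connection event, takes the ThreatName for the malware event because it has no Message field, and maps the padded port-scan message to T1046 only because sanitise() normalised it first; an alert type absent from the table still comes through with its alertType set and a null threatId, which is the case to watch when checking mapping coverage.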

Vendor documentation