Cisco Firepower integration overview
Cisco Firepower is a firewall solution that uses real-time contextual awareness to combine advanced threat protection, intrusion prevention and next-generation firewalling in a single integrated platform.
Sophos documentation
Ingested data
Examples of alerts that Sophos can ingest include:
INDICATOR-COMPROMISE
MALWARE-CNC Win.Trojan.Njrat variant outbound connection
INDICATOR-SCAN SSH brute force login attempt
PROTOCOL-SCADA Moxa discovery packet information disclosure attempt
SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt
FILE-PDF TRUFFLEHUNTER TALOS-2017-0505 attack attempt
SQL generic convert injection attempt - GET parameter
Executable Code was Detected
APP-DETECT Steam game URI handler
SERVER-APACHE Apache Struts remote code execution attempt
W32.975C0D48C4.RET.SBX.TG
Full list of ingested alerts
Data ingestion (security alerts): the syslog message must contain a "Message:" or a "ThreatName:" field.
These alert messages are then mapped to version 8 of the MITRE ATT&CK framework.
Data filtering
We only ingest alerts related to security events. The syslog message must contain the "Message:" or the "ThreatName:" field.
See Cisco Secure Firewall Threat Defense: Security Event Syslog Messages.
Threat mapping examples
We define the alert type as follows:
If the "Message" field is present, sanitize it and use it as the alert type. Otherwise, use the "ThreatName" field.
{"alertType": "(ftp_server) FTP traffic encrypted", "threatId": "T1027", "threatName": "Obfuscated Files or Information"}
{"alertType": "PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN", "threatId": "T1046", "threatName": "Network Service Scanning"}
{"alertType": "Misc Activity", "threatId": "TA0043", "threatName": "Reconnaissance"}
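As an added example (not Sophos's or Cisco's own code), the alert-type rule and the mapping examples above applied to constructed Firepower syslog lines: the parser splits the Key: Value pairs, takes Message when present and ThreatName otherwise, and looks the result up in a table built from the three mapping examples. The whitespace sanitisation step, the sample lines and the placeholder SHA256 value are assumptions.

```python
import re

# Constructed sample events in the Cisco FTD "Key: Value, Key: Value" syslog layout
# (field names follow the FTD security-event syslog guide; the values are made up).
SAMPLE_LINES = [
    '%FTD-1-430001: EventPriority: Low, DeviceUUID: 00000000-0000-0000-0000-000000000000, '
    'InstanceID: 1, Protocol: tcp, Message: "(ftp_server) FTP traffic encrypted", '
    'Classification: Protocol Command Decode, User: No Authentication Required, Client: FTP',
    '%FTD-1-430005: EventPriority: High, DeviceUUID: 00000000-0000-0000-0000-000000000000, '
    'SHA256: <placeholder-sha256>, ThreatName: W32.975C0D48C4.RET.SBX.TG, '
    'Disposition: Malware, FileName: sample.exe',
    '%FTD-6-430003: EventPriority: Low, DeviceUUID: 00000000-0000-0000-0000-000000000000, '
    'AccessControlRuleAction: Allow, SrcIP: 10.0.0.5, DstIP: 10.0.0.9, Protocol: tcp',
]

# Alert type -> MITRE ATT&CK v8 entry, taken from the three mapping examples on this page.
ALERT_TO_MITRE = {
    "(ftp_server) FTP traffic encrypted": ("T1027", "Obfuscated Files or Information"),
    "PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN": ("T1046", "Network Service Scanning"),
    "Misc Activity": ("TA0043", "Reconnaissance"),
}

_HEADER_RE = re.compile(r"^.*?%\w+-\d+-\d+:\s*")  # strips the "%FTD-1-430001: " prefix
# One "Key: value" pair; quoted values may contain commas, unquoted ones end at the next ", Key:".
_FIELD_RE = re.compile(r'(\w+):\s*(?:"([^"]*)"|(.*?))(?=\s*,\s*\w+:|\s*$)')

def parse_fields(line):
    """Split a Firepower security-event syslog line into its Key: Value fields."""
    body = _HEADER_RE.sub("", line.strip())
    fields = {}
    for m in _FIELD_RE.finditer(body):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def sanitize(value):
    """Assumed sanitisation (the page does not specify one): trim and collapse whitespace."""
    return " ".join(value.split())

def alert_type(fields):
    """Message wins when present, otherwise ThreatName; None means the event is filtered out."""
    for key in ("Message", "ThreatName"):
        if fields.get(key):
            return sanitize(fields[key])
    return None

def map_to_mitre(line):
    """Return the page's {alertType, threatId, threatName} record, or None for filtered events."""
    kind = alert_type(parse_fields(line))
    if kind is None:
        return None
    threat_id, threat_name = ALERT_TO_MITRE.get(kind, (None, None))
    return {"alertType": kind, "threatId": threat_id, "threatName": threat_name}

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(map_to_mitre(sample))
```

An alert type that is ingested but absent from the table (the ThreatName line above) keeps its alertType with empty MITRE fields, which is the case worth alerting on when the mapping table falls behind new signatures.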