...
The document includes the following topics:
...
Types of events
...
MDR Recommendation
...
Pre-requisites
...
Types of events collected by Accenture MDR
Below are the different types of events that Accenture MDR collects from Sourcefire / Cisco Firepower:
...
When a sensor inspects traffic under the deployed access control policy (ACP), it evaluates the access control rules (ACRs) from top to bottom and handles each connection according to the first rule that matches. A connection event is logged only if that matching rule has connection logging enabled. If the rule allows the traffic and has an intrusion policy assigned, the traffic is also sent for intrusion inspection, and any traffic that matches an intrusion rule is detected or blocked as that intrusion policy dictates. If no rule matches, the connection falls to the policy's default action, which applies its own intrusion policy and logging settings.
MDR Recommendation
Our recommendation is to reduce the noise from connection events without losing security value: connection events for internal-to-internal traffic are suppressed, while connection events for traffic crossing the perimeter and every other type of Sourcefire or Cisco Firepower event continue to be collected.
...
Once these rules are in place, Cisco Firepower stops logging connection events only for the excluded traffic; intrusion events and all other event types are still logged by FMC.
Pre-requisites
Before adding the rules in FMC, validate the following conditions:
...
NOTE: The sensor evaluates access control rules from top to bottom, so the new rules should be placed above the existing access control rules in order to log or disable connection events as intended. Because an Allow rule matches every connection that reaches it, also confirm that no existing rule beneath the new internal-to-internal rule is meant to block or inspect that traffic differently; such a rule would be shadowed, so either keep it above the new rule or make the new rule more specific. For existing rules in the Access Control Policy, we recommend disabling connection event logging.
Rules Suggested for Implementation
Note: The rules recommended here do not affect existing Firepower detection: each new rule still applies the intrusion policy and variable set, so intrusion events continue to be generated. Connections on which an intrusion event is raised are still logged regardless of the rule's logging setting, because FMC always logs the end of a connection that is associated with an intrusion, file or malware event.
Internal to Internal rule to exclude
1. On the Access Control Policy, click Add Rule.
...
2. Select Allow from the Action drop-down.
3. Under Networks, add RFC1918 and any network objects or variables that are internal to your organization to both Source Networks and Destination Networks.
...
4. Under Inspection > Intrusion Policy, choose the intrusion policy.
5. Under Inspection > Variable Set, select the variable set created for the sensor or the organization (Objects > Object Management > Variable Set).
...
6. Disable connection events under Logging by unchecking Log at Beginning of Connection, Log at End of Connection and any other logging options that are selected.
...
7. Select Save.
Internal to External rule to collect Connection Events logs: (Recommended)
1. On the Access Control Policy, click Add Rule.
...
2. Select Allow from the Action drop-down.
3. Under Networks, add RFC1918 and any network objects or variables that are internal to your organization to Source Networks.
...
...
4. Under Networks > Geolocations, add all 7 continents to Destination Networks.
...
5. Under Inspection > Intrusion Policy, choose the intrusion policy.
6. Under Inspection > Variable Set, select the variable set created for the sensor or the organization (Objects > Object Management > Variable Set).
...
7. Enable connection event collection under Logging by selecting Log at End of Connection and Event Viewer.
8. Select Save.
...
External to Internal rule to collect Connection Events logs: (Recommended)
1. On the Access Control Policy, click Add Rule.
...
2. Select Allow from the Action drop-down.
3. Under Networks > Geolocations, add all 7 continents to Source Networks.
...
4. Under Networks, add RFC1918 and any network objects or variables that are internal to your organization to Destination Networks.
...
5. Under Inspection > Intrusion Policy, choose the intrusion policy.
6. Under Inspection > Variable Set, select the variable set created for the sensor or the organization (Objects > Object Management > Variable Set).
...
7. Enable connection event collection under Logging by selecting Log at End of Connection and Event Viewer.
8. Select Save.
...
Disable Connection Event Logging on Base policy
1. Click Edit next to the base policy.
...
2. Disable connection events by unchecking Log at Beginning of Connection, Log at End of Connection and any other logging options that are selected.
...
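The three rules above can also be created through the FMC REST API instead of the GUI, which makes the logging settings reviewable as data. The script below is an added example, not code from the original page or from Cisco: it builds the three rule bodies exactly as the steps describe (Allow action, intrusion policy and variable set attached, connection logging off for internal-to-internal and Log at End of Connection plus Event Viewer for the two perimeter rules) and can push them to the top of an access control policy. Field names follow the FMC REST API accessrules resource (action, logBegin, logEnd, sendEventsToFMC, sourceNetworks, destinationNetworks, ipsPolicy, variableSet); every object ID, name and the rule names are placeholders that you must replace with values from your own FMC, and the insertBefore query parameter used to position the rules is an assumption to verify against your FMC version's API explorer.

```python
"""Build the recommended access control rules as FMC REST API bodies.

Added example (not the page's or Cisco's code). All UUIDs and object names are
placeholders: look them up on your FMC via GET .../object/networkgroups,
.../object/continents, .../policy/intrusionpolicies and .../object/variablesets.
"""
import base64
import json
import ssl
import urllib.request

# Placeholder object references (assumption: replace with IDs from your FMC).
RFC1918 = {"type": "NetworkGroup", "id": "RFC1918-UUID",
           "name": "IPv4-Private-All-RFC1918"}
# The page adds all 7 continents as the external side of a perimeter rule.
CONTINENTS = [
    {"type": "Continent", "id": f"Continent-{n}-UUID", "name": name}
    for n, name in enumerate(["Africa", "Antarctica", "Asia", "Europe",
                              "North America", "Oceania", "South America"])
]
IPS_POLICY = {"type": "IntrusionPolicy", "id": "IPS-UUID",
              "name": "Balanced Security and Connectivity"}
VARIABLE_SET = {"type": "VariableSet", "id": "VARSET-UUID",
                "name": "Org-Variable-Set"}


def access_rule(name, src, dst, log_connections):
    """One Allow rule with the intrusion policy and variable set attached.

    log_connections=False reproduces step 6 of the internal-to-internal rule
    (all logging unchecked). True reproduces step 7 of the two perimeter
    rules: Log at End of Connection plus Event Viewer (sendEventsToFMC).
    """
    return {
        "type": "AccessRule",
        "name": name,
        "enabled": True,
        "action": "ALLOW",
        "sourceNetworks": {"objects": list(src)},
        "destinationNetworks": {"objects": list(dst)},
        "ipsPolicy": IPS_POLICY,
        "variableSet": VARIABLE_SET,
        "logBegin": False,
        "logEnd": log_connections,
        "sendEventsToFMC": log_connections,
        "logFiles": False,
    }


def recommended_rules(internal_objects=None):
    """The three rules from the page, in the order they should sit at the top
    of the ACP. internal_objects: extra internal network objects beyond RFC1918."""
    internal = [RFC1918] + list(internal_objects or [])
    return [
        access_rule("MDR-Internal-to-Internal-NoConnLog", internal, internal, False),
        access_rule("MDR-Internal-to-External-ConnLog", internal, CONTINENTS, True),
        access_rule("MDR-External-to-Internal-ConnLog", CONTINENTS, internal, True),
    ]


def connection_logging_enabled(rule):
    """True if the rule would send connection events to FMC's Event Viewer."""
    return bool(rule.get("sendEventsToFMC")) and bool(rule.get("logBegin") or rule.get("logEnd"))


def fmc_create_rules(host, user, password, acp_id, rules, verify_tls=True):
    """Authenticate and insert the rules at the top of the policy.

    Rules are posted in reverse with insertBefore=1 so the final order in the
    ACP matches `rules`. Not executed by the example itself.
    """
    ctx = ssl.create_default_context() if verify_tls else ssl._create_unverified_context()
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/api/fmc_platform/v1/auth/generatetoken",
        method="POST", headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        token = resp.headers["X-auth-access-token"]
        domain = resp.headers["DOMAIN_UUID"]
    url = (f"https://{host}/api/fmc_config/v1/domain/{domain}"
           f"/policy/accesspolicies/{acp_id}/accessrules?insertBefore=1")
    created = []
    for rule in reversed(rules):
        req = urllib.request.Request(
            url, data=json.dumps(rule).encode(), method="POST",
            headers={"Content-Type": "application/json", "X-auth-access-token": token})
        with urllib.request.urlopen(req, context=ctx) as resp:
            created.append(json.load(resp))
    return created


if __name__ == "__main__":
    for r in recommended_rules():
        print(f"{r['name']}: connection logging = {connection_logging_enabled(r)}")
```

Run the script as-is to review the generated bodies before touching an FMC; call `fmc_create_rules()` only after swapping in real object IDs, and re-check the ACP afterwards to confirm the three rules landed above any existing rule they might shadow.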