This guide helps Accenture MDR customers reduce the volume of non-security events (Connection Events) generated by Sourcefire or Cisco Firepower. The recommended logging configuration filters out only Internal to Internal connection events; intrusion events detected by Sourcefire will still be collected by our Log Collection Platform (LCP).
The document includes the following topics:
Types of events
MDR Recommendation
Pre-requisites
Rules suggested for Implementation
Types of events collected by Accenture MDR
Below are the different types of events collected by Accenture MDR from Sourcefire or Cisco Firepower:
Connection Events -> Logged for every connection on the network segments monitored by the sensor. The Access Control Policy (ACP) lets connection events be logged at the beginning of a connection, at the end of a connection, or both; connection events are logged for whichever network ranges or variable sets are defined in the ACP.
Security Intelligence Events -> Logged when a connection matches a known blacklist from the Security Intelligence feature.
Intrusion Events -> Generated when traffic is inspected for intrusions or exploits. These events fire based on the intrusion policy enabled on the sensor; the policy examines traffic for attack patterns and can block or alert on malicious traffic.
Malware Events -> Require a separate malware license. Detect or block malicious files such as PDFs, documents and others.
How Connection Events Are Logged by Firepower
When the sensor analyzes traffic as part of the deployed ACP, a connection event is logged only when the traffic matches an Access Control Rule (ACR) in the ACP. The traffic is also sent for inspection, and if it matches an intrusion rule the sensor detects or blocks it according to the deployed intrusion policy. If no ACR matches, evaluation continues down the policy until a rule matches; otherwise the traffic is inspected and logged according to the default intrusion policy.
MDR Recommendation
Our recommendation is to reduce noise from connection events without losing any security value from the other event types collected from Sourcefire or Cisco Firepower.
Disabling connection events with the rules below does not mean that the traffic is completely whitelisted or that security value from the Firepower device is lost: the traffic is still inspected by the deployed intrusion policy or the default policy, and any intrusion detected by the sensor is still collected by MDR for correlation and security incident generation.
Once these rules are implemented, only the connection events will no longer be logged by Cisco Firepower; intrusion events will still be logged by FMC.
Pre-requisites
Before adding the rules in FMC, validate the following conditions:
Ensure a valid variable set is defined (HOME_NET and EXTERNAL_NET) (Objects > Object Management > Variable Set > edit the variable set created for the Org).
The VDB, Geolocation database and SRUs must be updated for proper Firepower detection.
NOTE: The sensor evaluates rules from top to bottom, so add the new rules above the existing access control rules to log or disable connection events. If there are existing rules in the Access Control Policy, we recommend disabling Connection Event Logging on them.
Rules Suggested for Implementation
Note: The rules recommended here have no impact on existing Firepower detection.
Internal to Internal rule to exclude Connection Event logs (Mandatory)
1. On the Access Control Policy, click Add Rule.
2. Select Allow from the Action drop-down box.
3. Under Networks, add RFC1918 and any network variables that are internal to your organization to both Source Networks and Destination Networks.
4. Choose an intrusion policy under Inspection > Intrusion Policy.
5. Choose the variable set under Inspection > Variable Set; select the variable set created for the sensor or Org (Objects > Object Management > Variable Set).
6. Disable connection events by selecting Logging and unchecking Log at End of Connection, Log at Beginning of Connection and any other options that are selected.
7. Select Save.
Internal to External rule to collect Connection Event logs (Recommended)
1. On the Access Control Policy, click Add Rule.
2. Select Allow from the Action drop-down box.
3. Under Networks, add RFC1918 and any network variables that are internal to your organization to Source Networks.
4. Add all 7 Geolocations by navigating to Networks > Geolocations and adding all 7 continents under Destination Networks.
5. Choose an intrusion policy under Inspection > Intrusion Policy.
6. Choose the variable set under Inspection > Variable Set; select the variable set created for the sensor or Org (Objects > Object Management > Variable Set).
7. Enable connection event log collection by selecting Logging and checking Log at End of Connection and Event Viewer.
8. Select Save.
External to Internal rule to collect Connection Event logs (Recommended)
1. On the Access Control Policy, click Add Rule.
2. Select Allow from the Action drop-down box.
3. Under Networks, add all 7 Geolocations by navigating to Networks > Geolocations and adding all 7 continents under Source Networks.
4. Under Networks, add RFC1918 and any network variables that are internal to your organization to Destination Networks.
5. Choose an intrusion policy by navigating to Inspection > Intrusion Policy.
6. Choose the variable set by navigating to Inspection > Variable Set; select the variable set created for the sensor or Org (Objects > Object Management > Variable Set).
7. Enable connection event log collection by selecting Logging and checking Log at End of Connection and Event Viewer.
8. Select Save.
Disable Connection Event Logging on the Base Policy
1. Click Edit next to the base policy.
2. Disable connection events by unchecking Log at End of Connection, Log at Beginning of Connection and any other options that are selected.
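To check what the four rules above will do before deploying them, the following added example (not part of this guide and not Firepower's own code) models the ACP as an ordered list and evaluates sample connections top to bottom, reporting which rule matches, whether a connection event is logged, and that every flow is still inspected. It assumes RFC1918 as the only internal ranges, uses public (geolocatable) addresses as a stand-in for "all 7 continents", and ignores ports, zones and applications that a real rule may also match on.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

# Constructed model of the four rules in this guide; Firepower's real matching
# also considers ports, applications, zones and more, which are omitted here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def internal(ip) -> bool:          # the "RFC1918" network object (add your own internal ranges here)
    return any(ip in net for net in RFC1918)

def geolocated(ip) -> bool:        # stand-in for "all 7 continents": only public IPs get a geolocation
    return ip.is_global

def anything(ip) -> bool:
    return True

@dataclass
class AccessRule:
    name: str
    src: Callable
    dst: Callable
    log_begin: bool = False
    log_end: bool = False
    intrusion_policy: str = "Org intrusion policy"   # assumed name of the deployed policy

    def matches(self, src_ip, dst_ip) -> bool:
        return self.src(src_ip) and self.dst(dst_ip)

# Top of the ACP, in the order the guide says to add them; the base policy catches the rest.
ACP = [
    AccessRule("Internal to Internal", internal, internal),                 # logging unchecked
    AccessRule("Internal to External", internal, geolocated, log_end=True),
    AccessRule("External to Internal", geolocated, internal, log_end=True),
]
BASE_POLICY = AccessRule("Base policy", anything, anything)                 # logging unchecked

def evaluate(src: str, dst: str) -> dict:
    """Top-to-bottom evaluation: the first matching rule decides whether a connection
    event is logged; the traffic is inspected by an intrusion policy either way."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rule = next((r for r in ACP if r.matches(src_ip, dst_ip)), BASE_POLICY)
    return {"rule": rule.name,
            "connection_event_logged": rule.log_begin or rule.log_end,
            "inspected_by": rule.intrusion_policy}

def count_logged(connections) -> tuple:
    """Return (logged, total) for a list of (src, dst) pairs, to size the noise reduction."""
    logged = sum(1 for s, d in connections if evaluate(s, d)["connection_event_logged"])
    return logged, len(connections)

if __name__ == "__main__":
    # Constructed sample: four internal flows, one outbound, one inbound, one transit.
    sample = [("10.1.2.3", "10.1.2.4"), ("192.168.1.10", "172.16.0.5"),
              ("10.0.0.1", "10.0.0.2"), ("172.16.5.5", "192.168.9.9"),
              ("10.1.2.3", "8.8.8.8"), ("1.1.1.1", "10.1.2.3"), ("8.8.8.8", "1.1.1.1")]
    for s, d in sample:
        print(s, "->", d, evaluate(s, d))
    print("connection events logged: %d of %d" % count_logged(sample))
```

Swap in your organization's own internal ranges and the name of the deployed intrusion policy, then compare the logged count against a day's worth of real flows to estimate the reduction.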