Accenture MDR Quick Start Guide for Cisco® IronPort Web Security

This quick start guide will help Accenture MDR customers configure Cisco® IronPort Web Security to allow log collection from the Log Collection Platform (LCP).

The document includes the following topics:

- Supported Versions
- Port Requirements
- Configuring Cisco IronPort Security
- Recommended Log Fields
- LCP Configuration Parameters

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found on the Accenture Portal: https://mss.accenture.com/PortalNextGen/Reports/Documents

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source                  Destination   TCP Port    Description
Cisco IronPort Proxy    LCP           21 (TCP)    FTP port for log upload

Configuring Cisco IronPort Security

To configure the IronPort Web Security device, follow the steps below.

1. Log in to the IronPort Web Security web interface.

2. Go to System Administration > Log Subscriptions. The Log Subscriptions page appears.

3. On the Log Subscriptions page, click Add Log Subscription. The New Log Subscription page appears.

Note: The username should be ciscoironport only. With any other name, logs will be processed via the Universal FTP collector.

4. On the New Log Subscription page, fill in the fields described in Table 1-2.

Table 1-2: Log Subscription Fields

Information: Description

Log Type: Select W3C Logs, as the collector works only with W3C compatible logs.

Log Name: You must enter a log name. This log name is used for the log directory which stores the log files for the subscription.

Log Fields: From the Available Log Fields list, select the required fields and then click Add. The selected fields are added to the Selected Log Fields list. For the recommended log fields, refer to Recommended Log Fields. You can re-order the fields using the Move Up and Move Down buttons. To remove a field from the Selected Log Fields list, select the field and click Remove.
Note: You can add the fields in any order.

Rollover by File Size: Specify the maximum file size to which the current log file can grow before it is archived and a new log file is started.
Note: The maximum recommended file size of the FTP log is 500 MB. This size can be reduced according to the logging volume of the device.

Rollover by Time: Specify the maximum time interval before the current log file is archived and a new log file is started.

File Name: Enter a name for the log file.

Log Compression: Specifies whether or not rolled-over files are compressed.
Note: Although gzip compression is supported, it is recommended not to enable this field, as the file size may reach several GB after decompression, which slows the processing of logs by the LCP.

Log Exclusions (Optional): Allows you to specify HTTP status codes (4xx or 5xx only) to exclude the associated transactions from a W3C access log.
Note: You can provide multiple status codes as comma (,) separated values.

Retrieval Method: Specifies where rolled-over log files are stored and how they are retrieved for reading. You must transfer the logs to the configured folder of the machine where the collector is installed. Select FTP on Remote Server and enter the following information:

  FTP Host: Enter the lcp_ip_address
  Directory: Provide the directory as "/"
  Username: Provide the username as ciscoironport, always.
  Passphrase: You can leave it blank.

Note: File transfer via SCP is not supported.

5. Click Submit. The details appear in the Log Subscriptions page, and the Commit Changes button is enabled at the top-right corner. 

6. Click Commit Changes to save the changes. The Uncommitted Changes page appears.

7. Optionally, you can roll over the logs by selecting the check box under the Rollover field and clicking Rollover Now.

8. Enter a comment in the Comment field and click Commit Changes. After successful commit, a message, "Your changes have been committed.", appears.

Recommended Log Fields

Note: Arrange the Log Fields in the sequence below.

Cisco® IronPort Web Security

timestamp

c-ip

c-port

cs(Referer)

cs(User-Agent)

cs(X-Forwarded-For)

cs-auth-group

cs-method

cs-mime-type

cs-uri

cs-url

cs-username

cs-version

date

time

s-hierarchy

s-hostname

s-ip

s-port

sc-http-status

sc-result-code

sc-result-code-denial

cs-bytes

sc-bytes

x-acltag

x-elapsed-time

x-mcafee-av-virustype

x-mcafee-scanverdict

x-mcafee-virus-name

x-result-code

x-webcat-code-full

x-webroot-scanverdict

x-webroot-spyid

x-webroot-threat-name

x-amp-verdict

x-amp-malware-name 

x-amp-score

x-amp-upload

x-amp-filename

x-amp-sha
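Before onboarding, it is worth confirming that a rolled-over file actually contains what Table 1-2 and the field list above ask for. The following Python script is an added example (not Accenture or Cisco code): it parses a W3C access log such as the subscription produces, reports which recommended fields the subscription does not emit, and shows which transactions a given Log Exclusions setting would drop. The sample log at the bottom is constructed; real field values differ.

```python
import re
# Field sequence recommended by the guide (see "Recommended Log Fields").
RECOMMENDED_FIELDS = [
    "timestamp", "c-ip", "c-port", "cs(Referer)", "cs(User-Agent)", "cs(X-Forwarded-For)",
    "cs-auth-group", "cs-method", "cs-mime-type", "cs-uri", "cs-url", "cs-username", "cs-version",
    "date", "time", "s-hierarchy", "s-hostname", "s-ip", "s-port", "sc-http-status", "sc-result-code",
    "sc-result-code-denial", "cs-bytes", "sc-bytes", "x-acltag", "x-elapsed-time",
    "x-mcafee-av-virustype", "x-mcafee-scanverdict", "x-mcafee-virus-name", "x-result-code",
    "x-webcat-code-full", "x-webroot-scanverdict", "x-webroot-spyid", "x-webroot-threat-name",
    "x-amp-verdict", "x-amp-malware-name", "x-amp-score", "x-amp-upload", "x-amp-filename", "x-amp-sha",
]

# W3C values are space separated; a value containing spaces is double quoted.
_TOKEN = re.compile(r'"[^"]*"|\S+')

def parse_w3c(text):
    """Return (fields, records): the #Fields names and one dict per data line;
    a bare '-' (W3C marker for an empty value) becomes None."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip():
            continue  # other directives (#Version, #Date, ...) and blank lines
        else:
            if not fields:
                raise ValueError("data before #Fields directive: not a W3C log")
            vals = [t.strip('"') for t in _TOKEN.findall(line)]
            if len(vals) != len(fields):
                raise ValueError(f"expected {len(fields)} values, got {len(vals)}")
            records.append({k: None if v == "-" else v for k, v in zip(fields, vals)})
    return fields, records

def missing_fields(fields):
    """Recommended fields the subscription does not emit (fix under Log Fields)."""
    return [f for f in RECOMMENDED_FIELDS if f not in fields]

def excluded_by(records, status_codes):
    """Transactions the Log Exclusions setting would drop; it accepts 4xx/5xx only."""
    bad = [c for c in status_codes if not re.fullmatch(r"[45]\d\d", c)]
    if bad:
        raise ValueError(f"Log Exclusions accepts 4xx/5xx codes only, got {bad}")
    return [r for r in records if r["sc-http-status"] in status_codes]

# Constructed sample: two transactions from a subscription emitting only nine fields.
SAMPLE_LOG = """#Version: 1.0
#Fields: timestamp c-ip cs-method cs-url cs-username cs(User-Agent) sc-http-status sc-result-code sc-bytes
1700000000.123 10.0.0.5 GET http://example.com/index.html jdoe "Mozilla/5.0 (X11)" 200 TCP_MISS 5120
1700000000.456 10.0.0.6 GET http://example.com/blocked.exe - "curl/8.0" 403 TCP_DENIED 0
"""
```

Running `missing_fields` on the sample header lists the 31 recommended fields this nine-field subscription lacks, which is the check to run on a real rolled-over file before it is pushed to the LCP.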

LCP Configuration Parameters

Table 1-3: The Cisco IronPort event collector (FTP - 3798) properties to be configured by MDR.

Property                  Default Value                        Description
Port Number               21                                   The default port number for FTP.
Hostnames/IP Addresses    Cisco IronPort Proxy SG IP Address   Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ).

Note: If the device sends logs using multiple interfaces, contact the Accenture MDR On-boarding team.


Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.