Accenture MDR recommended logging configuration for Sourcefire eStreamer

This guide helps Accenture MDR customers reduce the volume of non-security events (Connection Events) generated by Sourcefire or Cisco Firepower. The recommended logging configuration filters out only Internal to Internal connection events; intrusion events detected by Sourcefire will still be collected by our Log Collection Platform (LCP).

The document includes the following topics:

Types of events collected by Accenture MDR

Below are the different types of events collected by Accenture MDR from Sourcefire or Cisco Firepower:

  1. Connection Events -> Logs every connection on the network monitored by the sensor. The Access Control Policy (ACP) allows connection events to be logged either at the beginning or at the end of a connection. Connection events are logged for whatever network ranges / variable sets are defined in the ACP.

  2. Security Intelligence Events -> An event is logged when a connection matches a known blacklist from the Security Intelligence feature.

  3. Intrusion Events -> The sensor inspects traffic for intrusions or exploits. These events fire based on the intrusion policy enabled on the sensor; the policy examines traffic for attack patterns and can block or alert on malicious traffic.

  4. Malware Events -> Requires a separate malware license. Detects/blocks malicious files such as PDFs, documents and others.

How Are Connection Events Logged by Firepower?

When the sensor analyzes traffic as part of the deployed ACP, a connection event is logged only when the traffic matches an Access Control Rule (ACR) in the ACP. The traffic is also sent for inspection, and if it matches an Intrusion rule the sensor detects or blocks it according to the deployed Intrusion policy. If no ACR matches, the traffic is passed down the policy until a matching rule is found; otherwise it is logged by the default intrusion policy.

MDR Recommendation

Our recommendation is to reduce the noise from connection events without losing any security value from the collection of the other types of events from Sourcefire or Cisco Firepower.

The rules below that disable connection event logging do not whitelist the traffic or remove security value from the Firepower device: the traffic is still inspected by the deployed Intrusion policy or the default policy, and any intrusion detected by the sensor is collected by MDR for further correlation and security incident generation.

Once these rules are implemented, only the connection events will no longer be logged by Cisco Firepower; intrusion events will still be logged by the FMC.

Pre-requisites

Before adding the rules in FMC please validate the following conditions:

  • Ensure a valid variable set is defined (HOME_NET and EXTERNAL_NET) (Objects > Object Management > Variable Set > edit the variable set created for the Org).

  • The VDB, Geolocation database and SRUs must be up to date for proper Firepower detection.

NOTE: The sensor evaluates rules from top to bottom, so it is recommended to add the new rules above the existing access control rules that log or disable connection events. If there are existing rules in the Access Control Policy, we recommend disabling Connection Event Logging.

Rules Suggested for Implementation

Note: The rules we recommend do not have any impact on existing Firepower detection.

Internal to Internal rule to exclude Connection Event logs (Mandatory)

  1. On the Access Control Policy, click on Add Rule.

  2. Select Allow from the Action drop-down box.

  3. Under Networks, add RFC1918 and any network variables that are internal to your organization to Source Networks and Destination Networks.

  4. Choose the intrusion policy under Inspection > Intrusion Policy.

  5. Choose the variable set under Inspection > Variable Set > select the variable set that was created for the sensor or Org (Objects > Object Management > Variable Set).

  6. Disable Connection Events by selecting Logging and unchecking Log at End of Connection, Log at Beginning of Connection and any others that are selected.

  7. Select Save.

Internal to External rule to collect Connection Event logs (Recommended)

  1. On the Access Control Policy, click on Add Rule.

  2. Select Allow from the Action drop-down box.

  3. Under Networks, add RFC1918 and any network variables that are internal to your organization to Source Networks.

  4. Add all 7 Geolocations by navigating to Networks > Geolocations and adding all 7 continents under Destination Networks.

  5. Choose the intrusion policy under Inspection > Intrusion Policy.

  6. Choose the variable set under Inspection > Variable Set > select the variable set that was created for the sensor or Org (Objects > Object Management > Variable Set).

  7. Enable Connection Event log collection by selecting Logging and checking Log at End of Connection and Event Viewer.

  8. Select Save.

External to Internal rule to collect Connection Event logs (Recommended)

  1. On the Access Control Policy, click on Add Rule.

  2. Select Allow from the Action drop-down box.

  3. Under Networks, add all 7 Geolocations by navigating to Networks > Geolocations and adding all 7 continents under Source Networks.

  4. Under Networks, add RFC1918 and any network variables that are internal to your organization to Destination Networks.

  5. Choose the intrusion policy by navigating to Inspection > Intrusion Policy.

  6. Choose the variable set by navigating to Inspection > Variable Set > select the variable set that was created for the sensor or Org (Objects > Object Management > Variable Set).

  7. Enable Connection Event log collection by selecting Logging > Log at End of Connection and Event Viewer.

  8. Select Save.

Disable Connection Event Logging on Base policy

  1. Click on Edit next to the base policy.

  2. Disable Connection Events by unchecking Log at End of Connection, Log at Beginning of Connection and any others that are selected.
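To see how the rule ordering above plays out, here is an added Python example (not Accenture or Cisco code) that simulates the sensor's top-to-bottom, first-match evaluation of the three recommended rules plus the base policy over a few constructed flows. It assumes RFC1918 addresses are "internal" and that any public address stands in for the "all 7 Geolocations" object; it also shows that the Allow rules keep their intrusion policy even where connection logging is off.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple
# The guide's RFC1918 network object, constructed here from the three private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class AccessControlRule:
    name: str
    src_internal: Optional[bool]   # True: RFC1918, False: Geolocations (public), None: any
    dst_internal: Optional[bool]
    log_connection: bool           # the "Log at End of Connection" checkbox
    intrusion_policy: bool = True  # Allow rules still carry an intrusion policy

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def rule_matches(rule: AccessControlRule, src: str, dst: str) -> bool:
    for want, ip in ((rule.src_internal, src), (rule.dst_internal, dst)):
        if want is not None and is_internal(ip) != want:
            return False
    return True

# Order matters: the sensor evaluates top to bottom, so the three new rules sit
# above the base policy (modelled as a catch-all whose logging is disabled).
POLICY: List[AccessControlRule] = [
    AccessControlRule("Internal to Internal (Mandatory)", True, True, False),
    AccessControlRule("Internal to External (Recommended)", True, False, True),
    AccessControlRule("External to Internal (Recommended)", False, True, True),
    AccessControlRule("Base policy", None, None, False),
]

def evaluate(src: str, dst: str) -> Tuple[str, bool, bool]:
    """Return (matching rule, connection event logged?, traffic inspected?)."""
    rule = next(r for r in POLICY if rule_matches(r, src, dst))  # base always matches
    return rule.name, rule.log_connection, rule.intrusion_policy

def count_logged(flows: List[Tuple[str, str]]) -> Tuple[int, int]:
    """Return (logged, suppressed) counts for a list of (src, dst) flows."""
    logged = sum(1 for s, d in flows if evaluate(s, d)[1])
    return logged, len(flows) - logged

if __name__ == "__main__":
    sample = [("10.1.2.3", "192.168.5.6"), ("10.1.2.3", "203.0.113.9"),  # constructed flows
              ("198.51.100.4", "172.16.0.7"), ("198.51.100.4", "203.0.113.9")]
    for s, d in sample:
        print(f"{s} -> {d}: {evaluate(s, d)}")
    print("logged/suppressed:", count_logged(sample))
```

Running it shows the Internal to Internal flow matching the mandatory rule with logging off while every flow is still inspected, which is the trade-off the recommendation relies on.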

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.