☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

Cisco ASA Integration Guide

Secureworks® Taegis™ XDR can be configured to accept data from the Cisco ASA Firewall using the Taegis™ XDR Collector. Please follow the instructions below to configure the ASA logging, keeping in mind that syslog_IP may be the IP address of the XDR Collector. Furthermore, the following steps provide monitoring by Secureworks.

Data Provided from Integration ⫘

	Antivirus	Auth	DHCP	DNS	Email	Encrypt	File	HTTP	Management	Netflow	NIDS	Process	Thirdparty
Cisco ASA Firewall		D	Y	D				D	Y	D	V

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Add Cisco ASA Integration ⫘

To set up the integration directly in XDR, do the following:

Follow the instructions to configure an On-Premises Data Collector found at On-Premises Data Collector. You can use the On-Premises Data Collector in your environment to collect and forward data from your Cisco ASA Firewall to XDR. If you have a XDR Collector already set up, you can use it for Cisco integrations, or you can set up another one.
Once you have the XDR Collector set up, you must configure your Cisco ASA Firewall to forward its logs to XDR. For more information, see Log Forwarding below.

Log Forwarding ⫘

This section provides the necessary actions and steps to configure log forwarding on Cisco firewalls.

Connectivity Requirements ⫘

Source	Destination	Port/Protocol
Firewall_*interface	XDR Collector	UDP/514

*The source interface of the log messages is the adjacent interface to the XDR Collector. This may be your DMZ interface if the XDR Collector is in your DMZ.

Disable Names Feature ⫘

The names feature of Cisco ASA should be disabled if you are forwarding syslog data to XDR. The names feature allows IP addresses to be assigned a common name (alias) on the ASA. When this feature is used, the alias is displayed in log messages in lieu of the IP address. This feature negatively impacts XDR’s ability to effectively monitor the firewall and should be disabled. In the following example, the names feature is disabled:

ciscoasa(config)# show names
no names
ciscoasa(config)#

If this feature is currently enabled for your Cisco ASA Firewall, it can be disabled by issuing the no names command.

Log the Hostname of the Firewall ⫘

Because the syslog message does not contain the hostname or IP address of the originating firewall, you must run the logging device-id hostname command so you can distinguish which ASA log belongs to which firewall.

Configure Logging for Standalone or Active/Standby ⫘

The following template demonstrates the commands to enable logging on a standalone or active/standby pair of firewalls. If your Cisco ASA is running multiple contexts, please see Configure Logging with Multiple Contexts.

Configuration Notes ⫘

The no logging hide username command is a new feature for ASA Version 9.3(3) and up, but is not available in 9.4(1).
The logging standby command is an optional setting and is only applicable if this is an Active/Standby HA pair. This feature provides logs for invalid login attempts on the standby device and will lessen the chance of losing logs in the event of a failover. It should be noted that this will result in nearly twice the number of logs to be received by the firewall pair as logs are duplicated from the primary to the standby.
Log message IDs 302015 and 302013 must not be disabled. These log messages can impact XDR’s ability to properly generate netflow data. In the following example, these log message IDs were manually disabled:

ciscoasa(config)# sh run log
logging enable
no logging hide username
no logging console
logging buffered informational
logging trap informational
logging host inside 192.168.1.55
no logging message 302015
no logging message 302013
logging device-id hostname
ciscoasa(config)#

If these log messages were manually disabled, they must be re-enabled by issuing the logging message 302015 and logging message 302013 commands. For example:

ciscoasa(config)# logging message 302015
ciscoasa(config)# logging message 302013

Configure Logging with Multiple Contexts ⫘

The following template demonstrates the commands to enable logging on a multiple context implementation:

ciscoasa(config)# logging enable
ciscoasa(config)# no logging console
ciscoasa(config)# no logging hide username
ciscoasa(config)# logging host <interface> <XDR Collector IP>
ciscoasa(config)# logging buffered informational
ciscoasa(config)# logging trap informational
ciscoasa(config)# logging standby

Configuration Notes ⫘

Each security context includes its own logging configuration and generates its own messages. Make sure to enable logging on each context that you wish to monitor.
Syslog messages generated in the system execution space, including failover messages, are viewed in the admin context along with messages generated in the admin context. You cannot configure logging or view any logging information in the system execution space.
The no logging hide username command is a new feature for ASA Version 9.3(3) and up, but is not available in 9.4(1).
The logging standby command is an optional setting and is only applicable if this is an Active/Standby HA pair. This feature provides logs for invalid login attempts on the standby device and will lessen the chance of losing logs in the event of a failover. It should be noted that this will result in nearly twice the number of logs to be received by the firewall pair as logs are duplicated from the primary to the standby.
Log message IDs 302015 and 302013 must not be disabled. These log messages can impact XDR’s ability to properly generate netflow data. In the following example, these log message IDs were manually disabled:

ciscoasa(config)# sh run log
logging enable
no logging hide username
no logging console
logging buffered informational
logging trap informational
logging host inside 192.168.1.55
no logging message 302015
no logging message 302013
ciscoasa(config)#

You can configure the ASA to include the context name with each message, which helps you differentiate context messages that are sent to a single syslog server. This feature also helps you to determine which messages are from the admin context and which are from the system; messages that originate in the system execution space use a device ID of system, and messages that originate in the admin context use the name of the admin context as the device ID.

ciscoasa(config)# logging device-id <context-name>

More Information ⫘

For more on Cisco ASA software and hardware compatibility, see Cisco ASA Compatability Matrices.

Cisco ASA Integration Guide

Data Provided from Integration ⫘

Add Cisco ASA Integration ⫘

Log Forwarding ⫘

Connectivity Requirements ⫘

Disable Names Feature ⫘

Log the Hostname of the Firewall ⫘

Configure Logging for Standalone or Active/Standby ⫘

Configuration Notes ⫘

Configure Logging with Multiple Contexts ⫘

Configuration Notes ⫘

More Information ⫘

On this page: