Cisco Ironport Integration Guide
Cisco IronPort Web Security Appliances (WSA) should be configured to send logs to the Taegis™ XDR Collector via syslog by following the logging instructions below.
Connectivity Requirements
Source | Destination | Port/Protocol
---|---|---
Cisco IronPort WSA | XDR Collector (mgmt IP) | UDP/514
Data Provided from Integration
Antivirus | Auth | DHCP | DNS | Encrypt | File | HTTP | Management | Netflow | NIDS | Process | Thirdparty
---|---|---|---|---|---|---|---|---|---|---|---
Cisco IronPort | Y | D
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Configuration Instructions
To configure Cisco IronPort to send logs to Secureworks® Taegis™ XDR via syslog, follow these instructions.
Web Security Appliances
Follow the instructions provided by Cisco to add or edit log subscriptions using the syslog push retrieval method for the following log types:
- CLI Audit Logs — Records a historical audit of command line interface activity.
- FTP Server Logs — Records all files uploaded to and downloaded from the WSA using FTP.
- GUI Logs — Records history of page refreshes in the web interface.
- Data Security Logs — Records client history for upload requests that are evaluated by the IronPort DSFs.
- McAfee Logs — Records the status of anti-malware scanning activity from the McAfee scanning engine.
- AnyConnect Secure Mobility Daemon Logs — Records the interaction between the Web Security appliance and the AnyConnect client, including the status check.
- Default Proxy Logs — Records errors related to the Web Proxy.
- Sophos Logs — Records the status of anti-malware scanning activity from the Sophos scanning engine.
- System Logs — Records DNS, error, and commit activity.
- W3C Logs — Uses a custom field format; the data gathered by this log type supersedes the default Access log format (Squid).
W3C Logs
Create a new W3C Log type subscription to forward HTTP/HTTPS access logs to XDR using a custom format. Consider the following requirements while following the configuration steps:
- Log Name — TDR_W3C
- Log Type — W3C
- Log Fields — Add the following fields in this order:
  - date
  - time
  - c-ip
  - c-port
  - s-ip
  - s-port
  - cs(X-Forward-For)
  - cs-username
  - sc-result-code
  - sc-http-status
  - cs-method
  - cs-url
  - cs-version
  - cs-mime-type
  - cs(User-Agent)
  - cs(Referer)
  - x-acltag
  - x-result-code
Syslog Push Configuration
Consider the following requirements for the syslog push retrieval method configuration for each of the preceding log type subscriptions:
- Hostname — The IP address of the XDR Collector
- Protocol — UDP
- Facility — Local2
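To verify on the collector side that a received line really carries the TDR_W3C field list in the order configured above and arrived on facility Local2, here is an added example parser (not Secureworks' or Cisco's own code). It assumes a BSD-style syslog header of the form `<PRI>Mon dd HH:MM:SS host tag:` in front of the W3C record; the sample line and all its values are constructed for illustration.

```python
import re
import shlex

# Field order exactly as configured in the TDR_W3C subscription above.
TDR_W3C_FIELDS = [
    "date", "time", "c-ip", "c-port", "s-ip", "s-port", "cs(X-Forward-For)",
    "cs-username", "sc-result-code", "sc-http-status", "cs-method", "cs-url",
    "cs-version", "cs-mime-type", "cs(User-Agent)", "cs(Referer)", "x-acltag",
    "x-result-code",
]
LOCAL2 = 18  # RFC 3164 facility number for local2, as required by the guide
RECORD_START = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")  # W3C date + time

# Constructed sample line (values made up): an assumed BSD-syslog header
# "<PRI>Mon dd HH:MM:SS host tag:" followed by one TDR_W3C record.
SAMPLE = (
    "<150>Mar  3 14:05:07 wsa01 TDR_W3C: 2024-03-03 14:05:07 10.1.2.3 51234 "
    "203.0.113.10 443 - jdoe TCP_MISS 200 GET https://www.example.com/index.html "
    'HTTP/1.1 text/html "Mozilla/5.0 (X11; Linux x86_64)" - '
    "ALLOW_WBRS_11-DefaultGroup NONE"
)


def parse_pri(line):
    """Split the '<PRI>' prefix into (facility, severity, remainder)."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing syslog PRI")
    end = line.index(">")
    pri = int(line[1:end])
    return pri // 8, pri % 8, line[end + 1:]


def parse_w3c(line):
    """Map the record's whitespace-separated values onto TDR_W3C_FIELDS.

    Rejects lines not sent on facility local2 and records whose field count
    does not match the subscription (a sign the field list or order is off).
    Quoted values (User-Agent, Referer) may contain spaces; '-' means empty.
    """
    facility, _severity, rest = parse_pri(line)
    if facility != LOCAL2:
        raise ValueError(f"facility {facility} is not local2 ({LOCAL2})")
    start = RECORD_START.search(rest)
    if start is None:
        raise ValueError("no W3C date/time found; wrong log type or format?")
    values = shlex.split(rest[start.start():])  # honours double-quoted values
    if len(values) != len(TDR_W3C_FIELDS):
        raise ValueError(f"expected {len(TDR_W3C_FIELDS)} fields, got {len(values)}")
    return {k: (None if v == "-" else v) for k, v in zip(TDR_W3C_FIELDS, values)}
```

A field-count mismatch on real traffic usually means a field was left out of the subscription or entered in a different order than listed above.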
Note
Make sure to commit or push your changes to all of the IronPorts you wish XDR to receive logs from.