Cisco Ironport Integration Guide
Cisco IronPort Web Security Appliances (WSA) should be configured to send logs to the Taegis™ XDR Collector via syslog by following the logging instructions below.
Connectivity Requirements
| Source | Destination |
| --- | --- |
| Cisco IronPort WSA | Taegis™ XDR Collector (mgmt IP) |
Data Provided from Integration
Taegis™ XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Configuration Instructions
To configure Cisco IronPort to send logs to Secureworks® Taegis™ XDR via syslog, follow these instructions.
Web Security Appliances
- CLI Audit Logs — Records a historical audit of command line interface activity.
- FTP Server Logs — Records all files uploaded to and downloaded from the WSA using FTP.
- GUI Logs — Records history of page refreshes in the web interface.
- Data Security Logs — Records client history for upload requests that are evaluated by the IronPort DSFs.
- McAfee Logs — Records the status of anti-malware scanning activity from the McAfee scanning engine.
- AnyConnect Secure Mobility Daemon Logs — Records the interaction between the Web Security appliance and the AnyConnect client, including the status check.
- Default Proxy Logs — Records errors related to the Web Proxy.
- Sophos Logs — Records the status of anti-malware scanning activity from the Sophos scanning engine.
- System Logs — Records DNS, error, and commit activity.
- W3C Logs — Records access data using a custom, configurable field format; when configured, this log type supersedes the default Access log type format (Squid).
W3C Logs
Create a new W3C Log type subscription to forward HTTP/HTTPS access logs to Secureworks® Taegis™ XDR using a custom format. Consider the following requirements while following the configuration steps:
- Log Name — TDR_W3C
- Log Type — W3C
- Log Fields — Add the following fields in this order:
- cs-url cs-version
Syslog Push Configuration
Consider the following requirements for the syslog push retrieval method configuration for each of the preceding log type subscriptions:
- Hostname — The IP address of the Taegis™ XDR Collector
- Protocol — UDP
- Facility — Local2
Make sure to commit or push your changes to all of the IronPorts you wish Secureworks® Taegis™ XDR to receive logs from.
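A collector-side check for the W3C subscription and syslog push settings above, added here as an example and not part of the integration guide or of any Secureworks tooling: it confirms that a pushed line carries facility local2 and that its payload splits into the configured field order. The full field list, the BSD-style syslog layout and the sample lines are assumptions; the page itself names only the cs-url and cs-version fields.

```python
import re
from typing import Optional

# Assumed field order of the TDR_W3C subscription; the page names only
# "cs-url cs-version", the remaining names are assumptions for this example.
W3C_FIELDS = ["timestamp", "c-ip", "cs-method", "cs-url", "cs-version", "sc-status"]
LOCAL2 = 18  # syslog facility code for local2 (local0 is 16)

# Assumed BSD-style syslog line: <PRI>Mmm dd hh:mm:ss host tag: payload
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<tag>[^:\s]+):\s*(?P<payload>.*)$"
)

def facility_of(pri: int) -> int:
    """Facility code is PRI // 8; severity is PRI % 8."""
    return pri // 8

def parse_w3c_payload(payload: str, fields=W3C_FIELDS) -> Optional[dict]:
    """Map a space-separated W3C line onto the configured field names.
    Returns None when the token count differs from the subscription, which
    usually means the field order on the appliance was changed."""
    tokens = payload.split()
    if len(tokens) != len(fields):
        return None
    return dict(zip(fields, tokens))

def check_record(line: str) -> dict:
    """Validate one pushed line: facility must be local2 and the payload
    must match the configured W3C field list."""
    result = {"facility_ok": False, "tag": None, "fields": None}
    m = SYSLOG_RE.match(line)
    if not m:
        return result
    result["facility_ok"] = facility_of(int(m["pri"])) == LOCAL2
    result["tag"] = m["tag"]
    result["fields"] = parse_w3c_payload(m["payload"])
    return result

# Constructed sample lines, not real WSA output; <150> is local2.info
GOOD = "<150>Jan 10 12:00:00 wsa01 TDR_W3C: 1699999999.000 10.0.0.5 GET http://intranet.example/index.html HTTP/1.1 200"
WRONG_FACILITY = "<134>Jan 10 12:00:01 wsa01 TDR_W3C: 1699999999.000 10.0.0.5 GET http://intranet.example/index.html HTTP/1.1 200"
SHORT = "<150>Jan 10 12:00:02 wsa01 TDR_W3C: 1699999999.000 10.0.0.5 GET http://intranet.example/index.html"

if __name__ == "__main__":
    for sample in (GOOD, WRONG_FACILITY, SHORT):
        print(check_record(sample))
```

A facility other than local2 or a None field mapping points at an appliance whose syslog push or W3C field order was not committed as described above.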