Analysis of Cisco device logs using Splunk Cisco Security Suite

Published on June 19, 2018




    Cisco and Splunk are partners: Cisco uses Splunk in its own work, and Splunk keeps modernising its solutions so that its customers can easily work with the data generated by Cisco devices.

    As part of the partnership between Cisco and Splunk, more than five dozen solutions have been implemented that let you quickly obtain valuable information from data generated by Cisco devices. In this article we want to talk about the Cisco Security Suite application, with which you can analyse information security events arriving in real time from various Cisco devices. Cisco Security Suite brings together event-monitoring dashboards for Cisco ASA, PIX and FWSM firewalls, Cisco Web Security Appliance (WSA), IPS, Cisco Email Security Appliance (ESA), Cisco Identity Services Engine (ISE), and Cisco Advanced Malware Protection / Sourcefire.

    Data collection


    To collect the data that the Cisco Security Suite application will then process, you need to install special applications (add-ons), each responsible for collecting data of a certain type. To take full advantage of the application, the following add-ons are required: Cisco ASA, ESA, Identity Services, IPS, WSA, and eStreamer.



    Visualization


    Cisco Security Overview

    The Cisco Security Overview dashboard spans all of the Cisco add-ons, shows events in real time as they occur, and provides an overview of source and destination IP addresses.





    Email Security

    The Email Security dashboard builds analytics on data generated by the Cisco Email Security Appliance (ESA). It calculates the quantitative characteristics of incoming and outgoing messages, grouped by message type (spam, infected and ordinary messages), plots message volume over time, and so on.








    Web Security

    The Web Security section is built on Cisco WSA data and lets you see the nature of the traffic, the main threats, and where they come from.







    There are also dashboards that analyse whether the traffic is acceptable for different usage purposes.




    Network Security

    This section presents dashboards built from firewall events and from the eStreamer service. The Firewall Overview dashboard shows the number of blocked and allowed events, the reasons for blocking, and the sources and destinations of the events.
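As an added illustration (not part of the Cisco Security Suite app or of the original article), the Python below parses a few constructed Cisco ASA syslog lines and derives the same figures the Firewall Overview dashboard presents: blocked versus allowed connection counts, the access list responsible for each block, and the top source and destination addresses. The regular expressions are assumptions based on the standard ASA message formats for IDs 106023, 106100 and 302013, and they cover IPv4 addresses only.

```python
import re
from collections import Counter

# Constructed sample Cisco ASA syslog lines (not captured from a real device), shaped
# like message IDs 106023 (ACL deny), 106100 (ACL hit) and 302013 (TCP connection built).
SAMPLE_LOGS = [
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/44321 dst inside:10.0.0.5/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src outside:203.0.113.5/5353 dst inside:10.0.0.53/53 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '%ASA-4-106100: access-list OUTSIDE_IN denied tcp outside/203.0.113.9(50112) -> inside/10.0.0.5(445) hit-cnt 1 first hit [0x0, 0x0]',
    '%ASA-6-302013: Built inbound TCP connection 1188 for outside:203.0.113.7/51234 (203.0.113.7/51234) to inside:10.0.0.8/443 (10.0.0.8/443)',
    '%ASA-6-302013: Built outbound TCP connection 1189 for inside:10.0.0.8/40000 (198.51.100.1/40000) to outside:192.0.2.10/443 (192.0.2.10/443)',
]

# Assumed patterns for the three message formats above (IPv4 only).
DENY_106023 = re.compile(r'%ASA-\d-106023: Deny \w+ src \S+:([\d.]+)/\d+ dst \S+:([\d.]+)/\d+ by access-group "([^"]+)"')
DENY_106100 = re.compile(r'%ASA-\d-106100: access-list (\S+) denied \w+ \S+/([\d.]+)\(\d+\) -> \S+/([\d.]+)\(\d+\)')
BUILT_302013 = re.compile(r'%ASA-\d-302013: Built \w+ TCP connection \d+ for \S+:([\d.]+)/\d+ \(\S+\) to \S+:([\d.]+)/\d+')


def classify(line):
    """Return (action, src, dst, reason) for a recognised ASA message, else None."""
    m = DENY_106023.search(line)
    if m:
        src, dst, acl = m.groups()
        return ("blocked", src, dst, f"access-group {acl}")
    m = DENY_106100.search(line)
    if m:
        acl, src, dst = m.groups()
        return ("blocked", src, dst, f"access-list {acl}")
    m = BUILT_302013.search(line)
    if m:
        src, dst = m.groups()
        return ("allowed", src, dst, None)
    return None  # teardowns and other message IDs are not counted in this view


def firewall_overview(lines):
    """Aggregate the numbers the Firewall Overview dashboard shows."""
    summary = {"blocked": 0, "allowed": 0, "reasons": Counter(),
               "sources": Counter(), "destinations": Counter()}
    for line in lines:
        event = classify(line)
        if event is None:
            continue
        action, src, dst, reason = event
        summary[action] += 1
        if reason:
            summary["reasons"][reason] += 1
        summary["sources"][src] += 1
        summary["destinations"][dst] += 1
    return summary


if __name__ == "__main__":
    for key, value in firewall_overview(SAMPLE_LOGS).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```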



    For the eStreamer service, several dashboards have been created where you can find information on policies, hosts, sensors, flows, and so on.





    Identity Services

    Cisco Identity Services is a platform for managing identification and access-control processes. Using real-time data from the network, from users and from devices, it can make proactive access decisions. All access-provisioning events are divided into wired network segments, wireless network segments, and remote-access connections.





    Conclusion


    In fact, the application (in its full "bundle") includes more than 50 dashboards, so we have shown only a small fraction of the screenshots. To learn more about the application, you can also watch a dedicated demo video.

    Thank you for your time!

    If you are interested in this topic, or in Splunk as a whole, leave a comment and we will be happy to answer you. Our blog also has many other articles about Splunk that can help you learn a lot about implemented use cases, functionality, and much more. Subscribe to our VK group and Telegram channel if you want to keep up with new articles. You can also send us a request through the form on our website.