Overview

Cisco offers several network security appliances that monitor and inspect traffic to protect corporate networks and data centers, such as the Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD).

Integrating your Cisco firewall logs into Hunters allows ingestion of the logs, detection over them, and advanced investigation and correlation across them.

Supported Data Types

  • Cisco ASA Firewall - network connection logs generated by Cisco ASA (see more details here).

  • Cisco FTD Firewall - events logged by the Firepower component of Cisco FTD (see more details here).

Hunters Integration

To integrate your Cisco firewall logs into Hunters, the logs must be collected from your network into a storage service shared with Hunters (e.g. an S3 bucket or Azure Blob Storage). The logs should be collected via syslog (more details here).

The expected format of the logs is the raw syslog message format as exported by Cisco ASA and FTD. The expected timestamp format is %b %d %Y %H:%M:%S (e.g. Dec 25 2021 23:59:56), and timestamps are interpreted as UTC, so the appliance should be configured to emit its log timestamps in UTC rather than local time.

For example:

Cisco ASA Firewall Log Sample

Dec 25 2021 23:59:56 10.1.2.3 : %ASA-6-305011: Built dynamic TCP translation from outside:10.1.2.3/12345(LOCAL\fuser123) to outside:10.2.4.6/54321

Cisco FTD Firewall Log Sample

Jun 09 2022 16:27:37 10.1.2.3 : %FTD-6-305011: Built dynamic UDP translation from INTERNAL:10.5.5.5/57641 to EXTERNAL:8.8.8.8/53
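To check that exported lines actually match the format described above before shipping them to the storage service, the following parser is an added example (it is not Hunters' code or Cisco's). It splits a raw ASA/FTD line into the timestamp (parsed with %b %d %Y %H:%M:%S and tagged as UTC), the reporting host, the product, the syslog severity, the six-digit message ID and the message text, and for message 305011 it also extracts the translation fields. The sample lines are constructed for this example; the third one lacks the year and is rejected, which is the failure a practitioner most wants to catch. The field layout assumed for 305011 (interface:address/port, optional identity user in parentheses, "to" interface:address/port) is taken from the two samples on this page.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample lines for this example (not taken from a real deployment).
# They follow the raw syslog layout shown above:
#   "%b %d %Y %H:%M:%S <host> : %<PRODUCT>-<severity>-<msg_id>: <message>"
SAMPLE_LINES = [
    "Dec 25 2021 23:59:56 10.1.2.3 : %ASA-6-305011: Built dynamic TCP translation "
    "from outside:10.1.2.3/12345(LOCAL\\fuser123) to outside:10.2.4.6/54321",
    "Jun 09 2022 16:27:37 10.1.2.3 : %FTD-6-305011: Built dynamic UDP translation "
    "from INTERNAL:10.5.5.5/57641 to EXTERNAL:8.8.8.8/53",
    # Missing year in the timestamp: does not match the expected format and must be rejected.
    "Dec 25 23:59:56 10.1.2.3 : %ASA-6-305011: Built dynamic TCP translation "
    "from outside:10.1.2.3/12345 to outside:10.2.4.6/54321",
]

TIMESTAMP_FORMAT = "%b %d %Y %H:%M:%S"

# Header: timestamp with year, reporting host, " : ", then %ASA/%FTD-<sev>-<id>: message.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) : "
    r"%(?P<product>ASA|FTD)-(?P<severity>[0-7])-(?P<msg_id>\d{6}): "
    r"(?P<message>.*)$"
)

# Message 305011 body, as seen in the samples: translation from if:ip/port[(user)] to if:ip/port.
TRANSLATION_RE = re.compile(
    r"^Built (?P<kind>dynamic|static) (?P<proto>TCP|UDP|ICMP) translation from "
    r"(?P<src_if>[^:]+):(?P<src_ip>[^/]+)/(?P<src_port>\d+)(?:\((?P<src_user>[^)]*)\))? "
    r"to (?P<dst_if>[^:]+):(?P<dst_ip>[^/]+)/(?P<dst_port>\d+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one raw ASA/FTD syslog line; return None if it does not match the expected format."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    try:
        # The page states timestamps are UTC, so attach that zone explicitly.
        ts = datetime.strptime(m["ts"], TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None  # e.g. an impossible day-of-month
    event = {
        "timestamp": ts,
        "epoch": int(ts.timestamp()),
        "host": m["host"],
        "product": m["product"],
        "severity": int(m["severity"]),
        "msg_id": m["msg_id"],
        "message": m["message"],
    }
    if event["msg_id"] == "305011":
        t = TRANSLATION_RE.match(event["message"])
        if t:
            event["translation"] = {
                "kind": t["kind"],
                "proto": t["proto"],
                "src_if": t["src_if"],
                "src_ip": t["src_ip"],
                "src_port": int(t["src_port"]),
                "src_user": t["src_user"],  # None when no identity user is logged
                "dst_if": t["dst_if"],
                "dst_ip": t["dst_ip"],
                "dst_port": int(t["dst_port"]),
            }
    return event


def parse_lines(lines):
    """Return (parsed events, rejected raw lines) so malformed exports are visible, not silently dropped."""
    parsed, rejected = [], []
    for line in lines:
        event = parse_line(line)
        if event is None:
            rejected.append(line)
        else:
            parsed.append(event)
    return parsed, rejected


if __name__ == "__main__":
    events, bad = parse_lines(SAMPLE_LINES)
    for e in events:
        print(e["timestamp"].isoformat(), e["product"], e["msg_id"], e.get("translation"))
    for b in bad:
        print("REJECTED:", b)
```

Run it against a sample of your exported file before enabling the integration; any line that lands in the rejected list is one the expected-format parser on the Hunters side would not be able to timestamp correctly.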