
Cisco Confidential. All printed copies and duplicate soft copies are considered uncontrolled and the original online version should be referred to for the latest version.

Cisco Firepower Dashboard for QRadar

Operations Guide
August 20, 2017
Version 1.1

Cisco Systems, Inc.
Corporate Headquarters
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
Toll Free: 800 553-NETS (6387)
Fax: 408 526-4100

August 20, 2017 Operations Guide Cisco Confidential. All printed copies and duplicate soft copies are considered uncontrolled

and the original online version should be referred to for the latest version. Page 2 of 13

Contents

Contents (page 2)
About This Operations Guide (page 3)
    Revision History (page 3)
1 Introduction (page 4)
    1.1 Document Purpose (page 4)
    1.2 Application Summary (page 4)
2 Operations (page 5)
    2.1 Pre-requisite (page 5)
    2.2 Installation (page 5)
    2.3 Configuration (page 5)
        2.3.1 FMC eStreamer Certificate Creation (page 5)
        2.3.2 QRadar Configuration (page 7)
        2.3.3 Configuring a log source for Cisco FireSIGHT Management Center events (page 8)
    2.4 Cisco Support (page 10)
3 Appendix A: Acronym Listing (page 11)
Trademarks and Disclaimers (page 13)


About This Operations Guide

Author: Corey Holland
Change Authority: Cisco Systems Advanced Services, Security & Collaboration IDT, Implementation Americas
Project ID: 868408

Revision History

Revision  Date        Name or User ID  Comments
1.0       08/20/2017  Corey Holland    Initial operations guide.
1.1       08/22/2017  Puja Shourie     Added QRadar configuration.
1.2       12/19/2017  Puja Shourie     Added Troubleshooting section.

1 Introduction

1.1 Document Purpose

This document outlines the operation of the Cisco Firepower Dashboard for QRadar and is intended to assist users with its installation and use.

1.2 Application Summary

IBM QRadar consolidates log source event data from thousands of device endpoints and applications distributed throughout a network. Cisco Firepower Management Center (FMC) is the administrative nerve center for managing critical Cisco network security solutions. By configuring Cisco FMC to deliver log events to QRadar, it is possible to leverage QRadar to provide deep insight into network security. The Cisco Firepower Dashboard for QRadar provides data visualization for the malware and intrusion events collected by Cisco FMC.


2 Operations

2.1 Pre-requisite

The Cisco Firepower Dashboard for QRadar requires IBM QRadar version 7.2.6 or higher.

2.2 Installation

The Cisco Firepower Dashboard for QRadar is available from the IBM Security App Exchange at:

https://exchange.xforce.ibmcloud.com/hub

2.3 Configuration

Configuration has two steps: creating an eStreamer client certificate on the FMC (2.3.1), then configuring QRadar to import that certificate and receive events (2.3.2 and 2.3.3).

2.3.1 FMC eStreamer Certificate Creation

To generate an eStreamer client certificate:

• Navigate to the web interface of the FMC at https://fmc-ip-address and log in with your FMC credentials.
• In the FMC 6.x GUI, navigate to System > Integration > eStreamer.

Figure 1: FMC eStreamer Certificate Creation

Click Create Client. Provide the Hostname and password.

Note: The Hostname should be the IP address of the client that will collect the event data from the FMC. The password will be required when you first execute eStreamer eNcore.


Please note that the IP address you enter here must be the IP address of the eStreamer-eNcore client from the perspective of the FMC. In other words, if the client is behind a NAT device, then the IP address must be that of the upstream NAT interface.

Figure 2: Create Client Hostname and Password Screen

Click Save.

Figure 3: Create Client Save Screen

Download the pkcs12 file.


Figure 4: Download Screen

Copy the pkcs12 file to the desired location on the target device.

2.3.2 QRadar Configuration

• Log in to your QRadar Console or Event Collector as the root user.
• Copy the pkcs12 certificate from your FireSIGHT Management Center appliance to the following directory:

    /opt/qradar/bin/

• To import your pkcs12 file, type the following command and any extra parameters:

    /opt/qradar/bin/estreamer-cert-import.pl -f pkcs12_file_name options

Parameter  Description
-f         Identifies the file name of the pkcs12 file to import.
-o         Overrides the default estreamer name for the keystore and truststore files. Use the -o parameter when you integrate multiple FireSIGHT Management Center devices. For example:
               /opt/qradar/bin/estreamer-cert-import.pl -f <file name> -o 192.168.1.100
           The import script then creates the following files:
               /opt/qradar/conf/192.168.0.100.keystore
               /opt/qradar/conf/192.168.0.100.truststore
-d         Enables verbose mode for the import script. Verbose mode is intended to display error messages for troubleshooting purposes when pkcs12 files fail to import properly.
-p         Specifies a password if a password was accidentally provided when you generated the pkcs12 file.
-v         Displays the version information for the import script.
-h         Displays a help message on using the import script.

• The import script creates a keystore and truststore file in the following locations:

    /opt/qradar/conf/estreamer.keystore
    /opt/qradar/conf/estreamer.truststore

2.3.3 Configuring a log source for Cisco FireSIGHT Management Center events

You must configure a log source because QRadar® does not automatically discover Cisco FireSIGHT Management Center events.

• Log in to QRadar.
• Click the Admin tab.
• On the navigation menu, click Data Sources.
• Click the Log Sources icon.
• Click Add.
• From the Log Source Type list, select Cisco FireSIGHT Management Center.
• From the Protocol Configuration list, select Cisco Firepower eStreamer.
• Click Save.
• Deploy the configuration.
• Check the log events; you should now receive events from the FMC.

2.4 Cisco Support

Please contact [email protected] for support requests and troubleshooting.

3 Troubleshooting

3.1 Connection refused on deploying log source configuration

If you receive the above error, check the following:

1. The keystore/truststore paths in the log source configuration are correct.
2. The port is correct.
3. Port 8302 is open on the network between QRadar and the FMC.
4. You have deployed the "full configuration" after making changes to the log source.
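As an added example (not part of the Cisco guide, and not the import script's own code), the following Python pre-flight check runs the checklist above against a QRadar Console or Event Collector before the log source is deployed. It ties together the file-naming behaviour described in 2.3.2 (estreamer.keystore / estreamer.truststore by default, or <name>.keystore / <name>.truststore when -o <name> was used) and the connection-refused checklist in 3.1. It assumes the default configuration directory /opt/qradar/conf and that the FMC listens for eStreamer clients on TCP port 8302; the FMC address and -o value in the usage block are constructed placeholders.

```python
"""Pre-flight check for a QRadar 'Cisco Firepower eStreamer' log source.

Added example, not from the Cisco guide. It checks the items listed in the
troubleshooting section: keystore/truststore paths, the configured port,
and TCP reachability of the FMC on the eStreamer port (8302).
"""
import os
import socket

CONF_DIR = "/opt/qradar/conf"   # directory named in 2.3.2 (assumed default)
ESTREAMER_PORT = 8302           # eStreamer port named in 3.1


def expected_store_paths(override=None, conf_dir=CONF_DIR):
    """Return the (keystore, truststore) paths the import script creates.

    With no -o override the base name is 'estreamer'; with -o <name> the
    base name is <name>, as described in 2.3.2.
    """
    base = override if override else "estreamer"
    return (os.path.join(conf_dir, base + ".keystore"),
            os.path.join(conf_dir, base + ".truststore"))


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # connection refused, timed out, unresolvable host, etc.
        return False


def preflight(fmc_host, keystore, truststore, port=ESTREAMER_PORT, timeout=3.0):
    """Run the checklist and return {check name: (ok, detail)}."""
    results = {}
    # Checklist item 1: keystore/truststore paths exist and are readable.
    for label, path in (("keystore", keystore), ("truststore", truststore)):
        if not os.path.isfile(path):
            results[label] = (False, f"{path} does not exist")
        elif not os.access(path, os.R_OK):
            results[label] = (False, f"{path} is not readable")
        else:
            results[label] = (True, path)
    # Checklist item 2: the configured port matches the eStreamer port.
    results["port"] = (port == ESTREAMER_PORT,
                       f"configured port {port}, expected {ESTREAMER_PORT}")
    # Checklist item 3: the port is open on the network path to the FMC.
    results["reachable"] = (tcp_reachable(fmc_host, port, timeout),
                            f"tcp connect to {fmc_host}:{port}")
    return results


def all_ok(results):
    """True when every check in a preflight() result passed."""
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    # Constructed placeholder values: a FMC imported with -o 192.168.1.100.
    fmc = "192.168.1.100"
    ks, ts = expected_store_paths(fmc)
    checks = preflight(fmc, ks, ts)
    for name, (ok, detail) in checks.items():
        print(f"[{'OK' if ok else 'FAIL'}] {name}: {detail}")
    raise SystemExit(0 if all_ok(checks) else 1)
```

Run it as root on the Console or Event Collector after the import script has completed and before deploying the log source; a FAIL on "reachable" with the files present points at the network path or the FMC side rather than at the QRadar configuration.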


4 Appendix A: Acronym Listing

Term Definition

FMC Cisco Firepower Management Center


Trademarks and Disclaimers

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THIRD PARTY SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THIRD PARTY SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. ©2017 Cisco Systems, Inc. All rights reserved.