Analysis of Cisco device logs using Splunk Cisco Security Suite

Cisco and Splunk are partners: Cisco uses Splunk in its own work, and Splunk keeps its solutions current so that its customers can easily work with data generated by Cisco devices.

As part of the partnership between Cisco and Splunk, more than five dozen solutions have been implemented that let you quickly extract valuable information from data generated by Cisco devices. In this article we want to talk about the Cisco Security Suite application, which can be used to analyze information security events coming from various Cisco devices in real time. Cisco Security Suite brings together dashboards for monitoring events from Cisco ASA, PIX and FWSM firewalls, Cisco Web Security Appliance (WSA) proxies, IPS, Cisco Email Security Appliance (ESA), Cisco Identity Services Engine (ISE), and Cisco Advanced Malware Protection / Sourcefire.

Data collection


To collect the data that the Cisco Security Suite application will then process, you need to install separate add-on applications, each responsible for collecting data of a particular type. To take full advantage of the application, the following add-ons are required: Cisco ASA, ESA, Identity Services, IPS, WSA, and eStreamer.



Visualization


Cisco Security Overview

The Cisco Security Overview dashboard draws on all of the Cisco add-ons, shows events in real time as they occur, and provides an overview of source and destination IP addresses.

Email Security

The Email Security panel builds analytics from data generated by the Cisco Email Security Appliance (ESA). It counts incoming and outgoing messages grouped by type (spam, infected and ordinary messages), plots message volume over time, and so on.

Web security

The Web Security section is based on Cisco WSA data and lets you see the nature of the web traffic, the main threats, and where they come from.

There are also dashboards that analyze the traffic against acceptable-use categories for different kinds of usage.

Network security

This section presents dashboards built on firewall events and on the eStreamer service. The Firewall Overview dashboard shows the number of blocked and allowed events, the reasons for blocking, and the sources and destinations of the events.
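As an added illustration of what the Firewall Overview counts are built from (this is example code written for this article, not part of the Cisco Security Suite or its add-ons), the script below parses a few constructed Cisco ASA syslog lines of two documented message types, 106023 (ACL deny) and 302013 (connection built), normalizes them into blocked/allowed events, and aggregates them by action, block reason, source and destination. The IP addresses and connection IDs are made up; the field names (`action`, `src`, `dest`, `dest_port`) are our own choice.

```python
import re
from collections import Counter

# Constructed sample ASA syslog lines (not real traffic). 106023 and 302013 are
# documented Cisco ASA message IDs; the addresses and IDs below are invented.
SAMPLE_LOGS = [
    '%ASA-4-106023: Deny tcp src outside:203.0.113.7/51234 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:203.0.113.7/51235 dst inside:10.0.0.5/3389 by access-group "outside_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src outside:198.51.100.9/4000 dst inside:10.0.0.8/161 by access-group "outside_in" [0x0, 0x0]',
    '%ASA-6-302013: Built inbound TCP connection 4711 for outside:192.0.2.10/40000 (192.0.2.10/40000) to inside:10.0.0.5/443 (10.0.0.5/443)',
    '%ASA-6-302013: Built outbound TCP connection 4712 for inside:10.0.0.20/50001 (10.0.0.20/50001) to outside:192.0.2.30/80 (192.0.2.30/80)',
]

# ACL deny: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>""
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
# Connection built: "Built inbound|outbound <proto> connection <id> for <if>:<ip>/<port> (...) to <if>:<ip>/<port> (...)"
BUILT_RE = re.compile(
    r'%ASA-\d-302013: Built (?:inbound|outbound) (?P<proto>\w+) connection \d+ '
    r'for \w+:(?P<src>[\d.]+)/\d+ \(.*?\) to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)')


def parse_asa_line(line):
    """Normalize one ASA line into an event dict; None if it is not a handled message type."""
    m = DENY_RE.search(line)
    if m:
        return {"action": "blocked", "reason": f'access-group {m["acl"]}',
                "src": m["src"], "dest": m["dst"], "dest_port": int(m["dport"])}
    m = BUILT_RE.search(line)
    if m:
        return {"action": "allowed", "reason": "connection built",
                "src": m["src"], "dest": m["dst"], "dest_port": int(m["dport"])}
    return None


def firewall_overview(lines):
    """Aggregate events the way a Firewall Overview panel would: by action, block reason, source, destination."""
    events = [e for e in map(parse_asa_line, lines) if e]
    return {
        "by_action": Counter(e["action"] for e in events),
        "block_reasons": Counter(e["reason"] for e in events if e["action"] == "blocked"),
        "top_sources": Counter(e["src"] for e in events),
        "top_destinations": Counter(e["dest"] for e in events),
    }


if __name__ == "__main__":
    for panel, table in firewall_overview(SAMPLE_LOGS).items():
        print(panel, dict(table))
```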



For the eStreamer service, several dashboards have been created where you can find information on policies, hosts, sensors, flows, and more.

Identity Services

Cisco Identity Services Engine is a platform for managing identification and access-control processes. Using real-time data about the network, its users and their devices, it can make proactive access decisions. All access-provisioning events are split into wired network segments, wireless network segments, and remote-access connections.

Conclusion


In fact, the application (in its full "bundle") includes more than 50 dashboards, so we have shown far from all of them here. To learn more about this application, you can also watch a dedicated demo video.

Thank you for your time!

If you are interested in this topic or in Splunk in general, leave a comment and we will be happy to answer. Our blog also has many other articles about Splunk that can help you learn about implemented cases, functionality, and much more. Subscribe to our VK group and Telegram channel if you want to keep up with new articles. You can also send us a request through the form on our website.

Source: https://habr.com/ru/post/414389/