Additional Contributor: Apaar Sanghi
Cisco Secure Firewall (CSF) is constantly adding new features and integrations, with many recent enhancements involving logging and Splunk. One area of integration between CSF and Splunk that we worked on at Cisco Live Melbourne involved Enterprise Security Content Update (ESCU) detections in Splunk Enterprise Security (ES). In this blog post we'll look at what Splunk ESCU detections are, some changes we made to get these detections to work with our SOC logging configuration, and walk through an example of how we used these ESCU detections in our SOC workflows.
Splunk ES has around two dozen ESCU detections for Cisco Secure Firewall. These can be accessed from ES by navigating to Security Content > Content Management and then searching for 'Secure Firewall'.


All ESCU detections for Secure Firewall reference the same macro, 'cisco_secure_firewall'.


The default configuration for this macro references the eStreamer client, which is common for data ingest from CSF. However, Cisco now recommends syslog for new deployments, as syslog can deliver better ingest performance than eStreamer, and many enhancements to syslog output are included in our 10.0 release and road-mapped for future releases.
In the Cisco SOC, we try to stay on the cutting edge of configuration so that we can test new features, detections, and integrations. We transitioned our firewall log export to syslog several conferences ago, and in Melbourne we decided to test the ESCU detections with syslog.
There are several ways we can do this.
- We can modify the existing ESCU detections to point to a new macro.
- We can clone the existing ESCU detections and set a new macro on the clones.
- We can leave all of the ESCU detections alone and simply change the underlying macro they reference.
We opted for option 3 (though we did also do some customization via cloning). This required changing the macro pictured above by navigating to Settings > Advanced Search and then clicking 'Search macros'.


Searching for the macro from the ESCU detections will show that the Definition is set to sourcetype="cisco:sfw:streamer".


We can replace this with the sourcetype for our syslog, and we also need to define the index for our syslog. For the Melbourne SOC, our index is se_network_ftd.


With this setting, the macro used by all of the Secure Firewall ESCU detections will now point at the index and sourcetype for our syslog events. The searches associated with the ESCU detections will still work after switching from eStreamer to syslog because the Cisco Security TA uses Splunk's schema-on-read approach to provide the same event schema at query time for both eStreamer and syslog events.
Note: for organizations transitioning from eStreamer to syslog, the macro can be configured to pull from either eStreamer or syslog by using an 'or' condition. For our index, this would look like the following:
index=se_network_ftd AND (sourcetype=cisco:ftd:estreamer OR sourcetype=cisco:ftd:syslog)
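The same macro change expressed as a macros.conf stanza, with the shipped eStreamer-only definition shown beside the transitional one, as an added example that is not from the original post. The app path and the `iseval` line are assumptions; the index and sourcetypes are the ones used in this post, and the verification search in the trailing comment is a suggested check rather than something the post describes.

```conf
# Assumed location: $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf
# Overriding the macro in a local/ file keeps the ESCU content's own
# default/macros.conf untouched, so ESCU updates do not clobber the change.

# Before: the ESCU default only matches eStreamer events.
# [cisco_secure_firewall]
# definition = sourcetype="cisco:sfw:streamer"

# After: scope to the SOC index and accept both eStreamer and syslog events,
# so detections keep firing while sensors are migrated one at a time.
[cisco_secure_firewall]
definition = index=se_network_ftd AND (sourcetype=cisco:ftd:estreamer OR sourcetype=cisco:ftd:syslog)
iseval = 0

# Once the migration is complete, drop the estreamer sourcetype so the macro
# no longer silently matches a feed that should be retired.
# [cisco_secure_firewall]
# definition = index=se_network_ftd AND sourcetype=cisco:ftd:syslog

# Suggested verification from the search bar (assumed, not from the post):
# confirm the macro returns events from every sourcetype you expect.
#   `cisco_secure_firewall` earliest=-24h | stats count by index, sourcetype
```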
In the SOC we intentionally do not decrypt attendee traffic, so Encrypted Visibility Engine (EVE) events are extremely useful as an Indicator of Compromise (IoC). One of the Splunk ESCU detections that we used involves EVE events directly.


By default, this ESCU detection will match on a Secure Firewall connection event with an EVE threat confidence above 80. However, this detection will use the EVE event as an Intermediate Finding, which raises the risk score of the involved source IP without generating a full incident.


This will be the right call for many environments, but in the SOC we have a low enough volume of high confidence EVE events, and place enough value on them, to warrant promoting them to full incidents. We opted to change the setting to Finding, so that a single Secure Firewall connection event with a high EVE threat confidence score will generate a Finding on its own.


With the Finding setting in place, all high confidence EVE events were automatically promoted to Incidents in Splunk ES, ensuring we saw them quickly and could respond with an investigation.


While we run many of our incident investigations through Cisco XDR in the SOC, the ease of use of this workflow and the Splunk ESCU detection capabilities proved to be a useful tool that we will expand on at future conferences.
Check out the other blogs by my colleagues in the Cisco Live APJC 2026 SOC.
