<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: cisco security suite setup bug? in Security</title>
    <link>https://community.splunk.com/t5/Security/cisco-security-suite-setup-bug/m-p/346777#M13169</link>
    <description>&lt;P&gt;I was using the overview dashboard.  After I posted this, I realized I should've been more clear.  I like the look and feel of the overview dashboard.  I can see the network security/firewall event search dashboard being populated.  &lt;/P&gt;

&lt;P&gt;For example, I see the search strings used in the map.  How would I get the ASA firewall data to the overview portion?  Cisco-security-events is the eventtype the map is looking for.  Am I looking for a way that the eventtype is changed or am I needing to change what eventtype the map is looking for?  &lt;/P&gt;</description>
    <pubDate>Wed, 18 Apr 2018 12:53:21 GMT</pubDate>
    <dc:creator>djhoskins</dc:creator>
    <dc:date>2018-04-18T12:53:21Z</dc:date>
    <item>
      <title>cisco security suite setup bug?</title>
      <link>https://community.splunk.com/t5/Security/cisco-security-suite-setup-bug/m-p/346775#M13167</link>
      <description>&lt;P&gt;I have recently set up Cisco Security Suite and I'm confused as to what happened in the setup.  I have an ASA firewall sending data to Splunk.  During the setup, it asked which type of firewall logs were being used, and I selected ASA (triple checked).  I see that I have files coming in from the ASA (using the search app) but they are not coming in on the dashboard.  When I hover over the yellow ! I see that it is looking for eventtype: cisco_esa_authentication, esa_email and esa_proxy.  Did I miss a step?  It seemed pretty straightforward.  I do not have the ESA add-on installed, but do have the ASA add-on installed.  Should I change the eventtype in /apps/Splunk_ciscoSecuritySuite/default/eventtypes.conf?   I see the eventtype of my incoming data is cisco_connection; perhaps that is something I need to look into as well.   Please advise.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 19:07:23 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/cisco-security-suite-setup-bug/m-p/346775#M13167</guid>
      <dc:creator>djhoskins</dc:creator>
      <dc:date>2020-09-29T19:07:23Z</dc:date>
    </item>
    <item>
      <title>Re: cisco security suite setup bug?</title>
      <link>https://community.splunk.com/t5/Security/cisco-security-suite-setup-bug/m-p/346776#M13168</link>
      <description>&lt;P&gt;In which dashboard are you looking for ASA data?&lt;/P&gt;</description>
      <pubDate>Wed, 18 Apr 2018 05:51:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/cisco-security-suite-setup-bug/m-p/346776#M13168</guid>
      <dc:creator>p_gurav</dc:creator>
      <dc:date>2018-04-18T05:51:20Z</dc:date>
    </item>
    <item>
      <title>Re: cisco security suite setup bug?</title>
      <link>https://community.splunk.com/t5/Security/cisco-security-suite-setup-bug/m-p/346777#M13169</link>
      <description>&lt;P&gt;I was using the overview dashboard.  After I posted this, I realized I should've been more clear.  I like the look and feel of the overview dashboard.  I can see the network security/firewall event search dashboard being populated.  &lt;/P&gt;

&lt;P&gt;For example, I see the search strings used in the map.  How would I get the ASA firewall data to the overview portion?  Cisco-security-events is the eventtype the map is looking for.  Am I looking for a way that the eventtype is changed or am I needing to change what eventtype the map is looking for?  &lt;/P&gt;</description>
      <pubDate>Wed, 18 Apr 2018 12:53:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/cisco-security-suite-setup-bug/m-p/346777#M13169</guid>
      <dc:creator>djhoskins</dc:creator>
      <dc:date>2018-04-18T12:53:21Z</dc:date>
    </item>
  </channel>
</rss>

