This procedure helps you to connect your Cisco FirePower via SIEM to the Expel Workbench. The procedure is to port in logs by creating a new Syslog source, configuring that source in Workbench, then configure your Cisco FirePower via SIEM device in Workbench.
Note
Some steps in this procedure vary greatly depending upon the SIEM-based technology you use.
Quick Start
Step 1: Logging Cisco FirePower to a desired SIEM
Refer to your SIEM documentation or work with your SIEM representative to port in Cisco FirePower logs. You can also refer to the following web references for creating a new Syslog source:
Step 2: Configure the SIEM in Workbench
This link opens the Expel Knowledge Base section for connecting SIEM-based technology to Workbench. Follow the applicable article to configure your SIEM-based tech and confirm that Cisco FirePower logs are flowing through and available.
Step 3: Configure Cisco FirePower via SIEM in Workbench
-
In a new browser tab, go to https://workbench.expel.io/settings/security-devices.
-
Click +Add Security Device.
-
Find and select Cisco FirePower (via SIEM).
-
Fill in the device fields like this:
-
For SIEM, select the SIEM that was onboarded in Step 2.
-
For Name, type the host name of the Cisco FirePower device.
-
For Location, type the geographic location of the device.
-
-
Fill in the Connection Settings fields based on the SIEM you selected:
-
For Index, type in the SIEM index.
-
For Source type, type the Splunk source type for this device.
-