1. Expel Help Center
  2. Connect Your Technology
  3. A-C Integrations
  4. Cisco

Cisco ASA (via SIEM) Setup for Workbench

Setting up this integration requires you to create one security device in Workbench for the SIEM (you will find a link to those instructions in this guide), and a separate security device for the Cisco ASA integration (that device will reference the SIEM's device).

Scope and Limitations

When choosing to set up this integration, remember the following:

  1. You must use a supported SIEM to set up this type of connection. This integration's supported SIEMs include:
    • Exabeam New-Scale SIEM
    • Splunk
    • Sumo Logic
  2. Custom detection rules cannot be used for a via SIEM connection.
  3. If you are using the Sumo Logic Data Lake SKU:
    • You may onboard a via SIEM integration while using the Sumo Logic Data Lake SKU, but this may result in unexpected usage spikes and potential license overages.
    • These via SIEM integrations run predefined queries designed for the Sumo Logic Cloud SIEM SKU, which may consume significant search capacity.
    • There is currently no mechanism to prevent this behavior during self-service onboarding.

Prerequisites

  1. For Sumo Logic Data Lake, we strongly recommend verifying your Sumo SKU before proceeding. Please consult your internal admin or Sumo Logic representative if you have any questions.

  2.  If you are subject to Sumo Logic’s Flex pricing, you will need to provide a comma-separated list of indexes you wish for us to query when you set up the security device in Workbench.

Quick Links

  1. Set Up Logging
  2. Set Up the SIEM
  3. Add Cisco ASA (via SIEM) as a Security Device in Workbench 

Step 1: Set Up Logging

You must first confirm that your SIEM's data sources are logging properly, and then specify which logs the SIEM should ingest, where they should be stored, and any other data quality information that should be included.

You should work with your SIEM representative or refer to your SIEM's documentation if you need help with this step. The following web resources are also available:

Note

Before continuing to Step 2, note the SIEM index where the logs are located (you will need it in a later step). If you are using Sumo Logic, also note the source category. If you are using Splunk, also note the source type.

Step 2: Set Up the SIEM

You must set up the SIEM as its own security device before you can configure this integration's security device, since you are using it as a connection. Select the link below to go to your SIEM's setup guide, then return to this page when you have completed it:

Important

Be sure to confirm the SIEM's security device in Workbench is connected and logs are flowing before continuing to Step 3 in this guide.

Step 3: Add Cisco ASA (via SIEM) as a Security Device in Workbench

When you set up this device, you will choose the security device you created in Step 2 as the SIEM (this will enable the via SIEM connection). Before you begin, make sure you have your saved values from Step 1. If you are using Sumologic and are subject to its Flex pricing, make sure you also have the comma-separated list of indexes you want us to query.

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices. If you have multiple organizations, you must select the appropriate organization name from the list.
  3. Select Add Security Device.
  4. In the search box, type “Cisco” and then select the Cisco ASA (via SIEM) integration.
  5. Complete the fields as follows:
    • SIEM - select the SIEM's device from Step 2.
    • Name - enter a name that might help you more easily identify this integration, such as “CompanyName CiscoASA”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
    • Location - enter the location of your integration, for example “cloud;” this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    • Source type - enter the Splunk source type, if applicable.
    • Source category - enter the Sumo Logic source category, if applicable.
    • Index - enter the SIEM index where the logs are located.
    • Sumologic query indices - for Sumo Logic Flex pricing only, enter the comma-separated list of indexes you wish us to query (all other Sumo Logic users should leave this field blank).
    • Select Save.
  6. Your device should be created successfully within a few seconds. A few reminders:
    • After your connection is healthy, it will take some time for your device to begin polling and receiving data.
    • To check on the status, select the downward arrow for your device in the first column and choose View details.
    • Polling will happen first; data will be received after that. You must refresh the page to see updates.
    • If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.
    • To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.

Related articles