
Cisco IronPort Integration Guide

Cisco IronPort Web Security Appliances (WSA) should be configured to send logs to the Taegis™ XDR Collector via syslog by following the logging instructions below.

Connectivity Requirements

Source               Destination               Port/Protocol
Cisco IronPort WSA   XDR Collector (mgmt IP)   UDP/514

Data Provided from Integration

Normalized Data Out-of-the-Box Detections Vendor-Specific Detections
Cisco IronPort Auth HTTP

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configuration Instructions

To configure Cisco IronPort to send logs to Secureworks® Taegis™ XDR via syslog, follow these instructions.

Web Security Appliances

Follow the instructions provided by Cisco to add or edit log subscriptions using the syslog push retrieval method for the following log types:

  • CLI Audit Logs — Records a historical audit of command line interface activity.
  • FTP Server Logs — Records all files uploaded to and downloaded from the WSA using FTP.
  • GUI Logs — Records history of page refreshes in the web interface.
  • Data Security Logs — Records client history for upload requests that are evaluated by the IronPort DSFs.
  • McAfee Logs — Records the status of anti-malware scanning activity from the McAfee scanning engine.
  • AnyConnect Secure Mobility Daemon Logs — Records the interaction between the Web Security appliance and the AnyConnect client, including the status check.
  • Default Proxy Logs — Records errors related to the Web Proxy.
  • Sophos Logs — Records the status of anti-malware scanning activity from the Sophos scanning engine.
  • System Logs — Records DNS, error, and commit activity.
  • W3C Logs — Using a custom format, the data gathered by this type supersedes the default Access log type format (Squid).

W3C Logs

Create a new W3C Log type subscription to forward HTTP/HTTPS access logs to XDR using a custom format. Apply the following settings while following the configuration steps:

  • Log Name — TDR_W3C
  • Log Type — W3C
  • Log Fields — Add the following fields in this order:
    • date
    • time
    • c-ip
    • c-port
    • s-ip
    • s-port
    • cs(X-Forward-For)
    • cs-username
    • sc-result-code
    • sc-http-status
    • cs-method
    • cs-url
    • cs-version
    • cs-mime-type
    • cs(User-Agent)
    • cs(Referer)
    • x-acltag
    • x-result-code

Syslog Push Configuration

Consider the following requirements for the syslog push retrieval method configuration for each of the preceding log type subscriptions:

  • Hostname — The IP address of the XDR Collector
  • Protocol — UDP
  • Facility — Local2
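The field order of the TDR_W3C subscription and the Local2 facility of the syslog push are what a receiver relies on to parse these events correctly. The following Python script is an added example (not Secureworks or Cisco code, and not the XDR Collector's parser) that shows what a receiver has to check: it decodes the syslog PRI to confirm the facility is local2 (facility code 18), then maps the space-separated W3C tokens onto the 18 fields in the order given above, rejecting lines whose token count does not match so that a subscription with a field added, dropped or reordered does not silently shift values onto the wrong keys. The syslog framing, the `tdr_w3c` tag, and all sample lines are constructed for this example.

```python
import re

# Field order from the TDR_W3C log subscription described in this guide (18 fields).
W3C_FIELDS = [
    "date", "time", "c-ip", "c-port", "s-ip", "s-port", "cs(X-Forward-For)",
    "cs-username", "sc-result-code", "sc-http-status", "cs-method", "cs-url",
    "cs-version", "cs-mime-type", "cs(User-Agent)", "cs(Referer)", "x-acltag",
    "x-result-code",
]

LOCAL2 = 18  # syslog facility code for local2 (RFC 5424, Table 1)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Classic BSD syslog framing (assumed here): <PRI>Mmm dd hh:mm:ss host tag: message
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)
# W3C-style tokens: a double-quoted string (user agent, referer) or a bare token
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# Constructed sample datagrams. <150> = facility 18 (local2) * 8 + severity 6 (info);
# <14> = facility 1 (user) * 8 + 6, i.e. a sender that was not set to Local2.
SAMPLE_LINES = [
    '<150>Jan 14 10:22:30 wsa01 tdr_w3c: #Fields: date time c-ip c-port',
    '<150>Jan 14 10:22:31 wsa01 tdr_w3c: 2024-01-14 10:22:31 10.1.2.3 51234 10.9.9.9 3128 - '
    'jdoe TCP_MISS 200 GET http://www.example.com/index.html HTTP/1.1 text/html '
    '"Mozilla/5.0 (Windows NT 10.0)" - ALLOW_POLICY_11-DefaultGroup ALLOW_POLICY',
    '<150>Jan 14 10:22:32 wsa01 tdr_w3c: 2024-01-14 10:22:32 10.1.2.4 51235 10.9.9.9 3128 - '
    '- TCP_DENIED 403 GET http://blocked.example.net/file.exe HTTP/1.1 - '
    '"curl/8.0" - BLOCK_WEBCAT_11-DefaultGroup BLOCK_WEBCAT',
    '<14>Jan 14 10:22:33 wsa02 tdr_w3c: 2024-01-14 10:22:33 10.1.2.5 51236 10.9.9.9 3128 - '
    '- TCP_MISS 200 GET http://www.example.com/ HTTP/1.1 text/html "curl/8.0" - '
    'ALLOW_POLICY_11-DefaultGroup ALLOW_POLICY',
]


def parse_syslog(line):
    """Split one UDP syslog datagram into facility, severity, host, tag and message."""
    m = _SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a syslog line: %r" % line[:40])
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }


def parse_w3c(msg, fields=W3C_FIELDS):
    """Map a W3C access-log line onto the subscription's field order.

    A line whose token count differs from the field count is rejected rather
    than guessed at: any change to the subscription's field list shifts every
    later value onto the wrong key, which is worse than dropping the line.
    """
    if msg.startswith("#"):
        return None  # W3C directive line (#Fields:, #Version:), not an event
    tokens = [t.strip('"') for t in _TOKEN_RE.findall(msg)]
    if len(tokens) != len(fields):
        raise ValueError("expected %d fields, got %d" % (len(fields), len(tokens)))
    # "-" is the W3C placeholder for an absent value (e.g. unauthenticated user)
    return {k: (None if v == "-" else v) for k, v in zip(fields, tokens)}


def parse_event(line, expected_facility=LOCAL2):
    """Full pipeline for one datagram; enforces the facility the guide specifies."""
    hdr = parse_syslog(line)
    if hdr["facility"] != expected_facility:
        raise ValueError("facility %d, expected %d (local2)" % (hdr["facility"], expected_facility))
    event = parse_w3c(hdr["msg"])
    if event is None:
        return None
    event.update(host=hdr["host"], severity=hdr["severity"])
    return event


def ingest(lines, expected_facility=LOCAL2):
    """Parse many datagrams; returns (events, rejects) so bad input stays visible."""
    events, rejects = [], []
    for line in lines:
        try:
            event = parse_event(line, expected_facility)
        except ValueError as exc:
            rejects.append((line, str(exc)))
            continue
        if event is not None:
            events.append(event)
    return events, rejects


if __name__ == "__main__":
    events, rejects = ingest(SAMPLE_LINES)
    for ev in events:
        print(ev["host"], ev["c-ip"], ev["cs-username"], ev["sc-http-status"], ev["x-result-code"])
    for line, reason in rejects:
        print("rejected:", reason, "--", line[:40])
```

Running the script against the constructed samples yields two parsed events (the `#Fields:` directive is skipped) and one rejection for the datagram sent with the wrong facility, which is the symptom to look for when an appliance's syslog push was committed with a facility other than Local2.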

Note

Make sure to commit or push your changes to all of the IronPorts you wish XDR to receive logs from.