Analyze and monitor Cisco Firepower logs with Log360

Overview

Log360 supports Cisco Firepower by ingesting its logs to centralize and analyze security data from your network. This enables organizations to gain actionable insights from Cisco Firepower events by leveraging Log360’s powerful log management, correlation, and alerting capabilities.

How Log360 collects and analyzes Firepower logs

Log360 collects Cisco Firepower logs using the Syslog protocol. Firepower devices can be configured to forward logs over UDP, TCP, or TLS. Once received, Log360 parses, categorizes, and enriches these logs to enable comprehensive security analysis.

Types of logs collected:

  • Connection logs: Cover allowed and denied traffic through the firewall.
  • Intrusion logs: Include alerts generated by the IDS or IPS engine.
  • Web activity logs: Capture access to websites and URLs.
  • Authentication logs: Record successful and failed login attempts.
  • System logs: Include device-level events and severity-tagged messages.

Monitoring capabilities

Log360 leverages real-time log analysis, correlation, and reporting to provide advanced monitoring of Cisco Firepower events:

  • Traffic flow analysis: Monitors connection events—including source and destination IPs, ports, protocols, access control policy actions, and connection states—to profile allowed versus denied traffic patterns.
  • Intrusion event detection: Parses Snort-based IDS and IPS alerts, capturing signature IDs, attack categories, severity levels, and affected assets. Enables mapping of intrusion attempts to MITRE ATT&CK® techniques.
  • Access policy auditing: Tracks rule-based access hits, alerting on policy violations, shadowed rules, or unauthorized traffic flows through fine-grained ACL match data.
  • Web access monitoring: Analyzes outbound HTTP and HTTPS traffic to detect suspicious web access attempts, categorize destination domains, and flag traffic to blocklisted or high-risk websites.
  • Device state and severity mapping: Collects and monitors system-level messages from Firepower with severity tagging (Emergency to Debug) to surface hardware, software, or policy misconfigurations.
  • User activity correlation: Associates logon events and VPN session data with traffic behavior for identity-aware threat detection.
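The collect, parse, categorize and analyze pipeline described above can be illustrated with a small stand-alone script. This is an added example, not Log360 code and not the real Cisco Firepower syslog format: the header follows the common RFC 3164 shape (`<PRI>` timestamp host tag: message), the tags (CONN, IPS, AUTH, SYS, URL) and key=value fields are constructed for this example, and the sample lines are made up. It shows the syslog PRI-to-severity mapping, categorization by event type, the allowed-versus-denied profiling and repeated-deny flagging, and surfacing of intrusion alerts and high-severity device messages.

```python
"""Toy syslog ingestion pipeline: parse, categorize and summarise
firewall log lines. The line format below is CONSTRUCTED for this
example; it is not the real Cisco Firepower format and this is not
Log360 code."""
import re
from collections import Counter
from dataclasses import dataclass, field

# RFC 3164-style header: <PRI>Mon DD HH:MM:SS host TAG: message
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[A-Z_]+): (?P<msg>.*)$"
)
# key=value pairs; quoted values may contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Standard syslog severity names, indexed by the low 3 bits of PRI
SEVERITY = ["Emergency", "Alert", "Critical", "Error",
            "Warning", "Notice", "Informational", "Debug"]

# Constructed tag -> log category (mirrors the categories listed above)
CATEGORY = {"CONN": "connection", "IPS": "intrusion",
            "AUTH": "authentication", "SYS": "system", "URL": "web"}


@dataclass
class Event:
    category: str
    severity: str
    host: str
    fields: dict = field(default_factory=dict)


def parse_line(line):
    """Return an Event, or None if the line does not match the header."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    severity = SEVERITY[pri & 7]  # PRI = facility * 8 + severity
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("msg"))}
    return Event(CATEGORY.get(m.group("tag"), "unknown"),
                 severity, m.group("host"), fields)


def analyse(lines, deny_threshold=3):
    """Parse all lines, then build the summaries a monitoring console
    would show: counts per category, allowed vs denied connections,
    sources with repeated denies, intrusion alerts and critical
    (or worse) system messages."""
    events = [e for e in map(parse_line, lines) if e]
    denied = Counter()
    allowed = 0
    for e in events:
        if e.category != "connection":
            continue
        if e.fields.get("action") == "deny":
            denied[e.fields.get("src", "?")] += 1
        else:
            allowed += 1
    return {
        "by_category": dict(Counter(e.category for e in events)),
        "allowed": allowed,
        "denied_total": sum(denied.values()),
        "noisy_sources": sorted(s for s, n in denied.items()
                                if n >= deny_threshold),
        "intrusions": [(e.fields.get("sid"), e.fields.get("src"))
                       for e in events if e.category == "intrusion"],
        "critical_system": [e.fields.get("reason") for e in events
                            if e.category == "system"
                            and SEVERITY.index(e.severity) <= 2],
    }


# Constructed sample input (RFC 5737 documentation addresses)
SAMPLE = [
    '<134>Jun 12 10:01:02 fw01 CONN: action=allow src=10.0.0.5 dst=93.184.216.34 dport=443 proto=tcp',
    '<134>Jun 12 10:01:03 fw01 CONN: action=deny src=198.51.100.7 dst=10.0.0.20 dport=22 proto=tcp',
    '<134>Jun 12 10:01:04 fw01 CONN: action=deny src=198.51.100.7 dst=10.0.0.21 dport=22 proto=tcp',
    '<134>Jun 12 10:01:05 fw01 CONN: action=deny src=198.51.100.7 dst=10.0.0.22 dport=22 proto=tcp',
    '<132>Jun 12 10:01:06 fw01 IPS: sid=1000001 src=198.51.100.7 dst=10.0.0.20 msg="constructed test signature"',
    '<134>Jun 12 10:01:07 fw01 AUTH: result=success user=alice src=203.0.113.9 method=vpn',
    '<130>Jun 12 10:01:08 fw01 SYS: reason="power supply 2 failed"',
    'garbage line without a header',
]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

The unparseable line is dropped rather than aborting the run, which is the behaviour you want from a collector fed by many devices; in practice such lines should be counted and surfaced, since a sudden rise in unparsed input usually means a device firmware update changed the message format.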

Critical events monitored

  • Firewall allowed or denied traffic
  • Logons via Cisco VPN or remote access
  • Website accessed through firewall
  • Intrusion attempts and triggered IDS and IPS signatures
  • Device status changes with severity levels

Key benefits

  • Centralized security monitoring: Correlate Firepower logs with logs from other devices in one unified console.
  • Operational insights: Understand firewall usage trends, top denied rules, and access control violations.
  • Granular threat detection: Log360 enables the detection of lateral movement, command-and-control attempts, and brute-force activity by correlating Firepower intrusion events with user activity and traffic flow.

Addressing Cisco Firepower security challenges

  • Challenge: Lack of centralized correlation for IDS and IPS logs
    How Log360 solves it: Parses Firepower intrusion logs and correlates them with user behavior and traffic metadata.
  • Challenge: Limited visibility into access rule effectiveness
    How Log360 solves it: Tracks hit counts per rule and flags rarely used or overlapping rules for optimization.
  • Challenge: Inability to detect identity-based anomalies
    How Log360 solves it: Maps IP sessions to AD users and flags deviations from typical user access patterns.
  • Challenge: Insufficient response to critical firewall events
    How Log360 solves it: Enables real-time alerting with severity thresholds and automated ticketing and notifications.

Get started

Ready to secure your Firepower with Log360?

Gain complete visibility, detect threats faster, and simplify compliance.

Explore ManageEngine Log360
Details
  • Category Firewall, Network device

Support

  support@log360.com

Relevant resources

 Reports for Cisco Firepower

 Configuring Cisco Firepower with EventLog Analyzer

Talk to our security experts

Have questions about Log360’s integration capabilities or need technical guidance?