{"type":"doc","content":[{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{"maxLevel":{"value":"2"},"_parentId":{"value":"120918986"},"type":{"value":"flat"}},"macroMetadata":{"macroId":{"value":"4a7c0f57-709b-42c4-a35e-d1ca7cba1005"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"03e421da-76de-4fdf-b53c-f6b17ad5e563"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Service description","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"Cisco Event Streamer","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.cisco.com/c/en/us/td/docs/security/firepower/660/api/eStreamer/EventStreamerIntegrationGuide_660.pdf"}}]},{"text":" (also known as Cisco eStreamer) allows you to stream Firepower System events to external client applications. You can stream host, discovery, correlation, compliance allow list, intrusion, user activity, file, malware, and connection data from a Management Center and you can stream intrusion data from 7000 and 8000 series devices.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Data source description","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]}]},{"type":"paragraph","content":[{"text":"Currently, the Cisco eStreamer collector generates host, discovery, correlation, compliance allow list, intrusion, user activity, file, malware, and connection events. The collector processes the eStreamer responses and sends them to the Devo platform, which will categorize all the information received on the following tables:","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"d0a7d42a-700b-420f-9d04-de41aa5e56bd"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"Group name","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"Details","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"Data tables","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"Metadata","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"Context information for codes and numeric identifiers in the event records","type":"text","marks":[{"type":"textColor","attrs":{"color":"#58585b"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"firewall.cisco.fmc_estreamer.metadata","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"Packet","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"Packets associated with intrusion events","type":"text","marks":[{"type":"textColor","attrs":{"color":"#58585b"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"firewall.cisco.fmc_estreamer.packet","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"Intrusion","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"Intrusion events generated by managed devices","type":"text","marks":[{"type":"textColor","attrs":{"color":"#58585b"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"firewall.cisco.fmc_estreamer.intrusion","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"File malware","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"Malware events","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"firewall.cisco.fmc_estreamer.file_malware","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"Correlation","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"Correlation and allow list events","type":"text","marks":[{"type":"textColor","attrs":{"color":"#58585b"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"firewall.cisco.fmc_estreamer.correlation","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"Connection","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"Connection events","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"firewall.cisco.fmc_estreamer.connection","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"RNA","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"Realtime Network Awareness events","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"firewall.cisco.fmc_estreamer.rna","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"RUA","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"Realtime User Awareness events","type":"text","marks":[{"type":"textColor","attrs":{"color":"#555555"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"firewall.cisco.fmc_estreamer.rua","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"Event","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"Additional data for intrusion events","type":"text","marks":[{"type":"textColor","attrs":{"color":"#58585b"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[226.67]},"content":[{"type":"paragraph","content":[{"text":"firewall.cisco.fmc_estreamer.event","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"For more info about the Cisco eStreamer, visit the ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]},{"text":"Firepower System Event Streamer Integration Guide","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}},{"type":"link","attrs":{"href":"https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer/EventStreamerIntegrationGuide/Intro.html"}}]},{"text":".","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Setup","type":"text"}]},{"type":"paragraph","content":[{"text":"The Cisco eStreamer data collector works over the Cisco FMC (Firepower Management Center) devices. To start receiving data from the eStreamer protocol, you need to set up the eStreamer service in the FMC.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Setting up eStreamer","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Access the FMC web console.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Go to ","type":"text"},{"text":"System → Integration → eStreamer","type":"text","marks":[{"type":"strong"}]},{"type":"hardBreak"}]},{"type":"mediaSingle","attrs":{"layout":"center"},"content":[{"type":"media","attrs":{"width":3828,"id":"3120ef2e-79c5-49a2-a8aa-dafded9d47ed","collection":"contentId-120918986","type":"file","height":748}}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Check the events that you want to receive and save the changes.","type":"text"},{"type":"hardBreak"}]},{"type":"mediaSingle","attrs":{"layout":"center"},"content":[{"type":"media","attrs":{"width":3822,"id":"886793b8-d021-40ff-a19f-3f7c2efed54b","collection":"contentId-120918986","type":"file","height":1120}}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Create a new client and save the certificate (and password/passphrase if configured) to be used later in the collector.","type":"text"},{"type":"hardBreak"}]},{"type":"mediaSingle","attrs":{"layout":"center"},"content":[{"type":"media","attrs":{"width":3822,"id":"2a5af537-f2f6-46d5-8533-d8a38dbd3290","collection":"contentId-120918986","type":"file","height":1120}}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Run the collector","type":"text"}]},{"type":"paragraph","content":[{"text":"Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (","type":"text"},{"text":"Cloud collector","type":"text","marks":[{"type":"underline"}]},{"text":"), or deploy and host the collector in your own machine using a Docker image (","type":"text"},{"text":"On-premise collector","type":"text","marks":[{"type":"underline"}]},{"text":").","type":"text"}]},{"type":"bodiedExtension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"rw-ui-tabs-macro","parameters":{"macroParams":{"_parentId":{"value":"120918986"}},"macroMetadata":{"macroId":{"value":"5ce2abf1-fed9-4901-824b-a95d554ed8d5"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://d1bgdtsfe1sjdg.cloudfront.net/refinedtheme-for-cloud/macro-icons/tabs.png"}}],"title":"UI Tabs"}},"localId":"07ab2cd0-9648-424a-98c9-caaa1794ecc3"},"content":[{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"rw-tab","parameters":{"macroParams":{"_parentId":{"value":"120918986"},"title":{"value":"Cloud collector"}},"macroMetadata":{"macroId":{"value":"7958d4a471e74cf85658d0bfa9829434"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://d1bgdtsfe1sjdg.cloudfront.net/refinedtheme-for-cloud/macro-icons/tab.png"}}],"title":"UI Tab"}},"localId":"b5e1deba-5102-401e-ab87-d1752d1f073c"}},{"type":"paragraph","content":[{"text":"We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, ","type":"text"},{"text":"get in touch with us","type":"text","marks":[{"type":"link","attrs":{"href":"mailto:support@devo.com"}}]},{"text":" and we will guide you through the configuration.","type":"text"}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"rw-tab","parameters":{"macroParams":{"_parentId":{"value":"120918986"},"title":{"value":"On-premise collector"}},"macroMetadata":{"macroId":{"value":"9dac797660507674036a630be347239a"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://d1bgdtsfe1sjdg.cloudfront.net/refinedtheme-for-cloud/macro-icons/tab.png"}}],"title":"UI Tab"}},"localId":"396eb10a-9d2d-4666-9d0f-54dc825dae71"}},{"type":"paragraph","content":[{"text":"This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Structure","type":"text"}]},{"type":"paragraph","content":[{"text":"The following directory structure should be created for being used when running the Cisco eStreamer collector:","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n└── devo-collectors/\n └── cisco/\n ├── certs/\n │ ├── chain.crt\n │ ├── .key\n │ └── .crt\n └── config/ \n └── config-cisco.yaml","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Devo credentials","type":"text"}]},{"type":"paragraph","content":[{"text":"In Devo, go to ","type":"text"},{"text":"Administration → Credentials → X.509 Certificates","type":"text","marks":[{"type":"strong"}]},{"text":", download the ","type":"text"},{"text":"Certificate","type":"text","marks":[{"type":"strong"}]},{"text":", ","type":"text"},{"text":"Private key","type":"text","marks":[{"type":"strong"}]},{"text":" and ","type":"text"},{"text":"Chain CA","type":"text","marks":[{"type":"strong"}]},{"text":" and save them in ","type":"text"},{"text":"/devo-collectors/cisco/certs","type":"text","marks":[{"type":"code"}]},{"text":". Learn more about security credentials in Devo ","type":"text"},{"text":"here","type":"text","marks":[{"type":"link","attrs":{"href":"https://devodocs.atlassian.net/wiki/pages/createpage.action?spaceKey=NDT5&title=Security%20credentials"}}]},{"text":".","type":"text"}]},{"type":"mediaSingle","attrs":{"layout":"center"},"content":[{"type":"media","attrs":{"width":1840,"id":"1232c48e-9eed-413e-9cc4-7daf1be77bf2","collection":"contentId-120918986","type":"file","height":414}}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Editing the config-cisco.yaml file","type":"text"}]},{"type":"paragraph","content":[{"text":"In the ","type":"text"},{"text":"config-cisco.yaml","type":"text","marks":[{"type":"strong"}]},{"text":" file, replace the ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":", ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":", ","type":"text"},{"text":" and","type":"text","marks":[{"type":"code"}]},{"text":" ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" values and enter the ones that you got in the previous steps. In the ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" placeholder, enter the value that you choose.","type":"text"}]},{"type":"codeBlock","content":[{"text":"globals:\n debug: false\n id: not_used\n name: cisco_col\n persistence:\n type: filesystem # File system persistence ON\n config:\n directory_name: state # Directory where the persistence will be saved in case of using filesystem\noutputs:\n devo_1:\n type: devo_platform\n config:\n address: collector-eu.devo.io # Cloud Devo config EU (for US use collector-eu.devo.io)\n port: 443\n type: SSL\n chain: chain.crt\n cert: .crt\n key: .key\ninputs:\n cisco_estreamer:\n id: # The value of this field will be used internally for having independent persistence areas\n enabled: true\n requests_per_second: 5 # Setup how many request API por second\n services: # Services available\n event_estreamer:\n request_period_in_seconds: 300 # Setting up time interval between API requests.\n servers:\n server1: \n start_time: 2020-01-01T00:00:00 # Collector Initial time. Must follow the format showed in the sample\n #force_start_time: true # OPTIONAL. Forces to retrieve the data from the given start_time\n host: 192.168.0.1 # Firewall Management Center IP\n pkcs12Filepath: credentials/ # eStreamer client certificate. Must be in \"credentials\" folder\n #pkcs12base64: credentials_in_base64 # Base64 client certificate string. Optional field\n pkcs12Password: mysecurepassword # Client certificate password/passphrase\n port: 8302 # eStreamer port\n tlsVersion: 1.2 # Used TLS version","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"start_time","type":"text","marks":[{"type":"code"}]},{"text":" value must have the following format:","type":"text"}]},{"type":"paragraph","content":[{"text":"“start_time” format: 0000-00-00T00:00:00","type":"text","marks":[{"type":"code"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Download the Docker image","type":"text"}]},{"type":"paragraph","content":[{"text":"The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"9b296c2c-10d6-474d-97b0-45c3720cb4d5"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[340.0]},"content":[{"type":"paragraph","content":[{"text":"Collector Docker image","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[340.0]},"content":[{"type":"paragraph","content":[{"text":"SHA-256 hash","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[340.0]},"content":[{"type":"paragraph","content":[{"text":"collector-cisco-docker-image-1.1.2.tgz","type":"text","marks":[{"type":"link","attrs":{"href":"https://drive.google.com/file/d/1UWqceM-spuoCr-gHwRn04Yx47sSlAIUm/view?usp=sharing"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[340.0]},"content":[{"type":"paragraph","content":[{"text":"94970496996a1c6fa4f5d3e578975127271e3a9aa308b093bb325bf41cc659b6","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"paragraph","content":[{"text":"Use the following command to add the Docker image to the system:","type":"text"}]},{"type":"codeBlock","content":[{"text":"gunzip -c collector-cisco-docker-image-.tgz | docker load","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" with a proper value.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"The Docker image can be deployed on the following services:","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Docker","type":"text"}]},{"type":"paragraph","content":[{"text":"Execute the following command on the root directory ","type":"text"},{"text":"/devo-collectors/cisco/","type":"text","marks":[{"type":"code"}]}]},{"type":"codeBlock","content":[{"text":"docker run \\\n--name collector-cisco \\\n--volume $PWD/certs:/devo-collector/certs \\\n--volume $PWD/credentials:/devo-collector/credentials \\\n--volume $PWD/config:/devo-collector/config \\\n--volume $PWD/state:/devo-collector/state \\\n--env CONFIG_FILE=config-cisco.yaml \\\n--rm -it docker.devo.internal/collector/cisco_collector:","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Replace ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" with a proper value.","type":"text"}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Docker Compose","type":"text"}]},{"type":"paragraph","content":[{"text":"The following Docker Compose file can be used to execute the Docker container. It must be created in the ","type":"text"},{"text":"/devo-collectors/cisco/","type":"text","marks":[{"type":"code"}]},{"text":" directory.","type":"text"}]},{"type":"codeBlock","content":[{"text":"version: '3'\nservices:\n collector-cisco:\n image: docker.devo.internal/collector/cisco_collector:${IMAGE_VERSION:-latest}\n container_name: collector-cisco\n volumes:\n - ./certs:/devo-collector/certs\n - ./config:/devo-collector/config\n - ./credentials:/devo-collector/credentials\n - ./state:/devo-collector/state\n environment:\n - CONFIG_FILE=${CONFIG_FILE:-config-cisco.yaml}","type":"text"}]},{"type":"paragraph","content":[{"text":"To run the container using docker-compose, execute the following command from the ","type":"text"},{"text":"/devo-collectors/cisco/","type":"text","marks":[{"type":"code"}]},{"text":" directory:","type":"text"}]},{"type":"codeBlock","content":[{"text":"IMAGE_VERSION= docker-compose up -d","type":"text"}]}]},{"type":"paragraph","content":[{"type":"hardBreak"}]}],"version":1}

Browser not supported