Wednesday, February 21, 2024
HomeCloud ComputingCisco Safe Firewall Integration with Amazon Safety Lake

Cisco Safe Firewall Integration with Amazon Safety Lake

Cisco is a companion of the Amazon Safety Lake, supporting the Open Cybersecurity Schema Framework

At AWS re:Invent 2022, Cisco was proud to be a launch companion for Amazon Safety Lake, a brand new AWS service that routinely centralizes a company’s safety information from cloud, on-premises, and customized sources right into a purpose-built information lake saved in a buyer’s account. With help for the Open Cybersecurity Schema Framework (OCSF) normal, the service can normalize and mix safety information from AWS and a broad vary of enterprise safety information sources. Amazon Safety Lake helps you analyze safety information, so you may get a extra full understanding of your safety posture throughout the complete group.

As a part of the Cisco Safe Technical Alliance, I had the chance to construct the Cisco Safe Firewall

integration into Amazon Safety Lake for the general public preview. With the final availability of Amazon Safety Lake, I up to date the help of OSCF and validated the mixing.

When you’ve by no means labored with Safe Firewall or eNcore, here’s a abstract:

Safe Firewall serves as a company’s centralized supply of safety data. It makes use of superior risk detection to flag and act on malicious ingress, egress, and east-west site visitors whereas its logging capabilities retailer data on occasions, threats, and anomalies. By integrating Safe Firewall with Amazon Safety Lake, by way of Safe Firewall Administration Heart, organizations will be capable of retailer firewall logs in a structured and scalable method.

What’s the eNcore Consumer

The eNcore consumer gives a technique to faucet into message-oriented protocol to stream occasions and host profile data from the Cisco Safe Firewall Administration Heart. The eNcore consumer can request occasion and host profile information from a Administration Heart, and intrusion occasion information solely from a managed system.  The eNcore software initiates the info stream by submitting request messages, which specify the info to be despatched, after which controls the message circulation from the Administration Heart or managed system after streaming begins.

With eNcore you may entry to full listing of firewall occasion varieties and medata information, together with packet information, safety intelligence occasions, enhanced intrusion information, legacy occasions and extra.  In whole over 1000+ information varieties are supported by eStreamer, going again to inception of the Safe Firewall.  Extra particulars will be discovered within the full eStreamer specification.

eNcore runs on Python 3.6+ and helps Firepower Administration Heart model 6.0 and above, for extra particulars on the eNcore consumer please see our operations information.

What’s New with the Basic Availability?

With the Amazon Safety Lake launch, I enhanced the Cloud Formation deployment script for the eNcore consumer to automate extra options and make the set up course of simpler. Moreover, a consumer interface has been added for the eNcore consumer to handle and monitor firewall logs out and in of the Amazon Safety Lake . The Community Exercise OCSF schema mappings have been fine-tuned to match fields to the right class construction definition and help has been added for added firewall occasion varieties, together with malware and intrusion occasions.

The Purpose: Present Adaptable Framework to Evolve with OCSF 


The OCSF normal goals to supply a standard illustration of nested information buildings of safety information throughout all sources, distributors and functions. You’ll find an interactive schema that lets you drill down into the OCSF class buildings and information definitions.

Cisco launched an up to date model of the eNcore consumer that may stream firewall logs to a number of locations. The replace gives help for changing the logs into OCSF format. The Firewall information is represented within the Community Exercise occasions class and the logs are mapped to the varied attributes and information varieties below that class.

This integration builds a conveyable framework within the eNcore consumer that helps decode Safe Firewall information, interprets it into key worth pair information units primarily based on Python lessons that mirror the OCSF framework offering transformations that adapt Safe Firewall logs to Community Exercise occasions.  In brief, eNcore is the glue that maps uncooked Cisco Safe Firewall occasions right into a concise consumable format for the Amazon Safety Information Lake.

Validating OCSF Compliance

OCSF compliance was validated utilizing instruments offered by the OCSF schema such because the OCSF swagger API.

This API will assist decide if information matches the OCSF schema and its object hierarchy. It’s accessible below the OCSF server undertaking and is continutely up to date to help new information varieties and constructs, as of this writing the eNcore consumer helps the event model (v0.0.0) of the OCSF schema. Occasions from safe firewall are modeled towards the Community Exercise class construction, by executing the /api/lessons/NETWORK_ACTIVITY URI we are able to validate output in actual time to find out if the output construction matches the most recent OCSF normal.

The Design

The eNcore consumer gives a technique to faucet into message-oriented protocol to stream occasions and host profile data from the Cisco Safe Firewall Administration Heart. The eNcore consumer can request occasion and host profile information from a Administration Heart, and intrusion occasion information solely from a managed system. The eNcore software initiates the info stream by submitting request messages, which specify the info to be despatched, after which controls the message circulation from the Administration Heart or managed system after streaming begins.

These messages are mapped to OCSF Community Exercise occasions utilizing a collection of transformations embedded within the eNcore code base, appearing as each writer and mapper personas within the OCSF schema workflow. As soon as validated with an inner OCSF schema, the messages are then written to 2 sources: first, a neighborhood JSON formatted file in a configurable listing path, and second, compressed parquet information partitioned by occasion hour within the S3 Amazon Safety Lake supply bucket. The S3 directories containing the formatted log are crawled hourly and the outcomes are saved in an Amazon Safety Lake database. From there we are able to get a visible of the schema definitions extracted by the AWS Glue Crawler, determine fieldnames, information varieties, and different metadata related together with your Community Exercise occasions. Occasion logs may also be queried utilizing Amazon Athena to visualise log information.

Get Began

To make the most of the eNcore consumer with Amazon Safety Lake, first go to the Cisco public GitHub repository for Firepower eNcore, OCSF department.

Obtain and run the cloud formation script eNcoreCloudFormation.yaml.

The Cloud Formation script will immediate for added fields wanted within the creation course of, they’re as follows:

Cidr Block:  IP Handle vary for the provisioned consumer, defaults to the vary proven under

Occasion Kind:  The ec2 occasion dimension, defaults to t4.giant

KeyName  A pem key file that may allow entry to the occasion

AmazonSecurityLakeBucketForCiscoURI: The S3 location of your Information Lake S3 container.

FMC IP: IP or Area Identify of the Cisco Safe Firewall Administration Portal

After the Cloud Formation setup is full, it may well take wherever from 3-5 minutes to provision assets in your atmosphere. The cloud formation console gives an in depth view of all of the assets generated from the cloud formation script, as proven under.

As soon as the ec2 occasion for the eNcore consumer is prepared, we have to permit listing the consumer IP handle in our Safe Firewall Server and generate a certificates file for safe endpoint communication.


  1. Within the Safe Firewall Dashboard, navigate to Search->eStreamer, to search out the permit listing of Consumer IP Addresses which might be permitted to obtain information.
  2. Click on Add and provide the Consumer IP Handle that was provisioned for our ec2 occasion.
  3. Additionally, you will be requested to produce a password, click on Save to create a safe certificates file to your new ec2 occasion.

4. Obtain the Safe Certificates you simply created and replica it to the /eNcore listing in your ec2 occasion. Or add utilizing the eNcore GUI which is detailed within the subsequent part.

eNcore GUI

Now that now we have the certificates, we are able to use the eNcore GUI to add to the certificates, that is the brand new piece that we’ve added because the public preview again in December 2022. Customers can now management and configuration connectivity to the Firepower Administration Console (FMC) in a central location, versus putting in and operating complicated command line scripts. Though system directors and energy customers are greater than welcome to nonetheless use that technique.

To entry the eNcore GUI navigate to <Your EC2 Occasion IP Handle> – on this case http://52[.]207.21.3:8184. On this instance we run a safe SSL tunnel with port forwarding utilizing the AWS pem file to redirect site visitors from our ec2 occasion to our native host, relying your organizations community safety posture you might be able to entry the eNcore GUI straight and not using a SSL tunnel.  Port data will be substituted with any free port on native system, for extra particulars on how one can route ec2 situations to your localhost please see the AWS documentation.

ssh -i eNcore-ubuntu.pem -N -L

Click on on the Configuration part to see an overview of the steps wanted to execute the eNcore streaming course of. Since we used the AWS Cloud Formation Script, the primary two steps have already been accomplished as proven within the image above.  Subsequent, we are able to add the certificates file and supply the password within the discipline. It will create a key and cert file that shall be used to safe communication between the FMC and the EC2 occasion with the eNcore consumer.

Now that now we have our communication established, we are able to ship information to Amazon Safety Lake.  Click on on SEIM Integrations  AWS Information Lake hyperlink to see the lively connections. You will notice a listing populated with the FMC we laid out in our cloud formation script. Click on the Begin button to provoke information streaming.

It will start the info relay and ingestion course of. We will then navigate to the S3 Amazon Safety Lake bucket we configured earlier to see OCSF compliant logs formatted in gzip parquet information in a time-based listing construction.

We will confirm this by heading again to our AWS Information Lake repository to view the outcomes.  As we are able to see within the display under now we have new folders that conform to the partitioning required by the Amazon Safety Information Lake.  The information we configured earlier within the Cloud Formation script creates partitioning that allow the AWS Crawler to effectively devour and course of occasion information and tie to again to our customized information supply we outlined earlier, CISCOFIREWALL.

Occasion information is positioned into S3 buckets by occasion time, will rotate file creation primarily based on the scale with a maximium file dimension of 256MB.   The information are named in accordance the time which the final occasion was processed offering a primary hand take a look at how far lengthy the eNcore consumer is within the information streaming course of.

Amazon Safety Lake then runs a crawler process each hour, to parse and devour the logs information within the goal s3 listing, after which we are able to view the leads to Athena Question.  With Amazon Athena we are able to visible analytics in number of completely different software together with Amazon Grafana and Quicksight, sooner or later we plan to construct visualizations to showcase Firewall within the AWS Safety Lake.

Extra data on how one can configure and tune the eNcore eStreamer consumer will be discovered on our official web site. This contains particulars on how one can filter sure occasion varieties to focus your information retention coverage, and pointers for efficiency and different detailed configuration settings.

You’ll be able to take a look at the Amazon Consumer Information for extra data. I encourage you to try OCSF your self and see the way it would possibly assist the group within the quest for normalization.

We’d love to listen to what you assume. Ask a Query, Remark Beneath, and Keep Linked with Cisco Safe on social!

Cisco Safe Social Channels





Please enter your comment!
Please enter your name here

Most Popular

Recent Comments