USM Anywhere™

Cisco FireSIGHT

When you configure Cisco FireSIGHT integration to send log data to USM Anywhere, you can use the FireSIGHT plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor Cisco
Device type Centralized Policy, Event, and Device Management
Connection type syslog
Vendor link

Cisco FireSIGHT Integration

Before configuring the log collection, you must have the IP address of the USM Anywhere Sensor.

As part of configuring Cisco FireSIGHT to send log data over syslog to USM Anywhere, you must configure it to send the following alerts:

  • Intrusion alerts
  • Health alerts
  • Impact flag, discover event, and malware alerts

Sending Intrusion Alerts

To generate an alert, use this intrusion policy in the Access Control rule.

If no Access Control rule exists, configure this intrusion policy to be the default action of the Access Control policy, then reapply the Access Control policy. Should an intrusion event occur, it triggers an alert to be sent to the syslog server configured on the intrusion policy.

To configure Cisco FireSIGHT to send log data to USM Anywhere

  1. After logging into the web interface of your FireSIGHT Management Center, go to Policies > Intrusion > Intrusion Policy.
  2. Click Edit next to the policy you want to apply.
  3. In the left-hand navigation pane, select Advanced Settings.
  4. Locate Syslog Alerting in the list:

    1. Set it to Enabled.
    2. Click Edit.
  5. In the Syslog Alerting dialog, enter the IP address of the USM Anywhere Sensor in the Logging Hosts field.
  6. Expand the Facility and Severity lists, and select appropriate values.

    Alternatively, you may accept the default values unless the syslog server was configured to accept alerts for a specific facility at a specific severity level.

  7. At the top of the left navigation pane, select Policy Information.
  8. Click Commit Changes.
  9. Reapply your intrusion policy.

Sending Health Alerts

Sending health alerts consists of two parts: creating a syslog alert, and then creating health monitor alerts that use it.

Creating syslog Alerts

This procedure configures syslog alerts.

To configure syslog alerts

  1. From the web interface of FireSIGHT Management Center, go to Policies > Actions > Alerts.
  2. On the right side of the page, click Create Alert to expand the list of alerts and select Create Syslog Alert.
  3. In the Configuration dialog, provide the following values:

    1. Name — Alert name
    2. Host — IP address of your USM Anywhere Sensor
    3. Port — 514
    4. Facility — Select the appropriate facility.
    5. Severity — Select the appropriate severity.
  4. Click Save.

    This returns you to the Alerts page.

  5. To enable the alert, under Create Alert, select Enabled.

Creating Health Monitor Alerts

This procedure configures Health Monitor Alerts that use the syslog alert you just created.

To configure health monitor alerts

  1. Go to Policies > Actions > Alerts and select Health Monitor Alerts, which is near the top of the page.
  2. Give the health alert a name.
  3. Select a severity level.

    Note: To select multiple severity levels, hold the CTRL key while you select each level.

  4. From the Module column, select the health modules (for example, disk usage) whose alerts you want the USM Anywhere Sensor to receive.
  5. Select the previously created syslog alert from the Alerts column.
  6. Click Save.

Sending Impact Flag, Discover Event, and Malware Alerts

To send alerts for specific types of Impact Flag, Discover, and Malware Alert events

  1. Complete Creating syslog Alerts.
  2. Configure the type of events that you want to send to USM Anywhere.

    1. Go to Policies > Actions > Alerts.
    2. Select the tab for the desired alert type.

Plugin Enablement

For plugin enablement information, see Adding AlienApps to an Asset.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • customfield_1
  • customfield_2
  • customfield_3
  • customfield_4
  • destination_address
  • destination_port
  • destination_zone
  • event_action
  • event_category
  • event_description
  • event_name
  • event_severity
  • event_subcategory
  • priority
  • rep_device_address
  • rep_device_hostname
  • rep_device_rule_id
  • source_address
  • source_port
  • source_username
  • source_zone
  • timestamp_occurred
  • timestamp_received
  • transport_protocol
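As an added illustration of how a raw syslog line is normalized onto the plugin field names listed above, the following Python (not the USM Anywhere plugin's own code) parses a constructed Snort-style intrusion alert; the exact FireSIGHT syslog line format and the field mapping are assumptions, and lines that do not match (for example health alerts) return None rather than a half-filled event.

```python
import re
from datetime import datetime, timezone

# Constructed sample line in Snort-style syslog alerting format. The format is
# an assumption for illustration, not taken from the page or the vendor.
SAMPLE_LINE = (
    '<33>Mar 14 10:22:01 fmc-host SFIMS: [1:2003068:6] "ET SCAN Potential SSH Scan" '
    '[Classification: Attempted Information Leak] [Priority: 2] {TCP} '
    '192.0.2.10:51234 -> 198.51.100.7:22'
)

# RFC 3164 style header: <PRI>, timestamp, reporting host, free-text message.
_HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$'
)
# Snort-style alert body: [gid:sid:rev] "name" [Classification] [Priority] {proto} src -> dst
_ALERT_RE = re.compile(
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<name>[^"]*)" '
    r'(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] '
    r'\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)'
)


def normalize(line, received=None):
    """Map one syslog line onto the plugin field names listed on this page.

    Returns None when the line is not an intrusion alert in the assumed
    format, so a caller can route it to another parser instead of emitting
    a partially populated event."""
    head = _HEADER_RE.match(line)
    if not head:
        return None
    body = _ALERT_RE.search(head['msg'])
    if not body:
        return None
    received = received or datetime.now(timezone.utc)
    return {
        'rep_device_hostname': head['host'],
        'timestamp_occurred': head['ts'],
        'timestamp_received': received.isoformat(),
        'event_name': body['name'],
        'event_category': body['cls'],
        'priority': int(body['prio']),
        'rep_device_rule_id': f"{body['gid']}:{body['sid']}:{body['rev']}",
        'transport_protocol': body['proto'],
        'source_address': body['src'],
        'source_port': int(body['sport']),
        'destination_address': body['dst'],
        'destination_port': int(body['dport']),
    }
```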


For troubleshooting, refer to the vendor documentation: