SIEM & UEBA


CISCO ASA RULES OR USE CASE

  • 1.  CISCO ASA RULES OR USE CASE

    Posted 10 days ago

    Hi Guys,

    I am new to FortiSIEM and I have a question: currently our FortiSIEM monitors a Cisco ASA firewall, but so far it has not flagged any rules.

    Do I have to manually create rules for any security incident for Cisco ASA? If anyone could share rules for ASA, or any use case that you guys used, that would help.



  • 2.  RE: CISCO ASA RULES OR USE CASE

    GROUP ADMIN
    Posted 10 days ago
    Hi Muhammad,

    There are some specific rules where we mention ASA events by name.

    • Successful VPN Logon From Outside My Country
    • Startup Config Change: with login
    • Running Config Change: with login info
    • Heavy TCP Port Scan: Single Destination
    • Permitted Blacklisted Source
    • Denied Blacklisted Source
    • Permitted Blacklisted Destination
    • Denied Blacklisted Destination

    FortiSIEM also categorises Events under different Groups (you can see this under Resources / Event Types) and you will find Rules referencing Event Type Groups rather than individual events. For example "Sudden Increase In Firewall Permitted Outbound Traffic To A Specific TCP/UDP port" rule references the Event Type Group "Permitted Traffic" and that group contains Cisco ASA events (about 20).

    Thanks

    Dan

    ------------------------------
    Daniel
    FortiSIEM Product Manager
    ------------------------------



  • 3.  RE: CISCO ASA RULES OR USE CASE

    Posted 8 days ago

    Hi Daniel,

    Thanks for the suggestion. After going through it, I found out I need to activate some of the rules; maybe someone before me deactivated them.




  • 4.  RE: CISCO ASA RULES OR USE CASE

    Posted 8 days ago
    Muhammad,  

    You can create a Rule that notifies you when people change Rules.  Helpful for finding when things have been modified:
    IF System Event Category = 2 AND Event Type IN PH_AUDIT_OBJECT_CREATED, PH_AUDIT_OBJECT_DELETED, PH_AUDIT_OBJECT_UPDATED AND OS Object Type = Rule
    WHERE COUNT(Matched Events) >= 1
    GROUPBY User,Object Name,Organization Name
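The rule-change audit rule above, evaluated over constructed audit events as an added example (not code from the thread or from FortiSIEM itself). The attribute names in the sample events follow the rule text; the event values, user names and organization name are made up, and the grouping/count logic is a plain re-implementation of the IF / WHERE / GROUPBY clauses rather than FortiSIEM's own engine.

```python
from collections import defaultdict

# Event Types named in the rule from the post.
AUDIT_EVENT_TYPES = {"PH_AUDIT_OBJECT_CREATED", "PH_AUDIT_OBJECT_DELETED", "PH_AUDIT_OBJECT_UPDATED"}

def matches_rule_change(event):
    """IF clause: System Event Category = 2 AND Event Type IN (...) AND OS Object Type = Rule."""
    return (event.get("System Event Category") == 2
            and event.get("Event Type") in AUDIT_EVENT_TYPES
            and event.get("OS Object Type") == "Rule")

def rule_change_incidents(events, threshold=1):
    """WHERE COUNT(Matched Events) >= threshold, GROUPBY User, Object Name, Organization Name.
    Returns {(user, object name, organization name): matched event count}."""
    counts = defaultdict(int)
    for ev in events:
        if matches_rule_change(ev):
            key = (ev.get("User"), ev.get("Object Name"), ev.get("Organization Name"))
            counts[key] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample audit events (attribute names follow the rule text; values are made up).
SAMPLE_EVENTS = [
    {"System Event Category": 2, "Event Type": "PH_AUDIT_OBJECT_UPDATED", "OS Object Type": "Rule",
     "User": "admin", "Object Name": "Denied Blacklisted Source", "Organization Name": "Example Org"},
    {"System Event Category": 2, "Event Type": "PH_AUDIT_OBJECT_UPDATED", "OS Object Type": "Rule",
     "User": "admin", "Object Name": "Denied Blacklisted Source", "Organization Name": "Example Org"},
    {"System Event Category": 2, "Event Type": "PH_AUDIT_OBJECT_DELETED", "OS Object Type": "Rule",
     "User": "analyst1", "Object Name": "Heavy TCP Port Scan: Single Destination", "Organization Name": "Example Org"},
    # Not a Rule object: editing a report must not fire this rule.
    {"System Event Category": 2, "Event Type": "PH_AUDIT_OBJECT_UPDATED", "OS Object Type": "Report",
     "User": "analyst1", "Object Name": "Weekly Summary", "Organization Name": "Example Org"},
    # Right event type and object type but wrong category: the first condition filters it out.
    {"System Event Category": 1, "Event Type": "PH_AUDIT_OBJECT_CREATED", "OS Object Type": "Rule",
     "User": "analyst2", "Object Name": "Custom Rule", "Organization Name": "Example Org"},
]

if __name__ == "__main__":
    for (user, obj, org), n in rule_change_incidents(SAMPLE_EVENTS).items():
        print(f"{org}: {user} changed rule '{obj}' {n} time(s)")
```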