Cisco Safe Firewall Integration with Amazon Safety Lake

Cisco is a accomplice of the Amazon Safety Lake, supporting the Open Cybersecurity Schema Framework

At AWS re:Invent 2022, Cisco was proud to be a launch accomplice for Amazon Safety Lake, a brand new AWS service that robotically centralizes a company’s safety knowledge from cloud, on-premises, and customized sources right into a purpose-built knowledge lake saved in a buyer’s account. With assist for the Open Cybersecurity Schema Framework (OCSF) normal, the service can normalize and mix safety knowledge from AWS and a broad vary of enterprise safety knowledge sources. Amazon Safety Lake helps you analyze safety knowledge, so you will get a extra full understanding of your safety posture throughout your complete group.

As a part of the Cisco Safe Technical Alliance, I had the chance to construct the Cisco Safe Firewall

integration into Amazon Safety Lake for the general public preview. With the overall availability of Amazon Safety Lake, I up to date the assist of OSCF and validated the mixing.

If you happen to’ve by no means labored with Safe Firewall or eNcore, here’s a abstract:

Safe Firewall serves as a company’s centralized supply of safety info. It makes use of superior menace detection to flag and act on malicious ingress, egress, and east-west visitors whereas its logging capabilities retailer info on occasions, threats, and anomalies. By integrating Safe Firewall with Amazon Safety Lake, via Safe Firewall Administration Middle, organizations will be capable to retailer firewall logs in a structured and scalable method.

What’s the eNcore Consumer

The eNcore consumer gives a method to faucet into message-oriented protocol to stream occasions and host profile info from the Cisco Safe Firewall Administration Middle. The eNcore consumer can request occasion and host profile knowledge from a Administration Middle, and intrusion occasion knowledge solely from a managed gadget.  The eNcore utility initiates the info stream by submitting request messages, which specify the info to be despatched, after which controls the message move from the Administration Middle or managed gadget after streaming begins.

With eNcore you possibly can entry to full record of firewall occasion sorts and medata information, together with packet information, safety intelligence occasions, enhanced intrusion knowledge, legacy occasions and extra.  In complete over 1000+ information sorts are supported by eStreamer, going again to inception of the Safe Firewall.  Extra particulars might be discovered within the full eStreamer specification.

eNcore runs on Python 3.6+ and helps Firepower Administration Middle model 6.0 and above, for extra particulars on the eNcore consumer please see our operations information.

What’s New with the Normal Availability?

With the Amazon Safety Lake launch, I enhanced the Cloud Formation deployment script for the eNcore consumer to automate extra options and make the set up course of simpler. Moreover, a consumer interface has been added for the eNcore consumer to handle and monitor firewall logs out and in of the Amazon Safety Lake . The Community Exercise OCSF schema mappings have been fine-tuned to match fields to the correct class construction definition and assist has been added for added firewall occasion sorts, together with malware and intrusion occasions.

The Objective: Present Adaptable Framework to Evolve with OCSF 


The OCSF normal goals to supply a typical illustration of nested knowledge constructions of safety knowledge throughout all sources, distributors and purposes. Yow will discover an interactive schema that permits you to drill down into the OCSF class constructions and knowledge definitions.

Cisco launched an up to date model of the eNcore consumer that may stream firewall logs to a number of locations. The replace gives assist for changing the logs into OCSF format. The Firewall knowledge is represented within the Community Exercise occasions class and the logs are mapped to the varied attributes and knowledge sorts beneath that class.

This integration builds a transportable framework within the eNcore consumer that helps decode Safe Firewall knowledge, interprets it into key worth pair knowledge units primarily based on Python courses that mirror the OCSF framework offering transformations that adapt Safe Firewall logs to Community Exercise occasions.  Briefly, eNcore is the glue that maps uncooked Cisco Safe Firewall occasions right into a concise consumable format for the Amazon Safety Information Lake.

Validating OCSF Compliance

OCSF compliance was validated utilizing instruments offered by the OCSF schema such because the OCSF swagger API.

This API will assist decide if knowledge matches the OCSF schema and its object hierarchy. It’s accessible beneath the OCSF server undertaking and is continutely up to date to assist new knowledge sorts and constructs, as of this writing the eNcore consumer helps the event model (v0.0.0) of the OCSF schema. Occasions from safe firewall are modeled towards the Community Exercise class construction, by executing the /api/courses/NETWORK_ACTIVITY URI we will validate output in actual time to find out if the output construction matches the most recent OCSF normal.

The Design

The eNcore consumer gives a method to faucet into message-oriented protocol to stream occasions and host profile info from the Cisco Safe Firewall Administration Middle. The eNcore consumer can request occasion and host profile knowledge from a Administration Middle, and intrusion occasion knowledge solely from a managed gadget. The eNcore utility initiates the info stream by submitting request messages, which specify the info to be despatched, after which controls the message move from the Administration Middle or managed gadget after streaming begins.

These messages are mapped to OCSF Community Exercise occasions utilizing a sequence of transformations embedded within the eNcore code base, performing as each writer and mapper personas within the OCSF schema workflow. As soon as validated with an inner OCSF schema, the messages are then written to 2 sources: first, a neighborhood JSON formatted file in a configurable listing path, and second, compressed parquet information partitioned by occasion hour within the S3 Amazon Safety Lake supply bucket. The S3 directories containing the formatted log are crawled hourly and the outcomes are saved in an Amazon Safety Lake database. From there we will get a visible of the schema definitions extracted by the AWS Glue Crawler, determine fieldnames, knowledge sorts, and different metadata related together with your Community Exercise occasions. Occasion logs may also be queried utilizing Amazon Athena to visualise log knowledge.

Get Began

To make the most of the eNcore consumer with Amazon Safety Lake, first go to the Cisco public GitHub repository for Firepower eNcore, OCSF department.

Obtain and run the cloud formation script eNcoreCloudFormation.yaml.

The Cloud Formation script will immediate for added fields wanted within the creation course of, they’re as follows:

Cidr Block:  IP Handle vary for the provisioned consumer, defaults to the vary proven beneath

Occasion Sort:  The ec2 occasion dimension, defaults to t4.massive

KeyName  A pem key file that may allow entry to the occasion

AmazonSecurityLakeBucketForCiscoURI: The S3 location of your Information Lake S3 container.

FMC IP: IP or Area Title of the Cisco Safe Firewall Administration Portal

After the Cloud Formation setup is full, it will possibly take wherever from 3-5 minutes to provision sources in your atmosphere. The cloud formation console gives an in depth view of all of the sources generated from the cloud formation script, as proven beneath.

As soon as the ec2 occasion for the eNcore consumer is prepared, we have to enable record the consumer IP tackle in our Safe Firewall Server and generate a certificates file for safe endpoint communication.


  1. Within the Safe Firewall Dashboard, navigate to Search->eStreamer, to search out the enable record of Consumer IP Addresses which can be permitted to obtain knowledge.
  2. Click on Add and provide the Consumer IP Handle that was provisioned for our ec2 occasion.
  3. Additionally, you will be requested to provide a password, click on Save to create a safe certificates file to your new ec2 occasion.

4. Obtain the Safe Certificates you simply created and duplicate it to the /eNcore listing in your ec2 occasion. Or add utilizing the eNcore GUI which is detailed within the subsequent part.

eNcore GUI

Now that we now have the certificates, we will use the eNcore GUI to add to the certificates, that is the brand new piece that we’ve added for the reason that public preview again in December 2022. Customers can now management and configuration connectivity to the Firepower Administration Console (FMC) in a central location, versus putting in and operating complicated command line scripts. Though system directors and energy customers are greater than welcome to nonetheless use that technique.

To entry the eNcore GUI navigate to <Your EC2 Occasion IP Handle> – on this case http://52[.]207.21.3:8184. On this instance we run a safe SSL tunnel with port forwarding utilizing the AWS pem file to redirect visitors from our ec2 occasion to our native host, relying your organizations community safety posture you might be able to entry the eNcore GUI straight with no SSL tunnel.  Port info might be substituted with any free port on native system, for extra particulars on find out how to route ec2 cases to your localhost please see the AWS documentation.

ssh -i eNcore-ubuntu.pem -N -L

Click on on the Configuration part to see a top level view of the steps wanted to execute the eNcore streaming course of. Since we used the AWS Cloud Formation Script, the primary two steps have already been accomplished as proven within the image above.  Subsequent, we will add the certificates file and supply the password within the discipline. This can create a key and cert file that shall be used to safe communication between the FMC and the EC2 occasion with the eNcore consumer.

Now that we now have our communication established, we will ship knowledge to Amazon Safety Lake.  Click on on SEIM Integrations  AWS Information Lake hyperlink to see the energetic connections. You will notice an inventory populated with the FMC we laid out in our cloud formation script. Click on the Begin button to provoke knowledge streaming.

This can start the info relay and ingestion course of. We will then navigate to the S3 Amazon Safety Lake bucket we configured earlier to see OCSF compliant logs formatted in gzip parquet information in a time-based listing construction.

We will confirm this by heading again to our AWS Information Lake repository to view the outcomes.  As we will see within the display screen beneath we now have new folders that conform to the partitioning required by the Amazon Safety Information Lake.  The info we configured earlier within the Cloud Formation script creates partitioning that allow the AWS Crawler to effectively devour and course of occasion knowledge and tie to again to our customized knowledge supply we outlined earlier, CISCOFIREWALL.

Occasion knowledge is positioned into S3 buckets by occasion time, will rotate file creation primarily based on the dimensions with a maximium file dimension of 256MB.   The information are named in accordance the time which the final occasion was processed offering a primary hand have a look at how far lengthy the eNcore consumer is within the knowledge streaming course of.

Amazon Safety Lake then runs a crawler activity each hour, to parse and devour the logs information within the goal s3 listing, after which we will view the leads to Athena Question.  With Amazon Athena we will visible analytics in number of totally different software together with Amazon Grafana and Quicksight, sooner or later we plan to construct visualizations to showcase Firewall within the AWS Safety Lake.

Extra info on find out how to configure and tune the eNcore eStreamer consumer might be discovered on our official web site. This contains particulars on find out how to filter sure occasion sorts to focus your knowledge retention coverage, and tips for efficiency and different detailed configuration settings.

You possibly can take a look at the Amazon Consumer Information for extra info. I encourage you to check out OCSF your self and see the way it may assist the group within the quest for normalization.

We’d love to listen to what you suppose. Ask a Query, Remark Under, and Keep Related with Cisco Safe on social!

Cisco Safe Social Channels



Leave a Reply

Your email address will not be published. Required fields are marked *