Our integration guide was accurate at the time of writing, but vendors change things frequently! If you find errors or anything that is outdated, let us know by raising a request in the Samurai Help Center and we'll get it updated.
This guide describes the steps required to configure Cisco Secure Firewall Threat Defense (FTD), previously named Firepower Threat Defense, to send syslog over TLS (secure syslog) to Samurai XDR.
Cisco Secure Firewall Management Center (FMC) is required: all settings below are made in FMC and then deployed to the managed FTD device.
1) Configure Samurai XDR application
- Complete the Cisco Firepower Threat Defense Integration
2) Configure Cisco Secure Firewall Management Center Console
- Security Event Syslog Messages from FTD Devices
Configure Samurai XDR Application
To complete the configuration to receive logs:
- Log in to your Samurai XDR application tenant
- Click Telemetry > Integrations from the main menu
- Click Create
- In the Create Integration screen, find and select Cisco Secure Firewall (Firepower Threat Defense)
- The screen shows the Telemetry Collection parameters.
- Make a note of the IP Address and Port shown; they are the Samurai XDR Secure Syslog Collector address and port used in the FMC configuration below.
- Click on Finish
Configure Cisco Secure Firewall Management Center Console
Follow the steps outlined in the Cisco documentation (Security Event Syslog Messages from FTD Devices).
Use the default settings unless a value is listed in the tables below.
You can also refer to Cisco's Configure a Syslog Server page if you have questions about the available options.
Field Name | Parameter |
--- | --- |
IP Address | Samurai XDR Secure Syslog Collector IP address (from the integration screen) |
Protocol | TCP (secure syslog runs over TLS, which requires TCP) |
Port | Samurai XDR Secure Syslog Collector port number (from the integration screen) |
Security Zones or Named Interface | Select the interface/zone from which the Samurai XDR Secure Syslog Collector is reachable |
Enable Secure Syslog | Selected (required; this is what makes FTD use TLS and validate the collector's certificate against the CA uploaded below) |
Time Stamp Format | RFC 5424 (yyyy-MM-ddTHH:mm:ssZ) |
Enable Syslog Device ID | Enabled (Host Name) |
Send syslogs in EMBLEM format | Unchecked (EMBLEM format is offered only for UDP, so the option is unavailable once TCP is selected) |
Table 1: Syslog settings
Field Name | Parameter |
--- | --- |
IPS Settings | Send Syslog Messages for IPS Events (Selected) |
File and Malware Settings | Send Syslog Messages for File and Malware Events (Selected) |
Table 2: General logging settings
Field Name | Parameter |
--- | --- |
Logging | Log at End of Connection (Selected) |
Table 3: Logging settings
Configure Certificate
Secure syslog is syslog over TLS, so the FTD device must be able to validate the certificate presented by the Samurai XDR collector. To permit this you upload the collector's CA certificate (the .pem file) to FMC as a certificate enrollment object and assign it to the device.
From the Firewall Management Center:
- Select Devices > Certificates
- Click "Add New Certificate"
- From the Device dropdown, select the device to which the certificate will be added.
- Next to "Cert Enrollment" > "Select a certificate enrollment object", click the plus (+); the "Add Cert Enrollment" dialog appears.
- Provide a name, e.g. "SamuraiXDR"
- Select the "CA Information" tab
- Enrollment Type: select Manual
- Check the box "CA Only" (only the CA certificate is imported; no identity certificate or private key is enrolled for the device)
- Open the .pem CA certificate in a text editor and paste its contents, including the BEGIN CERTIFICATE and END CERTIFICATE lines, into the "CA Certificate:" text box.
- Under "Validation Usage", check "SSL Server" only; leave all other boxes unchecked. This limits the CA to validating TLS servers, which is all the syslog connection needs.
- Click "Save"
- Back in "Add New Certificate", the selected device and the enrollment name you entered above are shown. Click "Add".
- Navigate to Deploy > Deployment, select your device and deploy. Neither the certificate nor the syslog settings take effect on the FTD until they are deployed.
- The configuration is now complete.
Once your firewall has been configured to send logs to Samurai XDR, the integration is discovered automatically as soon as Samurai XDR starts receiving logs from your firewall.
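The following script is an added example, not part of the Samurai or Cisco documentation, for checking the two things that most often go wrong with this integration before waiting for auto-discovery: that the FTD can reach the collector over TLS with a certificate that chains to the CA you uploaded (Table 1 "Enable Secure Syslog" plus the certificate section), and that the lines it emits carry the RFC 5424 timestamp and host name the collector expects (Table 1 "Time Stamp Format" and "Enable Syslog Device ID"). It assumes the collector IP address and port from the integration screen, the same .pem CA file you pasted into FMC, and the sample log lines embedded below, which are constructed approximations of FTD security-event output; the message-ID table is assumed from Cisco's Security Event Syslog Messages naming and should be checked against your FTD version.

```python
"""Pre-flight checks for the FTD -> Samurai XDR secure-syslog integration.

Added example: this is not code from Samurai or Cisco. It assumes the
collector IP address and port noted from the Samurai XDR integration
screen, the CA certificate .pem that was uploaded to FMC, and the sample
log lines below, which are constructed approximations of FTD output.
"""
import re
import socket
import ssl
import sys

# Shape produced by Timestamp Format = RFC 5424 and Enable Syslog
# Device ID = Host Name:  <PRI>ISO-8601-timestamp host : %FTD-sev-id: body
FTD_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))\s+"
    r"(?P<host>\S+)\s*:?\s*"
    r"%FTD-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<body>.*)$"
)
ISO_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")

# Security-event syslog IDs for the events enabled in Tables 2 and 3
# (assumed from Cisco's "Security Event Syslog Messages" naming; verify
# against your FTD version).
SECURITY_EVENT_IDS = {
    "430001": "intrusion",
    "430002": "connection start",
    "430003": "connection end",
    "430004": "file",
    "430005": "malware",
}

# Constructed sample lines (host name, UUID and addresses are made up).
SAMPLE_OK = (
    "<166>2024-05-10T12:34:56Z ftd-branch-01 : %FTD-6-430003: EventPriority: Low, "
    "DeviceUUID: 1c2d3e4f-0000-1111-2222-333344445555, InstanceID: 1, "
    "ConnectionID: 4242, AccessControlRuleAction: Allow, SrcIP: 10.0.0.5, "
    "DstIP: 203.0.113.10, SrcPort: 51234, DstPort: 443, Protocol: tcp"
)
SAMPLE_LEGACY_TS = (
    "<166>May 10 2024 12:34:56 ftd-branch-01 : %FTD-6-430003: EventPriority: Low"
)
SAMPLE_NO_DEVICE_ID = "<166>2024-05-10T12:34:56Z %FTD-6-430003: EventPriority: Low"


def parse_ftd_line(line):
    """Return the parsed fields of one FTD security-event line, or None if it
    does not have the timestamp/device-ID shape the Table 1 settings produce."""
    m = FTD_LINE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "msgid": m.group("msgid"),
        "event": SECURITY_EVENT_IDS.get(m.group("msgid"), "other"),
        # "Key: value, Key: value" pairs; values are assumed not to contain commas
        "fields": dict(re.findall(r"(\w+):\s*([^,]*)", m.group("body"))),
    }


def lint_line(line):
    """Name the Table 1 setting most likely wrong for a line the collector
    could not parse. An empty list means the line looks right."""
    problems = []
    m = re.match(r"^<\d{1,3}>(\S+)\s+(.*)$", line)
    if not m:
        return ["no <PRI> header: this is not a syslog line"]
    first_token, rest = m.groups()
    if not ISO_TS.match(first_token):
        problems.append("timestamp is not ISO 8601: set Time Stamp Format = RFC 5424")
    if rest.startswith("%FTD-"):
        problems.append("no host before the message: set Enable Syslog Device ID = Host Name")
    if "%FTD-" not in rest:
        problems.append("no %FTD-<sev>-<id> marker: not an FTD message")
    return problems


def verify_collector_tls(host, port, cafile, timeout=5.0):
    """Handshake with the collector the way the FTD will after deployment:
    TLS over TCP, peer certificate required and chained to the uploaded CA.
    Host name matching is disabled because FMC is given an IP address, so the
    CA file is the only trust anchor (an assumption about how the collector's
    certificate is issued; if it carries the IP as a SAN, leave it enabled)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_LEGACY_TS, SAMPLE_NO_DEVICE_ID):
        print(parse_ftd_line(sample) or lint_line(sample))
    if len(sys.argv) == 4:  # python ftd_preflight.py <collector-ip> <port> <ca.pem>
        print(verify_collector_tls(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

Run it from a host in the same zone as the interface you selected in Table 1 so the TLS check exercises the same path the FTD will use; an `ssl.SSLCertVerificationError` means the .pem you pasted into FMC is not the CA that signed the collector's certificate, and a timeout means the port is filtered before TLS is even attempted. The line checks are useful once logs start to arrive: copy a raw line from the collector, and `lint_line` points at the FMC setting to revisit.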