Skip to content

Cisco Secure Web Appliance

Overview

The Cisco Web Security Appliance is a security device analyzing HTTP(S) traffic with malware detection and reputation filtering. Sending Cisco Web Security Appliance logs to Sekoia.io enables the discovering of potential network security threats. Spotted threats are contextualized by means of Sekoia.io's Cyber Threat Intelligence (CTI).

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Anti-virus Cisco Secure Web Appliance analyze the content of requests and reponses to prevent malware infection
Web proxy Cisco Secure Web Appliance logs provide information about the connected client and the requested resource
Web logs Cisco Secure Web Appliance logs provide information about the connected client and the requested resource

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind event
Category network, web
Type connection, denied

Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.

{
    "message": "Info: 1649097617.352 7 1.2.3.4 TCP_MISS/302 779 HEAD http://example.g1.com/release2/chrome_component/ncl4aq5sui3jzdal274hizxkxe_102.0.4984.0/jamhcnnkihinmdlkakkaopbjbbcngflc_102.0.4984.0_all_kqe423m2ktlxwrfccq656tbhhi.crx3 - DIRECT/example.g1.com text/html DEFAULT_CASE_12-DefaultGroup-Internal_network-NONE-NONE-NONE-DefaultGroup-NONE <\"IW_infr\",6.8,1,\"-\",-,-,-,-,\"-\",-,-,-,\"-\",-,-,\"-\",\"-\",-,-,\"IW_infr\",-,\"-\",\"Infrastructure and Content Delivery Networks\",\"-\",\"Unknown\",\"Unknown\",\"-\",\"-\",890.29,0,-,\"-\",\"-\",-,\"-\",-,-,\"-\",\"-\",-,-,\"-\",-> - -",
    "event": {
        "category": [
            "network",
            "web"
        ],
        "duration": 7,
        "kind": "event",
        "start": "2022-04-04T18:40:17.352000Z"
    },
    "@timestamp": "2022-04-04T18:40:17.352000Z",
    "cisco_wsa": {
        "cache_status": "miss",
        "hierarchy_code": "DIRECT",
        "threat": {
            "category": "Not Set",
            "name": "-"
        },
        "url": {
            "category": "Infrastructure and Content Delivery Networks",
            "category_code": "IW_infr"
        }
    },
    "destination": {
        "address": "example.g1.com",
        "domain": "example.g1.com",
        "registered_domain": "g1.com",
        "subdomain": "example",
        "top_level_domain": "com"
    },
    "http": {
        "request": {
            "method": "HEAD"
        },
        "response": {
            "bytes": 779,
            "mime_type": "text/html",
            "status_code": 302
        }
    },
    "network": {
        "direction": "egress",
        "transport": "tcp"
    },
    "observer": {
        "product": "Cisco Web Security Appliances",
        "type": "proxy",
        "vendor": "Cisco"
    },
    "related": {
        "hosts": [
            "example.g1.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "url": {
        "domain": "example.g1.com",
        "original": "http://example.g1.com/release2/chrome_component/ncl4aq5sui3jzdal274hizxkxe_102.0.4984.0/jamhcnnkihinmdlkakkaopbjbbcngflc_102.0.4984.0_all_kqe423m2ktlxwrfccq656tbhhi.crx3",
        "path": "/release2/chrome_component/ncl4aq5sui3jzdal274hizxkxe_102.0.4984.0/jamhcnnkihinmdlkakkaopbjbbcngflc_102.0.4984.0_all_kqe423m2ktlxwrfccq656tbhhi.crx3",
        "port": 80,
        "registered_domain": "g1.com",
        "scheme": "http",
        "subdomain": "example",
        "top_level_domain": "com"
    }
}
{
    "message": "Info: 1278096903.150 97 172.10.11.22 TCP_MISS/200 8187 GET http://my.site.com/ - DIRECT/my.site.com text/plain DEFAULT_CASE_11-PolicyGroupName-Identity-OutboundMalwareScanningPolicy-DataSecurityPolicy-ExternalDLPPolicy-RoutingPolicy <IW_comp,6.9,-,\"-\",-,-,-,-,\"-\",-,-,-,\"-\",-,-,\"-\",\"-\",-,-,IW_comp,-,\"-\",\"-\",\"Unknown\",\"Unknown\",\"-\",\"-\",198.34,0,-,[Local],\"-\",37,\"W32.CiscoTestVector\",33,0,\"WSA-INFECTED-FILE.pdf\",\"fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e\"> -",
    "event": {
        "category": [
            "network",
            "web"
        ],
        "duration": 97,
        "kind": "event",
        "start": "2010-07-02T18:55:03.150000Z"
    },
    "@timestamp": "2010-07-02T18:55:03.150000Z",
    "cisco_wsa": {
        "cache_status": "miss",
        "hierarchy_code": "DIRECT",
        "rule": {
            "policy": {
                "data_security": "DataSecurityPolicy",
                "external_dlp": "ExternalDLPPolicy",
                "name": "PolicyGroupName",
                "outbound_malware_scanning": "OutboundMalwareScanningPolicy",
                "routing": "RoutingPolicy"
            }
        },
        "threat": {
            "category": "Known Malicious and High-Risk Files",
            "category_code": 37,
            "name": "W32.CiscoTestVector",
            "reputation_score": 33
        },
        "url": {
            "category": "Computers and Internet",
            "category_code": "IW_comp"
        }
    },
    "destination": {
        "address": "my.site.com",
        "domain": "my.site.com",
        "registered_domain": "site.com",
        "subdomain": "my",
        "top_level_domain": "com"
    },
    "file": {
        "hash": {
            "sha256": "fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e"
        },
        "name": "WSA-INFECTED-FILE.pdf"
    },
    "http": {
        "request": {
            "method": "GET"
        },
        "response": {
            "bytes": 8187,
            "mime_type": "text/plain",
            "status_code": 200
        }
    },
    "network": {
        "direction": "egress",
        "transport": "tcp"
    },
    "observer": {
        "product": "Cisco Web Security Appliances",
        "type": "proxy",
        "vendor": "Cisco"
    },
    "related": {
        "hash": [
            "fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e"
        ],
        "hosts": [
            "my.site.com"
        ],
        "ip": [
            "172.10.11.22"
        ]
    },
    "rule": {
        "id": "DEFAULT_CASE_11",
        "ruleset": "Identity"
    },
    "source": {
        "address": "172.10.11.22",
        "ip": "172.10.11.22"
    },
    "url": {
        "domain": "my.site.com",
        "original": "http://my.site.com/",
        "path": "/",
        "port": 80,
        "registered_domain": "site.com",
        "scheme": "http",
        "subdomain": "my",
        "top_level_domain": "com"
    }
}
{
    "message": "Info: Completed aggregating export files (#files: DOMAINS_BY_APP_TYPE 2023-02-10-11-40 #files: 1 #rows: 2 #total rows 6698) #duration(s): 0.01 #rate: 156/s\n",
    "event": {
        "category": [
            "network",
            "web"
        ],
        "kind": "event"
    },
    "cisco_wsa": {
        "threat": {
            "category": "Not Set"
        }
    },
    "network": {
        "direction": "egress"
    },
    "observer": {
        "product": "Cisco Web Security Appliances",
        "type": "proxy",
        "vendor": "Cisco"
    },
    "sekoiaio": {
        "intake": {
            "parsing_warnings": [
                "No fields extracted from original event"
            ]
        }
    }
}
{
    "message": "Info: Completed writing export files to database (#counter_group: WEB_APPLICATION_TYPE_APPLICATION_NAME_DETAIL #interval 2023-02-10-11-40 #Serial number: 123456-789101112 #Time since data generated: 369\n",
    "event": {
        "category": [
            "network",
            "web"
        ],
        "kind": "event"
    },
    "cisco_wsa": {
        "threat": {
            "category": "Not Set"
        }
    },
    "network": {
        "direction": "egress"
    },
    "observer": {
        "product": "Cisco Web Security Appliances",
        "type": "proxy",
        "vendor": "Cisco"
    },
    "sekoiaio": {
        "intake": {
            "parsing_warnings": [
                "No fields extracted from original event"
            ]
        }
    }
}
{
    "message": "1278096903.150 97 172.10.11.22 TCP_MISS/200 8187 GET http://my.site.com/ - DIRECT/my.site.com text/plain DEFAULT_CASE_11-PolicyGroupName-Identity-OutboundMalwareScanningPolicy-DataSecurityPolicy-ExternalDLPPolicy-RoutingPolicy <IW_comp,6.9,-,\"-\",-,-,-,-,\"-\",-,-,-,\"-\",-,-,\"-\",\"-\",-,-,IW_comp,-,\"-\",\"-\",\"Unknown\",\"Unknown\",\"-\",\"-\",198.34,0,-,[Local],\"-\",37,\"W32.CiscoTestVector\",33,0,\"WSA-INFECTED-FILE.pdf\",\"fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e\"> -",
    "event": {
        "category": [
            "network",
            "web"
        ],
        "duration": 97,
        "kind": "event",
        "start": "2010-07-02T18:55:03.150000Z"
    },
    "@timestamp": "2010-07-02T18:55:03.150000Z",
    "cisco_wsa": {
        "cache_status": "miss",
        "hierarchy_code": "DIRECT",
        "rule": {
            "policy": {
                "data_security": "DataSecurityPolicy",
                "external_dlp": "ExternalDLPPolicy",
                "name": "PolicyGroupName",
                "outbound_malware_scanning": "OutboundMalwareScanningPolicy",
                "routing": "RoutingPolicy"
            }
        },
        "threat": {
            "category": "Known Malicious and High-Risk Files",
            "category_code": 37,
            "name": "W32.CiscoTestVector",
            "reputation_score": 33
        },
        "url": {
            "category": "Computers and Internet",
            "category_code": "IW_comp"
        }
    },
    "destination": {
        "address": "my.site.com",
        "domain": "my.site.com",
        "registered_domain": "site.com",
        "subdomain": "my",
        "top_level_domain": "com"
    },
    "file": {
        "hash": {
            "sha256": "fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e"
        },
        "name": "WSA-INFECTED-FILE.pdf"
    },
    "http": {
        "request": {
            "method": "GET"
        },
        "response": {
            "bytes": 8187,
            "mime_type": "text/plain",
            "status_code": 200
        }
    },
    "network": {
        "direction": "egress",
        "transport": "tcp"
    },
    "observer": {
        "product": "Cisco Web Security Appliances",
        "type": "proxy",
        "vendor": "Cisco"
    },
    "related": {
        "hash": [
            "fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e"
        ],
        "hosts": [
            "my.site.com"
        ],
        "ip": [
            "172.10.11.22"
        ]
    },
    "rule": {
        "id": "DEFAULT_CASE_11",
        "ruleset": "Identity"
    },
    "source": {
        "address": "172.10.11.22",
        "ip": "172.10.11.22"
    },
    "url": {
        "domain": "my.site.com",
        "original": "http://my.site.com/",
        "path": "/",
        "port": 80,
        "registered_domain": "site.com",
        "scheme": "http",
        "subdomain": "my",
        "top_level_domain": "com"
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
cisco_wsa.cache_status keyword The Cache status for the given request (can be 'hit', 'miss' or 'denied')
cisco_wsa.hierarchy_code keyword The hierarchy used by Cisco Web Security Appliance for this connection. It indicates how the next-hop cache was selected
cisco_wsa.rule.policy.data_security keyword The name of the data security policy applied to the request
cisco_wsa.rule.policy.external_dlp keyword The name of the external dlp policy applied to the request
cisco_wsa.rule.policy.name keyword The name of the policy applied to the request
cisco_wsa.rule.policy.outbound_malware_scanning keyword The name of the outbound malware scanning policy applied to the request
cisco_wsa.rule.policy.routing keyword The name of the routing policy applied to the request
cisco_wsa.threat.category_code number The code of the category of the detected threat
cisco_wsa.threat.name keyword The name of the detected threat
cisco_wsa.threat.reputation_score number The reputation score from Advanced Malware Protection file scanning
cisco_wsa.url.category_code keyword The code of the category of the requested url
destination.domain keyword The domain name of the destination.
destination.ip ip IP address of the destination.
event.category keyword Event category. The second categorization field in the hierarchy.
event.duration long Duration of the event in nanoseconds.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.start date event.start contains the date when the event started or when the activity was first observed.
event.type keyword Event type. The third categorization field in the hierarchy.
file.hash.sha256 keyword SHA256 hash.
file.name keyword Name of the file including the extension, without the directory.
http.request.method keyword HTTP request method.
http.response.bytes long Total size in bytes of the response (body and headers).
http.response.mime_type keyword Mime type of the body of the response.
http.response.status_code long HTTP response status code.
network.direction keyword Direction of the network traffic.
network.transport keyword Protocol Name corresponding to the field iana_number.
observer.product keyword The product name of the observer.
observer.type keyword The type of the observer the data is coming from.
observer.vendor keyword Vendor name of the observer.
rule.id keyword Rule ID
rule.ruleset keyword Rule ruleset
source.ip ip IP address of the source.
url.original wildcard Unmodified original url as seen in the event source.
user.name keyword Short name or login of the user.
user_agent.original keyword Unparsed user_agent string.

Configure

Prerequisites

An internal log concentrator is required to collect and forward events to Sekoia.io.

Enable Syslog forwarding

Log on your Web Security appliance and follow this guide to create a log subscription with the retrieval method Syslog Push and the concentrator as the destination.

Create the intake

Go to the intake page and create a new intake from the format Cisco Secure Web Applicance.

Forward logs to Sekoia.io

Please consult the Syslog Forwarding documentation to forward these logs to Sekoia.io.

Further Readings