
How to generate reports related to configuration changes in firewall

Sankarakumar

How do we properly create a custom report to get the configuration change events from the firewall on a daily basis?

Could you please suggest any idea?

Thanks!


Best Answer

    @kr1spy84,

       Specifying a "Device_Type" allows the Reporting Module to query additional information that may not be queried otherwise. It is just as possible that your firewall's logs are successfully being parsed by the respective Plugin and that your information can be queried in the Reports, thus not requiring you to specify a Device_Type. Many times (such as for VPN events on a Firewall) you may need to specify that your Firewall is also a VPN endpoint.

       To answer Sankarakumar's question directly, I don't believe we have a report that will show "configuration changes events from the firewall". This would need to be a custom Report_Module. 

       Regards,

    - kratos

Answers

  • Here are the steps for a Cisco ASA Firewall - you would have to change steps 1 and 5 around for a different firewall.


    1) Create a DS Group that incorporates the event that records the changes to the firewall.  For a Cisco ASA the SIDs you're looking for are 111008 and 111010
    2) When the view is created go into the Analysis -> SIEM and put it on that Data Source group
    3) Click Change View -> Edit Current View
    4) Remove any unnecessary fields like sensor, OTX, etc.
    5) Add in fields that you would like such as Extradata Username (user who made the change) and Userdata2 (command that was run)
    6) Change the name of the view and click save as.
    7) Once the SIEM view reloads verify that this is the information you want (changes would be made by going back to step 3)
    8) Click Change View -> Edit Current View and click "Save as Remote Module"
    9) Click on Reports -> Custom Reports
    10) Click on Actions -> Create Report
    11) Change the title, and set the date range to either Yesterday or Today depending on when you want this report to run. 
    12) Add the Custom Security Events module you just created - it should be titled "Custom Security Events - [view name - see step 6]".  Click Next
    13) If you want to limit it to specific assets, select the assets and click Next (I will leave mine on all Assets)
    14) Set the # of events you want reported on.  I am going to put mine at 500 but that number will change based on the size of your environment.
    15) Click Save and Run

    At this point you just set that report to run at a specific time daily and, if you want, to retain a history of the reports.
  • Thanks a lot for the updated answers, kr1spy84 brother.

    Just need one more thing: do we have any plugin ID for the Juniper SRX firewall?
  • I'm not super familiar with how Juniper SRX firewalls log this.  I don't see anything obvious from the name inside of the datasource properties within AlienVault.

    Doing a little bit of googling it looks like the event that it should be translating is something like this:

    UI_CFG_AUDIT_OTHER or
    UI_CFG_AUDIT_SET

    [Source: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/user-configuration-change-tracking.html]

    Because I don't see events for those, if I were you I would:

    1) verify that those events are correct - you can check by looking at generic messages within AlienVault or looking through the raw logs for the event types I list above.

    2) if they are there and they are being parsed wrong or too generically, you will need to create a cfg.local file to parse the files with your customized rules, or submit to AlienVault for them to build the cfg changes for you

    https://www.alienvault.com/documentation/usm-appliance/plugin-management/request-plugin.htm
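
    The following is an added example, not code from this thread, from AlienVault or from Cisco/Juniper. It does offline, in plain Python, what the two answers above describe building inside USM: pick out the Cisco ASA 111008/111010 messages and the Junos UI_CFG_AUDIT_SET / UI_CFG_AUDIT_OTHER messages from a day's syslog, pull out the user who made the change and the command that was run (the "Extradata Username" and "Userdata2" fields of the custom view), and cap the result at an event limit like step 14 of the report. The sample log lines, hostnames and IP addresses are constructed; the exact field layout of the ASA and Junos messages is an assumption from memory of those formats and should be checked against your own raw logs before the regexes are trusted, which is also the point of step 1 in the Juniper reply.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines, not taken from the thread. The Cisco ASA
# 111008/111010 and Junos UI_CFG_AUDIT_* layouts are assumptions from memory
# of those message formats; confirm them against your own raw logs before
# trusting the regexes below.
SAMPLE_LOGS = """\
Jan 12 09:14:03 asa-edge %ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
Jan 12 09:14:10 asa-edge %ASA-5-111010: User 'jsmith', running 'CLI' from IP '10.20.0.5', executed 'access-list OUTSIDE_IN line 1 extended permit tcp any host 10.20.0.40 eq 22'
Jan 12 09:15:30 asa-edge %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/51234 (198.51.100.7/51234) to inside:10.20.0.40/443 (10.20.0.40/443)
Jan 12 11:02:44 asa-edge %ASA-5-111010: User 'jsmith', running 'CLI' from IP '10.20.0.5', executed 'no logging enable'
Jan 13 08:30:12 srx-core mgd[4711]: UI_CFG_AUDIT_SET: User 'ops' set: [security policies from-zone untrust to-zone trust policy allow-all then] <unset> -> "permit"
Jan 13 08:31:02 srx-core mgd[4711]: UI_CFG_AUDIT_OTHER: User 'ops' delete: [security policies from-zone untrust to-zone trust policy allow-all match source-address]
Jan 13 08:32:15 srx-core RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.20.0.5/40312->198.51.100.7/443 junos-https None 10.20.0.5/40312->198.51.100.7/443
"""

# Classic BSD syslog header: "Mon DD HH:MM:SS host message" (no year).
SYSLOG_HEADER = re.compile(
    r"^(?P<day>[A-Z][a-z]{2}\s+\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)

# One pattern per event type the thread identifies as a configuration change.
# Named groups: user (who made the change), change (what was run or set) and
# src_ip where the message carries one (ASA 111010 only).
CHANGE_PATTERNS = [
    ("cisco_asa", re.compile(
        r"%ASA-\d-111008: User '(?P<user>[^']+)' executed the '(?P<change>.*)' command\.?$")),
    ("cisco_asa", re.compile(
        r"%ASA-\d-111010: User '(?P<user>[^']+)', running '[^']*' from IP '(?P<src_ip>[^']+)', "
        r"executed '(?P<change>.*)'$")),
    ("juniper_srx", re.compile(
        r"UI_CFG_AUDIT_(?:SET|OTHER): User '(?P<user>[^']+)' (?P<change>.*)$")),
]


def parse_config_change(line):
    """Return a dict describing a config-change event, or None for any other line."""
    head = SYSLOG_HEADER.match(line)
    if not head:
        return None
    for vendor, pattern in CHANGE_PATTERNS:
        hit = pattern.search(head.group("msg"))
        if hit:
            fields = hit.groupdict()
            return {
                "day": head.group("day"),
                "time": head.group("time"),
                "host": head.group("host"),
                "vendor": vendor,
                "user": fields["user"],
                "src_ip": fields.get("src_ip"),  # None when the message has no source IP
                "change": fields["change"],
            }
    return None


def daily_report(log_text, day, max_events=500):
    """Config-change events logged on `day` (e.g. "Jan 12"), in log order,
    capped at max_events the way the custom report's event limit caps it."""
    events = []
    for line in log_text.splitlines():
        event = parse_config_change(line)
        if event and event["day"] == day:
            events.append(event)
    return events[:max_events]


def summarize_by_user(events):
    """Count changes per (host, user) so an unexpected operator stands out."""
    counts = defaultdict(int)
    for event in events:
        counts[(event["host"], event["user"])] += 1
    return dict(counts)


def render(events):
    """Plain-text report body, one line per change."""
    lines = [f"{len(events)} configuration change(s)"]
    for e in events:
        origin = f" from {e['src_ip']}" if e["src_ip"] else ""
        lines.append(f"{e['day']} {e['time']} {e['host']} [{e['vendor']}] "
                     f"{e['user']}{origin}: {e['change']}")
    return "\n".join(lines)


if __name__ == "__main__":
    for day in ("Jan 12", "Jan 13"):
        events = daily_report(SAMPLE_LOGS, day)
        print(render(events))
        print(summarize_by_user(events))
        print()
```

    Feeding a real day of firewall syslog through `daily_report` is a quick way to confirm that the events the USM view is built on actually carry a username and a command before scheduling the report; if the Junos lines do not match, that is the case where the reply above says a cfg.local or a plugin request is needed.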


  • That's a nice write-up @kr1spy84.  I'll have to look into setting up to run this report when I get into the office tomorrow.
  • All great answers. Additionally, please ensure that you are going to your Asset, editing it, and applying an "Asset Type". Specifying what "type" of device your Asset is will allow the USM to query information from your Assets when running Reports.

       For example, if you have a Firewall that is also handling VPN traffic, you can see valid "VPN" details in specific Reports if you add "VPN Device" as a "Device_Type" to your Firewall (or if you have a stand-alone VPN device).


       Regards,

    - kratos
  • @kratos

    I'm confused on what that does.  Does it speed up the query?  When I typed up the steps above my report worked fine even though my devices were not flagged from the asset level - device type.

  • @kratos

    Is there any additional documentation about "Device_Type"?

    I'm curious to see what other devices this would help mine information from.

    Thanks.
  • Hello @kr1spy84,

       At this time, there is no direct documentation specifying the data collected with Event_Types. I would be more than happy to file a Documentation_Request for the different values collected from specifying Event_Types.

       Regards,

    - kratos
  • Thanks @kratos that would be helpful.