Jun 07 2017 07:20 AM - last edited on Nov 30 2021 09:02 AM by Allen
Hi there,
I have a quick question about Microsoft Advanced Threat Analytics (ATA): how can we integrate ATA with Cisco ASA (Adaptive Security Appliance) firewall logs? And if it's possible, what would the implementation requirements be for an organization?
Thanks in advance!
Jun 08 2017 09:14 AM
Hi,
ATA does not integrate with FW logs from any vendor. Today it only collects Windows event logs from the DCs, which can be captured using a supported SIEM or Windows Event Forwarding.
Jan 24 2018 07:19 AM
This is now possible. ATA can receive VPN accounting logs from Cisco ASA. It is using RADIUS accounting events forwarded to ATA.
See this article:
https://docs.microsoft.com/en-us/advanced-threat-analytics/vpn-integration-install-step
Feb 28 2018 08:07 PM
Hi Artom, to set up the integration between Cisco ASA and ATA, the documentation states port 1813 on ATA Gateways and Lightweight Gateways. What about the authentication port? The reason I ask is that Cisco ASA does not allow the authentication port to be left empty.
On another note, ATA Lightweight Gateways do not have "1812" advertising/listening; would this cause the integration to not work?
Jul 10 2018 09:49 AM
Jul 10 2018 09:50 AM
Jul 10 2018 10:47 AM
Jeffrey,
I'm not exactly familiar with the Cisco ASA side of configuration, but ATA Gateway doesn't do the authentication, it only reads the "accounting" info.
Here is the Cisco ASA guide on this. Read page 17:
Seems that you have to configure an AAA Server Group.
Perhaps there is a way to add both the RADIUS server and the ATA Gateway to the AAA Server Group, and then configure the appropriate authentication port for the RADIUS server and set the accounting port to 1813 so that ATA Gateway will see that accounting info.
Cheers,
Art.
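Added example, not part of the original thread and not code from Microsoft or Cisco: a minimal Python parser for RADIUS Accounting-Request packets (RFC 2866), showing what a listener on UDP 1813 can read from VPN accounting and that authentication (Access-Request) traffic carries nothing it uses. The sample packets, user name and addresses are constructed, and the sketch assumes the Request Authenticator is not verified against the shared secret.

```python
import struct

# RADIUS packet codes (RFC 2865 / RFC 2866)
ACCESS_REQUEST = 1       # authentication, normally UDP 1812
ACCOUNTING_REQUEST = 4   # accounting, normally UDP 1813

ATTR_USER_NAME = 1
ATTR_FRAMED_IP = 8
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def parse_accounting(packet: bytes):
    """Return session fields from an Accounting-Request, else None."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return None  # not accounting (e.g. Access-Request) or bad length
    fields, pos = {}, 20  # attributes start after the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return None  # malformed attribute: reject the whole packet
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            fields["user"] = value.decode("utf-8", "replace")
        elif atype == ATTR_FRAMED_IP and len(value) == 4:
            fields["framed_ip"] = ".".join(str(b) for b in value)
        elif atype == ATTR_CALLING_STATION_ID:
            fields["calling_station"] = value.decode("utf-8", "replace")
        elif atype == ATTR_ACCT_STATUS_TYPE and len(value) == 4:
            n = struct.unpack("!I", value)[0]
            fields["status"] = STATUS.get(n, str(n))
        pos += alen
    return fields

def build(code: int, attrs) -> bytes:
    """Build a constructed test packet with an all-zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: a VPN session start and an authentication request.
SAMPLE_START = build(ACCOUNTING_REQUEST, [
    (ATTR_USER_NAME, b"alice"),
    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1)),
    (ATTR_FRAMED_IP, bytes([10, 8, 0, 25])),
    (ATTR_CALLING_STATION_ID, b"203.0.113.7"),
])
SAMPLE_AUTH = build(ACCESS_REQUEST, [(ATTR_USER_NAME, b"alice")])
```
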
Jul 10 2018 10:49 AM
Hongtao,
Please see my post above with link to Cisco ASA config document.
Thanks,
Art.