Integrate ATA with Cisco ASA firewall logs


Hi there,

I have a quick question about Microsoft Advanced Threat Analytics (ATA). How can we integrate ATA with Cisco ASA (Adaptive Security Appliance) firewall logs? And if it's possible, what will be the implementation requirements for any organization?

Thanks in advance!

7 Replies

Hi,

ATA does not integrate with FW logs from any vendor. Today it only collects Windows event logs from the DCs, which can be captured using a supported SIEM or Windows Event Forwarding.

This is now possible. ATA can receive VPN accounting logs from Cisco ASA. It is using RADIUS accounting events forwarded to ATA.

See this article:

https://docs.microsoft.com/en-us/advanced-threat-analytics/vpn-integration-install-step

Hi Artom, to set up the integration between Cisco ASA and ATA as per the documentation, it states port 1813 on ATA Gateways and Lightweight Gateways, but what about the authentication port? The reason I ask is that Cisco ASA does not allow the authentication port to be left empty.

On another note, ATA Lightweight Gateways do not advertise/listen on "1812", so would this cause the integration not to work?
Hi Artom,

The article is for the Windows-side configuration. Do you have a reference for the ASA-end configuration?
Hi Jeffrey,

Have you got it fixed?

Jeffrey,

I'm not exactly familiar with the Cisco ASA side of the configuration, but the ATA Gateway doesn't do the authentication; it only reads the "accounting" info.

Here is the Cisco ASA guide on this. Read page 17:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/general/asdm_71_general_config/aaa_r...

It seems that you have to configure an AAA Server Group.

Perhaps there is a way to add both the RADIUS server and the ATA Gateway to the AAA Server Group, then configure the appropriate authentication port for the RADIUS server and set the accounting port to 1813 so that the ATA Gateway will see the accounting info.

Cheers,

Art.
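The replies above describe the mechanism the integration relies on: the ASA sends RADIUS accounting records (not authentication) to the gateway listening on UDP/1813, and the two sides share a secret that protects each record's Request Authenticator. The example below is added here for illustration and is not code from this thread, from Microsoft, or from Cisco. It builds an Accounting-Request the way a NAS would (RFC 2866), then validates and decodes it the way a receiver must: checking the length field, verifying the Request Authenticator against the shared secret, rejecting malformed attribute lengths, and confirming that the attributes a VPN session record needs (user name, assigned tunnel IP, client address, status) are present. All values (the secret, the user, the addresses, the session id) are constructed sample data, and the set of required attributes is this example's own assumption, not a statement of what ATA requires.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS code and attribute types from RFC 2865 / RFC 2866
ACCOUNTING_REQUEST = 4
USER_NAME = 1
FRAMED_IP_ADDRESS = 8
CALLING_STATION_ID = 31
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}

# Assumption for this example: a usable VPN session record carries at least
# the user, the tunnel IP assigned to it, the client address and the status.
REQUIRED = (USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID, ACCT_STATUS_TYPE)


def _attr(atype, value):
    """Encode one RADIUS attribute: type(1) | length(1, header included) | value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_accounting_request(identifier, secret, attrs):
    """Build an Accounting-Request as a NAS would send it to UDP/1813.
    Request Authenticator = MD5(header | 16 zero bytes | attributes | secret)."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(packet, secret):
    """Validate an Accounting-Request against the shared secret and return
    (identifier, {attribute_type: raw_value}). Raises ValueError on any defect."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length != len(packet):
        raise ValueError("length field does not match datagram size")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Request Authenticator: wrong shared secret or tampered packet")
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError(f"malformed length {alen} for attribute {atype}")
        attrs[atype] = body[pos + 2:pos + alen]
        pos += alen
    return identifier, attrs


def decode_vpn_session(attrs):
    """Turn raw attributes into the fields an identity-centric consumer needs."""
    missing = [t for t in REQUIRED if t not in attrs]
    if missing:
        raise ValueError(f"accounting record lacks attributes {missing}")
    status = struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0]
    return {
        "user": attrs[USER_NAME].decode("utf-8"),
        "framed_ip": str(ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS])),
        "client": attrs[CALLING_STATION_ID].decode("utf-8"),
        "status": ACCT_STATUS_NAMES.get(status, f"Unknown({status})"),
        "session_id": attrs.get(ACCT_SESSION_ID, b"").decode("utf-8"),
    }


# Constructed sample values; no real hosts, users or secrets are involved.
SECRET = b"example-shared-secret"
SAMPLE_ATTRS = [
    (USER_NAME, b"CONTOSO\\jdoe"),
    (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.20.30.40").packed),
    (CALLING_STATION_ID, b"203.0.113.7"),
    (ACCT_STATUS_TYPE, struct.pack("!I", 1)),  # 1 = Start
    (ACCT_SESSION_ID, b"0x1A2B3C"),
]


def demo():
    """Round-trip a sample Start record: build -> validate -> decode."""
    packet = build_accounting_request(7, SECRET, SAMPLE_ATTRS)
    identifier, attrs = parse_accounting_request(packet, SECRET)
    session = decode_vpn_session(attrs)
    session["identifier"] = identifier
    return session


def demo_wrong_secret():
    """A receiver configured with a different secret must reject the record."""
    packet = build_accounting_request(7, SECRET, SAMPLE_ATTRS)
    try:
        parse_accounting_request(packet, b"some-other-secret")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("wrong secret rejected:", demo_wrong_secret())
```

Two things this shows that the thread only implies: the authentication port the ASA insists on is irrelevant to the accounting receiver, since nothing here ever handles an Access-Request, and a mismatched shared secret fails closed at the authenticator check rather than producing a half-decoded record. If records are arriving on 1813 but no sessions show up, comparing the secret and checking which attributes the NAS actually includes are the first two things to verify.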

Hongtao,

Please see my post above with the link to the Cisco ASA config document.

Thanks,

Art.