Integrate ATA with Cisco ASA firewall logs

Occasional Visitor

Hi there,

I have a quick question about Microsoft Advanced Threat Analytics (ATA): how can we integrate ATA with Cisco ASA (Adaptive Security Appliance) firewall logs? And if it's possible, what will be the implementation requirements for any organization?

Thanks in advance!


7 Replies

Hi,

ATA does not integrate with FW logs from any vendor. Today it only collects Windows event logs from the DCs, which can be captured using a supported SIEM or Windows Event Forwarding.

This is now possible. ATA can receive VPN accounting logs from Cisco ASA. It is using RADIUS accounting events forwarded to ATA.

See this article:

https://docs.microsoft.com/en-us/advanced-threat-analytics/vpn-integration-install-step

 

Hi Artom, to set up the integration between Cisco ASA and ATA as per the documentation, it stated port 1813 on ATA Gateways and Lightweight Gateways; what about the authentication port? The reason I ask is that Cisco ASA does not allow the authentication port to be left empty.

On another note, ATA Lightweight Gateways do not have "1812" advertising/listening, hence would this cause the integration to not work?

Hi Artom,

The article is for the Windows-side configuration; do you have a reference for the ASA end configuration?

Hi Jeffrey,

Have you got it fixed?

Jeffrey,

 

I'm not exactly familiar with the Cisco ASA side of the configuration, but the ATA Gateway doesn't do the authentication; it only reads the "accounting" info.

 

Here is the Cisco ASA guide on this. Read page 17:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/general/asdm_71_general_config/aaa_r...

 

Seems that you have to configure an AAA Server Group.

Perhaps there is a way to add both the RADIUS server and the ATA Gateway to the AAA Server Group, and then configure the appropriate authentication port for the RADIUS server and set the accounting port to 1813 so that the ATA Gateway will see that accounting info.

 

Cheers,

 

Art.
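
The difference between RADIUS authentication and accounting traffic discussed in this thread, as an added example that is not part of any post here and is not Microsoft or Cisco code: a parser for the Accounting-Request packets (RFC 2866) that an accounting-only listener on UDP 1813 would receive, which checks the shared-secret authenticator and drops authentication packets. The function names, shared secret and sample packet are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4  # RFC 2866; an authentication Access-Request is code 1
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
ATTRS = {1: ("User-Name", "text"), 4: ("NAS-IP-Address", "ip"),  # RFC 2865/2866
         8: ("Framed-IP-Address", "ip"), 31: ("Calling-Station-Id", "text"),
         40: ("Acct-Status-Type", "status"), 44: ("Acct-Session-Id", "text")}

def build_accounting_request(ident, attributes, secret):
    """Build a constructed sample packet from (type, value_bytes) pairs."""
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def parse_accounting_request(packet, secret):
    """Decode known attributes; raise ValueError for packets a listener should drop."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"code {code} is not an Accounting-Request")
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("authenticator mismatch: wrong shared secret or altered packet")
    out, pos = {}, 0
    while pos < len(attrs):
        alen = attrs[pos + 1] if len(attrs) - pos >= 2 else 0
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        name, kind = ATTRS.get(attrs[pos], (None, None))
        value, pos = attrs[pos + 2:pos + alen], pos + alen
        if kind == "ip":
            out[name] = str(ipaddress.IPv4Address(value))
        elif kind == "status":
            out[name] = STATUS.get(int.from_bytes(value, "big"), "other")
        elif kind == "text":
            out[name] = value.decode("utf-8", "replace")
    return out

SECRET = b"constructed-secret"  # constructed sample values, not from a real device
SAMPLE = build_accounting_request(7, [(1, b"jdoe"), (40, (1).to_bytes(4, "big")),
    (8, ipaddress.IPv4Address("10.8.0.25").packed), (44, b"0A1B2C3D")], SECRET)
```
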

Hongtao,

 

Please see my post above with link to Cisco ASA config document.

 

Thanks,

 

Art.
