In this blog post, we combine the capabilities of Cisco Secure Endpoint with the versatility of Wazuh, a unified XDR and SIEM platform. Cisco Secure Endpoint offers cloud-delivered endpoint detection and response. We forward logs from Cisco Secure Endpoint to Wazuh, enabling you to streamline the collection, analysis, and alerting of security logs.
We begin by creating API credentials on Cisco Secure Endpoint, laying the foundation for communication with the platform. We then create an event stream, a conduit for real-time security event data. This event stream forms the bridge between Cisco Secure Endpoint and Wazuh, ensuring that valuable log data flows uninterrupted. We create a Python script to connect to this event stream and gather logs from Cisco Secure Endpoint. This script collects and forwards log data to the Wazuh server for analysis and timely alerting.
Below, we provide a step-by-step guide on how to perform this integration to enhance your cybersecurity posture.
Requirements
- A pre-built, ready-to-use Wazuh OVA 4.6.0 that includes the Wazuh core components (Wazuh server, Wazuh indexer, and Wazuh dashboard). Follow the Virtual Machine (OVA) – Installation guide to download and set up the Wazuh virtual machine.
- A subscription on Cisco Secure Endpoint, and a user with administrator privileges to create API credentials.
- Install the Cisco Secure Endpoint agent on a test Windows 11 endpoint to test the integration.
Create an API credential on the Cisco Secure Endpoint dashboard
Perform the following actions on the Cisco Secure Endpoint dashboard to create the API credentials necessary for starting an event stream.
1. Navigate to Admin > API Credentials on the Cisco Secure Endpoint dashboard.
2. Select New API Credential to create a new API credential.
3. Enter the Application name, grant the credential Read & Write access, and click Create.
4. Copy out the API credential. We will use this to create the event stream.
Configure the Wazuh server to integrate with Cisco Secure Endpoint
Perform the following steps on the Wazuh server to create the event stream, and then collect and analyze the logs from the stream.
1. Run the following command to create an event stream on Cisco Secure Endpoint. Replace <API_CLIENT_ID> and <API_KEY> with the API credentials generated on the Cisco Secure Endpoint dashboard. Also, replace <URL> with the API endpoint of the region where your Cisco Secure Endpoint tenant is hosted.
# curl -u <API_CLIENT_ID>:<API_KEY> -H "Content-Type: application/json" -d '{"name": "WAZUH_EVENT_STREAM"}' <URL>
Note: Possible replacements for <URL> are:
- North America:
https://api.amp.cisco.com/v1/event_streams
- Europe:
https://api.eu.amp.cisco.com/v1/event_streams
- Asia Pacific:
https://api.apjc.amp.cisco.com/v1/event_streams
The output contains credentials needed for connecting to the event stream. Save the output securely.
Example output:
{"version":"v1.2.0","metadata":{"links":{"self":"https://api.amp.cisco.com/v1/event_streams"}},"data":{"id":3440,"name":"WAZUH_EVENT_STREAM","amqp_credentials":{"user_name":"3440-b1fcf7259811656da5b2","queue_name":"event_stream_3440","password":"58a9dfbf585997710ea88ca43b595018abed8d84","host":"export-streaming.amp.cisco.com","port":"443","proto":"amqps"}}}
We can extract the following values from the example output:
{ "version": "v1.2.0", "metadata": { "links": { "self": "https://api.amp.cisco.com/v1/event_streams" } }, "data": { "id": 3440, "name": "WAZUH_EVENT_STREAM", "amqp_credentials": { "user_name": "<STREAM_USERNAME>", "queue_name": "<STREAM_QUEUE_NAME>", "password": "<STREAM_PASSWORD>", "host": "<STREAM_HOSTNAME>", "port": "<STREAM_PORT>", "proto": "amqps" } } }
2. Create a Python script at /var/ossec/integrations/cisco_secure_endpoint.py to connect to the event stream and listen for Cisco logs. Replace the values of the user_name, queue_name, password, host, and port variables with the appropriate streaming credentials generated in step 1 above.
Warning: We recommend you use a secret management solution to store the values of the user_name, queue_name, and password variables instead of hardcoding them in the script. Use the script as it is only for testing purposes. You can modify the script to extract the credentials from your secret management solution when using it in production.
#!/var/ossec/framework/python/bin/python3
import pika
import ssl
from socket import socket, AF_UNIX, SOCK_DGRAM

# Streaming credentials returned by the event stream creation request (step 1)
user_name = "<STREAM_USERNAME>"
queue_name = "<STREAM_QUEUE_NAME>"
password = "<STREAM_PASSWORD>"
host = "<STREAM_HOSTNAME>"
port = "<STREAM_PORT>"

# UNIX datagram socket of the Wazuh manager (analysisd) that accepts local log input
socket_addr = '/var/ossec/queue/sockets/queue'


def send_event(msg):
    # Frame the raw event as "<queue id>:<location>:<log>"; queue id 1 is the log queue
    # and the location "ciscoendpoint" is what the rules match on
    string = '1:ciscoendpoint:{"ciscoendpoint":' + msg.decode('utf-8') + '}'
    sock = socket(AF_UNIX, SOCK_DGRAM)
    sock.connect(socket_addr)
    sock.send(string.encode())
    sock.close()
    return True


def callback(channel, method, properties, body):
    # Acknowledge the message only after it has been handed to the Wazuh manager
    try:
        send_event(body)
        channel.basic_ack(delivery_tag=method.delivery_tag)
        print("Cisco Secure Endpoint log sent to Wazuh")
    except Exception as e:
        print("Failed to send Cisco Secure Endpoint log to Wazuh: " + str(e))


# Connect to the AMQP broker over TLS using the stream credentials
amqp_url = f"amqps://{user_name}:{password}@{host}:{port}"
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
amqp_ssl = pika.SSLOptions(context)
params = pika.URLParameters(amqp_url)
params.ssl_options = amqp_ssl

connection = pika.BlockingConnection(params)
channel = connection.channel()
channel.basic_consume(queue_name, callback, auto_ack=False)
channel.start_consuming()
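The script above hands every stream message to the Wazuh manager exactly as received and leaves a message unacknowledged when delivery fails, so a body that never parses would be redelivered each time the channel reopens. The following added example (written for this post, not Cisco's or Wazuh's own code) shows the same socket framing with two additions a practitioner would want: the body is validated as a JSON object before it is wrapped, and the consumer callback acknowledges, rejects, or requeues depending on what failed. The SAMPLE_EVENT payload is constructed for illustration and trimmed to the fields the rules use; FakeChannel and FakeMethod are offline stand-ins for pika objects so the logic can be exercised without a broker; the socket path is the same one the script uses.

```python
import json
import socket

# Same framing the integration script uses: "<queue id>:<location>:<log line>".
# Queue id 1 is the analysisd log queue; the location must match <location> in the rule file.
WAZUH_QUEUE_ID = "1"
LOCATION = "ciscoendpoint"
SOCKET_PATH = "/var/ossec/queue/sockets/queue"

# Constructed sample stream message, trimmed to the fields the rules use (not a real Cisco event).
SAMPLE_EVENT = (b'{"id": 7290502020530700345, "event_type": "Threat Detected", '
                b'"severity": "Medium", "computer": {"hostname": "Windows11"}}')


def frame_event(body: bytes) -> str:
    """Validate the AMQP body as a JSON object and wrap it under the "ciscoendpoint" key.

    Re-serializing with compact separators guarantees a single-line message,
    which is what the JSON decoder on the manager expects.
    """
    payload = json.loads(body.decode("utf-8"))
    if not isinstance(payload, dict):
        raise ValueError("event body must be a JSON object")
    wrapped = json.dumps({"ciscoendpoint": payload}, separators=(",", ":"))
    return f"{WAZUH_QUEUE_ID}:{LOCATION}:{wrapped}"


def parse_frame(frame: str):
    """Inverse of frame_event: returns (queue id, location, decoded event)."""
    queue, location, log = frame.split(":", 2)
    return queue, location, json.loads(log)


def send_to_wazuh(frame: str, socket_path: str = SOCKET_PATH) -> int:
    """Deliver one frame to the manager's UNIX datagram socket; raises OSError if it is down."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.connect(socket_path)
        return sock.send(frame.encode("utf-8"))


def on_message(channel, method, properties, body, sender=send_to_wazuh) -> str:
    """pika-style consumer callback; returns the outcome so it can be logged or tested.

    - Malformed body: reject without requeue, otherwise the broker would redeliver
      the same unparseable message every time the channel reopens.
    - Wazuh socket unavailable (e.g. manager restarting): requeue so the event is retried.
    - Delivered: ack, so the broker removes it from the stream queue.
    """
    try:
        frame = frame_event(body)
    except ValueError:  # also covers JSONDecodeError and UnicodeDecodeError
        channel.basic_nack(delivery_tag=method.delivery_tag, requeue=False)
        return "rejected"
    try:
        sender(frame)
    except OSError:
        channel.basic_nack(delivery_tag=method.delivery_tag, requeue=True)
        return "requeued"
    channel.basic_ack(delivery_tag=method.delivery_tag)
    return "acked"


class FakeChannel:
    """Offline stand-in for a pika channel that records ack/nack calls."""

    def __init__(self):
        self.calls = []

    def basic_ack(self, delivery_tag):
        self.calls.append(("ack", delivery_tag))

    def basic_nack(self, delivery_tag, requeue):
        self.calls.append(("nack", delivery_tag, requeue))


class FakeMethod:
    """Minimal stand-in for pika's Basic.Deliver method frame."""

    def __init__(self, delivery_tag):
        self.delivery_tag = delivery_tag


if __name__ == "__main__":
    ch = FakeChannel()
    captured = []  # frames that would have gone to the socket
    print(on_message(ch, FakeMethod(1), None, SAMPLE_EVENT, sender=captured.append))
    print(captured[0])
    print(on_message(ch, FakeMethod(2), None, b"not json", sender=captured.append))
    print(ch.calls)
```

To wire this into the script, pass on_message to channel.basic_consume in place of callback; the default sender writes to the manager socket, and the test double is only used for offline checks.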
3. Set the ownership and permissions of the /var/ossec/integrations/cisco_secure_endpoint.py file:
# chown root:wazuh /var/ossec/integrations/cisco_secure_endpoint.py
# chmod 750 /var/ossec/integrations/cisco_secure_endpoint.py
4. Install the Python pika module, a requirement for running the cisco_secure_endpoint.py script.
# /var/ossec/framework/python/bin/pip3 install pika
5. Create a new rules file /var/ossec/etc/rules/cisco_endpoint_rules.xml and add the following rules to alert all events received from Cisco Secure Endpoint:
<group name="ciscoendpoint,">
  <rule id="110010" level="3">
    <location>ciscoendpoint</location>
    <description>Cisco Secure Endpoint: $(ciscoendpoint.event_type).</description>
  </rule>

  <rule id="110011" level="6">
    <if_sid>110010</if_sid>
    <field name="ciscoendpoint.severity">Low</field>
    <description>Cisco Secure Endpoint: $(ciscoendpoint.event_type).</description>
  </rule>

  <rule id="110012" level="9">
    <if_sid>110010</if_sid>
    <field name="ciscoendpoint.severity">Medium</field>
    <description>Cisco Secure Endpoint: $(ciscoendpoint.event_type).</description>
  </rule>

  <rule id="110013" level="12">
    <if_sid>110010</if_sid>
    <field name="ciscoendpoint.severity">High</field>
    <description>Cisco Secure Endpoint: $(ciscoendpoint.event_type).</description>
  </rule>

  <rule id="110014" level="15">
    <if_sid>110010</if_sid>
    <field name="ciscoendpoint.severity">Critical</field>
    <description>Cisco Secure Endpoint: $(ciscoendpoint.event_type).</description>
  </rule>
</group>
- Rule 110010 is the base rule to alert all events received from Cisco Secure Endpoint via this integration.
- Rule 110011 triggers alerts for events flagged as “Low” severity by Cisco Secure Endpoint.
- Rule 110012 triggers alerts for events flagged as “Medium” severity by Cisco Secure Endpoint.
- Rule 110013 triggers alerts for events flagged as “High” severity by Cisco Secure Endpoint.
- Rule 110014 triggers alerts for events flagged as “Critical” severity by Cisco Secure Endpoint.
6. Restart the Wazuh manager service to apply the rules:
# systemctl restart wazuh-manager
7. Create a systemd service at /lib/systemd/system/wazuh-ciscoendpoint.service to manage the integration script and ensure resilience in case of failure:
[Unit]
Description=Wazuh Cisco Secure Endpoint integration
Wants=network-online.target
After=network.target network-online.target

[Service]
ExecStart=/var/ossec/framework/python/bin/python3 /var/ossec/integrations/cisco_secure_endpoint.py
Restart=on-failure

[Install]
WantedBy=multi-user.target
8. Reload systemd, then enable and start the wazuh-ciscoendpoint service:
# systemctl daemon-reload
# systemctl enable wazuh-ciscoendpoint.service
# systemctl start wazuh-ciscoendpoint.service
9. Check the status of the wazuh-ciscoendpoint service to verify that it is running:
# systemctl status wazuh-ciscoendpoint.service
Test the integration
To test the integration, download an anti-malware test file on a test endpoint where a Cisco Secure Endpoint agent is running. This triggers alerts that immediately appear on the Wazuh dashboard. We performed the integration on the Wazuh server, which is why the agent name wazuh-server and the agent ID 000 in the alert data correspond to the Wazuh server.
Below, we show the full alert data of one of the events received from Cisco Secure Endpoint.
{ "agent": { "name": "wazuh-server", "id": "000" }, "manager": { "name": "wazuh-server" }, "data": { "ciscoendpoint": { "date": "2023-10-16T10:31:18+00:00", "severity": "Medium", "detection": "ZIP.INV.2546DCFF.CAE.Talos", "group_guids": [ "45160b2d-65f9-42d0-aa0a-b7be190ce757" ], "event_type_id": "1090519054", "timestamp_nanoseconds": "633000000", "computer": { "hostname": "Windows11", "network_addresses": [ { "ip": "192.168.132.141", "mac": "00:0c:29:dd:5a:c2" }, { "ip": "192.168.223.128", "mac": "00:0c:29:dd:5a:b8" } ], "connector_guid": "81eeab44-2c4b-4146-aab6-5fe03cfbdc40", "active": "true", "links": { "computer": "https://api.amp.cisco.com/v1/computers/81eeab44-2c4b-4146-aab6-5fe03cfbdc40", "trajectory": "https://api.amp.cisco.com/v1/computers/81eeab44-2c4b-4146-aab6-5fe03cfbdc40/trajectory", "group": "https://api.amp.cisco.com/v1/groups/45160b2d-65f9-42d0-aa0a-b7be190ce757" }, "user": "User@WINDOWS11", "external_ip": "xx.xx.xx.xx" }, "event_type": "Threat Detected", "file": { "file_path": "\\\\?\\C:\\Users\\User\\Downloads\\cf1dfa49-0f1a-4549-baaa-c71dc8789d63.tmp", "parent": { "process_id": "3656", "disposition": "Unknown", "file_name": "msedge.exe", "identity": { "sha1": "ec2e76bf2047ef629a98d4ea4775016b79fe66ee", "sha256": "b99374fb71f72fb3fdd32f93c73b0d29321cf529c1589e69b9dff62a45b76b8d", "md5": "25ac5fb4f45f573b8d8679e11efb1f70" } }, "disposition": "Malicious", "file_name": "cf1dfa49-0f1a-4549-baaa-c71dc8789d63.tmp", "identity": { "sha1": "d27265074c9eac2e2122ed69294dbc4d7cce9141", "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", "md5": "6ce6f415d8475545be5ba114f208b0ff" } }, "connector_guid": "81eeab44-2c4b-4146-aab6-5fe03cfbdc40", "id": "7290502020530700288.000000", "detection_id": "7290502020530700312", "timestamp": "1697452278" } }, "rule": { "firedtimes": 3, "mail": false, "level": 9, "description": "Cisco Secure Endpoint: Threat Detected.", "groups": [ "ciscoendpoint" ], "id": "110012" }, "decoder": { "name": "json" }, 
"full_log": "{\"ciscoendpoint\":{\"id\":7290502020530700345,\"timestamp\":1697452278,\"timestamp_nanoseconds\":633000000,\"date\":\"2023-10-16T10:31:18+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"ZIP.INV.2546DCFF.CAE.Talos\",\"detection_id\":\"7290502020530700312\",\"connector_guid\":\"81eeab44-2c4b-4146-aab6-5fe03cfbdc40\",\"group_guids\":[\"45160b2d-65f9-42d0-aa0a-b7be190ce757\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"81eeab44-2c4b-4146-aab6-5fe03cfbdc40\",\"hostname\":\"Windows11\",\"external_ip\":\"xx.xx.xx.xx\",\"user\":\"User@WINDOWS11\",\"active\":true,\"network_addresses\":[{\"ip\":\"192.168.132.141\",\"mac\":\"00:0c:29:dd:5a:c2\"},{\"ip\":\"192.168.223.128\",\"mac\":\"00:0c:29:dd:5a:b8\"}],\"links\":{\"computer\":\"https://api.amp.cisco.com/v1/computers/81eeab44-2c4b-4146-aab6-5fe03cfbdc40\",\"trajectory\":\"https://api.amp.cisco.com/v1/computers/81eeab44-2c4b-4146-aab6-5fe03cfbdc40/trajectory\",\"group\":\"https://api.amp.cisco.com/v1/groups/45160b2d-65f9-42d0-aa0a-b7be190ce757\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"cf1dfa49-0f1a-4549-baaa-c71dc8789d63.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\User\\\\Downloads\\\\cf1dfa49-0f1a-4549-baaa-c71dc8789d63.tmp\",\"identity\":{\"sha256\":\"2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad\",\"sha1\":\"d27265074c9eac2e2122ed69294dbc4d7cce9141\",\"md5\":\"6ce6f415d8475545be5ba114f208b0ff\"},\"parent\":{\"process_id\":3656,\"disposition\":\"Unknown\",\"file_name\":\"msedge.exe\",\"identity\":{\"sha256\":\"b99374fb71f72fb3fdd32f93c73b0d29321cf529c1589e69b9dff62a45b76b8d\",\"sha1\":\"ec2e76bf2047ef629a98d4ea4775016b79fe66ee\",\"md5\":\"25ac5fb4f45f573b8d8679e11efb1f70\"}}}}}", "input": { "type": "log" }, "@timestamp": "2023-10-16T10:31:20.938Z", "location": "ciscoendpoint", "id": "1697452280.433862", "timestamp": "2023-10-16T13:31:20.938+0300", "_id": "qTkKOIsByUthJ9hfXuOc" }
Conclusion
Our integration of Cisco Secure Endpoint and Wazuh offers a centralized log management and alerting solution. Organizations can streamline data collection and analysis by integrating both platforms to allow data flow and a holistic approach to security. Take advantage of this alliance to fortify your digital assets and maintain operational integrity.
Wazuh is an open source security monitoring platform that provides a unified security management approach across various IT assets. It provides capabilities such as security analytics, intrusion detection, file integrity monitoring, vulnerability detection, incident response, and more. To learn more about Wazuh, please check out our other blog posts and official guides.