Cisco Secure Email Monitoring

Updated Sep 13, 2023

Configure Cisco Secure Email monitoring

Arctic Wolf can monitor Cisco Secure Email® logs and alert you about suspicious or malicious activity.

Note: Logs are forwarded from Cisco Secure Email to your S3 bucket at 10-minute intervals.

Requirements

Before you begin

Steps

  1. Deploy a CloudFormation stack.
  2. Create an IAM policy.
  3. Create an IAM user.
  4. Create an access key.
  5. Configure log forwarding from Cisco Secure Email.

Step 1: Deploy a CloudFormation stack

  1. Sign in to the AWS console as an AWS user or IAM role that has AdministratorAccess or an equivalent IAM policy.

  2. Select the region where your S3 bucket was created.

    Arctic Wolf recommends using US West (Oregon) or US East (N. Virginia), known as us-west-2 and us-east-1 respectively, to ensure that all recommended AWS services are available. See Supported AWS regions for a complete list of supported regions.

  3. Navigate to the CloudFormation Service page.

  4. Click Create stack > With new resources.

  5. Select these options:

    • Prepare template: Template is ready
    • Template source: Amazon S3 URL

  6. In a new tab, go to the Arctic Wolf® Unified Portal to retrieve the AWS stack link.

  7. Copy and paste the Simple Storage Service (S3) Logs stack link from the Arctic Wolf Portal into the Amazon S3 URL text box, and then click Next.

  8. Under Specify stack details, enter a name in the Stack name field for the S3 log forwarding stack, such as ArcticWolf-S3LogForward.

    Note: This name helps you identify resources that are created to collect and forward security events to Arctic Wolf, so make sure that it is unique.

  9. Under Parameters, in the bucketName field, enter the name of the S3 bucket that will be used to store logs.

  10. If the bucket is used for:

    • Storing security logs only — Leave the prefixPath field empty.

    • Multiple purposes — In the prefixPath field, enter a prefix to monitor for new objects, such as <myservice>/logs.

      This ensures that only relevant data is forwarded to Arctic Wolf, controlling your AWS costs.

      Note: When entering the prefixPath value, do not include a trailing slash (/).

  11. If the logs sent to the bucket:

    • Use standard SSE-S3 encryption — Leave the kmsKey field empty.

    • Have SSE-KMS encryption that encrypts them with a KMS key — Enter the ARN of the KMS key in the kmsKey field.

      For more information about the KMS key ARN, see Configure GuardDuty to Export Logs in the Amazon GuardDuty Monitoring configuration guide.

  12. Click Next to proceed to the Configure stack options page. Do not make any changes on this page.

  13. Click Next to proceed to the Review page.

  14. On the Review page, read the Capabilities section and select all checkboxes to proceed.

    Note: The stack is not created correctly if you do not select all checkboxes.

  15. Click Submit to create the stacks. CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process generally takes 5 to 10 minutes to complete.

  16. Verify that the base stack and all nested stacks have the status CREATE_COMPLETE to confirm that the CloudFormation stacks were successfully created.

Step 2: Create an IAM policy

  1. In the AWS IAM console, under Access Management, click Policies.

  2. Click Create policy.

  3. Under Select a service, search for and select S3.

  4. Under Access level, expand the Write section.

  5. Select the PutObject checkbox.

  6. Under Resources, click Specific.

  7. Click Add Arn.

  8. Click either Visual or Text, and enter the Amazon Resource Name (ARN) of the objects in the S3 bucket that will be used to store Cisco Secure Email logs. Because s3:PutObject is an object-level action, the ARN must include an object path: in the Visual form, enter the bucket name and allow any object name; in the Text form, enter arn:aws:s3:::<bucket-name>/*. A bare bucket ARN (arn:aws:s3:::<bucket-name>) does not grant PutObject on any object, and the push from Cisco Secure Email is denied.

    Tip: For more information about the ARN format, see Amazon S3 resources.

  9. Click Add ARNs.

  10. Click Next.

  11. Fill in any details about the policy as needed, such as a description or tags.

  12. Click Create Policy.
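The console steps above produce a single-statement policy. As an added example, not Arctic Wolf or Cisco code, the Python below builds the equivalent policy document, enforces the object-level Resource ARN that s3:PutObject needs, and simulates whether a given PutObject would be allowed, so you can see that a bare bucket ARN grants nothing and that a prefix-scoped ARN keeps the Cisco credentials out of the rest of the bucket. The bucket name example-ciscoemail-logs and the prefix ciscoemail/logs are constructed placeholders; the prefix option is an assumption for buckets shared with other data, and this page itself only configures a bucket name on the Cisco side.

```python
"""Least-privilege IAM policy for the Cisco Secure Email S3 push.

Added example for this page; it is not Arctic Wolf or Cisco code. The bucket
name and prefix used below are constructed placeholders.
"""
import json
import re

# S3 bucket naming rules: 3-63 chars of lowercase letters, digits, dots, hyphens.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def object_arn(bucket: str, prefix: str = "") -> str:
    """Object-level ARN that s3:PutObject must be scoped to.

    PutObject acts on objects, so a Resource of the bare bucket ARN
    (arn:aws:s3:::bucket) grants nothing; the ARN needs an object path.
    The prefix follows the stack's prefixPath rule: no leading or trailing slash.
    """
    if not _BUCKET_RE.match(bucket):
        raise ValueError(f"invalid S3 bucket name: {bucket!r}")
    if prefix.startswith("/") or prefix.endswith("/"):
        raise ValueError("prefix must not start or end with '/'")
    return f"arn:aws:s3:::{bucket}/{prefix + '/' if prefix else ''}*"


def build_put_only_policy(bucket: str, prefix: str = "") -> dict:
    """Policy document equivalent to the console steps in Step 2."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CiscoSecureEmailS3Push",
                "Effect": "Allow",
                "Action": "s3:PutObject",
                "Resource": object_arn(bucket, prefix),
            }
        ],
    }


def _statements(policy: dict) -> list:
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _iam_match(pattern: str, value: str) -> bool:
    """IAM wildcard matching: '*' matches any run of characters (including '/'),
    '?' matches one character; everything else is literal."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def allows_put(policy: dict, bucket: str, key: str) -> bool:
    """Simulate Allow evaluation for s3:PutObject on one object.

    Only Allow statements are considered; the page's policy has no Deny.
    """
    target = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_iam_match(a, "s3:PutObject") for a in _as_list(stmt.get("Action", []))):
            continue
        if any(_iam_match(r, target) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


def is_least_privilege(policy: dict) -> bool:
    """True when at least one Allow exists and every Allow grants only
    s3:PutObject on object ARNs inside a single named bucket."""
    found = False
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        found = True
        if _as_list(stmt.get("Action", [])) != ["s3:PutObject"]:
            return False
        for res in _as_list(stmt.get("Resource", [])):
            # bucket part must be literal; there must be an object path after it
            if not re.fullmatch(r"arn:aws:s3:::[^/*?]+/.+", res):
                return False
    return found


if __name__ == "__main__":
    # Constructed placeholder bucket name; substitute your own.
    print(json.dumps(build_put_only_policy("example-ciscoemail-logs"), indent=2))
```

Paste the printed document into the Text tab of the policy editor, or save it and use it with the CLI; allows_put is a local approximation of IAM evaluation for this one action and does not replace the IAM policy simulator for policies with conditions or Deny statements.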

Step 3: Create an IAM user

Note: You can use an existing IAM user and attach the policy that you created in Create an IAM policy. However, Arctic Wolf suggests creating a new IAM user to make sure that the user only has the permissions needed to configure Cisco Secure Email monitoring.

  1. In the AWS IAM console, under Access Management, click Users.
  2. Click Add users.
  3. Enter a name for the IAM user.
  4. Click Next.
  5. Select Attach policies directly and choose the policy that you created in Create an IAM policy.
  6. Click Next.
  7. Click Create user.

Step 4: Create an access key

  1. In the AWS IAM console, click Users.

  2. Click Preferences.

  3. Click the Access key ID toggle to the on position.

  4. Click Confirm.

  5. On the Users page, click the user that you created in Create an IAM user.

  6. Click Security credentials.

  7. In the Access keys section, click Create access key.

  8. Under Use case, select Other.

  9. Click Next.

  10. Enter a description for the access key.

  11. Click Create access key.

  12. Make a note of the access key ID and the secret access key for later use in Configure log forwarding from Cisco Secure Email.

    Note: You cannot view the secret access key again once you leave this screen. This is a long-lived credential that an external service will hold, so store it only where the Cisco configuration and your secrets store need it, and create a new key and delete the old one if it is ever exposed.

Step 5: Configure log forwarding from Cisco Secure Email

  1. Sign in to the Cisco Secure Email Cloud Gateway.
  2. Select System Administration > Log Subscriptions.
  3. For each Cisco Secure Email client that you want Arctic Wolf to monitor:
    1. If you:
      • Have a log subscription configured — Select the name of the subscription from the list.
      • Do not have a log subscription configured — Click Add Log Subscription.
    2. Select Consolidated Event Logs from the Log Type dropdown.
    3. In the Log Fields section, select all Available Log Fields and click Add >.
    4. Select AWS S3 Push for the Retrieval Method.
    5. Enter the name of the S3 bucket to forward logs to.
    6. Enter the access key ID and secret access key from Create an access key.
    7. Click Submit to save your changes.
  4. Click Commit Changes > Submit Changes.
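After committing the subscription, confirm that objects actually arrive in the bucket rather than waiting for an alert to prove it. The Python below is an added example, not Arctic Wolf or Cisco code: it lists the bucket and reports the age of the newest object and the longest gap between consecutive objects, using the 10-minute push interval stated above as the yardstick. It assumes boto3 and credentials that hold s3:ListBucket on the bucket (the push user from Step 3 has only PutObject, so use a different principal). The object keys in the sample listing are constructed placeholders and do not reflect Cisco's real key naming.

```python
"""Check that Cisco Secure Email log objects are still arriving in the bucket.

Added example for this page; not Arctic Wolf or Cisco code. The page states
that logs are forwarded at 10-minute intervals, so the newest object's age
and the largest gap between consecutive objects are the two things to watch.
Object keys below are constructed placeholders, not Cisco's real naming.
"""
from datetime import datetime, timedelta, timezone

PUSH_INTERVAL = timedelta(minutes=10)


def list_objects(bucket: str, prefix: str = "") -> list:
    """Live listing via boto3, returned as (key, last_modified) pairs.

    Assumption: boto3 is installed and the active AWS credentials hold
    s3:ListBucket on the bucket. boto3 is imported lazily so the pure
    functions below run offline.
    """
    import boto3

    paginator = boto3.client("s3").get_paginator("list_objects_v2")
    pairs = []
    for page in paginator.paginate(Bucket=bucket, Prefix=prefix):
        for obj in page.get("Contents", []):
            pairs.append((obj["Key"], obj["LastModified"]))
    return pairs


def push_status(listing: list, now: datetime, prefix: str = "", missed_intervals: int = 3) -> dict:
    """Summarise delivery health from a listing of (key, last_modified).

    ok is False when nothing exists under prefix or the newest object is
    older than missed_intervals pushes (default 30 minutes). largest_gap_s
    is the longest silence between consecutive objects, so a past outage
    (uncommitted subscription, replaced access key) stays visible even
    after delivery resumes. Ages are returned in whole seconds.
    """
    times = sorted(t for k, t in listing if k.startswith(prefix))
    if not times:
        return {"ok": False, "count": 0, "newest_age_s": None, "largest_gap_s": None}
    newest_age = now - times[-1]
    largest_gap = max((b - a for a, b in zip(times, times[1:])), default=timedelta(0))
    return {
        "ok": newest_age <= PUSH_INTERVAL * missed_intervals,
        "count": len(times),
        "newest_age_s": int(newest_age.total_seconds()),
        "largest_gap_s": int(largest_gap.total_seconds()),
    }


def sample_listing() -> list:
    """Constructed listing: six pushes 10 minutes apart, a 40-minute gap, then one more push."""
    start = datetime(2023, 9, 13, 9, 0, tzinfo=timezone.utc)
    offsets = [0, 10, 20, 30, 40, 50, 90]  # minutes after start
    return [(f"ciscoemail/logs/push-{i:02d}.log", start + timedelta(minutes=m))
            for i, m in enumerate(offsets)]


def sample_now(plus_minutes: int = 0) -> datetime:
    """Constructed 'now' of 10:35 UTC, five minutes after the last sample push."""
    return datetime(2023, 9, 13, 10, 35, tzinfo=timezone.utc) + timedelta(minutes=plus_minutes)


if __name__ == "__main__":
    # Offline demonstration on the constructed listing.
    print(push_status(sample_listing(), sample_now(), prefix="ciscoemail/logs"))
    # Live check (uncomment and set your bucket name):
    # print(push_status(list_objects("example-ciscoemail-logs"), datetime.now(timezone.utc)))
```

For a live check pass a timezone-aware now (datetime.now(timezone.utc)), because the LastModified values boto3 returns are timezone-aware and comparing them with a naive datetime raises TypeError.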

Next steps