Configure Cisco Secure Email monitoring

Arctic Wolf® can monitor Cisco Secure Email® logs and alert you about suspicious or malicious activity.

Note:
  • Logs are forwarded from Cisco Secure Email to your Amazon Web Services (AWS)® Simple Storage Service (S3) bucket at 10-minute intervals.

  • There is no additional cost from Arctic Wolf to configure AWS monitoring for Cisco Secure Email.

These resources are required:

  • Access to the AWS Management Console

  • An Amazon Web Services (AWS)® user or AWS Identity and Access Management (IAM) role with administrator permissions or an equivalent IAM policy. This user must have permissions to create, update, and delete these stacks and dependent resources:

    • CloudFormation stacks

    • CloudTrail trails

    • Amazon CloudWatch Logs log groups

    • IAM roles and managed policies

    • Lambda functions and custom resources

    • Amazon Kinesis Data Firehose delivery streams

    • S3 buckets

    • SNS topics and topic policies

  • An AWS S3 bucket to store Cisco Secure Email logs.

    Note: Contact your CST to verify that Arctic Wolf is processing logs from your Cisco Secure Email environment.

Obtain your AWS account number

Note: If you have already configured AWS monitoring with Arctic Wolf, proceed to Create the base stack.
  1. Sign in to the AWS Management Console.
  2. In the menu bar, click the question mark icon, and then click Support Center.
  3. Find your Account number in the navigation pane.
  4. Copy the Account number value, and then save it to a safe, encrypted location to provide to Arctic Wolf later.

Provide AWS credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Cisco Secure Email (S3 Ingestion).
  5. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.
    • Account ID — Enter the AWS account number.
    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

  6. Click Test and submit credentials.

Create the base stack

  1. Complete Configure CloudTrail monitoring with no existing trails.
  2. When the stack has a status of CREATE_COMPLETE, search for and click CloudTrail.
  3. Select the newly created trail, and then delete it.
    The trail was only required to deploy Cisco Secure Email configurations, and it is no longer needed.

Launch the S3 CloudFormation stack

  1. Sign in to the AWS Management Console.
  2. Navigate to CloudFormation.
  3. On the CloudFormation page, click Create stack > With new resources (standard).
  4. On the Create stack page, configure these settings:
    • Prepare template — Select Choose an existing template.
    • Template source — Select Amazon S3 URL.
  5. In a new browser tab, go to Arctic Wolf Unified Portal, and search for and copy the Simple Storage Service (S3) logs link.
  6. On the Create stack page, paste the Simple Storage Service (S3) logs link into the Amazon S3 URL field.
  7. Click Next.
  8. In the Specify stack details section, in the Stack name field, enter a name for the S3 log forwarding stack. For example, ArcticWolf-S3LogForward.
    Note: This name helps you identify resources that are created to collect and forward security events to Arctic Wolf. Make sure it is unique.
  9. In the Parameters section, in the bucketName field, enter the name of the S3 bucket used to save logs.
  10. If the bucket is used for:
    • Storing security logs only — Keep the prefixPath field empty.
    • Multiple purposes — In the prefixPath field, enter a prefix to monitor for new objects. For example, myservice/logs.

      Monitoring only this prefix lowers AWS costs, because only applicable data is forwarded to Arctic Wolf.

      Note: When entering the prefixPath value, do not include a trailing slash (/).
  11. Click Next.
  12. On the Review page, read the Capabilities section.
  13. Select all checkboxes.
    Note: You must select all checkboxes to create the stack correctly.
  14. Click Submit.

    CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process usually takes 5-10 minutes to complete.

  15. Wait until the base stack and all nested stacks have a status of CREATE_COMPLETE before proceeding to the next step, to make sure that the CloudFormation stacks were successfully created.
  16. Contact your CST to verify that Arctic Wolf is processing logs from your S3 bucket.

Confirm subscription to the Arctic Wolf SNS topic

Note: Only complete these steps for the primary region.
  1. Sign in to the AWS Management Console, and then click Services > All services > Simple Notification Service.
  2. In the navigation menu, click Topics.
  3. In the filter field, enter AWNSNSTopic to find the corresponding topic.
  4. In the Name column, click the link for the Arctic Wolf SNS topic.
  5. On the Subscriptions page, review the subscription Status. If the value is:
    • Confirmed — The SNS subscription is successfully confirmed.
    • Pending:
      1. Select the checkbox for the subscription, and then click Request confirmation.

        A message appears, indicating that the subscription confirmation was requested.

      2. Wait a few minutes, and then refresh the page.

      3. If the Status continues to display Pending, contact your CST for assistance. Include your 12-digit AWS account number.

Create an IAM policy

  1. Sign in to the AWS IAM console.
  2. In the Access Management section, click Policies.
  3. Click Create policy.
  4. In the Select a service section, select S3.
  5. In the Access level section, click Write.
  6. Select the PutObject checkbox.
  7. In the Resources section, click Specific.
  8. Click Add Arn.
  9. Click either Visual or Text, and then enter the Amazon Resource Name (ARN) of the S3 bucket used to store Cisco Secure Email logs.
    Tip: For more information, see Amazon S3 resources.
  10. Click Add ARNs.
  11. Click Next.
  12. Enter details about the policy as needed. For example, a description or tags.
  13. Click Create Policy.
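The console steps above produce a customer-managed policy equivalent to the JSON document built below. This Python is an added example, not Arctic Wolf's or AWS's own code: it generates that document for a bucket name you supply (the bucket name here is a placeholder) and checks that the result stays least-privilege, meaning only s3:PutObject and a resource scoped to one bucket. Because s3:PutObject is an object-level action, the resource is the bucket ARN with an object pattern appended, which is what the visual editor's Add ARN dialog writes for you.

```python
import json

# Placeholder bucket name, constructed for this example; substitute your own.
EXAMPLE_BUCKET = "example-cisco-secure-email-logs"

# The only action the Cisco Secure Email AWS S3 Push retrieval method needs.
ALLOWED_ACTIONS = {"s3:PutObject"}


def build_put_only_policy(bucket_name: str, prefix: str = "") -> dict:
    """Return the policy document the console steps produce: S3, Write access
    level, PutObject only, scoped to one bucket (optionally one key prefix)."""
    if bucket_name.startswith("arn:") or "/" in bucket_name:
        raise ValueError("pass the bare bucket name, not an ARN or a path")
    prefix = prefix.strip("/")  # no leading/trailing slash, as with prefixPath
    key_pattern = f"{prefix}/*" if prefix else "*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CiscoSecureEmailPutOnly",
                "Effect": "Allow",
                "Action": "s3:PutObject",
                # Object ARN form: arn:aws:s3:::<bucket>/<key pattern>
                "Resource": f"arn:aws:s3:::{bucket_name}/{key_pattern}",
            }
        ],
    }


def policy_json(policy: dict) -> str:
    """Pretty-print the document for pasting into the console's JSON editor."""
    return json.dumps(policy, indent=2)


def least_privilege_violations(policy: dict) -> list:
    """List every way an Allow statement grants more than the forwarder needs:
    any action other than s3:PutObject, or a resource not tied to a bucket."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action not in ALLOWED_ACTIONS:
                problems.append(f"unexpected action {action}")
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for resource in resources:
            if resource == "*" or resource.startswith("arn:aws:s3:::*"):
                problems.append(f"resource not scoped to a bucket: {resource}")
    return problems


if __name__ == "__main__":
    doc = build_put_only_policy(EXAMPLE_BUCKET, "myservice/logs")
    print(policy_json(doc))
    print("violations:", least_privilege_violations(doc))
```

Run least_privilege_violations against the policy you actually attached (the IAM console shows the JSON on the policy's summary page) to confirm nobody widened it to s3:* or Resource "*" later; an empty list is the expected result.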

Create an IAM user

Note: You can attach the policy that you created in Create an IAM policy to an existing IAM user. However, Arctic Wolf suggests creating a new IAM user to make sure that the user only has the permissions needed to configure Cisco Secure Email monitoring.
  1. Sign in to the AWS IAM console.
  2. In the Access Management section, click Users.
  3. Click Add users.
  4. Enter a name for the IAM user.
  5. Click Next.
  6. Select Attach policies directly, and then select the policy that you created in Create an IAM policy.
  7. Click Next.
  8. Click Create user.

Create an access key

  1. In the AWS IAM console, click Users.
  2. Click Preferences.
  3. Click the Access key ID toggle to the on position.
  4. Click Confirm.
  5. On the Users page, select the user that you created in Create an IAM user.
  6. Click Security credentials.
  7. In the Access keys section, click Create access key.
  8. Click Other.
  9. Click Next.
  10. Enter a description for the access key.
  11. Click Create access key.
  12. Copy the Access Key and Secret Access Key, and then save them to a safe, encrypted location to provide to Arctic Wolf later.
    Note: You cannot access these keys after you close this screen.

Configure log forwarding from Cisco Secure Email

  1. Sign in to Security Cloud Sign On.
  2. Click System Administration > Log Subscriptions.
  3. If necessary, configure a log subscription for each Cisco Secure Email client that you want Arctic Wolf to monitor:
    1. Click Add Log Subscription.
    2. In the Log Type list, select Consolidated Event Logs.
    3. In the Log Name field, enter a name for the log directory.
    4. In the Log Fields section, select all fields in the Available Log Fields list, and then click Add >.
    5. In the Retrieval Method section, select the AWS S3 Push option, and then configure these settings:
      • S3 Bucket Name — Enter the name of the S3 bucket to forward logs to.
      • S3 Access Key — Enter the access key from Create an access key.
      • S3 Secret Key — Enter the secret key from Create an access key.
    6. Click Submit.
  4. On the Log Subscriptions page, select the log subscriptions that you want Arctic Wolf to monitor.
  5. Click Commit Changes > Submit Changes.
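Once the changes are committed, Cisco Secure Email pushes consolidated event logs into the bucket at 10-minute intervals, and the CloudFormation stack forwards new objects under prefixPath to Arctic Wolf. Before contacting your CST, you can confirm on your own side that objects are actually arriving. The Python below is an added example, not Arctic Wolf's or Cisco's code: it scans a bucket listing for delivery gaps and for a stale latest object. The listing, key names and timestamps are constructed sample data; the list_bucket_objects helper shows how to fetch a real listing with boto3's list_objects_v2 and is the only part that assumes AWS credentials.

```python
from datetime import datetime, timedelta, timezone

# Cisco Secure Email pushes a new object roughly every 10 minutes; allow some
# slack before a gap counts as evidence that the subscription, access key,
# or bucket policy is broken. Both values are assumptions for this example.
EXPECTED_INTERVAL = timedelta(minutes=10)
GRACE = timedelta(minutes=20)

# Constructed sample listing: (key, last_modified) pairs as list_objects_v2
# would return them. The 00:20 -> 01:05 gap is deliberate; the "other/" object
# is outside prefixPath and must be ignored.
_T = lambda h, m: datetime(2024, 1, 1, h, m, tzinfo=timezone.utc)  # noqa: E731
SAMPLE_LISTING = [
    ("myservice/logs/consolidated_event.20240101T0000.s", _T(0, 0)),
    ("myservice/logs/consolidated_event.20240101T0010.s", _T(0, 10)),
    ("myservice/logs/consolidated_event.20240101T0020.s", _T(0, 20)),
    ("myservice/logs/consolidated_event.20240101T0105.s", _T(1, 5)),
    ("myservice/logs/consolidated_event.20240101T0115.s", _T(1, 15)),
    ("other/backup.tar", _T(1, 20)),
]


def _under_prefix(listing, prefix):
    """Keep only objects under prefixPath (compared without a trailing slash,
    matching the CloudFormation parameter), sorted by modification time."""
    prefix = prefix.strip("/")
    want = f"{prefix}/" if prefix else ""
    return sorted(((k, t) for k, t in listing if k.startswith(want)),
                  key=lambda kt: kt[1])


def delivery_gaps(listing, prefix="", expected=EXPECTED_INTERVAL, grace=GRACE):
    """Return (previous_key, next_key, gap) for each pair of consecutive
    objects whose spacing exceeds the expected interval plus grace."""
    objs = _under_prefix(listing, prefix)
    gaps = []
    for (prev_key, prev_t), (key, t) in zip(objs, objs[1:]):
        gap = t - prev_t
        if gap > expected + grace:
            gaps.append((prev_key, key, gap))
    return gaps


def delivery_is_stale(listing, prefix="", now=None,
                      max_age=EXPECTED_INTERVAL + GRACE):
    """True when nothing has landed under the prefix recently, or ever."""
    objs = _under_prefix(listing, prefix)
    if not objs:
        return True
    now = now or datetime.now(timezone.utc)
    return now - objs[-1][1] > max_age


def list_bucket_objects(bucket, prefix=""):
    """Fetch a real listing. boto3 is imported lazily so the checks above run
    without it; this assumes AWS credentials are configured in the environment."""
    import boto3
    key_prefix = f"{prefix.strip('/')}/" if prefix else ""
    paginator = boto3.client("s3").get_paginator("list_objects_v2")
    out = []
    for page in paginator.paginate(Bucket=bucket, Prefix=key_prefix):
        for obj in page.get("Contents", []):
            out.append((obj["Key"], obj["LastModified"]))
    return out


if __name__ == "__main__":
    for prev_key, key, gap in delivery_gaps(SAMPLE_LISTING, "myservice/logs"):
        print(f"gap of {gap} between {prev_key} and {key}")
    print("stale:", delivery_is_stale(SAMPLE_LISTING, "myservice/logs", now=_T(2, 30)))
```

Against a live bucket, replace SAMPLE_LISTING with list_bucket_objects(bucket, prefix) and run the two checks from a scheduled job; a stale result or a recurring gap is worth raising with your CST alongside the 12-digit account number, since it points at the Cisco side of the pipeline rather than the CloudFormation stack.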