FTD Pipeline Design

Pipeline design for ingesting, transforming, and routing Cisco FTD/FMC logs to Microsoft Sentinel.

FTD logs reach Monad via syslog only. Monad does not have a native eStreamer connector, so all FTD data comes through syslog forwarding from FMC.

CHLA FTD Environment

Components

| Component   | Role                        | Log Method                                   |
|-------------|-----------------------------|----------------------------------------------|
| FMC         | Firepower Management Center | Syslog forwarding (aggregates all FTD logs)  |
| FTD Sensors | Firewall/IPS sensors        | Logs sent to FMC, then forwarded via syslog  |

FTD Log Categories

| Category              | Description                      | Security Value | Volume    |
|-----------------------|----------------------------------|----------------|-----------|
| Connection Events     | Allow/deny decisions for traffic | MEDIUM         | VERY HIGH |
| Intrusion Events      | IPS/Snort detections             | CRITICAL       | LOW       |
| Malware Events        | AMP file disposition             | CRITICAL       | LOW       |
| File Events           | File type detection              | MEDIUM         | MEDIUM    |
| Security Intelligence | IP/URL/DNS blacklist hits        | HIGH           | LOW       |
| Health Events         | Device health alerts             | LOW            | LOW       |

Syslog Message Format

FTD syslog messages use the Cisco ASA-style `%FTD-<severity>-<message ID>:` prefix, followed by comma-separated `Key: value` pairs:

```
%FTD-1-430002: EventPriority: High, DeviceUUID: uuid,
AccessControlRuleName: Block-Malware, AccessControlRuleAction: Block,
SrcIP: 10.50.10.100, DstIP: 203.0.113.50, SrcPort: 52341, DstPort: 443,
Protocol: tcp, IngressInterface: inside, EgressInterface: outside,
...
```

Two parsing traps: the first pair (`EventPriority`) sits on the same segment as the `%FTD-...:` header, and values are free text, so a URL value contains `: ` and a rule name may contain `, `.

Key Fields

| Field                              | Description                                                                                                                             |
|------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|
| %FTD-N-NNNNNN                      | Syslog severity (N, 0-7) and message ID. 430001 = intrusion event, 430002/430003 = connection start/end, 430004 = file event, 430005 = file malware event |
| AccessControlRuleAction            | Allow, Block, Trust, Monitor                                                                                                            |
| SrcIP / DstIP                      | Source and destination IPs                                                                                                              |
| IngressInterface / EgressInterface | Traffic direction                                                                                                                       |
| EventPriority                      | High, Medium, Low                                                                                                                       |
| IntrusionPolicy                    | IPS policy name (intrusion events)                                                                                                      |
| FileDisposition                    | Clean, Malware, Unknown (AMP events)                                                                                                    |

Transform Chain

Step 1: Parse Syslog

```json
{
  "operation": "jq",
  "arguments": {
    "query": ".message | capture(\"^.*?%FTD-(?<severity>[0-7])-(?<message_id>[0-9]+): (?<body>.*)$\") | {severity: .severity, message_id: .message_id, message: .body} + ([.body | split(\", \")[] | capture(\"^(?<k>[^:]+): (?<v>.*)$\") | {(.k): .v}] | add)"
  }
}
```

The query first peels the `%FTD-N-NNNNNN:` header off into `severity` and `message_id`. A plain `split(": ")` over the whole message would instead pair the key `%FTD-1-430002` with the value `EventPriority` and lose the priority, because the first pair shares a segment with the header. It then splits the body on `, ` and takes each key up to the first `:`, so values containing `: ` (URLs) stay intact, and it keeps the body as `message` so later routing conditions can still match on raw text. Two limits to keep in mind: a value that itself contains `, ` (a rule name with a comma) is cut at the comma and the tail segment, having no `: `, is silently dropped; and a line with no `%FTD-` header produces no output from `capture`, so guard or filter non-FTD syslog before this step if it shares the input.

Step 2: Normalize Field Names

Each line is a separate transform, applied in order:

```json
{"operation": "rename", "arguments": {"from": "SrcIP", "to": "source_ip"}}
{"operation": "rename", "arguments": {"from": "DstIP", "to": "destination_ip"}}
{"operation": "rename", "arguments": {"from": "SrcPort", "to": "source_port"}}
{"operation": "rename", "arguments": {"from": "DstPort", "to": "destination_port"}}
{"operation": "rename", "arguments": {"from": "AccessControlRuleAction", "to": "action"}}
```

Step 3: Add Metadata

```json
{"operation": "add", "arguments": {"key": "log_source", "value": "cisco-ftd"}}
{"operation": "timestamp", "arguments": {"key": "monad_ingest_time", "format": "rfc3339"}}
```

Step 4: Drop Noise

```json
{
  "operation": "drop_record_where_value_equal",
  "arguments": {
    "key": "action",
    "value": "Allow"
  }
}
```

This step matches on `action`, so it must run after the Step 2 rename; placed before it, the key does not exist yet and nothing is dropped. Dropping all Allow events is aggressive. Consider sampling instead for high-volume environments.

Routing Configuration

Route 1: Security Events → Analytics

```json
{
  "operator": "or",
  "conditions": [
    {"type": "equals", "key": "action", "value": "Block"},
    {"type": "key_exists", "key": "IntrusionPolicy"},
    {"type": "equals", "key": "FileDisposition", "value": "Malware"},
    {"type": "equals", "key": "EventPriority", "value": "High"},
    {"type": "contains", "key": "message", "value": "Security Intelligence"}
  ]
}
```

The `action` condition depends on the Step 2 rename, and the last condition matches on raw text, so it only fires if the parse step leaves a `message` field (the original line or its body) in the record. If Step 1 replaces the record with the parsed fields alone, match on a parsed field instead.

Route 2: All Events → Basic

```json
{
  "operator": "always",
  "conditions": []
}
```

Because this route is unconditional, events matched by Route 1 land in both outputs: Basic holds the complete record, Analytics the security subset.

FTD Event Types - Routing Matrix

| Event Type            | Security Value | Volume    | Route To           |
|-----------------------|----------------|-----------|--------------------|
| Connection Block      | HIGH           | Medium    | Analytics          |
| Connection Allow      | LOW            | Very High | Basic (or sample)  |
| Intrusion Event       | CRITICAL       | Low       | Analytics          |
| Malware Event         | CRITICAL       | Low       | Analytics          |
| File Event (clean)    | LOW            | Medium    | Basic              |
| Security Intelligence | HIGH           | Low       | Analytics          |
| Health Event          | LOW            | Low       | DROP or Basic      |
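The transform chain and the two routes above, mirrored in Python as an added example so the parsing and routing decisions can be checked offline before the config goes live. This is not Monad's code or a Cisco tool: Monad runs the jq/rename/route config, and this script only reproduces its decisions. It also implements the sampling alternative to Step 4 that the volume discussion suggests, keeping Allow events by a deterministic hash of `ConnectionID` rather than dropping them all. The sample lines, the host name `ftd-01`, the `ConnectionID` values and the 10% rate are constructed for this example; the field names are the ones shown in the message format section.

```python
"""Offline mirror of the FTD transform chain and routing rules (added example)."""
import hashlib
import re
from typing import Dict, List, Optional

# %FTD-<severity>-<message id>: <body>; anything before "%FTD-" (syslog PRI,
# timestamp, hostname) is ignored.
HEADER_RE = re.compile(r"^.*?%FTD-(?P<severity>[0-7])-(?P<msg_id>\d+): (?P<body>.*)$")
# One "Key: value" segment. The value runs to the end of the segment so a
# value that itself contains ": " (a URL, for instance) is not truncated.
PAIR_RE = re.compile(r"^(?P<key>[^:]+): (?P<value>.*)$")

# Step 2 of the transform chain: the same renames as the pipeline config.
RENAMES = {
    "SrcIP": "source_ip",
    "DstIP": "destination_ip",
    "SrcPort": "source_port",
    "DstPort": "destination_port",
    "AccessControlRuleAction": "action",
}
ALLOW_SAMPLE_RATE = 0.10  # volume strategy 3: keep 10% of Allow events (assumed rate)


def parse_ftd(line: str) -> Optional[Dict[str, str]]:
    """Step 1: split an FTD syslog line into a flat dict; None if it is not FTD."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    rec = {"severity": m["severity"], "message_id": m["msg_id"], "message": m["body"]}
    for segment in m["body"].split(", "):
        pair = PAIR_RE.match(segment)
        if pair:
            rec[pair["key"]] = pair["value"]
        # A segment without ": " is the tail of a value that contained ", "
        # (e.g. a rule name with a comma); it is skipped rather than mis-keyed.
    return rec


def normalize(rec: Dict[str, str]) -> Dict[str, str]:
    """Steps 2 and 3: rename fields and tag the source."""
    out = {RENAMES.get(k, k): v for k, v in rec.items()}
    out["log_source"] = "cisco-ftd"
    return out


def keep_allow(rec: Dict[str, str], rate: float = ALLOW_SAMPLE_RATE) -> bool:
    """Step 4 as sampling instead of a blanket drop of Allow events.

    Non-Allow records always pass. An Allow record is kept when a hash of its
    ConnectionID (or of the 5-tuple if that is missing) lands in the first
    `rate` share of 10,000 buckets. Hashing makes the decision stable across
    replays and retries, which a random draw would not be.
    """
    if rec.get("action") != "Allow":
        return True
    key = rec.get("ConnectionID") or "|".join(
        rec.get(f, "") for f in ("source_ip", "destination_ip", "source_port", "destination_port", "Protocol")
    )
    bucket = int(hashlib.sha256(key.encode()).hexdigest(), 16) % 10_000
    return bucket < int(rate * 10_000)


def is_security_event(rec: Dict[str, str]) -> bool:
    """Route 1 conditions, OR-ed exactly as in the routing config."""
    return (
        rec.get("action") == "Block"
        or "IntrusionPolicy" in rec
        or rec.get("FileDisposition") == "Malware"
        or rec.get("EventPriority") == "High"
        or "Security Intelligence" in rec.get("message", "")
    )


def route(line: str, rate: float = ALLOW_SAMPLE_RATE) -> List[str]:
    """Run one raw line through the chain; returns destinations ([] = dropped)."""
    parsed = parse_ftd(line)
    if parsed is None:
        return []
    rec = normalize(parsed)
    if not keep_allow(rec, rate):
        return []
    destinations = ["basic"]  # Route 2 ("always"): everything that survives
    if is_security_event(rec):
        destinations.insert(0, "analytics")
    return destinations


# Constructed sample lines for this example, not captured from a real FTD.
BLOCK_LINE = ("%FTD-1-430002: EventPriority: High, DeviceUUID: uuid, "
              "AccessControlRuleName: Block-Malware, AccessControlRuleAction: Block, "
              "SrcIP: 10.50.10.100, DstIP: 203.0.113.50, SrcPort: 52341, DstPort: 443, "
              "Protocol: tcp, IngressInterface: inside, EgressInterface: outside")
ALLOW_LINE = ("<134>Mar 3 2024 10:15:01 ftd-01 %FTD-6-430003: EventPriority: Low, "
              "ConnectionID: 41231, AccessControlRuleName: Allow, Web, "
              "AccessControlRuleAction: Allow, SrcIP: 10.50.20.7, DstIP: 198.51.100.9, "
              "SrcPort: 51000, DstPort: 443, Protocol: tcp, URL: https://example.com/path")
INTRUSION_LINE = ("%FTD-1-430001: EventPriority: Medium, IntrusionPolicy: Balanced, "
                  "SrcIP: 192.0.2.10, DstIP: 10.50.10.5, SrcPort: 4444, DstPort: 22, Protocol: tcp")

if __name__ == "__main__":
    for name, line in (("block", BLOCK_LINE), ("allow", ALLOW_LINE), ("intrusion", INTRUSION_LINE)):
        print(f"{name:10s} -> {route(line) or 'DROPPED'}")
```

Run it as-is to see the three sample lines routed. The `ALLOW_LINE` sample deliberately carries a rule name with a comma (`Allow, Web`) and a URL value: the parser keeps the URL whole and silently loses the `Web` tail, which is the behaviour to watch for when validating parsing in the testing checklist. Hash-based sampling is used instead of `random()` so that the same connection is kept or dropped the same way on every replay.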

FMC Syslog Configuration

Configure FMC to forward logs to Monad:

  1. Devices → Platform Settings → Syslog

  2. Add Monad syslog endpoint

  3. Select event types to forward:

    • Connection Events (be selective - high volume)

    • Intrusion Events

    • Malware Events

    • Security Intelligence Events

Consider using FMC’s built-in filtering to reduce volume before sending to Monad. Also check which path is actually in use: syslog configured under Devices → Platform Settings is pushed to and emitted by each FTD device itself, while FMC-sourced syslog is configured as an alert response on FMC. Firewall rules and any source filtering on the Monad endpoint must allow the real senders (each sensor, or FMC), not just the one named in the diagram.

Volume Considerations

FTD connection events can be extremely high volume. Strategies:

  1. FMC-side filtering - Only forward blocks, not allows

  2. Monad drop transform - Filter out allows in pipeline

  3. Sampling - Route 10% of allows to Basic tier

  4. Aggregation - (If Monad supports) Aggregate connection counts

Testing Checklist

  • Verify FMC syslog connectivity to Monad, from every device that actually emits syslog

  • Confirm message parsing extracts all fields, including EventPriority from the first segment and a URL value containing ": "

  • Check how a rule name containing ", " parses, since the tail after the comma is lost by a ", " split

  • Test intrusion event routing (should → Analytics)

  • Test malware event routing (should → Analytics)

  • Validate connection allow volume management

  • Confirm both outputs receive expected data (security events should appear in both Analytics and Basic)

Open Questions

  1. Volume estimation: What’s the connection event EPS from FTD?

  2. FMC filtering: Can we filter at FMC to reduce Monad load?

  3. eStreamer alternative: Should we push for native connector in future?