Hello,

Yes, it's possible to monitor changes to Firepower rules and policies. Firepower Management Center (FMC) logs these events, and you can forward them to Splunk for monitoring.

To achieve this, you'll need to enable the FMC to send audit log events to your Splunk instance. Here's a high-level overview of the steps you should follow:

1. Configure Splunk to receive syslog messages from FMC. You can do this by setting up a new data input in Splunk for UDP or TCP, depending on your preference. Make a note of the port number you choose for this input.

2. In the FMC, navigate to System ) Integration ) External Logging. Click on the "Add External Log" button.

3. In the "Add External Log" window, configure the following settings:
- Name: Enter a name for the external log configuration.
- Syslog Server: Enter the IP address or hostname of your Splunk instance.
- Port: Enter the port number you chose in step 1.
- Protocol: Select UDP or TCP, matching your choice in step 1.
- Facility: Choose a syslog facility (e.g., Local0).
- Type: Select "Audit Log".

4. Click "Save" to create the new external log configuration. FMC will now send audit log events to your Splunk instance.

5. In Splunk, you may want to create custom searches, reports, or alerts based on the audit log data to monitor changes to Firepower rules and policies specifically.

With this setup, you'll be able to monitor changes to Firepower rules and policies in Splunk using the data forwarded from FMC.

Please let me know if you need any further assistance or clarification.

Cisco Virtual Engineer