Any good guides/tips to creating usable reports in FMC? Network Risk, Attacks and Advanced Malware reports are cute - but so unhelpful it hurts. Maybe it's configuration-based, but when an attack report says there is one relevant attack, then later in the report says there were network Trojan events and one DoS event, it contradicts itself. FMC is great for the protection it provides - but its correlation to the business is hard to decipher.
For reporting and correlation of events on a Firepower Management Center (FMC), you may find the following two documents useful:
If the events are generated by the Advanced Malware Protection (AMP) system, then you can find some directions from this document as well. Depending on your support entitlement level, you may get direct assistance from the Cisco TAC for false positive analysis. In that case, you will be requested to provide the related packets (PCAP files) to the Cisco TAC. This document provides instructions on how to collect them.
As a side note, Cisco also offers advanced services to prepare, manage, detect, and respond to any network threats. The following programs provide that level of in-person assistance:
Hoping the above links are helpful.
I think the challenge is that internal to Cisco we are seeing this only as a security device and focusing on the IPS/sec event reporting, but 90% of the time it's NetOps doing NGFW admin and they don't need to see all that. They need to create widgets, dashboards, reports for visibility and troubleshooting the network and connectivity etc. Those are the tips and tricks we are lacking.
Love Cisco for its documentation...and hate Cisco for its documentation. FMC has plenty of dashboards, and even though it can be very confusing drilling into an event to find what you need, it is there - it's the reporting/compliance side that falls WAY short. The canned reports make circular references, references to things they don't list at all, and don't make it easy for a Compliance office to see "100 attacks happened today, 100 attacks were blocked, click here for more detail". When they state 100 attacks happened and 98 were blocked, the natural question is "What wasn't?" and then you're lost trying to find them...
Can we have other templates that give an executive type of report but go deeper than the 3 assessments already available?
Is there at least a way that we could modify existing templates?
I have a client that deals with different firewalls (customers' firewalls) and needs help with report generation and has a specific requirement.
>> When they fetch an intrusion report, they just get the intrusion rule ID for every intrusion attempt but not the CVE-ID associated with it, so the client has to manually add the CVE-ID for each intrusion/vulnerability using the intrusion policy's database (Snort database in the intrusion policy).
That has become a hectic task, mapping every vulnerability to its CVE-ID, so the user just needs a solution which can map the event to its CVE-ID.
>> The second query he has is: if the above-mentioned functionality is not possible, is there any way he can import the whole vulnerability database and CVE-IDs from FMC to use later?
Sir, your response would be appreciated.
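Added example, not from this thread or from Cisco: a small Python script that joins an intrusion-event export with the CVE references carried in the Snort rule text, so the SID-to-CVE mapping the client does by hand becomes a lookup. It assumes you can obtain the rules in Snort text syntax and an event export with a `sid` column; the rules, SIDs, CVE numbers, column names and event rows below are constructed samples, not real signatures.

```python
import csv
import io
import re

# Constructed sample rules in Snort text syntax (hypothetical SIDs and CVEs).
# Only the "sid:" and "reference:cve," options are parsed.
SNORT_RULES = r"""
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB probe"; reference:cve,2099-0001; reference:cve,2099-0002; classtype:attempted-admin; sid:9000001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web scan"; classtype:web-application-attack; sid:9000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"EXAMPLE DNS anomaly"; reference:cve,2099-0003; sid:9000003; rev:2;)
"""

# Constructed sample of an intrusion-event export. The column names are an
# assumption; align them with whatever the FMC report actually emits.
EVENT_CSV = """timestamp,gid,sid,message,action
2024-01-01T10:00:00Z,1,9000001,EXAMPLE SMB probe,Blocked
2024-01-01T10:05:00Z,1,9000002,EXAMPLE web scan,Would have blocked
2024-01-01T10:07:00Z,1,9000003,EXAMPLE DNS anomaly,Blocked
2024-01-01T10:09:00Z,1,9000099,Unknown rule,Blocked
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
CVE_RE = re.compile(r"reference:\s*cve,\s*(\d{4}-\d{4,});", re.IGNORECASE)


def build_sid_to_cves(rules_text):
    """Map each Snort SID to the sorted list of CVE IDs its rule references."""
    mapping = {}
    for line in rules_text.splitlines():
        sid_match = SID_RE.search(line)
        if not sid_match:
            continue  # blank lines, comments, or rules without a sid option
        cves = ["CVE-" + m for m in CVE_RE.findall(line)]
        mapping[int(sid_match.group(1))] = sorted(set(cves))
    return mapping


def enrich_events(event_csv, sid_to_cves):
    """Return the event rows with a 'cve' column added (empty when none is known)."""
    rows = []
    for row in csv.DictReader(io.StringIO(event_csv)):
        # A SID missing from the rule set, or a rule with no CVE reference,
        # yields an empty string rather than an error.
        row["cve"] = ";".join(sid_to_cves.get(int(row["sid"]), []))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in enrich_events(EVENT_CSV, build_sid_to_cves(SNORT_RULES)):
        print(row["timestamp"], row["sid"], row["action"], row["cve"] or "-")
```

Events whose rule carries no CVE reference (or whose SID is absent from the rule set) keep an empty `cve` field, which is itself useful for the "what wasn't mapped" question when building the report.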