I also could use some help. We are wanting to have a weekly report that would include the following:

1) level 1 IOC's

2) Malware seen on network

3) Security intelligence events.

thanks

-mikgruff

Same situation here. I need to be able to run reports on 12-18 months worth of data.   

We finally got everything patched on the FireSight side and I now have the reports and retention that I need in Splunk using the eStreamer plugin from Splunkbase. It took my senior engineer with no Splunk experience about 1 workday to create a report showing website traffic associated to Active Directory users. 

If you go that route Splunk is cake to set up. eStreamer requires Linux but if you can follow directions you don't need any real experience with the OS. 

We are paying about 8k a year for 10GB of daily logs, we average about 6. 

Thanks for the update.

Good to know it can be done but too bad it's not 'out of the box' with FirePOWER Management Center. This request is a common one that customers have.

Can you share how many connection events does your 6 GB of daily logs equate to on the FMC side? Are you running FMC as a VM?

3773568 rows of connection events equated to 3.748GB of logs. 

We run FMC as a VM. I had the highest end FMC physical appliance quoted out and it did not hit my retention goals. 

It would be nice if it were an option from Cisco. Even if event archival and reporting came at a premium we would have paid for it. 

I am hoping there will be in 6.3, it will be a big plus for us also.

[@nrunge1@cvtc.edu]  ,

Thanks for that info. It's a great data point.

I am hearing similar desires from my customers and will continue to press the issue with Cisco. 

I spent time getting JDBC connection established with Firepower. I am using Crystal Reports and the data that I query on comes in to Crystal reports horrible to say the least. I don't understand why Cisco doc would point me in direction of Crystal Reports when from my initial experience I am finding to be quite worthless and garbage. 

Is there any guide that you followed, or any particular setup instructions you have?  Or maybe can you export any reports that others can utilize?

Sorry Splunk noob here, so I dont really know anything about how to use it at this point.

Personally, the two I would like to do more than anything, are:

1) time spent on various websites, per user

2) top x users spending time online, and how much time was spent by them

I am not sure if this is even possible, as it seems to be connection based for FirePOWER in the reports I have seen, but what we used in the past (websense) was essentially when a connection was made, it determined that the users was there for up to 3 minutes, unless another connection was made, or something along those lines.

These are the same reports we need as well. It's really a shame they don't exist. There is no field which records browsing time

I have these requirements as well.  My supervisor would like to see a user report that details how long an end user spent on something like Facebook or Twitter, etc. during their workday.