We have just completed a client's full upgrade from old ASAs to new 5555-X with full features of FireSIGHT and FirePOWER on ASA. While everything is working as designed, we have one issue:
This client wanted a single unit to do his URL/AMP and IPS, and Sourcefire can do this, but the reporting is horrible.
They had used the Ironport WSA report and loved it, and Sourcefire is nowhere close to this clean interface.
My question: has anyone produced templates or come close to unified reporting between Ironport WSA and the Sourcefire URL features?
Or know of any Cisco or 3rd party tool that can migrate the reports?
For us the most popular requests have been:
1) Total browsing time per user with breakdown by Business Relevance vs Non-Business
2) Bandwidth Saved by Blocking
3) Blocked by Web Reputation
4) Top Users Blocked or Warned Transactions
These are just some of the most popular reports that our clients are asking us to mimic in FireSIGHT now.
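The four reports listed above (and the per-user hit detail asked about later in the thread) are all simple aggregations over connection events once those events are in a database or log store. The following is an added example, not code from the original post or from Cisco, showing how such a report set can be built in Python over exported connection events. The input format (whitespace-separated key=value records with quoted values) is an assumption used for illustration, as are the field names `action`, `reason`, `relevance`, `bytes` and `url`; `first_packet_sec` and `last_packet_sec` are the connection_log fields mentioned later in the thread. The sample events are constructed. "Bandwidth saved" is approximated as the byte size recorded for blocked transactions, which is an assumption about what the export carries.

```python
"""Report set over exported connection events (added example, hypothetical format)."""
import shlex
from collections import Counter, defaultdict

# Constructed sample export: one connection event per line, key=value pairs,
# values with spaces quoted. Field names are assumptions for this example.
SAMPLE_EVENTS = """\
ts=1420070400 user=alice src=10.0.0.11 url=http://intranet.example/wiki action=Allow relevance="Very High" first_packet_sec=1420070400 last_packet_sec=1420070520 bytes=120000
ts=1420070600 user=alice src=10.0.0.11 url=http://video.example/clip action=Allow relevance=Low first_packet_sec=1420070600 last_packet_sec=1420071200 bytes=9000000
ts=1420070700 user=bob src=10.0.0.12 url=http://malware.example/x action=Block reason="URL Reputation" first_packet_sec=1420070700 last_packet_sec=1420070700 bytes=250000
ts=1420070800 user=bob src=10.0.0.12 url=http://games.example/play action=Warn relevance=Low first_packet_sec=1420070800 last_packet_sec=1420071100 bytes=500000
ts=1420070900 user=carol src=10.0.0.13 url=http://badrep.example/dl action=Block reason="URL Reputation" first_packet_sec=1420070900 last_packet_sec=1420070900 bytes=1000000
ts=1420071000 user=bob src=10.0.0.12 url=http://crm.example/app action=Allow relevance=High first_packet_sec=1420071000 last_packet_sec=1420071300 bytes=300000
"""

# Business relevance values treated as "business" browsing (assumption).
BUSINESS_RELEVANCE = {"Very High", "High"}
INT_FIELDS = ("ts", "first_packet_sec", "last_packet_sec", "bytes")


def parse_events(text):
    """Parse key=value records into dicts; numeric fields become ints."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = {}
        for token in shlex.split(line):  # shlex honours quoted values
            key, _, value = token.partition("=")
            rec[key] = value
        for key in INT_FIELDS:
            rec[key] = int(rec.get(key, 0))
        events.append(rec)
    return events


def browsing_time_by_user(events):
    """Report 1: seconds of allowed browsing per user, business vs non-business."""
    out = defaultdict(lambda: {"business": 0, "non_business": 0})
    for e in events:
        if e.get("action") != "Allow":
            continue  # blocked/warned connections carry no browsing time
        duration = e["last_packet_sec"] - e["first_packet_sec"]
        bucket = "business" if e.get("relevance") in BUSINESS_RELEVANCE else "non_business"
        out[e["user"]][bucket] += duration
    return dict(out)


def bandwidth_saved_by_blocking(events):
    """Report 2: bytes recorded for blocked transactions (approximation)."""
    return sum(e["bytes"] for e in events if e.get("action") == "Block")


def blocked_by_web_reputation(events):
    """Report 3: count of blocks whose reason is the URL reputation verdict."""
    return sum(1 for e in events
               if e.get("action") == "Block" and e.get("reason") == "URL Reputation")


def top_blocked_or_warned(events, n=10):
    """Report 4: users ranked by blocked or warned transactions."""
    counts = Counter(e["user"] for e in events if e.get("action") in ("Block", "Warn"))
    return counts.most_common(n)


def hits_for_user(events, user, start_ts, end_ts):
    """Per-user detail: web hits (by URL) for one user inside a time window."""
    return sorted((e for e in events
                   if e["user"] == user and start_ts <= e["ts"] <= end_ts),
                  key=lambda e: e["ts"])


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("browsing time:", browsing_time_by_user(evs))
    print("bytes saved by blocking:", bandwidth_saved_by_blocking(evs))
    print("blocked by reputation:", blocked_by_web_reputation(evs))
    print("top blocked/warned:", top_blocked_or_warned(evs))
    for e in hits_for_user(evs, "alice", 1420070000, 1420071000):
        print(e["ts"], e["url"], e["action"])
```

The same functions work unchanged over rows pulled from a database fed by an eStreamer client, as long as the row dicts carry the same keys; the summary and the per-user detail are produced from one event set, which is what the "summary then drill-down" request later in the thread asks for.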
Is it possible to get a simple report that indicates total web hits (via url not IP) where we can set the user we want to look at? It would be great to have a summary of all web hits in a given time period and then have a detailed report that shows the detail (timestamp, etc) of those web hits.
HR or a manager could use this information to determine the heavy internet users and their usage, create a baseline of their activity, match to others for comparison, and have very useful data to correct behavior, change the access control policy when needed to limit certain web activities based on behaviors, etc.
The report I achieved (after a lot of trials) was about the detailed activity of a user for a period of time.
But my problem is that Sourcefire databases are really small, and in my case they collect event information for only a couple of days. I would also need an external 3rd-party server to export the events database for creating extensive reports.
The screenshots show the way I configured the report. In the "Fields" you can select the most interesting information you need.
Hi, about exporting the data.
I was reading a little about an add-on for Splunk, but the information is not clear to me; I have never worked with Splunk and it seems not easy.
Anyway, if I were able to export data to Splunk, I'm not sure I could use it in the way I'm interested in for long-term detailed reporting. I cannot find any clear information.
I tried the Splunk route. It is really centered around correlating intrusion data. At the moment I am unable to actually see connection logs in the same fashion I see them on the appliance. Also, the users seem to be showing up as a numerical ID, not the actual username.
On top of that this is a community supported plugin so neither Cisco nor Splunk are going to be of much help.
I'm at the point where I might have to either pay someone to write me a custom report or look at a supplementary solution just for monitoring and reporting on traffic.
It's a real shame considering that all of the data is there.
I just keep getting the runaround. The update still hasn't been issued, but there is apparently a hotfix if you call Cisco that will get you the username field in text. However, from what I have been told, that is not for the latest version of FireSight, which has the rate limiting feature I have been looking for.
The move to CX and ultimately FirePower has been polarizing to say the least. Every time I get one thing that I was looking for I have to sacrifice something that I had.
We also tried the Splunk route, but the syslog messages do not provide all the same fields as the connection_log table. They don't provide first_packet_sec, last_packet_sec, and many others. It would be better suited for reporting if they provided more fields in the syslog messages. I've attached an example of one.
You can customize the search by editing the "Search" field; take a look at the Captura-1 and Captura-2 screenshots uploaded. And you can choose any of the details as if you were in "Analysis --> Connection --> Events" (username, initiator IP, application...).
You can also edit the "Fields" to show only the information you are interested in.
Coming from Cisco, the only way to archive data to a database is going to be using a custom eStreamer client. There is an SDK written in Perl, which Cisco supports, which you can use to develop one if you are savvy enough.
I used this open source Python library (https://github.com/spohara79/estreamer) and wrote an MSSQL plugin for it (included in the example code). If you're capable of modifying Python code, this is a good option. We use it now.
If Cisco could provide more templates that would be awesome.
Also, the virtual appliance version of FireSight is limited to 10M events.
This is way too small. I'm able to review 2 weeks of events before the old events are purged.
I need a way to track user activity for reporting. IP Address to User Name reports that go back more than one day would be a great start.