Where to find those vulnerable browsers from Firepower report?

db1 · ‎06-16-2020

Hi, My weekly Network Risk Report from Firepower shows me the information below. How do I go about actually finding the 3 hosts running IE10 or 6 hosts running Firefox 35? Where do I click? I spent 20 minutes looking and cannot find this info.

Marvin Rhoads · ‎06-16-2020

Go under Analysis > Connections > Events. Switch to the "Table View of Connection Events".

Then search for only events with a browser name in the client field.

Like this:

In the results window then go in and tweak the many available fields down to the few you care about. Tell it to sort - first by client and then by version. You may want to tweak the maximum results and time window to suit as well. Here I am selecting only time of first packet, Initiator IP, Client and Client Version:

Click OK and then Save and Generate the report. It should look something like this (addresses redacted for public display):

You may need to iterate with your search excluding the current versions. Note that discovery of client versions is passive so you don't always get 100% accurate results but it's pretty good.

db1 · ‎06-18-2020

Thanks, It looks like that is what i am looking for, but I cannot confirm yet because searching for Internet Explorer events for the last week is taking 10 minutes already ;-)

Marvin Rhoads · ‎06-18-2020

If you're able to upgrade your FMC to 6.6 you will find it is much faster at searches - there's a new database engine under the hood (monetdb).

If you're running a VM they do increase the memory required quite a bit though - 28 GB is the new requirement.