Cisco Defense Orchestrator

Report Groups

Defense Orchestrator provides several reports that you can use to analyze the impact of your security policies on the traffic going through your ASA FirePOWER or Firepower Threat Defense (FTD) device. Report groups cannot be generated for the traffic running through ASA devices. 

Users can create report groups which bundle together a time period, one or more report types, and one or more devices. You can create many report groups in Defense Orchestrator and compare the results between them over different time periods. 

Important: The data used in traffic-related reports is collected from access control rules that enable connection or file logging, and other security policies that allow logging. The reports do not reflect traffic that matches rules for which no logging is enabled. Ensure that you configure your rules to log the information that matters to you. 

Defense Orchestrator polls devices every hour to collect logging information that can be used in the reports. 

Prerequisites

To add report groups to the reports dashboard of an ASA FirePOWER device, you must ensure that Device Reporting is enabled when you onboard the device. See Onboard an ASA FirePOWER Module for more information. 

Add Report Groups to the Reports Dashboard

  1. From the Defense Orchestrator navigation bar, click Reports.
  2. Click Add Report Group and the device for which you are adding the report group.
  3. Select the time range for the reports: Last 24 Hours, Last 7 Days, or Last 30 Days. If you want, click Customize and move the blue circles on the timeline to adjust the time period for the report.
  4. Click Add Device to select the device(s) to be added to the report group.
  5. Click Add Report to select the report type(s) you want to add to the report group.
  • Top Applications: This is an FTD device and FirePOWER services module report. This report shows the top applications, such as HTTP, that are being used in the network. The information is available only for connections that are inspected. Connections are inspected if they match an "allow" rule, or a "block" rule that uses criteria other than zone, address, and port. Thus, application information is not available if the connection is trusted or blocked prior to hitting any rule that requires inspection. You can further specify that this report display information from all connections, allowed connections, denied connections, or by data usage. Only a Firepower Basic license is required.
  • Top Attackers: This is an FTD device and FirePOWER services module report. This report shows the top source of connections that trigger intrusion events. You must configure intrusion policies on access rules to see this information. Intrusion policies require a Firepower Threat license. 
  • Top Destinations: This is an FTD device and FirePOWER services module report. Shows the top destinations for network traffic. The initial access rule can provide some insight into traffic, including policies, destinations, and security zones. You can further specify that this report display information from all connections, allowed connections, denied connections, or by data usage. Only a Firepower Basic license is required.
  • Top Targets: This is an FTD device and FirePOWER services module report. Shows the top targets of intrusion events, which are the victims of an attack. You must configure intrusion policies on access rules to see this information. Intrusion policies require a Firepower Threat license. 
  • Top Threats: This is an FTD device and FirePOWER services module report. Shows the top intrusion rules that have been triggered. You must configure intrusion policies on access rules to see this information. Intrusion policies require a Firepower Threat license. 
  • Web Categories: This is a FirePOWER device report. This report shows which categories of web sites, such as gambling, advertisements, or search engines and portals, are being used in the network, based on the categorization of web sites visited. Use this information to help identify the top categories visited by users and to determine whether your access control policies are sufficiently blocking undesired categories.
  6. Within each report, you can select how the information is displayed by clicking the blue bar-graph button.
  7. To remove a report from the report group, click the "X" icon in the upper-right corner of the report.