Skip to content

Cisco Stealthwatch

Cisco Stealthwatch


Outsmart emerging threats in your digital business with industry-leading machine learning and behavioral modeling provided by Secure Network Analytics (formerly Stealthwatch). Know who is on the network and what they are doing using telemetry from your network infrastructure. Detect advanced threats and respond to them quickly. Protect critical data with smarter network segmentation. And do it all with an agentless solution that grows with your business.

Product Details

Vendor URL: Cisco Stealthwatch

Product Type: Log aggregator

Product Tier: Tier II

Integration Method: CEF or JSON

Integration URL: Configuration Guides

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: Custom

Expected Normalization Rate: 90%


UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
alarm_desc security_result.summary
Alarm_ID metadata.product_log_id
category metadata.product_event_type
ClientBytes network.sent_bytes
ClientIP principal.ip
ClientMAC principal.mac
ClientPort principal.port
description security_result.description
dest_ip target.ip
details security_result.description
dst target.hostname
FC_IP observer.ip
FC_Name observer.hostname principal.location.country_or_region
host.ipAddress target.ip
hostBytes network.sent_bytes
hostname principal.hostname
hostname target.hostname
intermediary_app intermediary.application
intermediary_host intermediary.hostname
ips_when_created target.ip
merit security_result.confidence_details
parent_pid principal.process.parent_pid target.location.country_or_region
peerBytes network.received_bytes
priority security_result.priority_details
Protocol network.ip_protocol
remote_ip target.ip
reportName metadata.product_event_type
retrieve_observations metadata.url_back_to_product
rules_matched security_result.rule_name
ServerBytes network.received_bytes
ServerIP target.ip
ServerMAC target.mac
ServerPort target.port
source_info.external_connections additional.external_connections
source_info.internal_connections additional.internal_connections
source_info.ips principal.ip security_resut.about.ip
source_info.namespace principal.namespace
src principal.hostname
src_ip principal.ip
summary metadata.product_event_type
text metadata.description
type metadata.product_event_type
username princiipal.user.userid
UserName principal.user.user_display_name
vendor_severity security_result.severity
vendor_severity security_result.severity_details

Product Event Types

summary UDM Event Classification
all others when target blank GENERIC_EVENT
logged out USER_LOGOUT
Login successful USER_LOGIN

Log Sample

<131>Jan 12 23:31:01 hostname1 Stealthwatch[233]: CEF:0|Cisco|Stealthwatch|7.3.2|Notification:40|Suspect Data Loss|4|msg=Indicates that an inside host has uploaded an abnormal amount of data to Outside hosts.:Observed 22.28M bytes. Expected 9.69M bytes, tolerance of 75 allows up to 21.25M bytes. dst= src= start=2023-01-12T23:15:00Z end=2023-01-12T23:20:00Z externalId=id cs3=groupname cs3Label=SourceHostGroups cs4= cs4Label=TargetHostGroups cs5=url1 cs5Label=Source_URL cs6=url2 cs6Label=Target_URL dpt= proto= dvchost=hostname2 dvc= dvcpid=133 deviceExternalId=hostname2 cs2= / / / cs2Label=label spt= destinationTranslatedAddress= destinationTranslatedPort= sourceTranslatedAddress= sourceTranslatedPort=

Sample Parsing

metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Cisco"
metadata.product_name = "Stealthwatch"
metadata.product_event_type = "Suspect Data Loss"
principal.ip = ""
target.ip = ""
intermediary.hostname = "hostname1" = "233"
intermediary.application = "Stealthwatch"
observer.hostname = "hostname2"
observer.ip = ""
security_result.action_details = "Alert"

Parser Alerting

This product currently does not have any Parser-based Alerting


Coming Soon