Cisco Stealthwatch¶
About¶
Outsmart emerging threats in your digital business with industry-leading machine learning and behavioral modeling provided by Secure Network Analytics (formerly Stealthwatch). Know who is on the network and what they are doing using telemetry from your network infrastructure. Detect advanced threats and respond to them quickly. Protect critical data with smarter network segmentation. And do it all with an agentless solution that grows with your business.
Product Details¶
Vendor URL: Cisco Stealthwatch
Product Type: Log aggregator
Product Tier: Tier II
Integration Method: JSON
Integration URL: Configuration Guides
Log Guide: Sample Logs by Log Type
Parser Details¶
Log Format: Custom
Expected Normalization Rate: 90%
Data Label: CISCO_STEALTHWATCH
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| alarm_desc | security_result.summary |
| Alarm_ID | metadata.product_log_id |
| category | metadata.product_event_type |
| ClientBytes | network.sent_bytes |
| ClientIP | principal.ip |
| ClientMAC | principal.mac |
| ClientPort | principal.port |
| description | security_result.description |
| dest_ip | target.ip |
| details | security_result.description |
| dst | target.hostname |
| FC_IP | observer.ip |
| FC_Name | observer.hostname |
| host.country | principal.location.country_or_region |
| host.hostGroupNames | about.group.group_display_name |
| host.ipAddress | target.ip |
| hostBytes | network.sent_bytes |
| hostname | principal.hostname |
| hostname | target.hostname |
| intermediary_app | intermediary.application |
| intermediary_host | intermediary.hostname |
| intermediary_pid | intermediary.process.pid |
| ips_when_created | target.ip |
| merit | security_result.confidence_details |
| parent_pid | principal.process.parent_pid |
| peer.country | target.location.country_or_region |
| peer.hostGroupNames | about.group.group_display_name |
| peerBytes | network.received_bytes |
| pid | principal.process.pid |
| priority | security_result.priority_details |
| process | principal.resource.name |
| Protocol | network.ip_protocol |
| remote_ip | target.ip |
| reportName | metadata.product_event_type |
| retrieve_observations | metadata.url_back_to_product |
| rules_matched | security_result.rule_name |
| ServerBytes | network.received_bytes |
| ServerIP | target.ip |
| ServerMAC | target.mac |
| ServerPort | target.port |
| source_info.cloud_provider | principal.cloud.environment |
| source_info.external_connections | additional.external_connections |
| source_info.internal_connections | additional.internal_connections |
| source_info.ips | principal.ip |
| source_info.name | security_resut.about.ip |
| source_info.namespace | principal.namespace |
| src | principal.hostname |
| src_ip | principal.ip |
| summary | metadata.product_event_type |
| text | metadata.description |
| type | metadata.product_event_type |
| username | princiipal.user.userid |
| UserName | principal.user.user_display_name |
| vendor_severity | security_result.severity |
| vendor_severity | security_result.severity_details |
Product Event Types¶
| summary | UDM Event Classification |
|---|---|
| all others | NETWORK_CONNECTION |
| all others when target blank | GENERIC_EVENT |
| logged out | USER_LOGOUT |
| Login successful | USER_LOGIN |
| timed out | USER_UNCATEGORIZED |
Log Sample¶
2022-05-10T15:00:06-07:00 host1 AuditLogger[4948]: svc-token-authority/1,4004,2022-05-10T15:00:05TZD+0000,user1|10.10.1.1,10.10.1.1,1,The user has logged out
Sample Parsing¶
metadata.event_timestamp = "2022-05-10T15:00:20.402058Z"
metadata.event_type = "USER_LOGOUT"
metadata.vendor_name = "Cisco"
metadata.product_name = "Cisco Stealthwatch"
metadata.product_event_type = "The user has logged out "
metadata.ingested_timestamp = "2022-05-10T15:00:20.402058Z"
principal.user.userid = "user1"
principal.process.pid = "4004"
principal.process.parent_pid = "1"
principal.resource.name = "svc-token-authority"
target.ip = "10.10.1.1"
target.asset.ip = "10.10.1.1"
intermediary.hostname = "host1"
intermediary.process.pid = "4948"
intermediary.application = "AuditLogger"
extensions.auth.type = "MACHINE"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon