Skip to content

Cisco Stealthwatch

Cisco Stealthwatch

About

Outsmart emerging threats in your digital business with industry-leading machine learning and behavioral modeling provided by Secure Network Analytics (formerly Stealthwatch). Know who is on the network and what they are doing using telemetry from your network infrastructure. Detect advanced threats and respond to them quickly. Protect critical data with smarter network segmentation. And do it all with an agentless solution that grows with your business.

Product Details

Vendor URL: Cisco Stealthwatch

Product Type: Log aggregator

Product Tier: Tier II

Integration Method: JSON

Integration URL: Configuration Guides

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: Custom

Expected Normalization Rate: 90%

Data Label: CISCO_STEALTHWATCH

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
alarm_desc security_result.summary
Alarm_ID metadata.product_log_id
category metadata.product_event_type
ClientBytes network.sent_bytes
ClientIP principal.ip
ClientMAC principal.mac
ClientPort principal.port
description security_result.description
dest_ip target.ip
details security_result.description
dst target.hostname
FC_IP observer.ip
FC_Name observer.hostname
host.country principal.location.country_or_region
host.hostGroupNames about.group.group_display_name
host.ipAddress target.ip
hostBytes network.sent_bytes
hostname principal.hostname
hostname target.hostname
intermediary_app intermediary.application
intermediary_host intermediary.hostname
intermediary_pid intermediary.process.pid
ips_when_created target.ip
merit security_result.confidence_details
parent_pid principal.process.parent_pid
peer.country target.location.country_or_region
peer.hostGroupNames about.group.group_display_name
peerBytes network.received_bytes
pid principal.process.pid
priority security_result.priority_details
process principal.resource.name
Protocol network.ip_protocol
remote_ip target.ip
reportName metadata.product_event_type
retrieve_observations metadata.url_back_to_product
rules_matched security_result.rule_name
ServerBytes network.received_bytes
ServerIP target.ip
ServerMAC target.mac
ServerPort target.port
source_info.cloud_provider principal.cloud.environment
source_info.external_connections additional.external_connections
source_info.internal_connections additional.internal_connections
source_info.ips principal.ip
source_info.name security_resut.about.ip
source_info.namespace principal.namespace
src principal.hostname
src_ip principal.ip
summary metadata.product_event_type
text metadata.description
type metadata.product_event_type
username princiipal.user.userid
UserName principal.user.user_display_name
vendor_severity security_result.severity
vendor_severity security_result.severity_details

Product Event Types

summary UDM Event Classification
all others NETWORK_CONNECTION
all others when target blank GENERIC_EVENT
logged out USER_LOGOUT
Login successful USER_LOGIN
timed out USER_UNCATEGORIZED

Log Sample

2022-05-10T15:00:06-07:00 host1 AuditLogger[4948]:  svc-token-authority/1,4004,2022-05-10T15:00:05TZD+0000,user1|10.10.1.1,10.10.1.1,1,The user has logged out

Sample Parsing

metadata.event_timestamp = "2022-05-10T15:00:20.402058Z"
metadata.event_type = "USER_LOGOUT"
metadata.vendor_name = "Cisco"
metadata.product_name = "Cisco Stealthwatch"
metadata.product_event_type = "The user has logged out "
metadata.ingested_timestamp = "2022-05-10T15:00:20.402058Z"
principal.user.userid = "user1"
principal.process.pid = "4004"
principal.process.parent_pid = "1"
principal.resource.name = "svc-token-authority"
target.ip = "10.10.1.1"
target.asset.ip = "10.10.1.1"
intermediary.hostname = "host1"
intermediary.process.pid = "4948"
intermediary.application = "AuditLogger"
extensions.auth.type = "MACHINE"

Parser Alerting

This product currently does not have any Parser-based Alerting

Rules

Coming Soon