Cisco Stealthwatch¶
About¶
Outsmart emerging threats in your digital business with industry-leading machine learning and behavioral modeling provided by Secure Network Analytics (formerly Stealthwatch). Know who is on the network and what they are doing using telemetry from your network infrastructure. Detect advanced threats and respond to them quickly. Protect critical data with smarter network segmentation. And do it all with an agentless solution that grows with your business.
Product Details¶
Vendor URL: Cisco Stealthwatch
Product Type: Log aggregator
Product Tier: Tier II
Integration Method: CEF or JSON
Integration URL: Configuration Guides
Log Guide: Sample Logs by Log Type
Parser Details¶
Log Format: Custom
Expected Normalization Rate: 90%
Data Label: CISCO_STEALTHWATCH
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| alarm_desc | security_result.summary |
| Alarm_ID | metadata.product_log_id |
| category | metadata.product_event_type |
| ClientBytes | network.sent_bytes |
| ClientIP | principal.ip |
| ClientMAC | principal.mac |
| ClientPort | principal.port |
| description | security_result.description |
| dest_ip | target.ip |
| details | security_result.description |
| dst | target.hostname |
| FC_IP | observer.ip |
| FC_Name | observer.hostname |
| host.country | principal.location.country_or_region |
| host.hostGroupNames | about.group.group_display_name |
| host.ipAddress | target.ip |
| hostBytes | network.sent_bytes |
| hostname | principal.hostname |
| hostname | target.hostname |
| intermediary_app | intermediary.application |
| intermediary_host | intermediary.hostname |
| intermediary_pid | intermediary.process.pid |
| ips_when_created | target.ip |
| merit | security_result.confidence_details |
| parent_pid | principal.process.parent_pid |
| peer.country | target.location.country_or_region |
| peer.hostGroupNames | about.group.group_display_name |
| peerBytes | network.received_bytes |
| pid | principal.process.pid |
| priority | security_result.priority_details |
| process | principal.resource.name |
| Protocol | network.ip_protocol |
| remote_ip | target.ip |
| reportName | metadata.product_event_type |
| retrieve_observations | metadata.url_back_to_product |
| rules_matched | security_result.rule_name |
| ServerBytes | network.received_bytes |
| ServerIP | target.ip |
| ServerMAC | target.mac |
| ServerPort | target.port |
| source_info.cloud_provider | principal.cloud.environment |
| source_info.external_connections | additional.external_connections |
| source_info.internal_connections | additional.internal_connections |
| source_info.ips | principal.ip |
| source_info.name | security_resut.about.ip |
| source_info.namespace | principal.namespace |
| src | principal.hostname |
| src_ip | principal.ip |
| summary | metadata.product_event_type |
| text | metadata.description |
| type | metadata.product_event_type |
| username | princiipal.user.userid |
| UserName | principal.user.user_display_name |
| vendor_severity | security_result.severity |
| vendor_severity | security_result.severity_details |
Product Event Types¶
| summary | UDM Event Classification |
|---|---|
| all others | NETWORK_CONNECTION |
| all others when target blank | GENERIC_EVENT |
| logged out | USER_LOGOUT |
| Login successful | USER_LOGIN |
| timed out | USER_UNCATEGORIZED |
Log Sample¶
<131>Jan 12 23:31:01 hostname1 Stealthwatch[233]: CEF:0|Cisco|Stealthwatch|7.3.2|Notification:40|Suspect Data Loss|4|msg=Indicates that an inside host has uploaded an abnormal amount of data to Outside hosts.:Observed 22.28M bytes. Expected 9.69M bytes, tolerance of 75 allows up to 21.25M bytes. dst=0.0.0.0 src=10.10.10.2 start=2023-01-12T23:15:00Z end=2023-01-12T23:20:00Z externalId=id cs3=groupname cs3Label=SourceHostGroups cs4= cs4Label=TargetHostGroups cs5=url1 cs5Label=Source_URL cs6=url2 cs6Label=Target_URL dpt= proto= dvchost=hostname2 dvc=10.10.0.2 dvcpid=133 deviceExternalId=hostname2 cs2= / / / cs2Label=label spt= destinationTranslatedAddress= destinationTranslatedPort= sourceTranslatedAddress= sourceTranslatedPort=
Sample Parsing¶
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Cisco"
metadata.product_name = "Stealthwatch"
metadata.product_event_type = "Suspect Data Loss"
principal.ip = "10.10.10.2"
target.ip = "0.0.0.0"
intermediary.hostname = "hostname1"
intermediary.process.pid = "233"
intermediary.application = "Stealthwatch"
observer.hostname = "hostname2"
observer.ip = "10.10.0.2"
security_result.action_details = "Alert"
Parser Alerting¶
This product currently does not have any Parser-based Alerting