https://community.cisco.com/t5/security-analytics/create-alert-base-on-host-and-peer-comminucation/m-p/4273989#M620 <P>Hi All,</P><P>&nbsp;</P><P>I have 2 devices and I would like to create an alert on Stealthwatch when there is another communication except between those 2 devices.</P><P>let say device A and Device B should communicate</P><P>and if Device A tries to communicate with Device C I would like to get an alert.</P><P>&nbsp;</P><P>does anyone know how to create such an alert in Stealthwatch?</P> Sun, 17 Jan 2021 12:09:08 GMT DmitryVolk83628 2021-01-17T12:09:08Z https://community.cisco.com/t5/security-analytics/create-alert-base-on-host-and-peer-comminucation/m-p/4273989#M620 <P>Hi All,</P><P>&nbsp;</P><P>I have 2 devices and I would like to create an alert on Stealthwatch when there is another communication except between those 2 devices.</P><P>let say device A and Device B should communicate</P><P>and if Device A tries to communicate with Device C I would like to get an alert.</P><P>&nbsp;</P><P>does anyone know how to create such an alert in Stealthwatch?</P> Sun, 17 Jan 2021 12:09:08 GMT https://community.cisco.com/t5/security-analytics/create-alert-base-on-host-and-peer-comminucation/m-p/4273989#M620 DmitryVolk83628 2021-01-17T12:09:08Z https://community.cisco.com/t5/security-analytics/create-alert-base-on-host-and-peer-comminucation/m-p/4274578#M622 <P>Hello,</P> <P>you can use either the relationship policies or the custom security events to track segmentation violation based on the specific use case you have. Please look at the Stealthwatch use cases if you want a list of examples.</P> <P>&nbsp;</P> <P>Hope this helps.</P> <P>&nbsp;</P> <P>Dario</P> Mon, 18 Jan 2021 14:12:28 GMT https://community.cisco.com/t5/security-analytics/create-alert-base-on-host-and-peer-comminucation/m-p/4274578#M622 dcavalla 2021-01-18T14:12:28Z https://community.cisco.com/t5/security-analytics/create-alert-base-on-host-and-peer-comminucation/m-p/4275002#M623 <P>&nbsp;</P><P>In version 7.3.0, in the SMC GUI go to Configure / Policy Management, and then select at the top right&nbsp; Create New Policy / Custom Security Event</P><P>Give it a Name, and optionally provide a Description.</P><P>Change the Status to ON</P><P>Click the plus sign +</P><P>Select from the dropdown list:&nbsp; &nbsp; &nbsp;</P><P>NOTES:</P><P>&nbsp; &nbsp;1) Items in the dropdown list described as "Subject" are the SOURCE items, and the ones described as "Peer" are the DESTINATION items,</P><P>&nbsp; &nbsp; 2) An item can be either a Host Group, a Host, or even Users, Devices, etc</P><P>&nbsp; &nbsp; 3) You can add one or more items as Subject or Peer.</P><P>STRATEGY: Create a Host Group "HGroup01" that includes device A AND device B, or you can reference the devices by separately. And then add into the Subject Host Group items like "Inside Hosts", "Outside Hosts", and any other Host Group you want to alarm that communicates with PEER "HGroup01" or the device A or device B referenced separately.</P><P>&nbsp;</P><P>At the end if device A and B are referenced separately the Policy should read something similar :&nbsp; "When any subject host group communicates with device A or device B, an alarm is raised"</P><P>&nbsp;</P><P>You may consider creating another Policy where the Subjects are the devices A and B, and the Peers are the&nbsp;"Inside Hosts" and "Outside Hosts"</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 19 Jan 2021 04:23:17 GMT https://community.cisco.com/t5/security-analytics/create-alert-base-on-host-and-peer-comminucation/m-p/4275002#M623 juanpablorivera 2021-01-19T04:23:17Z