Stealthwatch Cloud API V3 Source ID Question

conard.richardson — Thu, 06 Jan 2022 21:40:30 GMT

https://developer.cisco.com/docs/stealthwatch/cloud/#!stealthwatch-cloud-api-version-3

When you pull back an observation, the source id of the object is what? I assumed it was a hostname ID, but that doesn't seem to line up. I said that because it doesn't find the hostname for the IDs I'm feeding it.

I feel like I must be missing something. What is that source id? And how do I query to get the actual source information, like the hostname and IP address.

For example, given this returned observation object ID, what is that source ID 38?

{
"id": 9831,
"time": "2022-01-06T11:25:36Z",
"creation_time": "2022-01-06T11:25:36Z",
"source": 38,
"observation_name": "New External Server",
"resource_name": "new_external_server_observation_v2",
"end_time": "2022-01-06T11:25:36Z",
"external_ip": "91.189.91.39",
"new_tag": "WebServer",
"new_ports": "80, 443, 8000, 8080, 8443",
"bytes_in": 10111562,
"bytes_out": 392364,
"external_ip_country_code": "US",
}

Re: Stealthwatch Cloud API V3 Source ID Question

conard.richardson — Tue, 11 Jan 2022 22:02:17 GMT

Got the answer. Had to reach out through our Cisco partner contacts. For anybody else that might come across this. The documentation is incomplete:

This should be the id of the device that was the source of the device.

You can get the device info from https://<tenant-id>.obsrvbl.com/v2/#/device/summary/?id=<source>, where <source> is the device id you get from the observation.

This https://<tenant-id>.obsrvbl.com/api/v3/sources/devicesource/<source> will provide a rich set of info.

topic Stealthwatch Cloud API V3 Source ID Question in Security Analytics

Stealthwatch Cloud API V3 Source ID Question

Re: Stealthwatch Cloud API V3 Source ID Question