
Stealthwatch Concern Indexes and Actions

Level 1

I am trying to do a proof of concept of setting up alerts using the concern index in Stealthwatch. I'm doing a simple test for the POC. I set up an alert to have Stealthwatch increase the concern index of a test PC if it receives ICMP packets. I'd then like to throttle the ICMPs or maybe shut down the port if SW has the CI of a device go above some threshold. I have the alert set up in Stealthwatch - just not sure how I apply the actions mentioned above.

Say, for example, I want to throttle traffic to/from a PC if I detect the pings in my example. Can I have Stealthwatch issue some command on the device (the switch it is connected to, or maybe the router providing the SVI for the subnet)? Or can SW simply alert me, and I have to use some other mechanism to take action?

1 Reply

Cisco Employee

Hi WannabCCIE,


SNA itself provides the ability to automatically respond or share alarms by using the Response Manager.

The Response Management module allows you to configure how SNA responds to alarms.

Cisco Stealthwatch Response Management



In your scenario, you can achieve shutdown on the SW port:

- (ISE + SNA): By triggering the SNA Response Management "ISE ANC policy" action, based on triggered CI alarms as the condition in the rule.

- (ISE + SNA + SecureX): Same action as above, but this time SecureX can send actions/instructions/commands to ISE based on the workflow created to identify a CI alarm that can be received by SecureX through a webhook.


Cisco SNA and SecureX Integration (Guide)
About Securex Webhooks



You can also learn more about Secure Network Analytics (formerly known as Stealthwatch) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources to view the latest schedule for upcoming sessions, as well as useful references, e.g. online guides, FAQs, etc.


