Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
585
Views
5
Helpful
1
Replies

Stealthwatch Concern Indexes and Actions

wannabCCIE
Level 1
Level 1

‎08-24-2022 12:21 PM

I am trying to proof of concept setting up alerts using concern index in stealthwatch.  I'm doing a simple test for POC.  I setup an alert to have stealthwatch increase the concern index of a test PC if it receives ICMP packets.  I'd then like to throttle the ICMPs or maybe shutdown the port if SW has the CI of a device go above some threshold.  I have the alert setup in stealthwatch - just not sure how I apply the actions mentioned above.

Say for example i want to throttle traffic - to/from a PC if I detect the pings, in my example, - can i have stealthwatch issue some command on the device - switch it is connected to - or maybe the router providing the SVI for the subnet?  Or can SW simply alert me and i have to use some other mechanism to take action?  

Labels:
0 Helpful
1 Reply 1

srigovi2
Cisco Employee
Cisco Employee

‎10-10-2022 08:29 AM

Hi WannabCCIE ,

 

SNA itself provides the ability to automatically respond or share alarms by using the Response Manager.

The Response Management  module allows you to configure how SNA responds to alarms.

Cisco Stealthwatch Response Management

 

 

In your scenario, you can achieve shutdown on SW port :

- (ISE + SNA): By triggering SNA Response Management "ISE ANC policy " action based on triggered CI alarms as the condition in the rule.

- (ISE + SNA + Securex): Same action as above but this time Securex can send actions/instructions/commands to ISE based on the workflow created to identify a CI alarm that can be received by Securex through Webhook.

 

Cisco SNA and SecureX Integration (Guide)
About Securex Webhooks

 

-----------------------------------------

You can also learn more about Secure Network Analytics (formerly known as Stealthwatch) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493

to view the latest schedule for upcoming sessions, as well as useful references, e.g. online guides, FAQs etc.

 

Thanks,
G.Srinivasan

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card