cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
764
Views
10
Helpful
1
Replies

Stealthwatch Enterprise reporting API for Alarming Hosts

Hello,

My customer would like to retrieve the Alarming Hosts category data as well as the hosts after clicking the numbers on the category through API.

Screen Shot 2019-11-20 at 02.35.17.png

Which APIs are the right ones in the DevNet Stealthwatch Enterprise REST API?

https://developer.cisco.com/docs/stealthwatch/#!reporting-api-version-1

I see some there but I am not sure if they are the right ones and how to use them.

Screen Shot 2019-11-20 at 02.32.25.png

Any guidance?

1 ACCEPTED SOLUTION

Accepted Solutions
kywinter
Cisco Employee

The SMC uses the following endpoint to get the number of alarms for the alarm categories on the main Security Insights Dashboard: 

/sw-reporting/v1/tenants/{tenantId}/internalHosts/tags/{tagId}/alarms/{alarmTypeId}/trend/daily

It actually makes that call 11 times, one for each of the high-level alarm types displayed in that dashboard. The Tenant ID is the same as your domain ID. The tag ID (host group ID) used on the main Security Insights Dashboard is "1" to represent all of Inside Hosts. The alarm type IDs for the main 11 alarm categories are as follows:

  32 - High Concern Index
  15 - High Target Index
  45 - Data Exfiltration
  46 - Command & Control
  47 - Policy Violation
  51 - Recon
  52 - Data Hoarding
  53 - High DDoS Target Index
  54 - High DDoS Source Index
  56 - Exploitation
  57 - Anomaly

To get the list of IPs associated with those alarms, you can use the following call:

/sw-reporting/v1/tenants/{tenantId}/internalHosts/tags/{tagId}/alarms/topHosts

Let me know if you need more assistance. 

View solution in original post

1 REPLY 1
kywinter
Cisco Employee

The SMC uses the following endpoint to get the number of alarms for the alarm categories on the main Security Insights Dashboard: 

/sw-reporting/v1/tenants/{tenantId}/internalHosts/tags/{tagId}/alarms/{alarmTypeId}/trend/daily

It actually makes that call 11 times, one for each of the high-level alarm types displayed in that dashboard. The Tenant ID is the same as your domain ID. The tag ID (host group ID) used on the main Security Insights Dashboard is "1" to represent all of Inside Hosts. The alarm type IDs for the main 11 alarm categories are as follows:

  32 - High Concern Index
  15 - High Target Index
  45 - Data Exfiltration
  46 - Command & Control
  47 - Policy Violation
  51 - Recon
  52 - Data Hoarding
  53 - High DDoS Target Index
  54 - High DDoS Source Index
  56 - Exploitation
  57 - Anomaly

To get the list of IPs associated with those alarms, you can use the following call:

/sw-reporting/v1/tenants/{tenantId}/internalHosts/tags/{tagId}/alarms/topHosts

Let me know if you need more assistance. 

View solution in original post