Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1433
Views
10
Helpful
1
Replies

Stealthwatch Enterprise reporting API for Alarming Hosts

Go to solution
kahsieh
Cisco Employee
Cisco Employee

‎11-19-2019 10:39 AM

Hello,

My customer would like to retrieve the Alarming Hosts category data as well as the hosts after clicking the numbers on the category through API.

Screen Shot 2019-11-20 at 02.35.17.png

Which APIs are the right ones in the DevNet Stealthwatch Enterprise REST API?

https://developer.cisco.com/docs/stealthwatch/#!reporting-api-version-1

I see some there but I am not sure if they are the right ones and how to use them.

Screen Shot 2019-11-20 at 02.32.25.png

Any guidance?

Labels:
Preview file
95 KB
Preview file
232 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
kywinter
Cisco Employee
Cisco Employee

‎11-20-2019 09:14 AM - edited ‎11-20-2019 09:15 AM

The SMC uses the following endpoint to get the number of alarms for the alarm categories on the main Security Insights Dashboard: 

/sw-reporting/v1/tenants/{tenantId}/internalHosts/tags/{tagId}/alarms/{alarmTypeId}/trend/daily

It actually makes that call 11 times, one for each of the high-level alarm types displayed in that dashboard. The Tenant ID is the same as your domain ID. The tag ID (host group ID) used on the main Security Insights Dashboard is "1" to represent all of Inside Hosts. The alarm type IDs for the main 11 alarm categories are as follows:

  32 - High Concern Index
  15 - High Target Index
  45 - Data Exfiltration
  46 - Command & Control
  47 - Policy Violation
  51 - Recon
  52 - Data Hoarding
  53 - High DDoS Target Index
  54 - High DDoS Source Index
  56 - Exploitation
  57 - Anomaly

To get the list of IPs associated with those alarms, you can use the following call:

/sw-reporting/v1/tenants/{tenantId}/internalHosts/tags/{tagId}/alarms/topHosts

Let me know if you need more assistance. 

View solution in original post

1 Reply 1

Go to solution
kywinter
Cisco Employee
Cisco Employee

‎11-20-2019 09:14 AM - edited ‎11-20-2019 09:15 AM

The SMC uses the following endpoint to get the number of alarms for the alarm categories on the main Security Insights Dashboard: 

/sw-reporting/v1/tenants/{tenantId}/internalHosts/tags/{tagId}/alarms/{alarmTypeId}/trend/daily

It actually makes that call 11 times, one for each of the high-level alarm types displayed in that dashboard. The Tenant ID is the same as your domain ID. The tag ID (host group ID) used on the main Security Insights Dashboard is "1" to represent all of Inside Hosts. The alarm type IDs for the main 11 alarm categories are as follows:

  32 - High Concern Index
  15 - High Target Index
  45 - Data Exfiltration
  46 - Command & Control
  47 - Policy Violation
  51 - Recon
  52 - Data Hoarding
  53 - High DDoS Target Index
  54 - High DDoS Source Index
  56 - Exploitation
  57 - Anomaly

To get the list of IPs associated with those alarms, you can use the following call:

/sw-reporting/v1/tenants/{tenantId}/internalHosts/tags/{tagId}/alarms/topHosts

Let me know if you need more assistance. 

Customers Also Viewed These Support Documents