Using Stealthwatch and the Management Console, what I'd suggest you do is look at the 'Top Alarming Hosts' and 'Cognitive Threat Analytics' widgets.
Top Alarming Hosts offers a list of the top alarming hosts based on all alerts and how Stealthwatch alerting has been tuned. Alerts contribute to a numeric score, and the hosts with the highest score are ranked in that widget. It's updated every couple of minutes. Hosts listed are often 'inside', and as such most of the detections there are 'lateral' or 'east-west' (about activity between hosts inside your protected network).
The Cognitive widget provides risk scores based on analysis of data that your Flow Collector sent to the Cisco Cloud. This extends the analysis to include external hosts (or north-south connectivity).
Through a service that uses the Stealthwatch APIs you can export data about either Top Alarming Hosts or Cognitive Threat Analytics to your own external programs or databases.
Using the Stealthwatch 'Response Management' capability, an admin can define specific alerts that will produce additional responses (send a Syslog, send an email, etc.). Those alert on specific conditions, and the suggestion is that those be used when looking for (or 'hunting') specific evidence of some investigation.
I hope this helps. We're always looking to improve those videos (if it came from the Cisco Stealthwatch team).
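To make the scoring idea behind the Top Alarming Hosts widget concrete, here is an added Python illustration (not Stealthwatch code, and not its real scoring algorithm): constructed alerts carry a per-category tuning weight, weights are summed per source host, hosts are ranked, and each alert is classified as lateral or north-south from assumed inside address ranges.

```python
import ipaddress
from collections import defaultdict

# Assumed 'inside' (protected) networks for the lateral vs north-south split
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.168.0.0/16")]

# Tuning: weight each alarm category contributes to a host's score (assumed values)
ALARM_WEIGHTS = {
    "Data Hoarding": 30,
    "Suspect Data Loss": 40,
    "Port Scan": 15,
    "High Traffic": 5,
}

# Constructed sample alerts: (source host, target host, alarm category)
SAMPLE_ALERTS = [
    ("10.1.2.3", "10.1.5.20", "Port Scan"),
    ("10.1.2.3", "10.1.5.21", "Port Scan"),
    ("10.1.2.3", "10.1.9.9", "Data Hoarding"),
    ("10.1.7.7", "203.0.113.5", "Suspect Data Loss"),
    ("192.168.4.4", "10.1.2.3", "High Traffic"),
    ("198.51.100.9", "10.1.7.7", "High Traffic"),
]

def is_inside(host):
    ip = ipaddress.ip_address(host)
    return any(ip in net for net in INSIDE_NETS)

def direction(src, dst):
    """'lateral' (east-west) when both ends are inside, otherwise 'north-south'."""
    return "lateral" if is_inside(src) and is_inside(dst) else "north-south"

def score_hosts(alerts, weights=ALARM_WEIGHTS):
    """Sum alarm weights per source host; categories without a tuned weight add 0."""
    scores = defaultdict(int)
    for src, _dst, category in alerts:
        scores[src] += weights.get(category, 0)
    return dict(scores)

def top_alarming_hosts(alerts, n=3, weights=ALARM_WEIGHTS):
    """Rank hosts by score, highest first; ties broken by address for stable output."""
    scores = score_hosts(alerts, weights)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def direction_summary(alerts):
    """Count how many alerts are lateral versus north-south."""
    counts = defaultdict(int)
    for src, dst, _cat in alerts:
        counts[direction(src, dst)] += 1
    return dict(counts)
```

Re-running `top_alarming_hosts` with a different `ALARM_WEIGHTS` table shows how tuning changes the ranking without changing the underlying alerts.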