I have been reading and watching some videos.
Looking for some best practices on what alerts to enable, let's say to be emailed or syslogged.
I watched one video out there, and it was not very helpful.
If there were 5 alerts, which would be the ones? I know it varies from customer to customer.
But, for example, is data exfiltration a good alarm?
Looking at how it's generally done. Sometimes I don't log into the SMC to look, but what part of this can be automated? Looking for direction here.
Using Stealthwatch and the Management Console, what I'd suggest you do is look at the 'Top Alarming Hosts' and 'Cognitive Threat Analytics' widgets.
Top Alarming Hosts offers a list of the top alarming hosts based on all alerts and how Stealthwatch alerting has been tuned. Alerts contribute to a numeric score and the hosts with the highest score are ranked in that widget. It's updated every couple of minutes. Hosts listed are often 'inside' and as such most of the detections there are 'lateral' or 'east-west' (about activity between hosts inside your protected network).
The Cognitive widget provides risk scores based on analysis of data that your Flow Collector sent to the Cisco Cloud. This extends the analysis to include external hosts (or north-south connectivity).
Through a service that uses the Stealthwatch APIs you can export data about either Top Alarming Hosts or Cognitive Threat Analytics to your own external programs or databases.
Using the Stealthwatch 'Response Management' capability, an admin can define specific alerts that will produce additional responses (send a syslog message, send an email, etc.). Those alert on specific conditions, and the suggestion is that those be used when looking for (or 'hunting') specific evidence of some investigation.
I hope this helps. We're always looking to improve those videos (if it came from the Cisco Stealthwatch team).
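As an added illustration of the automation the question asks about (not code from the thread or from Cisco), here is a small Python consumer for alarms that Response Management forwards over syslog. It reproduces the idea behind the Top Alarming Hosts widget on your own side: each alarm contributes to a per-host score, the hosts are ranked, and a watch list of alarm categories (Data Exfiltration, for instance) above a severity threshold is flagged for notification so you do not have to log into the SMC to notice it. The key=value line layout, the category names, the severity numbers and the scoring rule are all assumptions constructed for the example; the real Response Management message format is configurable and is not reproduced here.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in a hypothetical key=value layout.
# Not the real Stealthwatch Response Management format, which is configurable.
SAMPLE_ALARMS = """\
<134>Jan 10 09:15:02 smc alarm: host=10.1.20.14 category="Data Exfiltration" severity=8 direction=north-south
<134>Jan 10 09:15:44 smc alarm: host=10.1.20.14 category="Suspect Data Hoarding" severity=5 direction=east-west
<134>Jan 10 09:16:10 smc alarm: host=10.1.30.7 category="Recon" severity=3 direction=east-west
<134>Jan 10 09:17:01 smc alarm: host=10.1.30.7 category="Recon" severity=3 direction=east-west
<134>Jan 10 09:18:22 smc alarm: host=10.1.40.2 category="Policy Violation" severity=2 direction=east-west
this line is deliberately malformed and must be skipped, not crash the parser
"""

# Field pattern for the hypothetical layout above.
LINE_RE = re.compile(
    r'host=(?P<host>\S+)\s+'
    r'category="(?P<category>[^"]+)"\s+'
    r'severity=(?P<severity>\d+)\s+'
    r'direction=(?P<direction>\S+)'
)


def parse_alarms(text):
    """Return a list of alarm dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed or unrelated syslog line
        events.append({
            "host": m.group("host"),
            "category": m.group("category"),
            "severity": int(m.group("severity")),
            "direction": m.group("direction"),
        })
    return events


def score_hosts(events, weights=None):
    """Rank hosts by a cumulative score.

    Assumed scoring rule: sum of alarm severities, each multiplied by an
    optional per-category weight (default 1). This mimics, but is not, the
    widget's own scoring, which depends on how alerting has been tuned.
    Returns a list of (host, score) sorted highest score first.
    """
    weights = weights or {}
    scores = defaultdict(int)
    for e in events:
        scores[e["host"]] += e["severity"] * weights.get(e["category"], 1)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def hosts_to_notify(events, watch_categories, min_severity):
    """Hosts with at least one alarm in a watched category at/above a severity.

    This is the kind of narrow condition you would wire to an email or
    syslog response rather than paging on every alarm.
    """
    flagged = set()
    for e in events:
        if e["category"] in watch_categories and e["severity"] >= min_severity:
            flagged.add(e["host"])
    return sorted(flagged)


if __name__ == "__main__":
    events = parse_alarms(SAMPLE_ALARMS)
    for host, score in score_hosts(events, weights={"Data Exfiltration": 2}):
        print(f"{host:<12} score={score}")
    print("notify:", hosts_to_notify(events, {"Data Exfiltration"}, 6))
```

The weights dictionary is where tuning lives: raising the weight of a category such as Data Exfiltration pushes hosts with that alarm to the top of the ranking without touching the rest, and the watch-list function is the piece you would schedule to run between manual SMC reviews.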