Hello Team,In Anomaly Core Events, we can control events using the "When Host is Source" option. However, for "When Host is Target," the option is not available, meaning in anomaly category we can only control source host groups and not target host g...
Welcome to the Security Analytics Board!
Please take a look at our Stealthwatch Information Hub and our Stealthwatch Use Cases.Forum Posts
When using Data Store, "alerts" are triggered, but there are many false positives.While "alarms" can be tuned using HostGroups and Policies, is there a way to tune "alerts"?
We are getting alarms related to the "UDP Received" security event. After checking the flows, it is Microsoft Teams traffic the one triggering the security event. Is it possible to turno of this security event for traffic using a specific set of port...
Hi,I configured a CSE for alerting everytime a TLS connection using a version lower than 1.3 is made. I'm getting the flow alerts but I cannot see any URL information that helps me identifying which particular URL is not compliant. Is there any way t...
“Is it possible to export all default Relationship and Event policies from Cisco Secure Network Analytics into an Excel format?” Thank You.
https://youtu.be/WMGK8pn0YCYIn this session we discuss the difference of basic SIEM vs. SIEM centered on a data analytics platform first optimized with XDR. We discuss some of the existing challenges with basic SIEM and move towards optimizing data i...
can cisco secure network analytics use firewall syslog ingested from telemetry broker for analysis. and how can i configure SNA to receive syslog?
Resolved! Subject and Destination ports in flows
Hi,How does SNA classifies source and destination IP addresses and ports for flows? I've noticed port 80 as subject port and random high ports as destination, which for me, is a typical client to server communication but the subject and peer are exch...
Hello, Currently I am facing the following issue. I have a cisco flow collector and I successfuly I register it to the Stealthwatch SMC. I can see it from the central system manager but with the status "Data Store not Configured". If I click on th...
I need to use on-prem SAL to increase FMC events retention on SNA and need to provide high availability between two data centers for my deployment. i also have have cisco telemetry broker. Would it be the same if 1- i configured ftd syslog to point t...
Today I made transition to flow collector with datastore.Since then I get major alarms "FlowCollector Longest Export Exceeded after transition to datastore" every hour from different network devices.Why does this appear after transition to datastore?
I had 5 flow collectors (VMs)vCPU - 12Memory - 128GbHDD - 3.6TbI decided to add 3 data node to use Data StorevCPU - 18Memory - 64GbHDD - 18TbAnd after it one of my collector started to sent message FlowCollector Performance Degraded - OversubscribedI...
Hi,We are leveraging the API to perform bulk uploads of endpoints into hostgroups and we noticed that everytime we upload an existing IP in a hostgroup, the IP is removed and recreated again. If the IP does not change, is SNA deleting the historical ...
Hi. We installed Data store virtual cluster with three nodesEvery node has 18Tb but I can see that Total Capacity:32.197 TB Where does 18Tb lost?
On of our IDS is not showing any connection events on the FMC. It shares the same policy with other devices and these are all showing connection events. Customer says policy is OK. When using the Tool > Packet Capture feature on the 4125 Chassis we c...
