01-17-2021 04:09 AM
Hi All,
I have 2 devices and I would like to create an alert in Stealthwatch when there is any communication other than between those 2 devices.
Let's say device A and device B should communicate,
and if device A tries to communicate with device C, I would like to get an alert.
Does anyone know how to create such an alert in Stealthwatch?
01-18-2021 08:16 PM - edited 01-18-2021 08:23 PM
In version 7.3.0, in the SMC GUI go to Configure / Policy Management, and then select at the top right Create New Policy / Custom Security Event
Give it a Name, and optionally provide a Description.
Change the Status to ON
Click the plus sign +
Select from the dropdown list:
NOTES:
1) Items in the dropdown list described as "Subject" are the SOURCE items, and the ones described as "Peer" are the DESTINATION items.
2) An item can be a Host Group, a Host, or even Users, Devices, etc.
3) You can add one or more items as Subject or Peer.
STRATEGY: Create a Host Group "HGroup01" that includes device A AND device B, or reference the devices separately. Then add as Subject Host Group items like "Inside Hosts", "Outside Hosts", and any other Host Group you want to alarm on when it communicates with PEER "HGroup01" (or with device A or device B referenced separately).
In the end, if devices A and B are referenced separately, the Policy should read something similar to: "When any subject host group communicates with device A or device B, an alarm is raised"
You may consider creating another Policy where the Subjects are the devices A and B, and the Peers are the "Inside Hosts" and "Outside Hosts"
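The following is an added, offline model of the policy logic the answer above describes (Subject = source side, Peer = destination side; a flow fires when its source is in any Subject group and its destination is in any Peer group). It is not Stealthwatch code and does not talk to the SMC; the host groups, device addresses and flow records are constructed for the example. It builds both policies from the answer and runs them over a handful of sample flows. One practical point it makes visible: because device A and device B are themselves members of "Inside Hosts", the policies as worded also match the A-to-B conversation, so the example carries its own `exclude_subjects` / `exclude_peers` lists to keep that permitted pair quiet. How to express such an exclusion in the product itself is not covered by this thread, so treat those lists as an assumption of the example.

```python
"""Offline model of the custom-security-event matching described in the
answer above. Constructed example; not Stealthwatch code."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed addresses (not from the thread): the pair that is allowed to talk.
DEVICE_A = "10.1.1.10"
DEVICE_B = "10.1.1.11"
# Assumed "Inside Hosts" definition; "Outside Hosts" is its complement,
# mirroring how Stealthwatch's default groups are laid out.
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def in_group(ip: str, group: str) -> bool:
    """Membership test for the three host groups used by the policies."""
    addr = ipaddress.ip_address(ip)
    if group == "Inside Hosts":
        return any(addr in net for net in INSIDE_NETS)
    if group == "Outside Hosts":
        return not in_group(ip, "Inside Hosts")
    if group == "HGroup01":            # device A and device B
        return ip in (DEVICE_A, DEVICE_B)
    raise KeyError(f"unknown host group: {group}")


@dataclass
class Policy:
    """A custom security event: Subject (SOURCE) groups and Peer (DESTINATION) groups.
    The exclusion lists are this example's own device for sparing the A<->B pair."""
    name: str
    subjects: List[str]
    peers: List[str]
    exclude_subjects: List[str] = field(default_factory=list)
    exclude_peers: List[str] = field(default_factory=list)

    def matches(self, src: str, dst: str) -> bool:
        if src in self.exclude_subjects or dst in self.exclude_peers:
            return False
        return (any(in_group(src, g) for g in self.subjects)
                and any(in_group(dst, g) for g in self.peers))


def evaluate(flows: List[Tuple[str, str]], policies: List[Policy]):
    """Return (policy name, src, dst) for every flow that fires a policy."""
    return [(p.name, src, dst)
            for src, dst in flows
            for p in policies
            if p.matches(src, dst)]


# The two policies from the answer, with the permitted pair excluded.
POLICIES = [
    Policy("Anyone talks to A/B",
           subjects=["Inside Hosts", "Outside Hosts"], peers=["HGroup01"],
           exclude_subjects=[DEVICE_A, DEVICE_B]),
    Policy("A/B talks to anyone",
           subjects=["HGroup01"], peers=["Inside Hosts", "Outside Hosts"],
           exclude_peers=[DEVICE_A, DEVICE_B]),
]

# Constructed flow records as (source, destination) pairs.
FLOWS = [
    (DEVICE_A, DEVICE_B),      # permitted conversation: must stay silent
    (DEVICE_A, "10.2.2.20"),   # A talks to inside host C: alarm
    ("10.2.2.20", DEVICE_A),   # C talks to A: alarm
    (DEVICE_A, "8.8.8.8"),     # A talks to an outside host: alarm
    ("10.2.2.20", "10.3.3.30"),  # unrelated inside traffic: no alarm
]


def run_example():
    return evaluate(FLOWS, POLICIES)


if __name__ == "__main__":
    for name, src, dst in run_example():
        print(f"ALARM [{name}] {src} -> {dst}")
```

Running it prints one alarm for each of the three segmentation violations and nothing for A-to-B or the unrelated flow. Dropping the exclusion lists makes the first policy fire on A-to-B as well, which is the behaviour to check for when you build the event in the SMC.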
01-18-2021 06:12 AM
Hello,
you can use either the relationship policies or the custom security events to track segmentation violation based on the specific use case you have. Please look at the Stealthwatch use cases if you want a list of examples.
Hope this helps.
Dario