Create Alert based on Host and Peer communication

DmitryVolk83628
Level 1

Hi All,

 

I have 2 devices and I would like to create an alert on Stealthwatch when there is another communication except between those 2 devices.

Let's say device A and device B should communicate,

and if device A tries to communicate with device C, I would like to get an alert.

 

Does anyone know how to create such an alert in Stealthwatch?

Accepted Solution

juanpablorivera
Level 1

 

In version 7.3.0, in the SMC GUI go to Configure / Policy Management, and then select at the top right Create New Policy / Custom Security Event.

Give it a Name, and optionally provide a Description.

Change the Status to ON

Click the plus sign +

Select from the dropdown list:

NOTES:

   1) Items in the dropdown list described as "Subject" are the SOURCE items, and the ones described as "Peer" are the DESTINATION items.

   2) An item can be either a Host Group, a Host, or even Users, Devices, etc.

   3) You can add one or more items as Subject or Peer.

STRATEGY: Create a Host Group "HGroup01" that includes device A AND device B, or reference the devices separately. Then add as Subject items like "Inside Hosts", "Outside Hosts", and any other Host Group you want to alarm on when it communicates with the Peer "HGroup01" (or device A or device B, referenced separately).

 

In the end, if device A and B are referenced separately, the Policy should read something similar to: "When any subject host group communicates with device A or device B, an alarm is raised".

 

You may consider creating another Policy where the Subjects are the devices A and B, and the Peers are the "Inside Hosts" and "Outside Hosts"

 

 

 

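To make the Subject/Peer semantics of the procedure above concrete, here is an added Python model of the two Custom Security Events the accepted answer suggests (and of the segmentation-violation tracking Dario's reply refers to). It is example code written for this page, not code from the thread, from Cisco, or from Stealthwatch itself, which exposes no such scripting hook in this GUI procedure. The host group names Inside Hosts, Outside Hosts and HGroup01 follow the post; the addresses of device A and device B, the sample flows and the `exempt_group` field are assumptions made for the example. The model treats HGroup01 as a custom group nested under Inside Hosts, so A and B are members of both groups; that is why it exempts flows whose two ends are both in HGroup01, since otherwise the sanctioned A<->B traffic would also match the first policy.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Hypothetical host groups. HGroup01 is modelled as a custom group nested under
# Inside Hosts, so device A and device B belong to both groups, the way a host
# in a child group also belongs to its parent group in the SMC host-group tree.
HOST_GROUPS: dict[str, list[ipaddress.IPv4Network]] = {
    "Inside Hosts": [ipaddress.ip_network("10.0.0.0/8")],
    "HGroup01": [
        ipaddress.ip_network("10.0.1.10/32"),  # device A (assumed address)
        ipaddress.ip_network("10.0.1.20/32"),  # device B (assumed address)
    ],
}


def groups_for(ip: str) -> set[str]:
    """Every host group an address is a member of.

    Anything not covered by an Inside Hosts range is treated as Outside Hosts,
    which is how the built-in Outside group behaves.
    """
    addr = ipaddress.ip_address(ip)
    groups = {name for name, nets in HOST_GROUPS.items() if any(addr in net for net in nets)}
    if "Inside Hosts" not in groups:
        groups.add("Outside Hosts")
    return groups


@dataclass
class CustomSecurityEvent:
    """One CSE: fires when the flow's SOURCE is in a Subject group and its
    DESTINATION is in a Peer group, and the event is switched ON."""
    name: str
    subjects: frozenset[str]   # Subject = SOURCE side of the flow
    peers: frozenset[str]      # Peer    = DESTINATION side of the flow
    status: bool = True        # the ON/OFF switch from the procedure
    # Assumption for this model, not an SMC setting: traffic whose two ends are
    # both in this group is the sanctioned A<->B channel and must not alarm.
    exempt_group: str | None = None

    def matches(self, src: str, dst: str) -> bool:
        if not self.status:
            return False
        src_groups, dst_groups = groups_for(src), groups_for(dst)
        if self.exempt_group in src_groups and self.exempt_group in dst_groups:
            return False
        return bool(src_groups & self.subjects) and bool(dst_groups & self.peers)


# The two policies the accepted answer suggests, Subject on the source side.
POLICIES = [
    CustomSecurityEvent(
        name="Any host communicates with device A or B",
        subjects=frozenset({"Inside Hosts", "Outside Hosts"}),
        peers=frozenset({"HGroup01"}),
        exempt_group="HGroup01",
    ),
    CustomSecurityEvent(
        name="Device A or B communicates with any host",
        subjects=frozenset({"HGroup01"}),
        peers=frozenset({"Inside Hosts", "Outside Hosts"}),
        exempt_group="HGroup01",
    ),
]


def evaluate(src: str, dst: str, policies=POLICIES) -> list[str]:
    """Names of every enabled CSE that would alarm on a src -> dst flow."""
    return [p.name for p in policies if p.matches(src, dst)]


# Constructed flow records (source, destination, destination port); not real data.
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.1.20", 443),    # A -> B: the one permitted conversation
    ("10.0.1.20", "10.0.1.10", 443),    # B -> A: reverse direction, also permitted
    ("10.0.1.10", "10.0.5.7", 445),     # A -> C (inside host): violation
    ("198.51.100.4", "10.0.1.20", 22),  # outside host -> B: violation
    ("10.0.7.7", "10.0.8.8", 80),       # unrelated inside hosts: no alarm
]


def alarms(flows=SAMPLE_FLOWS, policies=POLICIES) -> dict[tuple[str, str, int], list[str]]:
    """Map each flow to the CSE names it triggers (empty list = no alarm)."""
    return {flow: evaluate(flow[0], flow[1], policies) for flow in flows}


if __name__ == "__main__":
    for (src, dst, port), hits in alarms().items():
        verdict = ", ".join(hits) if hits else "no alarm"
        print(f"{src:>14} -> {dst:<12} :{port:<5} {verdict}")
```

The second policy is what catches the asker's case (device A talking to device C): with Subject = HGroup01 and Peer = Inside Hosts / Outside Hosts, it fires on A -> C while the first policy, whose Peer side is HGroup01, does not. Running both, one per direction, is what makes the pair cover traffic initiated from either end.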

2 Replies

dcavalla
Cisco Employee

Hello,

You can use either the relationship policies or the custom security events to track segmentation violations, depending on the specific use case you have. Please look at the Stealthwatch use cases if you want a list of examples.

 

Hope this helps.

 

Dario

