Stealthwatch core event tuning

Bart G (Level 1)

Hi all,


I did hit a false positive alarm today: a wireless AP was a source of 'suspect data hoarding' from a WLC.

I wanted to disable this core event in this case, but not sure what would be the best way to do so.


Ideally, I want to disable this event only for traffic between AP and WLC host groups, but that isn’t possible it seems?


As an alternative I could create a custom core event for 'suspect data hoarding', where I assign the WLC group as 'host' and I configure 'when host is target' to 'Off'.

Would this have the desired effect? (As it is not alerting on the WLC as target, but on the AP as source).

I don't want to disable this event on the AP group as source, since I want to be alerted if I see this behaviour towards any other destination.


Last option I can think of is to create a custom service for CAPWAP data and turn on 'exclude security event', then on the AP host group also turn on 'disable security events using excluded services'.


Thanks for any advice on this!


TJ-20933766 (Spotlight)

I believe that you have to create a Role Policy with the IP addresses of the APs, select Data Hoarding as the Core Event, and set "When Host is Source" to Off. There isn't an option to change the "When Host is Target". This will effectively exclude all APs from any Data Hoarding alarms and remove the current Data Hoarding alarm that this host raised.

If you want to be alerted when the APs initiate communication with any other IP address besides the WLC, you could create a Custom security event with the following rules:

  • Subject Hosts: [AP IPs]
  • Subject Orientation: Client
  • Peer Host Groups: Inside Hosts
  • Peer Hosts: ![WLC IP], ![DNS Server IP]

If this rule is tripped, you'll get a policy violation alarm instead of a Data Hoarding alarm because the APs should not initiate any communication outside of the WLC and DNS server.

Your last option might work provided that you ensure that the CAPWAP traffic was indeed what tripped the original Data Hoarding alarm.
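To make the matching logic of the custom security event in the reply concrete, here is an added example (not part of the thread, and not Stealthwatch code) that models those four rules as a flow evaluator. The AP, WLC, DNS and "Inside Hosts" addresses are constructed placeholders for the bracketed values in the reply, and "client" is taken to mean the host that initiated the flow.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values standing in for [AP IPs], [WLC IP], [DNS Server IP]
# and the "Inside Hosts" group in the reply; not addresses from any real deployment.
AP_IPS = {"10.20.0.11", "10.20.0.12"}
WLC_IP = "10.10.0.5"
DNS_IP = "10.10.0.53"
INSIDE_HOSTS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed Inside Hosts range


@dataclass
class Flow:
    client: str  # host that initiated the conversation
    server: str  # host that responded


def in_inside_hosts(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSIDE_HOSTS)


def trips_custom_event(flow: Flow) -> bool:
    """Model of the reply's rule set:
    Subject Hosts = AP IPs, Subject Orientation = Client,
    Peer Host Groups = Inside Hosts, Peer Hosts = !WLC, !DNS.
    True means the flow would raise a policy-violation alarm."""
    # Subject Orientation "Client": only flows the AP initiates are in scope,
    # so the WLC pushing data towards an AP never matches.
    if flow.client not in AP_IPS:
        return False
    peer = flow.server
    # Peer Host Groups restricts the peer to Inside Hosts; as written, the rule
    # therefore does not cover an AP talking to an outside address.
    if not in_inside_hosts(peer):
        return False
    # The "!" entries carve the expected peers (WLC, DNS) out of the match.
    if peer in {WLC_IP, DNS_IP}:
        return False
    return True


def policy_violations(flows: list[Flow]) -> list[Flow]:
    """Return the flows that would alarm, in the order observed."""
    return [f for f in flows if trips_custom_event(f)]
```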