07-10-2023 02:03 AM
Hello!
We're interested in having a visual representation of the number of connections within a specific subnet.
Specifically, if we search for a subnet, such as 192.168.1.0/24, our goal is to have a diagram or chart that illustrates all the hosts within that subnet, along with the number of connections (flows etc.) for each host.
Could you confirm if it's possible to generate such a report using Stealthwatch 7.3? If yes, could you guide us on how we could go about this process? Any relevant documentation or resources would be of immense help.
We have only a Manager and a Flow Collector. Most of the flows come from Cisco ASA (with NSEL).
07-11-2023 12:27 AM
I think you can try to use the Network Diagrams app in Stealthwatch, but I'm not sure if that would give you a detailed network diagram. I've never used it before, but I think it does have a few templates that you can use, and it also allows you to create your own custom one.
07-11-2023 12:39 AM
Accessing Stealthwatch Manager: Ensure that you have access to Stealthwatch Manager, which is the central management interface for Stealthwatch. It provides a graphical user interface (GUI) to configure and monitor the Stealthwatch system.
Data Collection: Confirm that you have properly configured Stealthwatch to collect flow data from your Cisco ASA devices using NetFlow Secure Event Logging (NSEL). Verify that the flow collector is correctly receiving flow data from the ASA devices.
Defining a Subnet: Within Stealthwatch Manager, define the subnet you want to analyze by creating an IP Group or a Filter based on the desired IP range (e.g., 192.168.1.0/24). This will allow you to isolate flows specific to that subnet.
Generating a Report: Stealthwatch Manager offers various reporting capabilities that can help you visualize and analyze flow data. You can create custom reports to display the number of connections (flows) for each host within the defined subnet.
Running and Exporting the Report: Once the report is configured, you can run it within Stealthwatch Manager to generate the visual representation of the number of connections within the specified subnet. You can then export the report in your desired format, such as PDF or CSV, for further analysis or sharing with others.
07-11-2023 07:28 AM - edited 07-11-2023 10:57 AM
Hi @llomjaria - This is a good question. Building on what @Aref Alsouqi said, let me show you what's possible with the Network Diagrams app. Nothing in here is specific to the ASA/NSEL telemetry type. If you don't have it already installed, go to Central Manager and install the correct app version for the version of Stealthwatch (now called Secure Network Analytics) in the Apps tab.
One thing that's missing in your question is any limitation on where the hosts in 192.168.0.1/24 subnet are connecting to. So, for the purposes of this illustration I'm going to illustrate how to show all possible connections. That means three groups of connections to: Outside Hosts (anything outside organizational control), Inside Hosts (anything the organization controls, including public IP space), and connections within the 192.168.0.1/24 subnet itself.
You're going to need a Host Group object to work with for the 192.168.1.0/24 subnet. Later, having a group object will make it easier to manage and extend the use of the network diagram. I'm creating one called ONE-DOT-OH; I will refer to it that way below. If you don't have one already, create one under Configure > Host Group Management. Put it somewhere under Inside Hosts that makes sense for you; it can easily be moved later within the Host Group structure.
Now, let's create a Network Diagram. There are two ways to initialize one; let's do it the manual way first:
Open the Network Diagrams app and click the "Create New Diagram" button. Now, in edit mode, the box on the left will show your Host Group tree so you can select and drag groups into the diagram to use. Find your ONE-DOT-OH group and add it into the diagram. Also add the Inside Hosts and the Outside Hosts groups into the diagram.
Next, we're going to draw three edges (lines). Click one of the handles on the ONE-DOT-OH shape and drag a line to a handle on the Inside Hosts group, and repeat that for the Outside Hosts group. For the third edge, double-click on a handle of the ONE-DOT-OH; this will create a looped edge that begins and ends on that handle and represents all the traffic within the group. (see the attached GIF)
Now give your diagram a title and suitable description and save it. In a few moments (maybe 1 minute) the edges will populate with labels that show the amount of traffic represented by the edges. If you have some traffic between your ONE-DOT-OH group and the Inside or Outside groups, you will see the BPS or PPS populate (depending on what you have selected in the drop-down menu in the upper-right corner). If they don't populate, you either don't have any traffic in that part of the network, or you're not getting telemetry that represents that traffic.
With your Network Diagram created and telemetry flowing you have a reusable view of all the traffic in these groups. When you right-click on one of the edges you can get a breakdown of what traffic is flowing between the two groups represented on that edge. This can be broken down by host, peer, port, application, conversation, etc. The timeframe of the default results will be "last 5 minutes" but you can adjust the time range (or any other facet of the resulting query).
This will get you started. Build out this diagram and play a bit with the results of the top queries, and reply back here if you have follow-up questions.
--jg
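The same three-edge breakdown (within the subnet, other Inside Hosts, Outside Hosts) with a per-host flow count can also be reproduced offline from an exported flow list, which is what the original question asked for. The Python below is an added example, not code from this thread or from Secure Network Analytics; the src/dst column names, the Inside Hosts ranges and the sample flows are constructed assumptions.

```python
# Added example: count flows per host in one subnet and bucket each host's
# peers the way the three diagram edges do (within / inside / outside).
# The "src,dst" column names are an assumption, not a real export schema.
import csv
import io
import ipaddress
from collections import defaultdict

SUBNET = ipaddress.ip_network("192.168.1.0/24")
# What counts as "Inside Hosts" is organization-specific; assumed here.
INSIDE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample flow records (not exported from a real system).
SAMPLE_CSV = """src,dst
192.168.1.10,8.8.8.8
192.168.1.10,10.0.0.5
192.168.1.10,192.168.1.20
192.168.1.20,192.168.1.10
192.168.1.20,1.1.1.1
10.0.0.5,192.168.1.30
203.0.113.7,192.168.1.30
"""

def classify(peer):
    """Bucket a peer address into one of the three diagram edges."""
    if peer in SUBNET:
        return "within"
    if any(peer in n for n in INSIDE):
        return "inside"
    return "outside"

def count_flows(csv_text):
    """Return {host: {"within": n, "inside": n, "outside": n}} for hosts in SUBNET.
    A flow is counted once per subnet endpoint, so a flow between two subnet
    hosts adds one 'within' flow to each of them (like the looped edge)."""
    counts = defaultdict(lambda: {"within": 0, "inside": 0, "outside": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        for host, peer in ((src, dst), (dst, src)):
            if host in SUBNET:
                counts[str(host)][classify(peer)] += 1
    return dict(counts)

if __name__ == "__main__":
    for host, buckets in sorted(count_flows(SAMPLE_CSV).items()):
        print(f"{host:<16} total={sum(buckets.values()):<3} {buckets}")
```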