Stealthwatch (Security Analytics) Sensor Question

Question: What's the fastest way to determine which sensor reports an observation or alert in Stealthwatch?

Challenge: I have multiple sites with Cisco FTD firewalls, managed by CDO. I also have several ONA sensors deployed throughout a global network. When I see an alert in Stealthwatch, the observation is informational, but I don't see an obvious way to determine what sensor reported the issue or observation. The closest I've found to this is to pre-determine subnets, but that doesn't stop a rogue intruder from connecting to a network device and spinning up a new VLAN or sub-interface (assuming my security was weak).

Any ideas? Thanks!

RFC 1925

rocedar
Cisco Employee

Hello - Sorry this took so long to answer - I just recently got assigned to SCA.  

You can tell which sensor uploaded the information here: From Monitoring > Observations, select the dropdown next to the 'Time' of the observation and select 'Session Traffic'. This brings up the session traffic; scroll the window to the far right for the 'Sensor' column. You should see the name of the sensor that uploaded the information.