Question: What's the fastest way to determine which sensor reports an observation or alert in Stealthwatch?
Challenge: I have multiple sites with Cisco FTD firewalls, managed by CDO. I also have several ONA sensors deployed throughout a global network. When I see an alert in Stealthwatch, the observation is informational, but I don't see an obvious way to determine what sensor reported the issue or observation. The closest I've found to this is to pre-determine subnets, but that doesn't stop a rogue intruder from connecting to a network device and spinning up a new VLAN or sub-interface (assuming my security was weak).
Any ideas? Thanks!
RFC 1925