As the machine learning engine in Cognitive Analytics was designed to be deployed in real production networks, it can be challenging to generate a detection in a home or customer lab environment, and generating an "on-demand" detection with the Encrypted Traffic Analytics (ETA) solution can be even more difficult. This page describes what we have found to be the best way to test a Stealthwatch deployment with Cognitive Analytics and ETA and to generate a detection in lab and on-demand environments.
Generating a Detection:
Classifiers for some of the same domains used to test Umbrella have been built into the Cognitive engine, specifically classifiers for the following:
Browsing to those URLs from a host whose HTTPS session passes through an enhanced NetFlow exporter will generate a detection in Cognitive, displayed with the "Detected Using Encrypted Traffic Analytics" notifier.
Note: The detection may initially show up with a risk rating of 5. The risk rating can increase with additional bad or repetitive behavior, such as visiting several of the above URLs or repeatedly visiting the same URL.
After installing it, launch the TOR browser and do some internet browsing. A detection will appear in the Cognitive widget/dashboard shortly. The detection will display as a severity 4 potentially unwanted application with the "detected using encrypted traffic analytics" label.
ETA TOR detections in SMC Dashboard Cognitive widget:
TOR detection in Cognitive Widget in the Host Report:
Potentially Unwanted Application in the Cognitive Dashboard:
Basic Lab Overview:
In this scenario we have a host connected to a Catalyst 9300. The Catalyst 9300 is configured to send Enhanced NetFlow (including ETA) to Stealthwatch.