As the machine learning engine in Cognitive Analytics was designed to be deployed in real production networks, it can be challenging to generate a detection in a home or customer lab environment, and generating an "on-demand" detection with the Encrypted Traffic Analytics (ETA) solution can be even more difficult. This page describes what we have found to be the best way to test a Stealthwatch deployment with Cognitive Analytics and ETA, and to generate a detection in lab and on-demand environments.
Generating a Detection:
Classifiers for some of the same domains used to test Umbrella have been built into the Cognitive engine, specifically classifiers for the following:
Browsing to those URLs from a host whose HTTPS session passes through an enhanced NetFlow exporter will generate a detection in Cognitive, which will be displayed with the "Detected Using Encrypted Traffic Analytics" notifier.
Note: The detection may initially appear with a risk rating of 5. The risk rating can increase with additional bad or repetitive behaviour, such as visiting several of the above URLs or repeatedly visiting the same URL.
After installing the TOR browser, launch it and do some internet browsing. A detection will appear in the Cognitive widget/dashboard shortly. The detection will display as a severity 4 "possibly unwanted application" with the "detected using encrypted traffic analytics" label.
ETA TOR detections in SMC Dashboard Cognitive widget:
TOR detection in Cognitive Widget in the Host Report:
Potentially Unwanted Application in the Cognitive Dashboard:
Basic Lab Overview:
In this scenario we have a host connected to a Catalyst 9300, which is configured to send Enhanced NetFlow (including ETA) to Stealthwatch.