We often see reports of behavior like this when the server that Stealthwatch is being deployed on doesn't meet the processing or memory requirements.  I'd suggest you check those. ... View more

I've found that the best references regarding configuring Encrypted Traffic Analytics (ETA) are:   the ETA White Paper (https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/nb-09-encrytd-traf-anlytcs-wp-cte-en.pdf )   and the    the Design Guide (https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/eta-design-guide-2019oct.pdf )     There are design and deployment decisions that have to be made when deploying ETA on your network infrastructure.  ETA meta data represents new NetFlow / IPFIX meta data that is generated by new process running on devices where it is deployed.  ETA runs in this new process because it can be deployed on a variety of hardware (physical and virtual) with from as little as 2 Ethernet interfaces (where it would have little impact) to as many as 48 ports where it may have a significant impact depending on how it is designed and deployed.        ... View more

It's likely not a problem with the fields in the flow record but with the sources of data being exported.  Flow matching works best when all the exporters are sending the same fields.  You presented a flow record but not all exporters (including firewalls) offer configurable flow records.   You said you have one router and two firewalls exporting.    You did mention the models of firewalls.  That said not all firewalls send flow data the same.  Cisco's ASA exports NSEL, which while in a NetFlow format sends flow data based on the firewalls function and configuration.  For example, NSEL uses a fixed export format that will include username if authentication is configured on the firewall.  It will also include data about any IP address translations if NAT is configured.     Other firewalls have their own export characteristics.    A couple of suggestions.    Try disabling flow export from the Core Firewall. It may be redundant with what the core router is exporting.   Try enabling export from an aggregation router.  Another idea might be to enable flow from either a remote access concentrator (firewall?) or wireless LAN controller (or router that connects either of those devices to the core) that bring remote access users into the network.     ... View more

See page 133 of the document that you referenced titled "Changing Appliances After Configuration".  There is a great big note there that says:   The appliance identity certificate is replaced automatically as part of this pro cedure. If your appliance uses a custom certificate, please contact Cisco Stealth - watch Support to change these settings. Do not use the instructions shown here. Make sure you have a copy of the custom certificate and private key.   You should definitely initiate a call or contact with Cisco Stealthwatch  Support. ... View more

Have you verified that an AnyConnect (Apex license) equipped end point is configured and sending nzflow to the Endpoint Concentrator? ... View more

The Stealthwatch and Cognitive Analytics Configuration Guide can be found here.  The Stealthwatch Threat Intelligence License At-a-Glance document is here. Configuring the Threat Intelligence License is covered in the Stealthwatch Configuration Guide v7.  Look in section 7. ... View more

Take a look at https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/smc_users_guide/SW_6_9_0_SMC_Users_Guide_DV_1_2.pdf , specifically page 325 'Adding Authentication Services' and see if that helps. ... View more

Ben makes a couple of important points here. Meta data from the AnyConnect Network Visibility Module (NVM has to be sent to an Endpoint Concentrator. That meta data is 'NZFlow' not NetFlow or IPFIX. That meta data is not able to be processed at a Flow Collector and requires the Endpoint Concentrator to create IPFIX data that the Flow Collector can process. Another important point is that NZFlow or endpoint meta data is stitched into Flow Collector connection records. You need to have either NetFlow or IPFIX data about a connection to add endpoint data in to. That means the connection has to also pass through a NetFlow or IPFIX capable device. Often this is the switch or WLC the endpoint is connecting to OR a router that the switch or WLC is connected to. ... View more

It's important to understand the differences in the two approaches; threat intel feed and cloud based data analysis.    The Stealthwatch Threat Intelligence Feed (formerly known as SLIC or Stealthwatch Labs Intelligence Connection) is a IP list that is updated sometimes several times per day based on data from a variety of sources with Cisco and the security industry.  That list resides locally on the Stealthwatch Management Console (SMC).  When an external IP address in a connection matches an IP on that list an alarm is generated.  The process of getting that list from the Internet to the SMC is a download from Cisco.  No local SMC data other than the SMC serial number for identification is shared with Cisco.   Stealthwatch Cognitive integration uses both the Flow Collector and the SMC.  The Flow Collector identifies connections in it's database that cross the trust boundary defined by Internet gateway.  The Flow Collector sends data about connections that cross that trust boundary to Cognitive via an HTTPS tunnel.  At Cognitive additional account specific baselines on submitted data are established and the data is used analyzed using a multi layer framework of classifier algorithms.  The results are that for each submitted connection a risk score is computed and then sent back to the SMC.   Cognitive holds some processed data and as the classifiers are updated it runs that data through now updated classifiers to determine if the risk score has changed.  If it has that info is sent to the SMC.   The Threat Intel feed does not expose any of the customer network and matches very fast.   Stealthwatch with CTA uses cloud based analytics and processing to greatly extend the analysis of customer Internet connection data.   I hope this helps.   ... View more