Carlos,   Have you configured your Stealthwatch Management Console (SMC) so that it can resolve using a local DNS?  If so (and if the local IP is listed in the local DNS DB) I believe that those network addresses should resolve to host names in the WebGUI.   I hope this helps.   Brian ... View more

Using Stealthwatch and the Management Console what I'd suggest you do is look at the 'Top Alarming Hosts' and "Cognitive Threat Analytics' widgets.    Top Alarming hosts offers a list of the top alarming hosts based on all alerts and how Stealthwatch alerting has been tuned.  Alerts contribute to a numeric score and the hosts with the highest score are ranked in that widget.  It's updated every couple of minutes.  Hosts listed are often 'inside' and as such most of the detections there are 'lateral' or 'east - west' (about activity between hosts inside your protected network).   The Cogntive widget provides risk scores based on analysis of data that your Flow Collector sent to the Cisco Cloud.  This extends the analysis to include external hosts (or north south connectivity).   Through a service that uses the Stealthwatch APIs you can export data about either Top Alarming Hosts or Cognitive Threat Analytics to your own external programs or databases.   Using the Stealthwatch 'Response Management' capability an admin can define specific alerts that will produce additional responses (send a Syslog, send an email, etc,...).  Those alert on specific conditions and the suggestion is that those be used when looking for (or 'hunting') specific evidence of some investigation.    I hope this helps.  We're always looking to improve those videos (if it came from the Cisco Stealthwatch team).    Brian ... View more

Sorry. I would suggest that since this is a Cisco Stealthwatch Support forum you might try running the Stealthwatch Flow Collector. It works and we have some diagnostic capabilities there. You should request support for that open source Joy project via the email alias defined on Github. ... View more

I should have asked what your Stealthwatch Flow Collector was reporting. ... View more

What's showing up at your Flow Collector? ... View more

The easy way to test that basic Encrypted Traffic Analytics is working is to connect a client computer running a web browser using SSL/TLS to a server or website.  The Catalyst needs to be inline preferably connected to the client or the server.  The Catalyst should create both NetFlow and ET Analytics data for that connection and export it to the Flow Collector.  Once processed you'll be able to create a Flow Query (Flow Search) using either the Client or server IP address as the 'Subject' and then find the connection.  If you look through the fields available you'll find the TLS version and other fields related to  the establishment of that SSL/TLS connection.  If you make the Subject IP the servers's address you'll be able to see data about all SSL/TLS connections going through that Catalyst (or other ETA capable device) to the server.  We called this the 'Crypto Audit' use case.  Try using different browsers or an older version of a browser that may not support TLS 1.2 or 1.3. ... View more

Building flow (or Relationship) maps using Stealthwatch is based on your defined Host Groups. Relationship Maps show the policies that Stealthwatch knows about between these groups.  Host Groups are based on IP addresses. You can define Host Groups as being 'inside' your protected network and outside. It sounds like your Relationship Map would map one or more inside Host Groups to the Host Group serving IP addresses from the proxy, and the inside Host Groups to the IP address pool used by the Firewall. ... View more

To be clear you would need to purchase Catalyst 9000 switches with the C1 license which grants a one year Stealthwatch Flow Collector and SMC license. ... View more

Osama, If you downloaded Stealthwatch version 6.10 from Cisco dot com then you do not need a trail license.  Version 6.10 and later features a 90 day trail license included with the product download. By the way, you will also need a Flow Collector. Hope this helps. Brian ... View more

Great question. The ability to process ETA meta data in Stealthwatch is a feature in version 6.9.2 and laterthat doesn't require any additional license.  That feature is off by default and needs to be enabled on both the SMC and Flow Collector.  See https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cta/configuration/SW_6_9_1_Stealthwatch_and_CTA_Configur… for more information. Those Catalyst 9000s each come with a 'flow license' that is added to the Stealthwatch solution to increase it's 'Flow Rate License'.  So if you bought 10 Catalysts 9300s and each came with a 50 FPS license you can add 500 fps (50 x 10 units) to your Stealthwatch fps simply by pointing that out to your Cisco customer success manager. I do not believe Stealthwatch is part of the DNA Advantage licensing at this time but that is always subject to change.  You should check with your Cisco partner or account manager. Stealthwatch is currently bundled with many Enterprise License agreements.  That means if you have an ELA you are entitled to use Stealthwatch and it's components for the term of that ELA. ... View more

Stealthwatch Enterprise version 6.10.2 reached General Availability yesterday and is available for customer download via Flexnet Cisco dot com software downloads. ... View more