Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About brford
brford
Member since
02-12-2001
Cisco Employee
Personal Web Page : http://www.cisco.com/go/stealthwatch
Created by
brford
in Security Analytics and Management
in Security Analytics and Management
04-17-2019
12:38 PM
04-17-2019
12:38 PM
Para problemas de licenciamento, você precisa entrar em contato com o suporte técnico através do Cisco TAC.
... View more
Created by
brford
in Security Analytics and Management
in Security Analytics and Management
03-29-2019
05:39 PM
03-29-2019
05:39 PM
OK. For this flow record to work with Cisco Stealthwatch (v6.10 or later) you'll need the following:
match ipv4 proto
match ipv4 source addr
match ipv4 destination addr
match transport source-port
match transport destination-port
match ipv4 tos
collect interface out
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
These are REQUIRED flow record fields for Stealthwatch v6.10 and later.
You can add the following optional data elements to that flow record:
collect routing next-hop address ipv4 (used for closest interface determination)
collectipv4 ttl minimum
collect ipv4 ttl max (these two data elements are used to understand the path of the flow through the network)
collect transport tcp flag (to gain more insight into TCP connections)
... View more
- Tags:
- eta
- stealthwatch
03-29-2019
08:41 AM
Here is an end of March 2019 update regarding Cisco Stealthwatch Labs available in dCloud.
Cisco Stealthwatch 7.0 and ETA Use Cases Sandbox v2.1
The Cisco Stealthwatch 7.0 Use Cases v2.1 Sandbox is a live environment that shows how Cisco Stealthwatch can transform the network into a sensor to detect insider threats and identify anomalous behavior.There are a number of different exercises in this lab so that learners can complete the lab one exercise at a time or all in one session. For learners new to Stealthwatch plan on spending up to 8 hours. If the learner worked with a previous version of Stealthwatch (v 6.10 or earlier) the lab can be completed in as little as 2 hours.This lab has been used for the Cisco Stealthwatch Test Drive seminar and webinar series.
Cisco Stealthwatch 7.0 Deployment Lab v1
The goal of this hands-on lab is to teach the methodology required to successfully deploy a base Stealthwatch installation. By completing the included lab scenarios, you will deploy several Stealthwatch appliances in a simulated customer environment.
This lab provides administrative access to a fresh (new installation) Stealthwatch instance and exposes the learner to information gathering and steps to deploy in a virtual environment. Expect to spend at least 4 hours to complete this lab; more if you are new to Stealthwatch.
Cisco Stealthwatch 7.0 v1 - Instant Demo
This demo can be used to show customers the enhanced visibility and security analytics that be generated from the network. It features Stealthwatch Enterprise solutions such as Encrypted Traffic Analytics (ETA) as well as outsider threat detection such as malware, zero-day attacks, distributed denial-of-service (DDoS) attempts, command-and-control (C2) communications, advanced persistent threats (APTs), and insider threats like data exfiltration and data hoarding.
As data in this lab is pre-populated there is little or no need to reserve and run days in advance.
Cisco Stealthwatch Cloud v1 - Instant Demo
Demonstration how Stealthwatch Cloud provides comprehensive network visibility from the datacenter to the cloud. It is composed of two products, Public Cloud Monitor and Private Network Monitor.
As in instant demo the data here is pre-populated and there is no need to reserve days in advance.
Keep in mind that Stealthwatch is available in all dCloud data centers. The timing of replay data should coincide with business hours of the data center.
... View more
- Tags:
- stealthwatch
Labels:
Created by
brford
in Security Analytics and Management
in Security Analytics and Management
03-29-2019
07:41 AM
03-29-2019
07:41 AM
That's a good looking 9300 NetFlow for Stealthwatch config but it doesn't enable ETA.
While Encrypted Traffic Analytics (ETA) currently uses Cisco NetFlow v9 as it's transport (export) protocol it is not enabled as part of the standard NetFlow configuration. You want to take a look at the 'et-analytics ...' commands in order to enable ETA processing and export.
The ETA process on the 9300 is separate from the NetFlow process. ETA uses one of the available exporters; so if you configure NetFlow as you described and enable ETA your device will report 2 exporters.
For the 9300 see:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/nmgmt/b_166_nmgmt_9300_cg/b_166_nmgmt_9300_cg_chapter_01000.pdf
... View more
Created by
brford
in Security Analytics and Management
in Security Analytics and Management
03-22-2019
06:49 AM
03-22-2019
06:49 AM
What version of Stealthwatch are you using?
... View more
Created by
brford
in Threat Insights
in Threat Insights
03-22-2019
06:24 AM
03-22-2019
06:24 AM
OK. Lots going on here.
You have defined two host groups: Link Local and Bogon Subnets
The inside IP 169.254.162.200 appears in both of those host groups.
You are seeing 4 different alarms: High SMB Peers, New Flows, Max flows, and Connect to Bogon.
The 'New Flows' should not normally be an issue. It just means a new device has started connecting over the network.
The 'Max flows' could be an issue. It means that you have a baseline set and that the source IP host is exceeding that baseline. That could be a start up issue with a new deployment (and ignored) OR it could mean that host is suddenly very active and should be investigated.
You have a 'High SMB Peers' alarm. That's the same as above. The baseline on a new install could be low. That could go away over the next days or weeks. In the meantime investigate what that host is doing.
The 'Connect to Bogon' means that some inside host is connecting to an external (outside) IP that has been identified as a Bogon. Bogon's are IP addresses that either should not or do not exist in public IP address space. That could be something that is built into a security event in your local SW or it could be coming from the Threat Intel feed or the Cognitive Threat Analytics. I don't know which you have configured.
In general you should investigate these Bogon connections and consider adding ACLs to either your Internet router or your Firewall to block those connections.
Hope this helps.
Brian
... View more
Created by
brford
in Security Analytics and Management
in Security Analytics and Management
03-21-2019
11:21 AM
03-21-2019
11:21 AM
If the SMC DNS is configured then entries in the Web GUI should be resolved to a URL and domain. DNS is configured when the SMC is installed. The admin should be able to update that setting on the SMC.
... View more
Created by
brford
in Security Analytics and Management
in Security Analytics and Management
03-21-2019
11:18 AM
03-21-2019
11:18 AM
Bob,
Yes. I suggest that any telemetry you send to the primary Flow Collector you use UDP Director to duplicate that at the secondary Flow Collector. UDP Director is the best way to do that rather than exporting flow to each Flow collector from each exporter.
I would assume the back up data center has it's own Internet connection. Send those network translation (NAT) logs to the secondary; not the primary.
If you enable Cognitive Intelligence make sure that you only send from the primary flow collector. You can add the second flow collector to your account but only enable that when the primary in down.
You should be able to login to the Stealthwatch SMC at the backup facility and see just the traffic from the at site.
The SMC at the backup site will not be secondary. Primary - secondary is used when you have 2 SMCs working with the same Flow Collector. The primary will be admin for that deployment (where admin can make config changes) and the secondary will be useful for any other (than admin) user. It allows the Stealthwatch UI to scale up.
Hope this helps!
Brian
... View more
Created by
brford
in Security Analytics and Management
in Security Analytics and Management
01-14-2019
07:43 AM
01-14-2019
07:43 AM
Carlos,
Have you configured your Stealthwatch Management Console (SMC) so that it can resolve using a local DNS? If so (and if the local IP is listed in the local DNS DB) I believe that those network addresses should resolve to host names in the WebGUI.
I hope this helps.
Brian
... View more
Created by
brford
in Security Analytics and Management
in Security Analytics and Management
01-14-2019
07:40 AM
01-14-2019
07:40 AM
Using Stealthwatch and the Management Console what I'd suggest you do is look at the 'Top Alarming Hosts' and "Cognitive Threat Analytics' widgets.
Top Alarming hosts offers a list of the top alarming hosts based on all alerts and how Stealthwatch alerting has been tuned. Alerts contribute to a numeric score and the hosts with the highest score are ranked in that widget. It's updated every couple of minutes. Hosts listed are often 'inside' and as such most of the detections there are 'lateral' or 'east - west' (about activity between hosts inside your protected network).
The Cogntive widget provides risk scores based on analysis of data that your Flow Collector sent to the Cisco Cloud. This extends the analysis to include external hosts (or north south connectivity).
Through a service that uses the Stealthwatch APIs you can export data about either Top Alarming Hosts or Cognitive Threat Analytics to your own external programs or databases.
Using the Stealthwatch 'Response Management' capability an admin can define specific alerts that will produce additional responses (send a Syslog, send an email, etc,...). Those alert on specific conditions and the suggestion is that those be used when looking for (or 'hunting') specific evidence of some investigation.
I hope this helps. We're always looking to improve those videos (if it came from the Cisco Stealthwatch team).
Brian
... View more
- Tags:
- stealthwatch
Created by
brford
in Security Analytics and Management
in Security Analytics and Management
11-25-2018
06:54 AM
11-25-2018
06:54 AM
Dan,
Start with just one Management Console (SMC) and one Flow Collector (FC).
Configure NetFlow v9 on all of your routers to export to the IP of the Flow Collector.
This will give you visibility into traffic moving across your WAN.
If you have a Internet connection to an Internet Service Provider at one of these sites you will probably want to understand flows to and from the Internet. You can do that three different ways. #1 - Some Firewalls can export their NAT translations via Syslog to the Flow Collector. Stealthwatch can process those logs from Cisco and Palo Alto Firewalls. #2 - If you have a proxy server (Squid, Blue Coat, Cisco, or McAfee) you can also send those proxy logs to the Flow Collector. #3 - You can install a Flow Sensor with interfaces on either side of the Firewall and export IPFIX from the FS to the Flow Collector.
I would start with this.
The layer 2 switches sound like access devices attached to the router (collapsed bypassing the need for an aggregation layer). If you have aggregation L3 switches at any site you can also export NetFlow from those.
Hope this helps.
Brian
... View more
- Tags:
- stealthwatch
Created by
brford
in Security Analytics and Management
in Security Analytics and Management
10-29-2018
10:29 AM
10-29-2018
10:29 AM
Sorry. I would suggest that since this is a Cisco Stealthwatch Support forum you might try running the Stealthwatch Flow Collector. It works and we have some diagnostic capabilities there. You should request support for that open source Joy project via the email alias defined on Github.
... View more
Created by
brford
in Security Analytics and Management
in Security Analytics and Management
10-29-2018
09:46 AM
10-29-2018
09:46 AM
I should have asked what your Stealthwatch Flow Collector was reporting.
... View more
Created by
brford
in Security Analytics and Management
in Security Analytics and Management
10-29-2018
09:36 AM
10-29-2018
09:36 AM
What's showing up at your Flow Collector?
... View more
Created by
brford
in Other Network Architecture Subjects
in Other Network Architecture Subjects
10-24-2018
10:54 AM
10-24-2018
10:54 AM
That configuration is not supported.
@joe.fodor wrote:
We are looking into installing stealth watch on our 4331s as a container on the NIM 200GB SSD card. I was curious if anyone has done this and how well does it work?
... View more
Created by
brford
in Security Analytics and Management
Wednesday
Wednesday
Para problemas de licenciamento, você precisa entrar em contato com o
suporte técnico através do Cis...
3 weeks ago
OK. For this flow record to work with Cisco Stealthwatch (v6.10 or
later) you'll need the following:...
3 weeks ago
Here is an end of March 2019 update regarding Cisco Stealthwatch Labs
available in dCloud. Cisco Ste...
3 weeks ago
That's a good looking 9300 NetFlow for Stealthwatch config but it
doesn't enable ETA. While Encrypte...
Created by
brford
in Security Analytics and Management
a month ago
a month ago
What version of Stealthwatch are you using?
a month ago
OK. Lots going on here. You have defined two host groups: Link Local and
Bogon Subnets The inside IP...
Created by
brford
in Security Analytics and Management
a month ago
a month ago
If the SMC DNS is configured then entries in the Web GUI should be
resolved to a URL and domain. DNS...
Created by
brford
in Security Analytics and Management
a month ago
a month ago
Bob, Yes. I suggest that any telemetry you send to the primary Flow
Collector you use UDP Director t...
01-14-2019 07:43 AM
Carlos, Have you configured your Stealthwatch Management Console (SMC)
so that it can resolve using ...
Created by
brford
in Security Analytics and Management
01-14-2019 07:40 AM
01-14-2019 07:40 AM
Using Stealthwatch and the Management Console what I'd suggest you do is
look at the 'Top Alarming H...
Created by
brford
in Security Analytics and Management
11-25-2018 06:54 AM
11-25-2018 06:54 AM
Dan, Start with just one Management Console (SMC) and one Flow Collector
(FC). Configure NetFlow v9 ...
Created by
brford
in Security Analytics and Management
10-29-2018 10:29 AM
10-29-2018 10:29 AM
Sorry. I would suggest that since this is a Cisco Stealthwatch Support
forum you might try running t...
Created by
brford
in Security Analytics and Management
10-29-2018 09:46 AM
10-29-2018 09:46 AM
I should have asked what your Stealthwatch Flow Collector was reporting.
Created by
brford
in Security Analytics and Management
10-29-2018 09:36 AM
10-29-2018 09:36 AM
What's showing up at your Flow Collector?
Created by
brford
in Other Network Architecture Subjects
10-24-2018 10:54 AM
10-24-2018 10:54 AM
That configuration is not supported. @joe.fodor wrote: We are looking
into installing stealth watch ...
Public Statistics
| Date Registered | 02-12-2001 11:09 AM |
| Date Last Visited | 04-17-2019 07:26 PM |
| Total Messages Posted | 105 |
| Total Helpful Votes Received | 62 |
Helpful Votes Given To
| User | Helpful Count |
|---|---|
| 7 | |
| 15 | |
| 5 | |
| 1 | |
| 5 |
