splunk-soar-connectors / .github

Stores default community health files for the organization
Apache License 2.0

Cisco Secure Network Analytics (formerly Stealthwatch) app submission #38

Closed joelwking closed 2 years ago

joelwking commented 2 years ago

Name of the app: csna

Integration: Cisco Secure Network Analytics (formerly Stealthwatch) app for Splunk SOAR

About: Cisco Secure Network Analytics (Stealthwatch) uses NetFlow and other telemetry sources to feed into its analytics engine to detect a variety of threats and effect a response. This app monitors the behavior of a host on the network.

The csna app for Splunk SOAR retrieves network traffic metadata from the Stealthwatch management console. The retrieve flows action uses the Stealthwatch Reporting - Version 2 API call to create flow searches and retrieve the searches' results. Stealthwatch is a multi-tenant (Domain) system. The asset configuration must include a valid Tenant (Domain) name on the management console.

To retrieve flow data, a Subject IP (malicious IP) is specified along with optional values for start time, timespan and record limit.

If the user accepts the default values for start time and timespan, the startDateTime is 60 minutes from the current time, and the endDateTime is the current time, effectively returning flow records for the past hour. The record limit specifies the maximum number (default 2000) of flow records to return.

The action result includes a list of flow records, including such fields as Peer IP, Port, Protocol, Byte count, Packet count, Username and Payload.

This app was commissioned by the Cisco Systems Federal Security team and is being evaluated for customer deployment.
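As an added illustration, not code from the csna connector or from the submission above, here is the parameter handling the description implies for the retrieve flows action: validating the Subject IP, applying the default one-hour window ending at the current time and the default record limit of 2000, and emitting startDateTime/endDateTime values. The request-body layout (recordLimit, subject.ipAddresses.includes) and the rule that a supplied start time plus the timespan gives the end time (capped at now) are assumptions, not documented Stealthwatch API facts.

```python
"""Build a flow-search request from Splunk SOAR action parameters (illustrative)."""
from datetime import datetime, timedelta, timezone
import ipaddress

DEFAULT_TIMESPAN_MINUTES = 60   # description: default window is the past hour
DEFAULT_RECORD_LIMIT = 2000     # description: default maximum flow records


def _parse_time(value):
    """Accept a datetime or an ISO-8601 string; naive values are taken as UTC."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)


def _iso_utc(dt):
    """Format as an ISO-8601 UTC timestamp without sub-seconds."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_flow_query(subject_ip, start_time=None, timespan_minutes=None,
                     record_limit=None, now=None):
    """Validate the action parameters and return the flow-search body (assumed layout)."""
    # Reject anything that is not a single host address before it reaches the API.
    try:
        subject = ipaddress.ip_address(subject_ip.strip())
    except ValueError as exc:
        raise ValueError(f"invalid subject IP: {subject_ip!r}") from exc

    timespan = DEFAULT_TIMESPAN_MINUTES if timespan_minutes is None else int(timespan_minutes)
    limit = DEFAULT_RECORD_LIMIT if record_limit is None else int(record_limit)
    if timespan <= 0 or limit <= 0:
        raise ValueError("timespan and record limit must be positive integers")

    current = _parse_time(now) if now is not None else datetime.now(timezone.utc)
    if start_time is None:
        # Default: the window ends now and starts `timespan` minutes earlier.
        end, start = current, current - timedelta(minutes=timespan)
    else:
        # Assumption: an explicit start time runs for `timespan` minutes, never past now.
        start = _parse_time(start_time)
        end = min(start + timedelta(minutes=timespan), current)
        if end <= start:
            raise ValueError("start time must be in the past")

    return {
        "startDateTime": _iso_utc(start),
        "endDateTime": _iso_utc(end),
        "recordLimit": limit,
        "subject": {"ipAddresses": {"includes": [str(subject)]}},
    }
```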

pzhou-splunk commented 2 years ago

Repo created at https://github.com/splunk-soar-connectors/csna