About
Cisco Secure Network Analytics (Stealthwatch) uses NetFlow and other telemetry sources to feed into its analytics engine to detect a variety of threats and effect a response. This app monitors the behavior of a host on the network.
The csna app for Splunk SOAR retrieves network traffic metadata from the Stealthwatch management console. The retrieve flows action uses the Stealthwatch Reporting - Version 2 API to create flow searches and retrieve the searches' results. Stealthwatch is a multi-tenant (Domain) system, so the asset configuration must include a valid Tenant (Domain) name on the management console.
To retrieve flow data, a Subject IP (malicious IP) is specified along with optional values for start time, timespan and record limit.
If the user accepts the default values for start time and timespan, the startDateTime is 60 minutes from the current time, and the endDateTime is the current time, effectively returning flow records for the past hour. The record limit specifies the maximum number (default 2000) of flow records to return.
The action result includes a list of flow records, including such fields as Peer IP, Port, Protocol, Byte count, Packet count, Username and Payload.
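As an added illustration (not the csna app's own code), the function below builds the Reporting v2 flow-search request that the retrieve flows action issues, applying the defaults described above: endDateTime is now, startDateTime is 60 minutes earlier, and recordLimit is 2000. The URL path and body keys follow Cisco's published Reporting v2 examples; the behaviour when an explicit start time is given (window = start time plus timespan) and the numeric tenant id are assumptions.

```python
"""Build a Stealthwatch Reporting v2 flow-search request (added example)."""
import ipaddress
from datetime import datetime, timedelta, timezone

DEFAULT_TIMESPAN_MIN = 60      # page default: window starts 60 minutes before now
DEFAULT_RECORD_LIMIT = 2000    # page default: return at most 2000 flow records


def _iso(ts: datetime) -> str:
    # Reporting v2 takes UTC timestamps of the form 2024-01-01T12:00:00Z
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_flow_search(smc_host, tenant_id, subject_ip, start_time=None,
                      timespan_min=DEFAULT_TIMESPAN_MIN,
                      record_limit=DEFAULT_RECORD_LIMIT, now=None):
    """Return (url, json_body) for POST .../tenants/{id}/flows/queries.

    tenant_id is the numeric Tenant (Domain) id on the management console
    (assumption: the app resolves the configured tenant name to this id).
    """
    if not tenant_id:
        raise ValueError("asset configuration must provide a Tenant (Domain)")
    # Validate the subject before it reaches the SMC; rejects e.g. '1.2.3'
    subject = str(ipaddress.ip_address(subject_ip))
    if record_limit < 1:
        raise ValueError("record limit must be a positive integer")

    now = now or datetime.now(timezone.utc)
    if start_time is None:
        end = now                                   # endDateTime = current time
        start = end - timedelta(minutes=timespan_min)  # startDateTime = now - timespan
    else:
        start = start_time                          # assumption: explicit start ...
        end = start + timedelta(minutes=timespan_min)  # ... plus timespan

    url = f"https://{smc_host}/sw-reporting/v2/tenants/{tenant_id}/flows/queries"
    body = {
        "startDateTime": _iso(start),
        "endDateTime": _iso(end),
        "recordLimit": record_limit,
        "subject": {"ipAddresses": {"includes": [subject]}},
        "flow": {"flowDirection": "BOTH"},
    }
    return url, body


if __name__ == "__main__":
    # Constructed sample: hypothetical SMC host, tenant 102, suspect host 10.0.0.5
    print(build_flow_search("smc.example.internal", 102, "10.0.0.5"))
```

The returned search id from this POST is then polled for results; the fields listed above (Peer IP, Port, Protocol, Byte count, Packet count, Username, Payload) are read from those results.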
This app was commissioned by the Cisco Systems Federal Security team and is being evaluated for customer deployment.
Name of the app: csna
Integration: Cisco Secure Network Analytics (formerly Stealthwatch) app for Splunk SOAR