Cisco Stealthwatch

The JSA DSM for Cisco Stealthwatch receives events from a Cisco Stealthwatch device.

The following table identifies the specifications for the Cisco Stealthwatch DSM:

Table 1: Cisco Stealthwatch DSM Specifications

Specification                 Value
Manufacturer                  Cisco
DSM name                      Cisco Stealthwatch
RPM file name                 DSM-CiscoStealthwatch-JSA_version-build_number.noarch.rpm
Supported versions            6.8
Protocol                      Syslog
Event format                  LEEF
Recorded event types          Anomaly, Data Hoarding, Exploitation, High Concern Index, High DDoS Source Index, High Target Index, Policy Violation, Recon, High DDoS Target Index, Data Exfiltration, C&C
Automatically discovered?     Yes
Includes identity?            No
Includes custom properties?   No
More information              Cisco Stealthwatch website (http://www.cisco.com)

To integrate Cisco Stealthwatch with JSA, complete the following steps:

  1. If automatic updates are not configured, download the most recent version of the following RPMs on your JSA console:

    • DSMCommon RPM

    • Cisco Stealthwatch DSM RPM

  2. Configure your Cisco Stealthwatch device to send syslog events to JSA.

  3. If JSA does not automatically detect the log source, add a Cisco Stealthwatch log source on the JSA Console. The following table describes the parameters that require specific values for Cisco Stealthwatch event collection:

    Table 2: Cisco Stealthwatch Log Source Parameters

    Parameter                Value
    Log Source type          Cisco Stealthwatch
    Protocol Configuration   Syslog
    Log Source               A unique identifier for the log source.

The following table shows a sample syslog message supported by the Cisco Stealthwatch device:

Table 3: Cisco Stealthwatch Sample Syslog Message

Event name: 16

Low-level category: Network Threshold Policy Violation

Sample log message:

May 5 18:11:01 127.0.0.1 May 05 18:11:01 KW-SMC-100 StealthWatch[3706]: LEEF:2.0|Lancope|Stealthwatch|6.8|16|0x7C|src=127.0.0.1|dst=0.0.0.0|dstPort=|proto=|msg=The total traffic inbound + outbound exceeds the acceptable total traffic values.|fullmessage=Observed 3.95G bytes. Expected 2.22M bytes, tolerance of 50 allows up to 1.92G bytes.|start=2017-05-05T18:10:00Z|end=|cat=High Total Traffic|alarmID=3L-1CR1-JI38-QGNE-2|sourceHG=United States|targetHG=Unknown|sourceHostSnapshot=https://127.0.0.1/smc/getHostSnapshot?domainid=123&hostip=127.0.0.1&date=2017-05-05T18:10:00Z|targetHostSnapshot=https://127.0.0.1/smc/getHostSnapshot?domainid=123&hostip=0.0.0.0&date=2017-05-05T18:10:00Z|flowCollectorName=KW-FC-101|flowCollectorIP=127.0.0.1|domain=domain.com|exporterName=|exporterIPAddress=|exporterInfo=|targetUser=|targetHostname=|sourceUser=|alarmStatus=ACTIVE|alarmSev=Major
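To show how the Table 3 message decomposes into the header and attribute fields that JSA normalizes, here is an added Python parser; it is example code, not part of the JSA or Cisco documentation. It assumes the LEEF 2.0 delimiter field is either hex as in the sample (0x7C, the pipe character) or a single literal character, falls back to a tab when that field is absent, and uses a sample line constructed from Table 3 with a few trailing fields dropped.

```python
import re
# Constructed sample: the Table 3 message above, re-joined into the single syslog
# line the SMC emits (wrap artifacts removed, trailing fields dropped for brevity).
SAMPLE = (
    "May 5 18:11:01 127.0.0.1 May 05 18:11:01 KW-SMC-100 StealthWatch[3706]: "
    "LEEF:2.0|Lancope|Stealthwatch|6.8|16|0x7C|src=127.0.0.1|dst=0.0.0.0|dstPort=|"
    "proto=|msg=The total traffic inbound + outbound exceeds the acceptable total "
    "traffic values.|cat=High Total Traffic|alarmID=3L-1CR1-JI38-QGNE-2|"
    "sourceHG=United States|targetHG=Unknown|alarmStatus=ACTIVE|alarmSev=Major"
)

# LEEF header as Stealthwatch 6.8 sends it: LEEF:<leef>|Vendor|Product|Version|EventID|
LEEF_HEADER = re.compile(
    r"LEEF:(?P<leef>[\d.]+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<version>[^|]*)\|(?P<event_id>[^|]*)\|"
)

def parse_leef(line):
    """Return (header, attributes) for one LEEF syslog line, or None if no LEEF payload."""
    m = LEEF_HEADER.search(line)
    if m is None:
        return None
    header, rest = m.groupdict(), line[m.end():]
    delim = "\t"  # assumption: tab when no delimiter field is present (LEEF default)
    if header["leef"].startswith("2"):
        delim_field, _, attrs = rest.partition("|")
        if "=" in delim_field:  # no delimiter field at all; attributes start immediately
            attrs = rest
        else:  # hex form as in the sample (0x7C == '|'), or a literal single character
            hexm = re.fullmatch(r"0?x([0-9a-f]{1,2})", delim_field, re.I)
            delim = chr(int(hexm.group(1), 16)) if hexm else (delim_field or "\t")
    else:
        attrs = rest
    fields = {}
    for kv in attrs.split(delim):
        key, eq, val = kv.partition("=")
        if eq:  # keep empty values (dstPort=, proto=) so missing data stays visible
            fields[key] = val
    return header, fields

def alarm_summary(line):
    """Pick the fields a SOC maps first and list attributes the sensor left empty."""
    parsed = parse_leef(line)
    if parsed is None:
        return None
    header, f = parsed
    return {"event_id": header["event_id"], "category": f.get("cat", ""),
            "severity": f.get("alarmSev", ""), "status": f.get("alarmStatus", ""),
            "src": f.get("src", ""), "dst": f.get("dst", ""),
            "empty": sorted(k for k, v in f.items() if v == "")}
```

The "empty" list is worth watching in production: a Stealthwatch alarm that arrives with dstPort and proto blank, as in this sample, will not populate those fields in JSA even though the event itself is parsed.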

Configuring Cisco Stealthwatch to Communicate with JSA

Cisco Stealthwatch can forward events of different message types, including customized syslog messages, to third parties.

  1. Log in to the Stealthwatch Management Console (SMC) as an administrator.
  2. In the menu bar, click Configuration > Response Management.
  3. From the Actions section in the Response Management menu, click Add > Syslog Message.
  4. In the Add Syslog Message Action window, configure the following parameters:

    Parameter     Value
    Name          The name for the syslog message action.
    Enabled       This check box is enabled by default.
    IP Address    The IP address of the JSA Event Collector.
    Port          The default port is port 514.
    Format        Select Syslog Formats.

  5. Enter the following custom format:
  6. Select the custom format from the list and click OK.

    Note: Use the Test button to send a test message to JSA.

  7. Click Response Management > Rules.
  8. Click Add and select Host Alarm.
  9. Provide a rule name in the Name field.
  10. Create rules by selecting values from the Type and Options menus. To add more rules, click the ellipsis icon. For a Host Alarm, combine as many types as possible in a single statement.
  11. In the Action dialog, select the JSA syslog action for both the Active and Inactive conditions. The event is forwarded to JSA when any predefined condition is satisfied.