Cisco Stealthwatch
The JSA DSM for Cisco Stealthwatch receives events from a Cisco Stealthwatch device.
The following table identifies the specifications for the Cisco Stealthwatch DSM:

Specification | Value
---|---
Manufacturer | Cisco
DSM name | Cisco Stealthwatch
RPM file name | DSM-CiscoStealthwatch-JSA_version-build_number.noarch.rpm
Supported versions | 6.8
Protocol | Syslog
Event format | LEEF
Recorded event types | Anomaly, Data Hoarding, Exploitation, High Concern Index, High DDoS Source Index, High Target Index, Policy Violation, Recon, High DDoS Target Index, Data Exfiltration, C&C
Automatically discovered? | Yes
Includes identity? | No
Includes Custom properties? | No
More information | Cisco Stealthwatch website (http://www.cisco.com)
To integrate Cisco Stealthwatch with JSA, complete the following steps:

- If automatic updates are not configured, download the most recent version of the following RPMs from the Juniper Downloads onto your JSA console:
  - DSMCommon RPM
  - Cisco Stealthwatch DSM RPM
- Configure your Cisco Stealthwatch device to send syslog events to JSA.
- If JSA does not automatically detect the log source, add a Cisco Stealthwatch log source on the JSA Console. The following table describes the parameters that require specific values for Cisco Stealthwatch event collection:

Table 2: Cisco Stealthwatch Log Source Parameters

Parameter | Value
---|---
Log Source type | Cisco Stealthwatch
Protocol Configuration | Syslog
Log Source | A unique identifier for the log source.
Configuring Cisco Stealthwatch to Communicate with JSA
Cisco Stealthwatch can forward events of different message types, including customized syslog messages, to third parties.
- Log in to the Stealthwatch Management Console (SMC) as an administrator.
- In the menu bar, click Configuration > Response Management.
- From the Actions section in the Response Management menu, click Add > Syslog Message.
- In the Add Syslog Message Action window, configure the following parameters:

Parameter | Value
---|---
Name | The name for the syslog message action.
Enabled | This check box is enabled by default.
IP Address | The IP address of the JSA Event Collector.
Port | The default port is port 514.
Format | Select Syslog Formats.

- Enter the following custom format as a single line, with no spaces after the pipe characters:

LEEF:2.0|Lancope|Stealthwatch|6.8|{alarm_type_id}|0x7C|src={source_ip}|dst={target_ip}|dstPort={port}|proto={protocol}|msg={alarm_type_description}|fullmessage={details}|start={start_active_time}|end={end_active_time}|cat={alarm_category_name}|alarmID={alarm_id}|sourceHG={source_host_group_names}|targetHG={target_host_group_names}|sourceHostSnapshot={source_url}|targetHostSnapshot={target_url}|flowCollectorName={device_name}|flowCollectorIP={device_ip}|domain={domain_name}|exporterName={exporter_hostname}|exporterIPAddress ={exporter_ip}|exporterInfo={exporter_label}|targetUser={target_username}|targetHostname={target_hostname}|sourceUser={source_username}|alarmStatus={alarm_status}|alarmSev={alarm_severity_name}

- Select the custom format from the list and click OK.

Note: Use the Test button to send a test message to JSA.

- Click Response Management > Rules.
- Click Add and select Host Alarm.
- Provide a rule name in the Name field.
- Create rules by selecting values from the Type and Options menus. To add more rules, click the ellipsis icon. For a Host Alarm, combine as many types in a single statement as possible.
- In the Action dialog, select the JSA syslog action for both the Active and Inactive conditions. The event is forwarded to JSA when any predefined condition is satisfied.
Cisco Stealthwatch Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Cisco Stealthwatch sample messages when you use the Syslog protocol
Sample 1: The following sample event message shows that a watched port is active.

<134>Sep 12 14:03:02 cisco.stealthwatch.test StealthWatch[4969]: LEEF:2.0|Lancope|Stealthwatch|6.8|13|0x7C|src=10.243.54.38|dst=10.100.11.12|dstPort=784|proto=6|msg=A watched port number has become active.|fullmessage=IANAUnassigned (784/tcp) from 10.100.11.12|start=2019-09-12T14:02:30Z|end=|cat=Watch Port Active|alarmID=3X-1F6B-86U2-YUUR-7|sourceHG=Country|targetHG=Catch All|sourceHostSnapshot=https://10.36.52.20/test-page/test.html#/host/10.243.54.38|targetHostSnapshot=https://10.36.52.20/landing-page/abc.html#/host/10.100.11.12|flowCollectorName=flow|flowCollectorIP=10.20.25.23|domain=abcd.ab.example.test|exporterName=|exporterIPAddress =|exporterInfo=|targetUser=|targetHostname=|sourceUser=|alarmStatus=ACTIVE|alarmSev=Major

JSA field name | Highlighted fields and values in the event payload
---|---
Event ID | 13
Event Category | Watch Port Active
Source IP | src
Destination IP | dst
Destination Port | dstPort
Protocol | proto
Sample 2: The following sample event message shows that there is suspicious activity.

<134>Sep 12 13:19:27 cisco.stealthwatch.test StealthWatch[4969]: LEEF:2.0|Lancope|Stealthwatch|6.8|99|0x7C|src=10.10.10.10|dst=10.237.198.232|dstPort=80|proto=6|msg=The host has been observed doing something bad to another host.|fullmessage=Source Host is http (80/tcp) client to target.host.name (10.237.198.232)|start=2019-09-05T08:48:34Z|end=2019-09-05T08:48:34Z|cat=Anomaly|alarmID=3Y-13Y1-QJJ2-YYA9-U|sourceHG=Department, Inside|targetHG=target, Outside|sourceHostSnapshot=https://10.10.10.20/some/path|targetHostSnapshot=https://10.10.10.20/some/path|flowCollectorName=Collector|flowCollectorIP=10.10.10.20|domain=Corporate Domain|exporterName=exporter.host.name|exporterIPAddress =10.20.30.40|exporterInfo=exporter.host.name (10.20.30.40)|targetUser=admin|targetHostname=www.host.test|sourceUser=admin|alarmStatus=ACTIVE|alarmSev=Critical

JSA field name | Highlighted fields and values in the event payload
---|---
Event ID | 99
Event Category | Anomaly
Source IP | src
Destination IP | dst
Destination Port | dstPort
Protocol | proto
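The following Python parser is an added example, not JSA or Cisco code. It reads messages produced by the custom format configured in the SMC (LEEF 2.0 header, `0x7C` attribute delimiter) and applies the JSA field mapping from the two sample tables above, so you can check a captured message the same way JSA's DSM will interpret it. The two samples are copied from this page with the line-wrap spaces removed; the handling of LEEF 1.0 tab-delimited messages and the `JSA_FIELD_MAP` table are assumptions of the example and go beyond what the DSM documentation states.

```python
"""Parse Cisco Stealthwatch LEEF syslog messages and apply the JSA field mapping.
Added example; not JSA or Cisco code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# JSA field -> where the value comes from.  "__event_id__" is the EventID header
# field; every other entry is a LEEF attribute key from the page's custom format.
JSA_FIELD_MAP = {
    "Event ID": "__event_id__",
    "Event Category": "cat",
    "Source IP": "src",
    "Destination IP": "dst",
    "Destination Port": "dstPort",
    "Protocol": "proto",
}

# Syslog prefix as in the samples: <PRI>timestamp host tag[pid]: LEEF:...
SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<header>.*?)\s*(?=LEEF:)")


@dataclass
class LeefEvent:
    pri: Optional[int]
    syslog_header: str
    leef_version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    delimiter: str
    attrs: Dict[str, str] = field(default_factory=dict)


def resolve_delimiter(spec: str) -> str:
    """LEEF 2.0 names the attribute separator literally or as hex (0x7C is '|')."""
    s = spec.strip().lower()
    if s.startswith("0x"):
        return chr(int(s[2:], 16))
    if s.startswith("x") and len(s) > 1:
        return chr(int(s[1:], 16))
    if len(spec) == 1:
        return spec
    raise ValueError(f"unrecognized LEEF delimiter field: {spec!r}")


def parse_leef(raw: str) -> LeefEvent:
    # The page says to strip any CR/LF picked up when pasting a sample; do the same.
    msg = raw.replace("\r", "").replace("\n", "")
    m = SYSLOG_RE.match(msg)
    if m:
        pri: Optional[int] = int(m.group("pri"))
        header = m.group("header").strip()
        msg = msg[m.end():]
    else:
        pri, header = None, ""
        start = msg.find("LEEF:")
        if start < 0:
            raise ValueError("no LEEF header in message")
        msg = msg[start:]
    # Header layout: LEEF:2.0|Vendor|Product|Version|EventID|Delimiter|attrs
    # LEEF 1.0 (assumed here) has no Delimiter field and separates attributes with a tab.
    version_tag = msg.split("|", 1)[0]
    if version_tag == "LEEF:1.0":
        parts = msg.split("|", 5)
        if len(parts) < 5:
            raise ValueError("malformed LEEF 1.0 header")
        delim_spec = ""
        attr_blob = parts[5] if len(parts) > 5 else ""
    else:
        parts = msg.split("|", 6)
        if len(parts) < 6:
            raise ValueError("malformed LEEF 2.0 header")
        delim_spec = parts[5]
        attr_blob = parts[6] if len(parts) > 6 else ""
    delim = "\t" if delim_spec == "" else resolve_delimiter(delim_spec)
    attrs: Dict[str, str] = {}
    for token in attr_blob.split(delim):
        if not token.strip():
            continue  # trailing delimiter or paste residue
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {token!r}")
        # The custom format writes 'exporterIPAddress =' with a space before '=',
        # and empty values such as 'end=' are legitimate; strip keys and values.
        attrs[key.strip()] = value.strip()
    return LeefEvent(pri, header, version_tag[len("LEEF:"):], parts[1], parts[2],
                     parts[3], parts[4], delim, attrs)


def to_jsa_fields(ev: LeefEvent) -> Dict[str, str]:
    """Apply the page's JSA field mapping to a parsed event."""
    return {jsa: (ev.event_id if src == "__event_id__" else ev.attrs.get(src, ""))
            for jsa, src in JSA_FIELD_MAP.items()}


# Sample messages from this page, joined onto single lines.
SAMPLE_1 = ("<134>Sep 12 14:03:02 cisco.stealthwatch.test StealthWatch[4969]: LEEF:2.0|Lancope|Stealthwatch|6.8|13|0x7C|src=10.243.54.38|dst=10.100.11.12|dstPort=784|proto=6|msg=A watched port number has become active.|fullmessage=IANAUnassigned (784/tcp) from 10.100.11.12|start=2019-09-12T14:02:30Z|end=|cat=Watch Port Active|alarmID=3X-1F6B-86U2-YUUR-7|sourceHG=Country|targetHG=Catch All|sourceHostSnapshot=https://10.36.52.20/test-page/test.html#/host/10.243.54.38|targetHostSnapshot=https://10.36.52.20/landing-page/abc.html#/host/10.100.11.12|flowCollectorName=flow|flowCollectorIP=10.20.25.23|domain=abcd.ab.example.test|exporterName=|exporterIPAddress =|exporterInfo=|targetUser=|targetHostname=|sourceUser=|alarmStatus=ACTIVE|alarmSev=Major")
SAMPLE_2 = ("<134>Sep 12 13:19:27 cisco.stealthwatch.test StealthWatch[4969]: LEEF:2.0|Lancope|Stealthwatch|6.8|99|0x7C|src=10.10.10.10|dst=10.237.198.232|dstPort=80|proto=6|msg=The host has been observed doing something bad to another host.|fullmessage=Source Host is http (80/tcp) client to target.host.name (10.237.198.232)|start=2019-09-05T08:48:34Z|end=2019-09-05T08:48:34Z|cat=Anomaly|alarmID=3Y-13Y1-QJJ2-YYA9-U|sourceHG=Department, Inside|targetHG=target, Outside|sourceHostSnapshot=https://10.10.10.20/some/path|targetHostSnapshot=https://10.10.10.20/some/path|flowCollectorName=Collector|flowCollectorIP=10.10.10.20|domain=Corporate Domain|exporterName=exporter.host.name|exporterIPAddress =10.20.30.40|exporterInfo=exporter.host.name (10.20.30.40)|targetUser=admin|targetHostname=www.host.test|sourceUser=admin|alarmStatus=ACTIVE|alarmSev=Critical")

if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        ev = parse_leef(sample)
        print(ev.syslog_header, ev.attrs["alarmSev"], to_jsa_fields(ev))
```

Run it against a message captured from the Test button or from the JSA Event Collector's raw payload: if `to_jsa_fields` returns empty strings for Event Category or the IP fields, the custom format was not entered as one line, or a `|` was lost when it was pasted into the SMC.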