Cisco Stealthwatch uses NetFlow to provide visibility across the network, data center, branch offices, and the cloud. Its advanced security analytics uncover stealthy attacks on the extended network. Stealthwatch helps you use your existing network as a security sensor and enforcer to dramatically improve your threat defense.
This document provides information about the Stealthwatch connector, which facilitates automated interactions with a Stealthwatch server using FortiSOAR™ playbooks. Add the Stealthwatch connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving details about domains and retrieving inbound and outbound traffic information for a specified datetime range, or for the last 24 hours.
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with Stealthwatch Versions: 6.9.1 and later
For the procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the Stealthwatch connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
URL | URL of the Stealthwatch server to which you will connect and perform the automated operations. |
Username | Username to access the Stealthwatch server. |
Password | Password to access the Stealthwatch server. |
Verify SSL | Verify the SSL/TLS certificate presented by the Stealthwatch server. Defaults to True. Leave this enabled outside of a lab: with verification off, anyone on the network path can present a forged certificate and capture the username and password configured above. |
Many actions require identifiers of objects in the system, for example Domain ID, Exporter IP, Host Group ID, Interface, and Flow Collector ID. You can obtain these identifiers in either of the following two ways:
Use the Stealthwatch Management Console (SMC) client and look for the following tags in the configuration:
- `<domain id`
- `<host-group`
- `<interface if-index=`
- `<exporter ip=`
You can also obtain parameter values from the Command Line Interface (CLI) of the appliance. For example, type the following command on a Flow Collector to list the host group IDs (the final filter keeps only IDs below 60000):
```shell
grep id= /lancope/var/sw/today/config/groups.xml | awk '{print $2, $3, $4}' | sed 's/"//g' | sed 's/id=//g' | awk '$1<60000' | sort -k1,1n | less
```
To get the Domain ID for an SMC, type the following command:
```shell
ls /lancope/var/smc/config/ | grep domain
```
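The same lookup can be scripted when you have a copy of the SMC configuration and want to feed a playbook rather than read the XML by hand. The following is an added example, not code from the connector or from Cisco: it extracts the Domain ID, Host Group IDs, Exporter IP addresses and Interface if-index values from an XML document. The sample XML is constructed for illustration and only reuses the tag and attribute names quoted above (`<domain id`, `<host-group`, `<exporter ip=`, `<interface if-index=`); the real nesting of the SMC configuration files is an assumption here, so compare it with the files on your own appliance before relying on it.

```python
"""Extract the identifiers the connector actions ask for (Domain ID,
Host Group ID, Exporter IP Address, Interface if-index) from SMC
configuration XML. Added example, not code from the connector or from
Cisco; the XML layout is an assumption built from the tag names quoted
in the text."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample. Only the tag and attribute names come from the
# text; the nesting is assumed for illustration.
SAMPLE_SMC_CONFIG = """<?xml version="1.0"?>
<domain id="123" name="corp">
  <host-group id="1" name="Inside Hosts">
    <host-group id="50" name="Servers"/>
    <host-group id="65534" name="Catch All"/>
  </host-group>
  <exporter ip="10.0.0.1">
    <interface if-index="1" name="Gi0/0"/>
    <interface if-index="2" name="Gi0/1"/>
  </exporter>
  <exporter ip="not-an-ip">
    <interface if-index="1" name="bogus"/>
  </exporter>
</domain>
"""

# The CLI pipeline in the text keeps only host group ids below 60000;
# the same cut-off is applied here.
HOST_GROUP_ID_LIMIT = 60000


def parse_identifiers(xml_text: str) -> dict:
    """Return the action parameters found in the XML, keyed by the
    parameter names used in the connector tables."""
    root = ET.fromstring(xml_text)
    if root.tag != "domain" or root.get("id") is None:
        raise ValueError("expected a <domain id=...> root element")

    host_group_ids = sorted(
        {int(hg.get("id")) for hg in root.iter("host-group")
         if hg.get("id") is not None
         and int(hg.get("id")) < HOST_GROUP_ID_LIMIT}
    )

    exporters = {}
    for exp in root.iter("exporter"):
        raw_ip = exp.get("ip", "")
        try:
            # Accept only a literal IP address so that a malformed value
            # never reaches the Exporter IP Address parameter of an action.
            ip = str(ipaddress.ip_address(raw_ip))
        except ValueError:
            continue
        exporters[ip] = sorted(
            int(i.get("if-index")) for i in exp.iter("interface")
            if i.get("if-index") is not None
        )

    return {
        "Domain ID": int(root.get("id")),
        "Host Group ID": host_group_ids,
        "Exporter IP Address": exporters,  # ip -> [Interface if-index, ...]
    }


if __name__ == "__main__":
    import json
    print(json.dumps(parse_identifiers(SAMPLE_SMC_CONFIG), indent=2))
```

Because the output is keyed by the connector's own parameter names, a playbook step can take the Domain ID and one Host Group ID or Exporter IP address straight from this result. The exporter with the invalid address is dropped rather than passed on, which is the failure mode you want when the XML was hand-edited or partially corrupted.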
The following automated operations can be included in playbooks:
Input parameters: None.
All operations return a customized JSON output that is formatted for easy reference.
The JSON contains information for all the domains.
The following image displays a sample output:
Parameter | Description |
---|---|
Domain ID | ID of the domain for which you want to retrieve inbound and outbound traffic information. |
Start Date/Time (optional) | Start datetime in ISO 8601 format, from which you want to retrieve inbound and outbound traffic information. |
End Date/Time (optional) | End datetime in ISO 8601 format, up to which you want to retrieve inbound and outbound traffic information. |
Note: If you do not specify the datetime range, then the inbound and outbound traffic information is retrieved for the last 24 hours.
The JSON output contains the inbound and outbound traffic information for the datetime range and domain that you have specified.
The following image displays a sample output:
Parameter | Description |
---|---|
Domain ID | ID of the domain for which you want to retrieve inbound and outbound traffic information. |
Host Group ID | ID of the Host Group for which you want to retrieve inbound and outbound traffic information. |
Start Date/Time (optional) | Start datetime in ISO 8601 format, from which you want to retrieve inbound and outbound traffic information. |
End Date/Time (optional) | End datetime in ISO 8601 format, up to which you want to retrieve inbound and outbound traffic information. |
Note: If you do not specify the datetime range, then the inbound and outbound traffic information is retrieved for the last 24 hours.
The JSON output contains the inbound and outbound traffic information for the datetime range and Host Group ID that you have specified.
The following image displays a sample output:
Parameter | Description |
---|---|
Domain ID | ID of the domain for which you want to retrieve inbound and outbound traffic information. |
Flow Collector Device ID | ID of the Flow Collector Device generated by Stealthwatch. |
Exporter IP Address | IP of the Exporter, such as router or switch, for which you want to retrieve inbound and outbound traffic information. |
Interface | ID of the Interface created in Stealthwatch. |
Start Date/Time (optional) | Start datetime in ISO 8601 format, from which you want to retrieve inbound and outbound traffic information. |
End Date/Time (optional) | End datetime in ISO 8601 format, up to which you want to retrieve inbound and outbound traffic information. |
Note: If you do not specify the datetime range, then the inbound and outbound traffic information is retrieved for the last 24 hours.
The JSON output contains the inbound and outbound traffic information for the datetime range and Exporter IP address that you have specified.
The following image displays a sample output:
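The three traffic operations above share the same optional Start Date/Time and End Date/Time parameters and the same default of the last 24 hours. The following is an added example, not connector code, of a helper a playbook can call to produce those two values in ISO 8601 UTC before invoking any of the three actions. It follows the documented default when no range is given; what it does when only one bound is supplied, and the 7-day cap, are this example's own choices, not documented behaviour. Timestamps without a UTC offset are rejected instead of being interpreted in the local zone, because a silently shifted window would return traffic for the wrong hours without any error.

```python
"""Build the Start Date/Time and End Date/Time values for the traffic
actions. Added example, not connector code. The 24-hour default comes
from the connector notes; the one-sided defaults and MAX_WINDOW are
assumptions made for this example."""
from datetime import datetime, timedelta, timezone

DEFAULT_WINDOW = timedelta(hours=24)   # documented: last 24 hours
MAX_WINDOW = timedelta(days=7)         # assumed operational cap, not a product limit

# Fixed reference time so results are reproducible; pass now=None for real use.
FIXED_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)


def _parse_iso8601(value):
    """Parse an ISO 8601 timestamp and normalise it to UTC.
    A value with no UTC offset is rejected rather than guessed."""
    if value is None:
        return None
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"{value!r} has no UTC offset")
    return dt.astimezone(timezone.utc)


def traffic_window(start=None, end=None, now=None):
    """Return (start, end) as ISO 8601 UTC strings ready for the action."""
    now = now or datetime.now(timezone.utc)
    s, e = _parse_iso8601(start), _parse_iso8601(end)
    if s is None and e is None:
        e, s = now, now - DEFAULT_WINDOW   # documented default: last 24 hours
    elif s is None:
        s = e - DEFAULT_WINDOW             # assumption: 24 h before the given end
    elif e is None:
        e = now                            # assumption: from start up to now
    if s >= e:
        raise ValueError("start must be earlier than end")
    if e - s > MAX_WINDOW:
        raise ValueError(f"window longer than {MAX_WINDOW}")
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return s.strftime(fmt), e.strftime(fmt)


def window_error(start=None, end=None, now=None):
    """Validation message for a bad range, or None when it is acceptable.
    Useful in a playbook decision step that should branch instead of fail."""
    try:
        traffic_window(start, end, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(traffic_window(now=FIXED_NOW))
    print(traffic_window("2024-04-30T02:00:00+02:00", None, now=FIXED_NOW))
    print(window_error("2024-04-30T00:00:00", None, now=FIXED_NOW))
```

Feed the returned pair into the Start Date/Time and End Date/Time fields of the action; the same helper serves the domain, host group and exporter variants, since their datetime parameters are identical.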
The Sample - Cisco Stealthwatch - 1.0.0 playbook collection comes bundled with the Cisco Stealthwatch connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cisco Stealthwatch connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.