Cisco Stealthwatch uses NetFlow to provide visibility across the network, data center, branch offices, and the cloud. Its advanced security analytics uncover stealthy attacks on the extended network. Stealthwatch helps you use your existing network as a security sensor and enforcer to improve your threat defense.
This document provides information about the Cisco Stealthwatch connector, which facilitates automated interactions with a Cisco Stealthwatch server using FortiSOAR™ playbooks. Add the Cisco Stealthwatch connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving details about domains and retrieving inbound and outbound traffic information for a specified DateTime range or for the last 24 hours.
Connector Version: 1.1.0
Authored By: Fortinet
Certified: No
The following enhancements have been made to the Cisco Stealthwatch connector in version 1.1.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-stealthwatch
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Cisco Stealthwatch connector row, and in the Configure tab enter the required configuration details.
Parameter | Description |
---|---|
Server URL | URL of the Cisco Stealthwatch server to which you will connect and perform the automated operations. |
Username | Username to access the Cisco Stealthwatch server to which you will connect and perform the automated operations. |
Password | Password to access the Cisco Stealthwatch server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. Defaults to True. |
Many actions require identifiers of objects in the system, for example Domain ID, Exporter IP, Host Group ID, Interface, and Flow Collector ID. You can obtain these identifiers in either of the following two ways:
Use the Stealthwatch Management Console (SMC) client to obtain the identifiers by looking up the following entries:
- <domain id
- <host-group
- <interface if-index=
- <exporter ip=
You can also find parameter information using the Command Line Interface (CLI). For example, type the following command to get a list of the host_id values from a Flow Collector:
grep id= /lancope/var/sw/today/config/groups.xml | awk ' {print $2, $3, $4}' | sed s/\"//g| sed s/id=//g |awk '$1<60000'|sort -k1,1n |less
To get the Domain ID for an SMC, type the following command:
ls /lancope/var/smc/config/ | grep domain
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Application Traffic by Domain ID | Retrieves inbound and outbound traffic information from Cisco StealthWatch for the Domain ID and, optionally, the DateTime range you have specified. If you do not specify the DateTime range, then inbound and outbound traffic information is retrieved for the last 24 hours. | get_application_traffic Investigation |
Get Application Traffic by Host Group ID | Retrieves inbound and outbound traffic information from Cisco StealthWatch for the Host Group ID, Domain ID and, optionally, the DateTime range you have specified. If you do not specify the DateTime range, then inbound and outbound traffic information is retrieved for the last 24 hours. | get_application_traffic Investigation |
Get Application Traffic by Exporter IP | Retrieves inbound and outbound traffic information from Cisco StealthWatch for the Domain ID, Flow Collector Device ID, Exporter IP address, Interface and, optionally, the DateTime range you have specified. If you do not specify the DateTime range, then inbound and outbound traffic information is retrieved for the last 24 hours. | get_application_traffic Investigation |
Get Domain Details | Retrieves information for all the domains from Cisco StealthWatch. | get_domain_details Investigation |
Initiate Flow Search | Initiates a flow search on Cisco StealthWatch, based on the tenant ID, search name and other filters you have specified. | initiate_flow_search Investigation |
Get Flow Search Status | Retrieves the status of a specified flow search, based on the tenant ID and query ID you have specified. | get_flow_search_status Investigation |
Get Flow Search Results | Retrieves the result of a specified flow search, based on the tenant ID and query ID you have specified. | get_flow_search_results Investigation |
Get Tenant IDs | Retrieves the IDs of all the tenants (domains) from Cisco StealthWatch. | get_tenant_ids Investigation |
Input parameters for Get Domain Details: None.
The JSON output contains information for all the domains. The output contains the following populated JSON schema:
{
"data": [
{
"displayName": "",
"id": ""
}
]
}
Parameter | Description |
---|---|
Domain ID | ID of the domain for which you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
Start Date and Time | (Optional) Start DateTime from when you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
End Date and Time | (Optional) End DateTime till when you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
Note: If you do not specify the DateTime range, then the inbound and outbound traffic information is retrieved for the last 24 hours.
The JSON output contains the inbound and outbound traffic information for the DateTime range and domain that you have specified.
The output contains the following populated JSON schema:
{
"applicationTrafficPerApplication": [
{
"trafficOutboundBps": "",
"applicationName": "",
"trafficInboundBps": "",
"applicationId": "",
"trafficWithinBps": ""
}
],
"timePeriod": ""
}
Parameter | Description |
---|---|
Domain ID | ID of the domain for which you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
Host Group ID | ID of the Host Group for which you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
Start Date and Time | (Optional) Start DateTime from when you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
End Date and Time | (Optional) End DateTime till when you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
Note: If you do not specify the DateTime range, then the inbound and outbound traffic information is retrieved for the last 24 hours.
The JSON output contains the inbound and outbound traffic information for the DateTime range and Host Group ID that you have specified.
The output contains the following populated JSON schema:
{
"applicationTrafficPerApplication": [
{
"trafficOutboundBps": "",
"applicationName": "",
"trafficInboundBps": "",
"applicationId": "",
"trafficWithinBps": ""
}
],
"timePeriod": ""
}
Parameter | Description |
---|---|
Domain ID | ID of the domain for which you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
Flow Collector Device ID | ID of the Flow Collector Device, generated by Cisco Stealthwatch, for which you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
Exporter IP Address | IP of the Exporter, such as router or switch, for which you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
Interface | ID of the Interface created in Cisco Stealthwatch for which you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
Start Date and Time | (Optional) Start DateTime from when you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
End Date and Time | (Optional) End DateTime till when you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
Note: If you do not specify the DateTime range, then the inbound and outbound traffic information is retrieved for the last 24 hours.
The JSON output contains the inbound and outbound traffic information for the DateTime range and Exporter IP address that you have specified.
The output contains the following populated JSON schema:
{
"applicationTrafficPerApplication": [
{
"trafficOutboundBps": "",
"applicationName": "",
"trafficInboundBps": "",
"applicationId": "",
"trafficWithinBps": ""
}
],
"timePeriod": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant on which you want to initiate a flow search on Cisco StealthWatch. |
Search Name | Name for the search that you initiate on Cisco StealthWatch. |
Start Date/Time | Start DateTime from when you want to initiate a flow search on Cisco StealthWatch. This value must not occur after the End Date/Time. |
End Date/Time | End DateTime till when you want to initiate a flow search on Cisco StealthWatch. This value must not occur before the Start Date/Time. |
Number of Records | (Optional) Maximum number of flow records that you want this operation to return from Cisco StealthWatch. You can specify any number within the 1-10000 range. |
Subject Host Filters | (Optional) Collection of Subject Host filters in the JSON format, based on which you want to initiate a flow search on Cisco StealthWatch. Valid parameters for the subject host filters are listed after the table. |
Peer Host Filters | (Optional) Collection of Peer Host filters in the JSON format, based on which you want to initiate a flow search on Cisco StealthWatch. Valid parameters for the peer host filters are listed after the table. |
Flow Metadata Filters | (Optional) Collection of Flow Metadata filters in the JSON format, based on which you want to initiate a flow search on Cisco StealthWatch. Valid parameters for the flow metadata host filters are listed after the table. |
The valid parameters for the subject host filters are as follows:
- orientation: If included, this parameter determines whether hosts detected as client or server are assigned the subject role. Valid values: server, client.
- ipAddresses: IP addresses to include or exclude.
- hostGroups: Host Group IDs to include or exclude.
- tcpUdpPorts: Protocols/Ports to include or exclude.
- username: Usernames to include or exclude.
- byteCount: List of byte ranges with which you want to filter the results.
  - operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
  - value: Either one or two integers representing the value(s) to be compared.
- packetCount: List of packet ranges with which you want to filter the results.
  - operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
  - value: Either one or two integers representing the value(s) to be compared.
- macAddress: MAC addresses to include or exclude.
- processName: Process names to include or exclude.
- processHash: Process hash values to include or exclude.
- trustSecId: Cisco TrustSec IDs to include or exclude.
- trustSecName: Cisco TrustSec names to include or exclude.
Example of the subject host filter:
{
  "orientation": "CLIENT",
  "ipAddresses": {
    "includes": ["192.168.0", "10.20"],
    "excludes": ["10.20.20", "192.168.0.1-100"]
  },
  "hostGroups": {
    "includes": [1234, 2345],
    "excludes": [12345, 23456]
  },
  "tcpUdpPorts": {
    "includes": ["80-9000/tcp", "67-68/udp"],
    "excludes": ["8000-9000/tcp", "68/udp"]
  },
  "username": {
    "includes": ["admin", "veep"],
    "excludes": ["jdub", "ghill"]
  },
  "byteCount": [{
    "operator": ">=",
    "value": [204800]
  }],
  "packetCount": [{
    "operator": "BETWEEN",
    "value": [100, 400]
  }],
  "macAddress": {
    "includes": ["00-1B-63-84-45-36", "00-1B-63-84-45-63"],
    "excludes": ["00-14-22-01-23-45", "00-14-22-01-23-54"]
  },
  "processName": {
    "includes": ["cmd.exe", "telnet.exe"],
    "excludes": ["ping.exe", "proc.bin"]
  },
  "processHash": {
    "includes": ["cf23df2207d99a74fbe169e3eba035e633b65d94"],
    "excludes": ["cf23df2207d99a74fbe169e3eba035e633b65d97"]
  },
  "trustSecId": {
    "includes": [32, 44],
    "excludes": [75]
  },
  "trustSecName": {
    "includes": ["CTS-One"],
    "excludes": ["CTS-Two", "CTS-Three"]
  }
}
The valid parameters for the peer host filters are as follows:
- ipAddresses: IP addresses to include or exclude.
- hostGroups: Host Group IDs to include or exclude.
- tcpUdpPorts: Protocols/Ports to include or exclude.
- username: Usernames to include or exclude.
- byteCount: List of byte ranges with which you want to filter the results.
  - operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
  - value: Either one or two integers representing the value(s) to be compared.
- packetCount: List of packet ranges with which you want to filter the results.
  - operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
  - value: Either one or two integers representing the value(s) to be compared.
- macAddress: MAC addresses to include or exclude.
- processName: Process names to include or exclude.
- processHash: Process hash values to include or exclude.
- trustSecId: Cisco TrustSec IDs to include or exclude.
- trustSecName: Cisco TrustSec names to include or exclude.
Example of the peer host filter:
{
  "ipAddresses": {
    "includes": ["2001:0db8:85a3:0000:0000:8a2e:0370:7334", "2001:DB8:0:56::/64"],
    "excludes": ["2001:DB80:0:56::ABCD:239.18.52.86", "2001:DB8:0:56:ABCD:EF12:3456:1-10"]
  },
  "hostGroups": {
    "includes": [9876, 8765],
    "excludes": [987654, 87654]
  },
  "tcpUdpPorts": {
    "includes": ["80-9000/tcp", "67-68/udp"],
    "excludes": ["8000-9000/tcp", "68/udp"]
  },
  "username": {
    "includes": ["admin", "veep"],
    "excludes": ["jdub", "ghill"]
  },
  "byteCount": [{
    "operator": ">=",
    "value": [204800]
  }],
  "packetCount": [{
    "operator": "BETWEEN",
    "value": [100, 400]
  }],
  "macAddress": {
    "includes": ["00-1B-63-84-45-36", "00-1B-63-84-45-63"],
    "excludes": ["00-14-22-01-23-45", "00-14-22-01-23-54"]
  },
  "processName": {
    "includes": ["cmd.exe", "telnet.exe"],
    "excludes": ["ping.exe", "proc.bin"]
  },
  "processHash": {
    "includes": ["cf23df2207d99a74fbe169e3eba035e633b65d94"],
    "excludes": ["cf23df2207d99a74fbe169e3eba035e633b65d97"]
  },
  "trustSecId": {
    "includes": [32, 44],
    "excludes": [75]
  },
  "trustSecName": {
    "includes": ["CTS-One"],
    "excludes": ["CTS-Two", "CTS-Three"]
  }
}
The valid parameters for the flow metadata filters are as follows:
- tcpUdpPorts: Protocols/Ports to include or exclude. For example, "8080/tcp", "20-21/UDP".
- byteCount: List of byte ranges with which you want to filter the results.
  - operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
  - value: Either one or two integers representing the value(s) to be compared.
- packetCount: List of packet ranges with which you want to filter the results.
  - operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
  - value: Either one or two integers representing the value(s) to be compared.
The flow metadata example below also uses tcpConnections, tcpRetransmissions, averageRoundTripTime and averageServerResponseTime; each of these takes a list of ranges with the same operator and value fields as byteCount and packetCount.
Example of the flow metadata filter:
{
  "tcpUdpPorts": {
    "includes": ["80-9000/tcp", "67-68/udp"],
    "excludes": ["8000-9000/tcp", "68/udp"]
  },
  "applications": {
    "includes": [3002, 3001, 116, 136],
    "excludes": [127, 125, 147, 45]
  },
  "flowDirection": "BIDIRECTIONAL",
  "byteCount": [{
    "operator": ">=",
    "value": [204800]
  }],
  "packetCount": [{
    "operator": "<=",
    "value": [10]
  }],
  "payload": {
    "includes": ["http", "blah"],
    "excludes": []
  },
  "tcpConnections": [{
    "operator": ">=",
    "value": [2000]
  }],
  "tcpRetransmissions": [{
    "operator": ">=",
    "value": [2000]
  }],
  "tlsVersion": ["TLS 1.2", "UNKNOWN"],
  "cipherSuite": {
    "messageAuthCode": ["SHA256"],
    "keyExchange": ["ECDHE"],
    "authAlgorithm": ["RSA"],
    "encAlgorithm": ["AES_128_CBC"],
    "keyLength": ["128"]
  },
  "averageRoundTripTime": [{
    "operator": "<=",
    "value": [50]
  }],
  "averageServerResponseTime": [{
    "operator": ">=",
    "value": [2000]
  }],
  "flowDataSource": [{
    "flowCollectorId": 151,
    "exporters": [{
      "ipAddress": "10.100.100.7",
      "interfaceIds": [7, 27]
    }, {
      "ipAddress": "10.203.1.1"
    }]
  }],
  "protocol": [114, 10],
  "includeInterfaceData": false,
  "flowAction": "permitted"
}
For more information, see https://www.cisco.com/web/fw/stealthwatch/Online-Help/Content/Online-Help/v2_API.html#tenants__tenantId__flows_queries_post
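Before a playbook hands these filters to the Initiate Flow Search operation, it is worth checking them against the constraints listed above: start not after end, 1-10000 records, a listed operator with one value (two for BETWEEN), and the port/protocol syntax. The validator below is an added example and not part of the connector; the ISO 8601 date format is an assumption, and the flow metadata filter is checked loosely because the example above carries keys (applications, cipherSuite, flowDataSource) that the parameter list does not describe.

```python
import re
from datetime import datetime

# Operators the page lists for byteCount/packetCount style range filters
VALID_OPERATORS = {">", "<", ">=", "<=", "BETWEEN"}
# Host-filter keys that take {"includes": [...], "excludes": [...]}
LIST_KEYS = {"ipAddresses", "hostGroups", "tcpUdpPorts", "username", "macAddress",
             "processName", "processHash", "trustSecId", "trustSecName"}
# Keys that take a list of {"operator": ..., "value": [...]} ranges
RANGE_KEYS = {"byteCount", "packetCount", "tcpConnections", "tcpRetransmissions",
              "averageRoundTripTime", "averageServerResponseTime"}
# "8080/tcp", "20-21/UDP": a port or port range, then the protocol
PORT_RE = re.compile(r"^\d{1,5}(-\d{1,5})?/(tcp|udp)$", re.IGNORECASE)


def _check_ranges(name, ranges, problems):
    """A range entry needs a listed operator and one integer (two for BETWEEN)."""
    if not isinstance(ranges, list):
        problems.append(f"{name}: must be a list of operator/value objects")
        return
    for entry in ranges:
        op = entry.get("operator")
        values = entry.get("value")
        if op not in VALID_OPERATORS:
            problems.append(f"{name}: invalid operator {op!r}")
            continue
        if not isinstance(values, list) or not all(isinstance(v, int) for v in values):
            problems.append(f"{name}: value must be a list of integers")
            continue
        expected = 2 if op == "BETWEEN" else 1
        if len(values) != expected:
            problems.append(f"{name}: operator {op} needs {expected} value(s), got {len(values)}")
        elif op == "BETWEEN" and values[0] > values[1]:
            problems.append(f"{name}: BETWEEN lower bound exceeds upper bound")


def _check_filter(label, flt, problems, strict):
    """strict=True rejects keys outside the documented host-filter parameters;
    the flow metadata filter (strict=False) may carry extra keys that are
    passed through unchecked."""
    for key, val in flt.items():
        if key == "orientation":
            if str(val).lower() not in {"client", "server"}:
                problems.append(f"{label}.orientation: must be client or server, got {val!r}")
        elif key in LIST_KEYS:
            if not isinstance(val, dict) or not set(val) <= {"includes", "excludes"}:
                problems.append(f"{label}.{key}: expected an object with includes/excludes lists")
                continue
            for side, items in val.items():
                if not isinstance(items, list):
                    problems.append(f"{label}.{key}.{side}: must be a list")
                elif key == "tcpUdpPorts":
                    problems.extend(f"{label}.{key}: bad port spec {p!r}"
                                    for p in items if not PORT_RE.match(str(p)))
        elif key in RANGE_KEYS:
            _check_ranges(f"{label}.{key}", val, problems)
        elif strict:
            problems.append(f"{label}.{key}: unknown filter parameter")


def validate_flow_search(tenant_id, search_name, start, end, max_records=None,
                         subject=None, peer=None, flow=None):
    """Return a list of problems; an empty list means the inputs satisfy the
    documented constraints. Dates are assumed to be ISO 8601 strings."""
    problems = []
    if not tenant_id:
        problems.append("tenant ID is required")
    if not search_name:
        problems.append("search name is required")
    try:
        if datetime.fromisoformat(start) > datetime.fromisoformat(end):
            problems.append("start date/time occurs after end date/time")
    except (TypeError, ValueError):
        problems.append("start/end must be ISO 8601 date-times")
    if max_records is not None and not 1 <= max_records <= 10000:
        problems.append("number of records must be within 1-10000")
    for label, flt, strict in (("subject", subject, True), ("peer", peer, True),
                               ("flow", flow, False)):
        if flt is not None:
            _check_filter(label, flt, problems, strict)
    return problems


# Constructed inputs: a trimmed copy of the page's subject filter, plus one
# carrying the mistakes a playbook author is most likely to make.
GOOD_SUBJECT = {
    "orientation": "CLIENT",
    "ipAddresses": {"includes": ["192.168.0", "10.20"], "excludes": ["10.20.20"]},
    "tcpUdpPorts": {"includes": ["80-9000/tcp", "67-68/udp"], "excludes": ["68/udp"]},
    "byteCount": [{"operator": ">=", "value": [204800]}],
    "packetCount": [{"operator": "BETWEEN", "value": [100, 400]}],
}
BAD_SUBJECT = {
    "orientation": "both",
    "packetCount": [{"operator": "BETWEEN", "value": [100]}],
    "tcpUdpPorts": {"includes": ["80/icmp"]},
    "bogus": {},
}
GOOD_FLOW = {"flowDirection": "BIDIRECTIONAL",
             "averageRoundTripTime": [{"operator": "<=", "value": [50]}]}

if __name__ == "__main__":
    print(validate_flow_search("123", "triage", "2024-03-01T00:00:00",
                               "2024-03-02T00:00:00", 500, GOOD_SUBJECT, None, GOOD_FLOW))
    print(validate_flow_search("123", "triage", "2024-03-02T00:00:00",
                               "2024-03-01T00:00:00", 20000, BAD_SUBJECT))
```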
The output contains the following populated JSON schema:
{
"data": {
"query": {
"id": "",
"status": "",
"domainId": "",
"percentComplete": ""
}
}
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose flow search status you want to retrieve from Cisco StealthWatch. |
Query ID | ID of the query whose flow search status you want to retrieve from Cisco StealthWatch. Note: You can retrieve a Query ID using the Initiate Flow Search operation. |
The output contains the following populated JSON schema:
{
"data": {
"query": {
"id": "",
"status": "",
"domainId": "",
"percentComplete": ""
}
}
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose flow search results you want to retrieve from Cisco StealthWatch. |
Query ID | ID of the query whose flow search result you want to retrieve from Cisco StealthWatch. Note: You can retrieve a Query ID using the Initiate Flow Search operation. |
The output contains the following populated JSON schema:
{
"data": {
"flows": [
{
"vlanId": "",
"id": "",
"subject": {
"finPackets": "",
"macAddress": "",
"userName": "",
"bytes": "",
"ipAddress": "",
"packets": "",
"byteRate": "",
"synPackets": "",
"processUsername": "",
"interfaces": [
{
"dscpValue": "",
"interfaceDescription": "",
"direction": "",
"maxTtl": "",
"dscpDescription": "",
"minTtl": "",
"interfaceId": "",
"flowAction": "",
"exporterIpAddress": "",
"exporterType": ""
},
{
"dscpValue": "",
"interfaceDescription": "",
"direction": "",
"maxTtl": "",
"dscpDescription": "",
"minTtl": "",
"interfaceId": "",
"flowAction": "",
"exporterIpAddress": "",
"exporterType": ""
}
],
"processName": "",
"hostGroupIds": [],
"parentProcessName": "",
"payload": "",
"trustSecName": "",
"portProtocol": {
"serviceId": "",
"port": "",
"protocol": ""
},
"countryCode": "",
"asn": "",
"natAddress": "",
"orientation": "",
"tlsVersion": "",
"processHash": "",
"parentProcessHash": "",
"macVendor": "",
"natPort": "",
"percentBytes": "",
"trustSecId": "",
"synAckPackets": "",
"natHostName": "",
"packetRate": "",
"rstPackets": ""
},
"packetShaperApp": {
"name": "",
"id": "",
"description": ""
},
"paloAltoAppId": "",
"serviceId": "",
"tenantId": "",
"nbarApp": {
"name": "",
"id": "",
"description": ""
},
"tlsVersion": "",
"flowCollectorId": "",
"peer": {
"finPackets": "",
"macAddress": "",
"userName": "",
"bytes": "",
"ipAddress": "",
"packets": "",
"byteRate": "",
"synPackets": "",
"processUsername": "",
"interfaces": [
{
"dscpValue": "",
"interfaceDescription": "",
"direction": "",
"maxTtl": "",
"dscpDescription": "",
"minTtl": "",
"interfaceId": "",
"flowAction": "",
"exporterIpAddress": "",
"exporterType": ""
},
{
"dscpValue": "",
"interfaceDescription": "",
"direction": "",
"maxTtl": "",
"dscpDescription": "",
"minTtl": "",
"interfaceId": "",
"flowAction": "",
"exporterIpAddress": "",
"exporterType": ""
}
],
"processName": "",
"hostGroupIds": [],
"parentProcessName": "",
"payload": "",
"trustSecName": "",
"portProtocol": {
"serviceId": "",
"port": "",
"protocol": ""
},
"countryCode": "",
"asn": "",
"natAddress": "",
"orientation": "",
"tlsVersion": "",
"processHash": "",
"parentProcessHash": "",
"macVendor": "",
"natPort": "",
"percentBytes": "",
"trustSecId": "",
"synAckPackets": "",
"natHostName": "",
"packetRate": "",
"rstPackets": ""
},
"statistics": {
"tcpRetransmissions": "",
"roundTripTime": "",
"packetCount": "",
"byteRate": "",
"srtAverage": "",
"byteCount": "",
"packetRate": "",
"subjectPeerRatio": "",
"rttMinimum": "",
"rttAverage": "",
"flowTimeSinceStart": "",
"serverResponseTime": "",
"activeDuration": "",
"srtMinimum": "",
"tcpRetransmissionsRatio": "",
"lastActiveTime": "",
"rttMaximum": "",
"firstActiveTime": "",
"numCombinedFlowRecords": "",
"srtMaximum": "",
"tcpConnections": ""
},
"flowSensorApp": {
"name": "",
"id": "",
"description": ""
},
"mplsLabel": "",
"protocol": "",
"cipherSuite": {
"name": "",
"encAlgorithm": "",
"id": "",
"messageAuthCode": "",
"keyExchange": "",
"authAlgorithm": "",
"keyLength": "",
"protocol": ""
},
"applicationId": ""
}
]
}
}
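The three flow search operations form one sequence: Initiate Flow Search returns a query ID, Get Flow Search Status is polled with that ID until the query finishes, and Get Flow Search Results returns the matching flows. The helpers below are an added example, not connector code; they assume responses shaped like the schemas documented above, and the terminal status string COMPLETED is an assumption because the schema leaves the value blank.

```python
from collections import Counter, defaultdict

# Assumed terminal status string; the documented schema leaves "status" blank,
# so match this to what your SMC actually returns.
DONE_STATUS = "COMPLETED"


def search_finished(status_response):
    """True when a Get Flow Search Status response reports the query as done."""
    query = status_response.get("data", {}).get("query", {})
    status = str(query.get("status", "")).upper()
    try:
        pct = float(query.get("percentComplete") or 0)
    except (TypeError, ValueError):
        pct = 0.0
    return status == DONE_STATUS or pct >= 100


def poll_until_complete(get_status, max_polls=10):
    """Call get_status() (one Get Flow Search Status request per call) until the
    query finishes; returns (polls used, final response) or raises TimeoutError."""
    for attempt in range(1, max_polls + 1):
        resp = get_status()
        if search_finished(resp):
            return attempt, resp
    raise TimeoutError(f"flow search still running after {max_polls} polls")


def summarize_flows(results_response, top_n=3):
    """Condense Get Flow Search Results into what an analyst looks at first:
    which subjects sent the most bytes, how many distinct peers each subject
    touched, and which peer port/protocol pairs dominate."""
    flows = results_response.get("data", {}).get("flows", [])
    bytes_by_subject = defaultdict(int)
    peers_by_subject = defaultdict(set)
    port_hits = Counter()
    for flow in flows:
        subject = flow.get("subject", {})
        peer = flow.get("peer", {})
        stats = flow.get("statistics", {})
        sip = subject.get("ipAddress", "?")
        bytes_by_subject[sip] += int(stats.get("byteCount") or 0)
        peers_by_subject[sip].add(peer.get("ipAddress", "?"))
        pp = peer.get("portProtocol", {})
        port_hits[f"{pp.get('port')}/{pp.get('protocol')}"] += 1
    return {
        "flow_count": len(flows),
        "top_talkers": sorted(bytes_by_subject.items(), key=lambda kv: -kv[1])[:top_n],
        "peer_fanout": {ip: len(peers) for ip, peers in peers_by_subject.items()},
        "top_ports": port_hits.most_common(top_n),
    }


def make_status_source(responses):
    """Replay a constructed sequence of status responses, one per poll."""
    it = iter(responses)
    return lambda: next(it)


def status_response(pct, status=""):
    """Constructed Get Flow Search Status response in the documented shape."""
    return {"data": {"query": {"id": "q-1", "status": status, "domainId": "123",
                               "percentComplete": pct}}}


def flow_record(fid, sip, pip, port, nbytes):
    """Constructed flow in the documented Get Flow Search Results shape (subset)."""
    return {"id": fid, "tenantId": "123",
            "subject": {"ipAddress": sip},
            "peer": {"ipAddress": pip, "portProtocol": {"port": port, "protocol": "tcp"}},
            "statistics": {"byteCount": nbytes}}


# Constructed responses: a search that finishes on the third poll, and three flows
STATUS_SEQUENCE = [status_response(35), status_response(80), status_response(100, DONE_STATUS)]
RESULTS = {"data": {"flows": [
    flow_record("f1", "10.20.5.17", "203.0.113.10", 443, 1000000),
    flow_record("f2", "10.20.5.17", "203.0.113.22", 443, 500000),
    flow_record("f3", "10.20.9.4", "203.0.113.10", 22, 20000),
]}}

if __name__ == "__main__":
    polls, final = poll_until_complete(make_status_source(STATUS_SEQUENCE))
    print(f"finished after {polls} polls: {final['data']['query']}")
    print(summarize_flows(RESULTS))
```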
Input parameters for Get Tenant IDs: None.
The output contains the following populated JSON schema:
{
"data": [
{
"displayName": "",
"id": ""
}
]
}
The Sample - Cisco Stealthwatch - 1.1.0 playbook collection comes bundled with the Cisco Stealthwatch connector. The playbooks in this collection contain steps that show how to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cisco Stealthwatch connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
Cisco Stealthwatch uses NetFlow to provide visibility across the network, data center, branch offices, and the cloud. Its advanced security analytics uncover stealthy attacks on the extended network. Stealthwatch helps you use your existing network as a security sensor and enforcer to improve your threat defense.
This document provides information about the Cisco Stealthwatch connector, which facilitates automated interactions, with a Cisco Stealthwatch server using FortiSOAR™ playbooks. Add the Cisco Stealthwatch connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving details about domains and retrieving inbound and outbound traffic information for a specified DateTime range, or the last 24 hours.
Connector Version: 1.1.0
Authored By: Fortinet
Certified: No
Following enhancements have been made to the Cisco Stealthwatch connector in version 1.1.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-stealthwatch
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Cisco Stealthwatch connector row, and in the Configure tab enter the required configuration details.
Parameter | Description |
---|---|
Server URL | URL of the Cisco Stealthwatch server to which you will connect and perform the automated operations. |
Username | Username to access the Cisco Stealthwatch server to which you will connect and perform the automated operations. |
Password | Password to access the Cisco Stealthwatch server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not.
Defaults to True. |
Calls from many Actions can require identifiers of various objects in the system. For example, Domain ID, Exporter IP, Host Group ID, Interface, and Flow Collector ID. You can obtain these identifiers by the following two methods:
Use the Stealthwatch Management Console (SMC) client to obtain the identifiers as follows:
“<domain id”
.“<host-group”
.“<interface if-index=”
.“<exporter ip="
.You can also find parameter information from using a Command Line Interface (CLI). For example, type the following command to get a list of the host_id from a Flow Collector:
grep id= /lancope/var/sw/today/config/groups.xml | awk ' {print $2, $3, $4}' | sed s/\"//g| sed s/id=//g |awk '$1<60000'|sort -k1,1n |less
To get the Domain ID for an SMC, type the following command:
ls /lancope/var/smc/config/ | grep domain
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Application Traffic by Domain ID | Retrieves inbound and outbound traffic information from Cisco StealthWatch for the Domain ID and optionally a DateTime range, you have specified. If you do not specify the DateTime range then inbound and outbound traffic information is retrieved for the last 24 hours. | get_application_traffic Investigation |
Get Application Traffic by Host Group ID | Retrieves inbound and outbound traffic information from Cisco StealthWatch for the Host Group ID, Domain ID, and optionally a DateTime range, you have specified. If you do not specify the DateTime range then inbound and outbound traffic information is retrieved for the last 24 hours. | get_application_traffic Investigation |
Get Application Traffic by Exporter IP | Retrieves inbound and outbound traffic information from Cisco StealthWatch for the Domain ID, Flow Collector Device ID, Exporter IP address, Interface, and optionally a DateTime range you have specified. If you do not specify the DateTime range, then inbound and outbound traffic information is retrieved for the last 24 hours. | get_applicaton_traffic Investigation |
Get Domain Details | Retrieves information for all the domains from Cisco StealthWatch. | get_domain_details Investigation |
Initiate Flow Search | Initiates a flow search on Cisco StealthWatch, based on the tenant ID, search name and other filters you have specified. | initiate_flow_search Investigation |
Get Flow Search Status | Retrieves the status of a specified flow search, based on the tenant ID and query ID you have specified. | get_flow_search_status Investigation |
Get Flow Search Results | Retrieves the result of a specified flow search, based on the tenant ID and query ID you have specified. | get_flow_search_results Investigation |
Get Tenant IDs | Retrieves the IDs of all the tenants (domains) from Cisco StealthWatch. | get_tenant_ids Investigation |
None.
The JSON contains information for all the domains. The output contains the following populated JSON schema:
{
"data": [
{
"displayName": "",
"id": ""
}
]
}
Parameter | Description |
---|---|
Domain ID | ID of the domain for which you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
Start Date and Time | (Optional) Start DateTime from when you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
End Date and Time | (Optional) End DateTime till when you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
Note: If you do not specify the DateTime range, then the inbound and outbound traffic information is retrieved for the last 24 hours.
The JSON output contains the inbound and outbound traffic information for the DateTime range and domain that you have specified.
The output contains the following populated JSON schema:
{
"applicationTrafficPerApplication": [
{
"trafficOutboundBps": "",
"applicationName": "",
"trafficInboundBps": "",
"applicationId": "",
"trafficWithinBps": ""
}
],
"timePeriod": ""
}
Parameter | Description |
---|---|
Domain ID | ID of the domain for which you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
Host Group ID | ID of the Host Group for which you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
Start Date and Time | (Optional) Start DateTime from when you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
End Date and Time | (Optional) End DateTime till when you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
Note: If you do not specify the datetime range, then the inbound and outbound traffic information is retrieved for the last 24 hours.
The JSON output contains the inbound and outbound traffic information for the datetime range and Host Group IP that you have specified.
The output contains the following populated JSON schema:
{
"applicationTrafficPerApplication": [
{
"trafficOutboundBps": "",
"applicationName": "",
"trafficInboundBps": "",
"applicationId": "",
"trafficWithinBps": ""
}
],
"timePeriod": ""
}
Parameter | Description |
---|---|
Domain ID | ID of the domain for which you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
Flow Collector Device ID | ID of the Flow Collector Device, which is generated by Cisco Stealthwatch for which you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
Exporter IP Address | IP of the Exporter, such as router or switch, for which you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
Interface | ID of the Interface created in Cisco Stealthwatch for which you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
Start Date and Time | (Optional) Start DateTime from when you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
End Date and Time | (Optional) End DateTime till when you want to retrieve inbound and outbound traffic information from Cisco StealthWatch. |
Note: If you do not specify the DateTime range, then the inbound and outbound traffic information is retrieved for the last 24 hours.
The JSON output contains the inbound and outbound traffic information for the DateTime range and Exporter IP address that you have specified.
The output contains the following populated JSON schema:
{
"applicationTrafficPerApplication": [
{
"trafficOutboundBps": "",
"applicationName": "",
"trafficInboundBps": "",
"applicationId": "",
"trafficWithinBps": ""
}
],
"timePeriod": ""
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant on which you want to initiate a flow search on Cisco StealthWatch. |
Search Name | Name for the search that you initiate on Cisco StealthWatch. |
Start Date/Time | Start DateTime from when you want to initiate a flow search on Cisco StealthWatch. This value must not occur after the End Date/Time. |
End Date/Time | Start DateTime till when you want to initiate a flow search on Cisco StealthWatch. This value must not occur before the Start Date/Time. |
Number of Records | (Optional) Maximum number of flow records that you want this operation to return from Cisco StealthWatch. You can specify any number within the 1-10000 range. |
Subject Host Filters | (Optional) Collection of Subject Host filters in the JSON format, based on which you want to initiate a flow search on Cisco StealthWatch. Valid parameters for the subject host filters are listed after the table. |
Peer Host Filters | (Optional) Collection of Peer Host filters in the JSON format, based on which you want to initiate a flow search on Cisco StealthWatch. Valid parameters for the peer host filters are listed after the table. |
Flow Metadata Filters | (Optional) Collection of Flow Metadata filters in the JSON format, based on which you want to initiate a flow search on Cisco StealthWatch. Valid parameters for the flow metadata host filters are listed after the table. |
List of valid parameters for the subject host filters are as follows:
orientation: If included, this parameter determines whether hosts detected as client or server are assigned the subject role. Valid values: server, client.
ipAddresses: IP Addresses to include or exclude.
hostGroups: Host Group IDs to include or exclude.
tcpUdpPorts: Protocols/Ports to include or exclude.
username: Usernames to include or exclude.
byteCount: List of byte ranges with which you want to filter the results. Each range has the following fields:
    operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
    value: Either one or two integers representing the value(s) to be compared.
packetCount: List of packet ranges with which you want to filter the results. Each range has the following fields:
    operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
    value: Either one or two integers representing the value(s) to be compared.
macAddress: MAC addresses to include or exclude.
processName: Process names to include or exclude.
processHash: Process hash values to include or exclude.
trustSecId: Cisco TrustSec IDs to include or exclude.
trustSecName: Cisco TrustSec names to include or exclude.
Example of the subject host filter:
{
  "orientation": "CLIENT",
  "ipAddresses": {
    "includes": ["192.168.0", "10.20"],
    "excludes": ["10.20.20", "192.168.0.1-100"]
  },
  "hostGroups": {
    "includes": [1234, 2345],
    "excludes": [12345, 23456]
  },
  "tcpUdpPorts": {
    "includes": ["80-9000/tcp", "67-68/udp"],
    "excludes": ["8000-9000/tcp", "68/udp"]
  },
  "username": {
    "includes": ["admin", "veep"],
    "excludes": ["jdub", "ghill"]
  },
  "byteCount": [{
    "operator": ">=",
    "value": [204800]
  }],
  "packetCount": [{
    "operator": "BETWEEN",
    "value": [100, 400]
  }],
  "macAddress": {
    "includes": ["00-1B-63-84-45-36", "00-1B-63-84-45-63"],
    "excludes": ["00-14-22-01-23-45", "00-14-22-01-23-54"]
  },
  "processName": {
    "includes": ["cmd.exe", "telnet.exe"],
    "excludes": ["ping.exe", "proc.bin"]
  },
  "processHash": {
    "includes": ["cf23df2207d99a74fbe169e3eba035e633b65d94"],
    "excludes": ["cf23df2207d99a74fbe169e3eba035e633b65d97"]
  },
  "trustSecId": {
    "includes": [32, 44],
    "excludes": [75]
  },
  "trustSecName": {
    "includes": ["CTS-One"],
    "excludes": ["CTS-Two", "CTS-Three"]
  }
}
List of valid parameters for the peer host filters are as follows. The peer host filter accepts the same parameters as the subject host filter, except orientation:
ipAddresses: IP Addresses to include or exclude.
hostGroups: Host Group IDs to include or exclude.
tcpUdpPorts: Protocols/Ports to include or exclude.
username: Usernames to include or exclude.
byteCount: List of byte ranges with which you want to filter the results. Each range has the following fields:
    operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
    value: Either one or two integers representing the value(s) to be compared.
packetCount: List of packet ranges with which you want to filter the results. Each range has the following fields:
    operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
    value: Either one or two integers representing the value(s) to be compared.
macAddress: MAC addresses to include or exclude.
processName: Process names to include or exclude.
processHash: Process hash values to include or exclude.
trustSecId: Cisco TrustSec IDs to include or exclude.
trustSecName: Cisco TrustSec names to include or exclude.
Example of the peer host filter:
{
  "ipAddresses": {
    "includes": ["2001:0db8:85a3:0000:0000:8a2e:0370:7334", "2001:DB8:0:56::/64"],
    "excludes": ["2001:DB80:0:56::ABCD:239.18.52.86", "2001:DB8:0:56:ABCD:EF12:3456:1-10"]
  },
  "hostGroups": {
    "includes": [9876, 8765],
    "excludes": [987654, 87654]
  },
  "tcpUdpPorts": {
    "includes": ["80-9000/tcp", "67-68/udp"],
    "excludes": ["8000-9000/tcp", "68/udp"]
  },
  "username": {
    "includes": ["admin", "veep"],
    "excludes": ["jdub", "ghill"]
  },
  "byteCount": [{
    "operator": ">=",
    "value": [204800]
  }],
  "packetCount": [{
    "operator": "BETWEEN",
    "value": [100, 400]
  }],
  "macAddress": {
    "includes": ["00-1B-63-84-45-36", "00-1B-63-84-45-63"],
    "excludes": ["00-14-22-01-23-45", "00-14-22-01-23-54"]
  },
  "processName": {
    "includes": ["cmd.exe", "telnet.exe"],
    "excludes": ["ping.exe", "proc.bin"]
  },
  "processHash": {
    "includes": ["cf23df2207d99a74fbe169e3eba035e633b65d94"],
    "excludes": ["cf23df2207d99a74fbe169e3eba035e633b65d97"]
  },
  "trustSecId": {
    "includes": [32, 44],
    "excludes": [75]
  },
  "trustSecName": {
    "includes": ["CTS-One"],
    "excludes": ["CTS-Two", "CTS-Three"]
  }
}
List of valid parameters for the flow metadata filters are as follows:
tcpUdpPorts: Protocols/Ports to include or exclude. For example, "8080/tcp", "20-21/UDP".
byteCount: List of byte ranges with which you want to filter the results. Each range has the following fields:
    operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
    value: Either one or two integers representing the value(s) to be compared.
packetCount: List of packet ranges with which you want to filter the results. Each range has the following fields:
    operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
    value: Either one or two integers representing the value(s) to be compared.
tcpConnections, tcpRetransmissions, averageRoundTripTime, averageServerResponseTime: Each takes a list of ranges with the same operator and value fields as byteCount, as shown in the example below.
The example below also uses the applications, flowDirection, payload, tlsVersion, cipherSuite, flowDataSource, protocol, includeInterfaceData, and flowAction filters; their descriptions are in the Stealthwatch API reference linked after the example.
Example of the flow metadata filter:
{
  "tcpUdpPorts": {
    "includes": ["80-9000/tcp", "67-68/udp"],
    "excludes": ["8000-9000/tcp", "68/udp"]
  },
  "applications": {
    "includes": [3002, 3001, 116, 136],
    "excludes": [127, 125, 147, 45]
  },
  "flowDirection": "BIDIRECTIONAL",
  "byteCount": [{
    "operator": ">=",
    "value": [204800]
  }],
  "packetCount": [{
    "operator": "<=",
    "value": [10]
  }],
  "payload": {
    "includes": ["http", "blah"],
    "excludes": []
  },
  "tcpConnections": [{
    "operator": ">=",
    "value": [2000]
  }],
  "tcpRetransmissions": [{
    "operator": ">=",
    "value": [2000]
  }],
  "tlsVersion": ["TLS 1.2", "UNKNOWN"],
  "cipherSuite": {
    "messageAuthCode": ["SHA256"],
    "keyExchange": ["ECDHE"],
    "authAlgorithm": ["RSA"],
    "encAlgorithm": ["AES_128_CBC"],
    "keyLength": ["128"]
  },
  "averageRoundTripTime": [{
    "operator": "<=",
    "value": [50]
  }],
  "averageServerResponseTime": [{
    "operator": ">=",
    "value": [2000]
  }],
  "flowDataSource": [{
    "flowCollectorId": 151,
    "exporters": [{
      "ipAddress": "10.100.100.7",
      "interfaceIds": [7, 27]
    }, {
      "ipAddress": "10.203.1.1"
    }]
  }],
  "protocol": [114, 10],
  "includeInterfaceData": false,
  "flowAction": "permitted"
}
For more information, see https://www.cisco.com/web/fw/stealthwatch/Online-Help/Content/Online-Help/v2_API.html#tenants__tenantId__flows_queries_post
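The three filter collections above are passed to the connector as free-form JSON, so a playbook that assembles them from incident fields will only find a malformed operator, a BETWEEN with one bound, or an orientation on the peer filter when the search fails on the Stealthwatch side. The following Python is an added example for this page, not FortiSOAR or Cisco code: it checks a request against the rules stated in the table and filter lists above before the Initiate Flow Search step runs. The filter names and the comparator set come from the text; it assumes that BETWEEN takes exactly two integers and every other comparator exactly one (the text only says "one or two"), and the request-body keys searchName, startDateTime, endDateTime, recordLimit, subject, peer and flow are guesses that mirror the connector's inputs, to be confirmed against the API reference linked above. SUBJECT_OK and FLOW_OK are constructed inputs trimmed from the examples on this page.

```python
"""Sanity-check a Cisco Stealthwatch flow-search request before it reaches the
Initiate Flow Search step. Added example for this page, not FortiSOAR or Cisco
code; filter names and the comparator set come from the descriptions above.
Assumptions: BETWEEN takes exactly two integers and every other comparator one
(the text only says "one or two"), and the request-body keys searchName,
startDateTime, endDateTime, recordLimit, subject, peer and flow are guesses
that mirror the connector's inputs; confirm them against the API reference."""
from datetime import datetime
from typing import Any, Dict, List, Optional

TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
COMPARATORS = {">", "<", ">=", "<=", "BETWEEN"}
# Keys shaped as {"includes": [...], "excludes": [...]}, per filter type.
INCLUDE_EXCLUDE = {"host": {"ipAddresses", "hostGroups", "tcpUdpPorts", "username", "macAddress",
                            "processName", "processHash", "trustSecId", "trustSecName"},
                   "flow": {"tcpUdpPorts", "applications", "payload"}}
# Keys shaped as a list of {"operator": ..., "value": [...]} objects, per filter type.
RANGES = {"host": {"byteCount", "packetCount"},
          "flow": {"byteCount", "packetCount", "tcpConnections", "tcpRetransmissions",
                   "averageRoundTripTime", "averageServerResponseTime"}}


def check_range_list(name: str, ranges: Any) -> List[str]:
    """Return the problems in a byteCount-style list of operator/value objects."""
    if not isinstance(ranges, list):
        return [f"{name}: expected a list of operator/value objects"]
    problems = []
    for i, item in enumerate(ranges):
        op = item.get("operator") if isinstance(item, dict) else None
        vals = item.get("value") if isinstance(item, dict) else None
        need = 2 if op == "BETWEEN" else 1
        if op not in COMPARATORS:
            problems.append(f"{name}[{i}]: operator {op!r} is not one of {sorted(COMPARATORS)}")
        elif not isinstance(vals, list) or not all(isinstance(v, int) for v in vals):
            problems.append(f"{name}[{i}]: value must be a list of integers")
        elif len(vals) != need:
            problems.append(f"{name}[{i}]: {op} takes {need} value(s), got {len(vals)}")
        elif op == "BETWEEN" and vals[0] > vals[1]:
            problems.append(f"{name}[{i}]: BETWEEN lower bound exceeds upper bound")
    return problems


def check_include_exclude(name: str, block: Any) -> List[str]:
    """Return the problems in an includes/excludes block."""
    if not isinstance(block, dict) or not set(block) <= {"includes", "excludes"}:
        return [f"{name}: expected an object with only includes/excludes"]
    inc, exc = block.get("includes", []), block.get("excludes", [])
    if not isinstance(inc, list) or not isinstance(exc, list):
        return [f"{name}: includes and excludes must be lists"]
    clash = {str(v) for v in inc} & {str(v) for v in exc}  # listed in both: can never match
    return [f"{name}: {sorted(clash)} listed in both includes and excludes"] if clash else []


def check_filter(filt: Dict[str, Any], role: str) -> List[str]:
    """Check a subject, peer or flow filter; only the subject may carry orientation."""
    kind = "flow" if role == "flow" else "host"
    problems = []
    for name, val in filt.items():
        if name in INCLUDE_EXCLUDE[kind]:
            problems += check_include_exclude(f"{role}.{name}", val)
        elif name in RANGES[kind]:
            problems += check_range_list(f"{role}.{name}", val)
        elif name == "orientation" and role == "subject":
            if str(val).lower() not in ("client", "server"):
                problems.append(f"subject.orientation: {val!r} is not client or server")
        elif kind == "host":  # flow metadata keys of other shapes are passed through
            problems.append(f"{role}: unsupported filter {name!r}")
    return problems


def validate_flow_query(start: str, end: str, max_records: int, subject: Optional[dict] = None,
                        peer: Optional[dict] = None, flow: Optional[dict] = None) -> List[str]:
    """Apply every constraint documented above; an empty list means the request is sound."""
    problems = []
    try:
        if datetime.strptime(start, TIME_FORMAT) > datetime.strptime(end, TIME_FORMAT):
            problems.append("Start Date/Time occurs after End Date/Time")
    except (TypeError, ValueError):
        problems.append("timestamps must look like 2020-01-01T00:00:00Z")
    if not (isinstance(max_records, int) and 1 <= max_records <= 10000):
        problems.append(f"Number of Records {max_records!r} is outside 1-10000")
    for role, filt in (("subject", subject), ("peer", peer), ("flow", flow)):
        problems += check_filter(filt or {}, role)
    return problems


def build_flow_query(search_name: str, start: str, end: str, max_records: int = 1000,
                     subject: Optional[dict] = None, peer: Optional[dict] = None,
                     flow: Optional[dict] = None) -> Dict[str, Any]:
    """Return the Initiate Flow Search body, or raise listing every problem found."""
    problems = validate_flow_query(start, end, max_records, subject, peer, flow)
    if problems:
        raise ValueError("; ".join(problems))
    body: Dict[str, Any] = {"searchName": search_name, "startDateTime": start,
                            "endDateTime": end, "recordLimit": max_records}
    body.update({k: v for k, v in (("subject", subject), ("peer", peer), ("flow", flow)) if v})
    return body


# Constructed inputs, trimmed from the subject and flow metadata examples above.
SUBJECT_OK = {"orientation": "CLIENT",
              "ipAddresses": {"includes": ["192.168.0", "10.20"], "excludes": ["10.20.20"]},
              "packetCount": [{"operator": "BETWEEN", "value": [100, 400]}]}
FLOW_OK = {"tcpUdpPorts": {"includes": ["80-9000/tcp"], "excludes": ["8000-9000/tcp"]},
           "tcpRetransmissions": [{"operator": ">=", "value": [2000]}]}
```

The includes/excludes clash check is worth keeping even though Stealthwatch would accept the request: an entry that appears in both lists silently matches nothing, which is the kind of filter mistake that makes a hunt return an empty result and look like a clean bill of health.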
The output contains the following populated JSON schema:
{
"data": {
"query": {
"id": "",
"status": "",
"domainId": "",
"percentComplete": ""
}
}
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose flow search status you want to retrieve from Cisco StealthWatch. |
Query ID | ID of the query whose flow search status you want to retrieve from Cisco StealthWatch. Note: You can retrieve a Query ID using the Initiate Flow Search operation. |
The output contains the following populated JSON schema:
{
"data": {
"query": {
"id": "",
"status": "",
"domainId": "",
"percentComplete": ""
}
}
}
Parameter | Description |
---|---|
Tenant ID | ID of the tenant whose flow search results you want to retrieve from Cisco StealthWatch. |
Query ID | ID of the query whose flow search result you want to retrieve from Cisco StealthWatch. Note: You can retrieve a Query ID using the Initiate Flow Search operation. |
The output contains the following populated JSON schema:
{
"data": {
"flows": [
{
"vlanId": "",
"id": "",
"subject": {
"finPackets": "",
"macAddress": "",
"userName": "",
"bytes": "",
"ipAddress": "",
"packets": "",
"byteRate": "",
"synPackets": "",
"processUsername": "",
"interfaces": [
{
"dscpValue": "",
"interfaceDescription": "",
"direction": "",
"maxTtl": "",
"dscpDescription": "",
"minTtl": "",
"interfaceId": "",
"flowAction": "",
"exporterIpAddress": "",
"exporterType": ""
},
{
"dscpValue": "",
"interfaceDescription": "",
"direction": "",
"maxTtl": "",
"dscpDescription": "",
"minTtl": "",
"interfaceId": "",
"flowAction": "",
"exporterIpAddress": "",
"exporterType": ""
}
],
"processName": "",
"hostGroupIds": [],
"parentProcessName": "",
"payload": "",
"trustSecName": "",
"portProtocol": {
"serviceId": "",
"port": "",
"protocol": ""
},
"countryCode": "",
"asn": "",
"natAddress": "",
"orientation": "",
"tlsVersion": "",
"processHash": "",
"parentProcessHash": "",
"macVendor": "",
"natPort": "",
"percentBytes": "",
"trustSecId": "",
"synAckPackets": "",
"natHostName": "",
"packetRate": "",
"rstPackets": ""
},
"packetShaperApp": {
"name": "",
"id": "",
"description": ""
},
"paloAltoAppId": "",
"serviceId": "",
"tenantId": "",
"nbarApp": {
"name": "",
"id": "",
"description": ""
},
"tlsVersion": "",
"flowCollectorId": "",
"peer": {
"finPackets": "",
"macAddress": "",
"userName": "",
"bytes": "",
"ipAddress": "",
"packets": "",
"byteRate": "",
"synPackets": "",
"processUsername": "",
"interfaces": [
{
"dscpValue": "",
"interfaceDescription": "",
"direction": "",
"maxTtl": "",
"dscpDescription": "",
"minTtl": "",
"interfaceId": "",
"flowAction": "",
"exporterIpAddress": "",
"exporterType": ""
},
{
"dscpValue": "",
"interfaceDescription": "",
"direction": "",
"maxTtl": "",
"dscpDescription": "",
"minTtl": "",
"interfaceId": "",
"flowAction": "",
"exporterIpAddress": "",
"exporterType": ""
}
],
"processName": "",
"hostGroupIds": [],
"parentProcessName": "",
"payload": "",
"trustSecName": "",
"portProtocol": {
"serviceId": "",
"port": "",
"protocol": ""
},
"countryCode": "",
"asn": "",
"natAddress": "",
"orientation": "",
"tlsVersion": "",
"processHash": "",
"parentProcessHash": "",
"macVendor": "",
"natPort": "",
"percentBytes": "",
"trustSecId": "",
"synAckPackets": "",
"natHostName": "",
"packetRate": "",
"rstPackets": ""
},
"statistics": {
"tcpRetransmissions": "",
"roundTripTime": "",
"packetCount": "",
"byteRate": "",
"srtAverage": "",
"byteCount": "",
"packetRate": "",
"subjectPeerRatio": "",
"rttMinimum": "",
"rttAverage": "",
"flowTimeSinceStart": "",
"serverResponseTime": "",
"activeDuration": "",
"srtMinimum": "",
"tcpRetransmissionsRatio": "",
"lastActiveTime": "",
"rttMaximum": "",
"firstActiveTime": "",
"numCombinedFlowRecords": "",
"srtMaximum": "",
"tcpConnections": ""
},
"flowSensorApp": {
"name": "",
"id": "",
"description": ""
},
"mplsLabel": "",
"protocol": "",
"cipherSuite": {
"name": "",
"encAlgorithm": "",
"id": "",
"messageAuthCode": "",
"keyExchange": "",
"authAlgorithm": "",
"keyLength": "",
"protocol": ""
},
"applicationId": ""
}
]
}
}
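Initiate Flow Search only returns a query ID; the search itself runs asynchronously on Stealthwatch, so a playbook has to poll Get Flow Search Status until the query finishes and only then call Get Flow Search Results. The following Python is an added example for this page, not FortiSOAR or Cisco code, that drives those three steps with a bounded poll budget and then ranks the returned flows by bytes moved using the subject, peer and statistics fields from the output schema above. It runs offline against a constructed fake client whose replies follow the output schemas shown above; the addresses and byte counts in SAMPLE_FLOWS are invented. It assumes the status field reads "COMPLETED" once percentComplete reaches 100, and the states in FAILED_STATES are invented for the example, so check both against the Stealthwatch API reference before relying on them.

```python
"""Run a Stealthwatch flow search end to end: Initiate Flow Search, poll Get Flow
Search Status until the query finishes, then Get Flow Search Results, and rank
the returned flows by bytes moved. Added example for this page, not FortiSOAR
or Cisco code. It runs offline against a constructed fake client whose replies
follow the output schemas shown above. Assumptions: the query's status field
reads "COMPLETED" when percentComplete reaches 100, and the states in
FAILED_STATES are invented; check both against the Stealthwatch API reference."""
import time
from typing import Any, Callable, Dict, List, Tuple

FAILED_STATES = {"FAILED", "CANCELLED"}  # assumed, not documented on this page


class FlowSearchError(RuntimeError):
    """The search failed, or did not finish within the polling budget."""


class FakeStealthwatch:
    """Constructed stand-in for the connector's three flow-search operations."""

    def __init__(self, flows: List[dict], polls_to_finish: int = 3, fail: bool = False):
        self.flows, self.polls_to_finish, self.fail, self.polls = flows, polls_to_finish, fail, 0

    def initiate_flow_search(self, tenant_id: str, body: dict) -> dict:
        return {"data": {"query": {"id": "q-1001", "status": "IN_PROGRESS",
                                   "domainId": tenant_id, "percentComplete": 0.0}}}

    def get_flow_search_status(self, tenant_id: str, query_id: str) -> dict:
        self.polls += 1
        done = self.polls >= self.polls_to_finish
        status = "FAILED" if done and self.fail else "COMPLETED" if done else "IN_PROGRESS"
        pct = 100.0 if done else round(100.0 * self.polls / self.polls_to_finish, 1)
        return {"data": {"query": {"id": query_id, "status": status,
                                   "domainId": tenant_id, "percentComplete": pct}}}

    def get_flow_search_results(self, tenant_id: str, query_id: str) -> dict:
        return {"data": {"flows": list(self.flows)}}


def run_flow_search(client: Any, tenant_id: str, body: dict, max_polls: int = 30,
                    delay: float = 2.0, sleep: Callable[[float], None] = time.sleep) -> List[dict]:
    """Initiate the search, poll with a bounded budget, then fetch the results.
    The poll cap matters: a stuck playbook step must not hammer the SMC forever."""
    query_id = client.initiate_flow_search(tenant_id, body)["data"]["query"]["id"]
    for _ in range(max_polls):
        query = client.get_flow_search_status(tenant_id, query_id)["data"]["query"]
        if query["status"] == "COMPLETED":
            return client.get_flow_search_results(tenant_id, query_id)["data"]["flows"]
        if query["status"] in FAILED_STATES:
            raise FlowSearchError(f"query {query_id} ended in state {query['status']}")
        sleep(delay)
    raise FlowSearchError(f"query {query_id} still incomplete after {max_polls} polls")


def top_talkers(flows: List[dict], limit: int = 5) -> List[Dict[str, Any]]:
    """Aggregate flows per subject, peer and peer port/protocol, ranked by bytes."""
    totals: Dict[Tuple, int] = {}
    for f in flows:
        pp = f["peer"].get("portProtocol") or {}
        key = (f["subject"]["ipAddress"], f["peer"]["ipAddress"], pp.get("port"), pp.get("protocol"))
        totals[key] = totals.get(key, 0) + int(f["statistics"]["byteCount"])
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]
    return [{"subject": s, "peer": p, "port": port, "protocol": proto, "bytes": b}
            for (s, p, port, proto), b in ranked]


def _flow(subject_ip: str, peer_ip: str, port: int, proto: str, byte_count: int) -> dict:
    """Constructed flow record carrying only the schema fields used above."""
    return {"subject": {"ipAddress": subject_ip},
            "peer": {"ipAddress": peer_ip, "portProtocol": {"port": port, "protocol": proto}},
            "statistics": {"byteCount": byte_count}}


# Constructed sample results; addresses and byte counts are invented.
SAMPLE_FLOWS = [_flow("10.20.1.5", "203.0.113.9", 443, "tcp", 120_000_000),
                _flow("10.20.1.5", "203.0.113.9", 443, "tcp", 80_000_000),
                _flow("10.20.1.7", "198.51.100.2", 22, "tcp", 4_000)]


def demo() -> List[Dict[str, Any]]:
    """Run the whole workflow against the fake client and return the ranked talkers."""
    client = FakeStealthwatch(SAMPLE_FLOWS)
    flows = run_flow_search(client, "123", {"searchName": "demo"}, delay=0.0)
    return top_talkers(flows)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

In a real playbook the three client calls map onto the connector's Initiate Flow Search, Get Flow Search Status and Get Flow Search Results steps, and the sleep between polls becomes a wait step; keep the poll cap, because a query that never completes would otherwise leave the playbook looping against the SMC.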
None.
The output contains the following populated JSON schema:
{
"data": [
{
"displayName": "",
"id": ""
}
]
}
The Sample - Cisco Stealthwatch - 1.1.0 playbook collection comes bundled with the Cisco Stealthwatch connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cisco Stealthwatch connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.