Cisco Stealthwatch v2.0.0

About the connector

Cisco Stealthwatch uses NetFlow to provide visibility across the network, data center, branch offices, and the cloud. Its advanced security analytics uncover stealthy attacks on the extended network. Stealthwatch helps you use your existing network as a security sensor and enforcer to improve your threat defense.

This document provides information about the Cisco Stealthwatch connector, which facilitates automated interactions, with a Cisco Stealthwatch server using FortiSOAR™ playbooks. Add the Cisco Stealthwatch connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving details about domains and retrieving inbound and outbound traffic information for a specified DateTime range, or the last 24 hours.

Version information

Connector Version: 2.0.0

FortiSOAR™ Version Tested on: 6.4.4-3164

Cisco Stealthwatch Version Tested on: v7.1.2 2019.10.28.2033-0

Authored By: Fortinet

Certified: Yes

Permissions Required

The Cisco Stealthwatch connector automated operations have been tested using the following roles:

• All Data (Read-Only)
• Security Analyst
• Network Engineer
• Analyst

Release Notes for version 2.0.0

Following enhancements have been made to the Cisco Stealthwatch connector in version 2.0.0:

• Added the following new operations and playbooks:
  • Get Host Groups List
  • Get Host Group Details
  • External Threats Top Alarm Host
  • Initiate Top Conversation Flow Search
  • Get Top Conversation Flow Search Status
  • Get Top Conversation Flow Search Result
• Removed the Get Tenant IDs operation and playbook.
• Updated the Get Application Traffic by Domain ID, Get Application Traffic by Host Group ID, and Get Application Traffic by Exporter IP operations as follows:
  • Updated the "Start Date and Time" input parameter name to "Start Time".
  • Updated the "End Date and Time" input parameter name to "End Time".

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-stealthwatch

Prerequisites to configuring the connector

• You must have the URL of the Cisco Stealthwatch server to which you will connect and perform the automated operations and the credentials (username-password pair) to access that URL.
• The FortiSOAR™ server should have outbound connectivity to port 443 on the Cisco Stealthwatch server.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Cisco Stealthwatch connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:

Global Parameters

Calls from many Actions can require identifiers of various objects in the system. For example, Domain ID, Exporter IP, Host Group (Tag) ID, Interface, and Flow Collector ID. You can obtain these identifiers by the following two methods:

Using the SMC Client

Use the Stealthwatch Management Console (SMC) client to obtain the identifiers as follows:

1. In the SMC client interface, select your domain in the enterprise tree and then click Configuration > Properties.
   
   This displays the Properties dialog:
   
2. Select the Export All configuration option and click Export.
3. Save the XML configuration file and after it downloads, open it with a text editor.
4. Search for the identifiers in the configuration file by searching for "<name of the identifier. Some examples follow:
   Locate the domainId by searching for “<domain id”.
   Locate the hostGroupId by searching for “<host-group”.
   Locate the interface if-index by searching for “<interface if-index=”.
   Locate the exporterIp by searching for “<exporter ip=".

Using the Command Line Interface

You can also find parameter information from using a Command Line Interface (CLI). For example, type the following command to get a list of the host_id from a Flow Collector:

grep id= /lancope/var/sw/today/config/groups.xml | awk ' {print $2, $3, $4}' | sed s/\"//g| sed s/id=//g |awk '$1<60000'|sort -k1,1n |less

To get the Domain ID for an SMC, type the following command:

 ls /lancope/var/smc/config/ | grep domain

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

operation: Get Domain Details

Input parameters

None.

Output

The JSON contains information for all the domains. The output contains the following populated JSON schema:
{
"data": [
{
"displayName": "",
"id": ""
}
]
}

operation: Get Application Traffic by Domain ID

Input parameters

Note: If you do not specify the DateTime range, then the inbound and outbound traffic information is retrieved for the last 24 hours.

Output

The JSON output contains the inbound and outbound traffic information for the DateTime range and domain that you have specified.

The output contains the following populated JSON schema:
{
"applicationTrafficPerApplication": [
{
"trafficOutboundBps": "",
"applicationName": "",
"trafficInboundBps": "",
"applicationId": "",
"trafficWithinBps": ""
}
],
"timePeriod": ""
}

operation: Get Application Traffic by Host Group ID

Input parameters

Note: If you do not specify the datetime range, then the inbound and outbound traffic information is retrieved for the last 24 hours.

Output

The JSON output contains the inbound and outbound traffic information for the datetime range and Host Group IP that you have specified.

The output contains the following populated JSON schema:
{
"applicationTrafficPerApplication": [
{
"trafficOutboundBps": "",
"applicationName": "",
"trafficInboundBps": "",
"applicationId": "",
"trafficWithinBps": ""
}
],
"timePeriod": ""
}

operation: Get Application Traffic by Exporter IP

Input parameters

Note: If you do not specify the DateTime range, then the inbound and outbound traffic information is retrieved for the last 24 hours.

Output

The JSON output contains the inbound and outbound traffic information for the DateTime range and Exporter IP address that you have specified.

The output contains the following populated JSON schema:
{
"applicationTrafficPerApplication": [
{
"trafficOutboundBps": "",
"applicationName": "",
"trafficInboundBps": "",
"applicationId": "",
"trafficWithinBps": ""
}
],
"timePeriod": ""
}

operation: Initiate Flow Search

Input parameters

List of valid parameters for the subject host filters are as follows:

• orientation: If included, this parameter determines whether hosts detected as client or server are assigned the subject role. Valid values: server, client.
• ipAddresses: IP Addresses to include or exclude.
• hostGroups: Host Group IDs to include or exclude.
• tcpUdpPorts: Protocols/Ports to include or exclude.
• username: Usernames to include or exclude.
• byteCount: List of byte ranges with which you want to filter the results.
  operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
  value: Either one or two integers representing the value(s) to be compared.
• packetCount: List of packet ranges with which you want to filter the results.
  operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
  value: Either one or two integers representing the value(s) to be compared.
• macAddress: MAC addresses to include or exclude.
• processName: Process names to include or exclude.
• processHash: Process hash values to include or exclude.
• trustSecId: Cisco Trust Sec IDs to include or exclude.
• trustSecName: Cisco Trust Sec Names to include or exclude.

Example of the subject host filter:

{
“orientation”: “CLIENT”,
“ipAddresses”: {
“includes”: [“192.168.0”, “10.20”],
“excludes”: [“10.20.20”, “192.168.0.1-100”]
},
“hostGroups”: {
“includes”: [1234, 2345],
“excludes”: [12345, 23456]
},
“tcpUdpPorts”: {
“includes”: [“80-9000/tcp”, “67-68/udp”],
“excludes”: [“8000-9000/tcp”, “68/udp”]
},
“username”: {
“includes”: [“admin”, “veep”],
“excludes”: [“jdub”, “ghill”]
},
“byteCount”: [{
“operator”: “>=”,
“value”: [204800]
}],
“packetCount”: [{
“operator”: “BETWEEN”,
“value”: [100, 400]
}],
“macAddress”: {
“includes”: [“00-1B-63-84-45-36”, “00-1B-63-84-45-63”],
“excludes”: [“00-14-22-01-23-45”, “00-14-22-01-23-54”]
},
“processName”: {
“includes”: [“cmd.exe”, “telnet.exe”],
“excludes”: [“ping.exe”, “proc.bin”]
},
“processHash”: {
“includes”: [“cf23df2207d99a74fbe169e3eba035e633b65d94”],
“excludes”: [“cf23df2207d99a74fbe169e3eba035e633b65d97”]
},
“trustSecId”: {
“includes”: [32, 44],
“excludes”: [75]
},
“trustSecName”: {
“includes”: [“CTS-One”],
“excludes”: [“CTS-Two”, “CTS-Three”]
}
}

List of valid parameters for the peer host filters are as follows:

• ipAddresses: IP Addresses to include or exclude.
• hostGroups: Host Group IDs to include or exclude.
• tcpUdpPorts: Protocols/Ports to include or exclude.
• username: Usernames to include or exclude.
• byteCount: List of byte ranges with which you want to filter the results.
  operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
  value: Either one or two integers representing the value(s) to be compared.
• packetCount: List of packet ranges with which you want to filter the results.
  operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
  value: Either one or two integers representing the value(s) to be compared.
• macAddress: MAC addresses to include or exclude.
• processName: Process names to include or exclude.
• processHash: Process hash values to include or exclude.
• trustSecId: Cisco Trust Sec IDs to include or exclude.
• trustSecName: Cisco Trust Sec Names to include or exclude.

Example of the peer host filter:

{
“ipAddresses”: {
“includes”: [“2001:0db8:85a3:0000:0000:8a2e:0370:7334”, “2001:DB8:0:56::/64”],
“excludes”: [“2001:DB80:0:56::ABCD:239.18.52.86”, “2001:DB8:0:56:ABCD:EF12:3456:1–10”]
},
“hostGroups”: {
“includes”: [9876, 8765],
“excludes”: [987654, 87654]
},
“tcpUdpPorts”: {
“includes”: [“80-9000/tcp”, “67-68/udp”],
“excludes”: [“8000-9000/tcp”, “68/udp”]
},
“username”: {
“includes”: [“admin”, “veep”],
“excludes”: [“jdub”, “ghill”]
},
“byteCount”: [{
“operator”: “>=”,
“value”: [204800]
}],
“packetCount”: [{
“operator”: “BETWEEN”,
“value”: [100, 400]
}],
“macAddress”: {
“includes”: [“00-1B-63-84-45-36”, “00-1B-63-84-45-63”],
“excludes”: [“00-14-22-01-23-45”, “00-14-22-01-23-54”]
},
“processName”: {
“includes”: [“cmd.exe”, “telnet.exe”],
“excludes”: [“ping.exe”, “proc.bin”]
},
“processHash”: {
“includes”: [“cf23df2207d99a74fbe169e3eba035e633b65d94”],
“excludes”: [“cf23df2207d99a74fbe169e3eba035e633b65d97”]
},
“trustSecId”: {
“includes”: [32, 44],
“excludes”: [75]
},
“trustSecName”: {
“includes”: [“CTS-One”],
“excludes”: [“CTS-Two”, “CTS-Three”]
}
}

List of valid parameters for the flow metadata filters are as follows:

• tcpUdpPorts: Protocols/Ports to include or exclude. For example, “8080/tcp”, “20-21/UDP”
• applications: Application IDs to include or exclude.
• flowDirection: Indicates the direction of the flow. Valid values: “BOTH”, “UNIDIRECTIONAL”, “BIDIRECTIONAL”
• byteCount: List of byte ranges with which you want to filter the results.
  operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
  value: Either one or two integers representing the value(s) to be compared.
• packetCount: List of packet ranges with which you want to filter the results.
  operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
  value: Either one or two integers representing the value(s) to be compared.
• payload: List of payload data (in ASCII format) to include or exclude.
• tcpConnections: The number of TCP connections that occur during the flow.
  operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
  value: Either one or two integers representing the value(s) to be compared.
• tcpRetransmissions: The number of TCP packets that were retransmitted during the flow.
  operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
  value: Either one or two integers representing the value(s) to be compared.
• averageRoundTripTime: The Average Round-Trip Time, or the average amount of time (in milliseconds) required for all the TCP connections to occur in the flow.
  operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
  value: Either one or two integers representing the value(s) to be compared.
• averageServerResponseTime: The Average Server Response Time, or the average amount of time (in milliseconds) between the first request and response for all the TCP connections in the flow.
  operator: Comparator to use while running the query. Valid values: >, <, >=, <=, BETWEEN.
  value: Either one or two integers representing the value(s) to be compared.
• protocol: The list of protocol IDs as assigned by IANA with which to filter the results.
• includeInterfaceData: The flag to include the interface data.
• flowDataSource: The list of Flow Collectors/Exporter/Interfaces.
• flowCollectorId: The Flow Collector ID with which to filter the results.
• exporters: The Flow Collector Exporters with which to filter the results. If not provided, then it defaults to all.
• ipAddress: The Exporter IP Address with which to filter the results.
• interfaceIds: The list of Exporter’s Interface IDs with which to filter the results. If not provided, then it defaults to all.
• flowAction: The interfaces flow action with which to filter the results. Valid values: permitted, denied, permitted_denied.
• tlsVersion: The list of TLS version with which to filter the results. Valid values: “TLS 1.3”,“TLS 1.2”,“TLS 1.1”,“TLS 1.0”,“SSL 3.0”,“SSL 2.0”,“SSL 1.0”,“UNKNOWN”,“NONE”.
• cipherSuite: The set of cryptographic algorithms being used to filter results.
• messageAuthCode: List of message authentication code (MAC) algorithms being used to filter results.
  Examples: “GOST28147”, “GOSTR3411”, “MD5”, “NULL”, “SHA”, “SHA256”, “SHA384”.
• keyExchange: The list of key exchange algorithms being used to filter results.
  Examples:, “DH”, “DHE”, “ECDH”, “ECDHE”, “FORTEZZA”, “KRB5”, “KRB5_EXPORT”, “NULL”, “PCT”, “PCT1_MAC_BITS 128”, “PSK”, “RSA”, “RSA_EXPORT 1024”, “RSA_EXPORT”, “RSA_FIPS”, “SRP”, “VKO GOST R 34.10-2001”, “VKO GOST R 34.10-94”.
• authAlgorithm: List of authorization algorithms being used to filter results.
  Examples: “Anon”, “DHE”, “DSS”, “ECDSA”, “KEA”, “KRB5”, “KRB5_EXPORT”, “NULL”, “PCT”, “PSK”, “RSA”, “RSA_EXPORT 1024”, “RSA_EXPORT”, “RSA_FIPS”, “SHA”, “VKO GOST R 34.10-2001”, “VKO GOST R 34.10-94”.
• encAlgorithm: List of encryption algorithms being used to filter results.
  Examples: “3DES_EDE_CBC”, “AES_128_CBC”, “AES_128_CCM”, “AES_128_CCM_8”, “AES_128_GCM”, “AES_256_CBC”, “AES_256_CCM”, “AES_256_CCM_8”, “AES_256_GCM”, “ARIA_128_CBC”, “ARIA_128_GCM”, “ARIA_256_CBC”, “ARIA_256_GCM”, “CAMELLIA_128_CBC”, “CAMELLIA_128_GCM”, “CAMELLIA_256_CBC”, “CAMELLIA_256_GCM”, “CHACHA20_POLY1305”, “DES40_CBC”, “DES_192_EDE3_CBC”, “DES_64_CBC”, “DES_CBC”, “DES_CBC_40”, “FORTEZZA_CBC”, “GOST28147”, “IDEA_128_CBC”, “IDEA_CBC”, “NULL”, “RC2_CBC_128_CBC”, “RC2_CBC_40”, “RC2_CBC_56”, “RC4_128”, “RC4_128_EXPORT40”, “RC4_40”, “RC4_56”, “RC4_64”, “SEED_CBC”.
• keyLength: List of key length in bits being used to filter results.
  Examples: “0”, “40”, “56”, “64”, “80”, “128”, “168”, “192”, “256”.

Example of the flow metadata filter:

{
“tcpUdpPorts”: { “includes”: [“80-9000/tcp”, “67-68/udp”],
“excludes”: [“8000-9000/tcp”, “68/udp”]
},
“applications”: {
“includes”: [3002, 3001, 116, 136],
“excludes”: [127, 125, 147, 45]
},
“flowDirection”: “BIDIRECTIONAL”,
“byteCount”: [{
“operator”: “>=”,
“value”: [204800]
}],
“packetCount”: [{
“operator”: “<=”,
“value”: [10]
}],
“payload”: {
“includes”: [“http”, “blah”],
“excludes”: []
},
“tcpConnections”: [{
“operator”: “>=”,
“value”: [2000]
}],
“tcpRetransmissions”: [{
“operator”: “>=”,
“value”: [2000]
}],
“tlsVersion”: [“TLS 1.2”, “UNKNOWN”],
“cipherSuite”: {
“messageAuthCode”: [“SHA256”],
“keyExchange”: [“ECDHE”],
“authAlgorithm”: [“RSA”],
“encAlgorithm”: [“AES_128_CBC”],
“keyLength”: [“128”] },
“averageRoundTripTime”: [{
“operator”: “<=”,
“value”: [50]
}],
“averageServerResponseTime”: [{
“operator”: “>=”,
“value”: [2000]
}],
“flowDataSource”: [{
“flowCollectorId”: 151,
“exporters”: [{
“ipAddress”: “10.100.100.7”,
“interfaceIds”: [7,27]
},{
“ipAddress”: “10.203.1.1”
}]
}],
“protocol”: [114, 10],
“includeInterfaceData”: false,
“flowAction”: “permitted”
}

For more information, see the /tenants/{tenantId}/flows/queries endpoint, at https://developer.cisco.com/docs/stealthwatch/enterprise/#!reporting-api-version-2

Output

The output contains the following populated JSON schema:

{
"data": {
"query": {
"id": "",
"status": "",
"domainId": "",
"percentComplete": ""
}
}
}

operation: Get Flow Search Status

Input parameters

Output

The output contains the following populated JSON schema:
{
"data": {
"query": {
"id": "",
"status": "",
"domainId": "",
"percentComplete": ""
}
}
}

operation: Get Flow Search Results

Input parameters

Output

The output contains the following populated JSON schema:
{
"data": {
"flows": [
{
"id": "",
"tenantId": "",
"flowCollectorId": "",
"mplsLabel": "",
"protocol": "",
"serviceId": "",
"tlsVersion": "",
"vlanId": "",
"applicationId": "",
"cipherSuite": {
"id": "",
"name": "",
"protocol": "",
"keyExchange": "",
"authAlgorithm": "",
"encAlgorithm": "",
"keyLength": "",
"messageAuthCode": ""
},
"statistics": {
"activeDuration": "",
"numCombinedFlowRecords": "",
"firstActiveTime": "",
"lastActiveTime": "",
"tcpRetransmissions": "",
"tcpRetransmissionsRatio": "",
"byteCount": "",
"packetCount": "",
"byteRate": "",
"packetRate": "",
"tcpConnections": "",
"roundTripTime": "",
"serverResponseTime": "",
"subjectPeerRatio": "",
"rttAverage": "",
"rttMaximum": "",
"rttMinimum": "",
"srtAverage": "",
"srtMaximum": "",
"srtMinimum": "",
"flowTimeSinceStart": ""
},
"subject": {
"hostGroupIds": [],
"countryCode": "",
"ipAddress": "",
"natAddress": "",
"natPort": "",
"portProtocol": {
"protocol": "",
"port": "",
"serviceId": ""
},
"percentBytes": "",
"bytes": "",
"packets": "",
"byteRate": "",
"packetRate": "",
"orientation": "",
"finPackets": "",
"rstPackets": "",
"synPackets": "",
"synAckPackets": "",
"tlsVersion": "",
"trustSecId": ""
},
"peer": {
"hostGroupIds": [],
"countryCode": "",
"ipAddress": "",
"natPort": "",
"portProtocol": {
"protocol": "",
"port": "",
"serviceId": ""
},
"percentBytes": "",
"bytes": "",
"packets": "",
"byteRate": "",
"packetRate": "",
"orientation": "",
"finPackets": "",
"rstPackets": "",
"synPackets": "",
"synAckPackets": "",
"tlsVersion": "",
"trustSecId": ""
}
}
]
}
}

operation: Get Host Groups List

Input parameters

Output

The output contains the following populated JSON schema:
{
"data": {
"id": "",
"displayName": "",
"tags": [
{
"displayName": "",
"tags": [
{
"displayName": "",
"tags": [],
"id": ""
}
],
"id": ""
}
]
}
}
{
"data": [
{
"id": "",
"displayName": ""
}
]
}

operation: Get Host Group Details

Input parameters

Output

The output contains the following populated JSON schema:
{
"data": {
"id": "",
"displayName": ""
}
}

operation: Get External Threats Top Alarm Host

Input parameters

Output

The output contains the following populated JSON schema:
{
"data": {
"data": [
{
"sourceCategoryEvents": [
{
"severity": "",
"typeId": "",
"alwaysBadCount": ""
}
],
"sourceSecurityEvents": [
{
"severity": "",
"typeId": "",
"alwaysBadCount": ""
}
],
"ipAddress": "",
"targetSecurityEvents": [],
"hostGroupIds": [],
"targetCategoryEvents": []
}
],
"header": {
"startTime": "",
"endTime": ""
}
}
}

operation: Initiate Top Conversation Flow Search

Input parameters

Output

The output contains the following populated JSON schema:
{
"data": {
"status": "",
"queryId": ""
}
}

operation: Get Top Conversation Flow Search Status

Input parameters

Output

The output contains the following populated JSON schema:
{
"data": {
"queryId": "",
"status": ""
}
}

operation: Get Top Conversation Flow Search Result

Input parameters

Output

The output contains the following populated JSON schema:
{
"data": {
"results": [
{
"records": "",
"hostClientPackets": "",
"peerServerBytes": "",
"port": "",
"flows": "",
"packetRateAvg": "",
"connections": "",
"trafficRateAvg": "",
"protocol": "",
"hostClients": "",
"peerConnections": "",
"hostBytes": "",
"hostServers": "",
"peerBytesRatio": "",
"rank": "",
"trafficRate95th": "",
"hostServerBytes": "",
"peerRole": "",
"peerPackets": "",
"peerClientPackets": "",
"hosts": "",
"serverBytesRatio": "",
"hostPackets": "",
"packetRate95th": "",
"peerServerPackets": "",
"trafficRateMin": "",
"protocolNumber": "",
"hostClientBytes": "",
"hostServerPackets": "",
"peers": "",
"hostRole": "",
"peerClientBytes": "",
"host": {
"ipAddress": "",
"hostGroupIds": [],
"country": ""
},
"peerClients": "",
"hostBytesRatio": "",
"hostFlows": "",
"deviceId": "",
"packetRateMax": "",
"trafficRateMax": "",
"packetRateMin": "",
"portProtocol": {
"protocol": "",
"port": "",
"service": {
"protocol": "",
"id": ""
}
},
"hostConnections": "",
"peerBytes": "",
"percent": "",
"clientBytesRatio": "",
"peer": {
"ipAddress": "9",
"hostGroupIds": [],
"country": ""
},
"packets": "",
"peerServers": "",
"peerFlows": "",
"bytes": ""
}
],
"summary": {
"records": "",
"hostClientBytes": "",
"peerClientBytes": "",
"deviceId": "",
"peerServerBytes": "",
"hostPackets": "",
"peers": "",
"flows": "",
"packetRateAvg": "",
"connections": "",
"trafficRateAvg": "",
"hostClients": "",
"hostBytesRatio": "",
"hostFlows": "",
"peerBytes": "",
"hostClientPackets": "",
"peerServers": "",
"peerConnections": "",
"peerBytesRatio": "",
"packetRateMax": "",
"hostRole": "",
"trafficRateMax": "",
"hostBytes": "",
"packetRateMin": "",
"hostServerPackets": "",
"hostServers": "",
"hostConnections": "",
"bytes": "",
"trafficRate95th": "",
"percent": "",
"clientBytesRatio": "",
"hostServerBytes": "",
"peerRole": "",
"peerPackets": "",
"packets": "",
"peerClientPackets": "",
"hosts": "",
"serverBytesRatio": "",
"peerFlows": "",
"packetRate95th": "",
"peerServerPackets": "",
"trafficRateMin": "",
"peerClients": ""
}
}
}

Included playbooks

The Sample - Cisco Stealthwatch - 2.0.0 playbook collection comes bundled with the Cisco Stealthwatch connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cisco Stealthwatch connector.

• Get Application Traffic by Domain ID
• Get Application Traffic by Exporter IP
• Get Application Traffic by Host Group ID
• Get Domain Details
• External Threats Top Alarm Host
• Get Flow Search Results
• Get Flow Search Status
• Get Host Group Details
• Get Host Groups List
• Get Top Conversation Flow Search Result
• Get Top Conversation Flow Search Status
• Initiate Flow Search
• Initiate Top Conversation Flow Search

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.