Stealthwatch is the solution that detects threats across your private network, public clouds, and even in encrypted traffic.
This document provides information about the Cisco Stealthwatch Connector, which facilitates automated interactions, with a Cisco Stealthwatch server using FortiSOAR™ playbooks. Add the Cisco Stealthwatch Connector as a step in FortiSOAR™ playbooks and perform automated operations with Cisco Stealthwatch.
Connector Version: 2.1.0
Authored By: Fortinet
Contributor: Malaya Manas Panda
Certified: No
The following enhancements have been made to the Cisco Stealthwatch Connector in version 2.1.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
```shell
yum install cyops-connector-stealthwatch
```
The Cisco Stealthwatch connector automated operations have been tested using the following roles:
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Cisco Stealthwatch connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | URL of the Cisco Stealthwatch server to which you will connect and perform the automated operations. |
| Username | Username to access the Cisco Stealthwatch server to which you will connect and perform the automated operations. |
| Password | Password to access the Cisco Stealthwatch server to which you will connect and perform the automated operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Application Traffic by Domain ID | Retrieves inbound and outbound traffic information from Cisco Stealthwatch for the Domain (Tenant) ID and, optionally, the DateTime range that you have specified. If you do not specify the DateTime range, then inbound and outbound traffic information is retrieved for the last 24 hours. | get_application_traffic Investigation |
| Get Application Traffic by Host Group ID | Retrieves inbound and outbound traffic information from Cisco Stealthwatch for the Host Group (Tag) ID, Domain (Tenant) ID, and, optionally, the DateTime range that you have specified. If you do not specify the DateTime range, then inbound and outbound traffic information is retrieved for the last 24 hours. | get_application_traffic Investigation |
| Get Application Traffic by Exporter IP | Retrieves inbound and outbound traffic information from Cisco Stealthwatch for the Domain (Tenant) ID, Flow Collector Device ID, Exporter IP address, Interface, and, optionally, the DateTime range that you have specified. If you do not specify the DateTime range, then inbound and outbound traffic information is retrieved for the last 24 hours. | get_application_traffic Investigation |
| Get Domain Details | Retrieves information for all the domains (tenants) from Cisco Stealthwatch. | get_domain_details Investigation |
| Initiate Flow Search | Initiates a flow search on Cisco Stealthwatch, based on the tenant (domain) ID, search name, and other filters you have specified. | initiate_flow_search Investigation |
| Get Flow Search Status | Retrieves the status of a specified flow search, based on the tenant (domain) ID and query ID you have specified. | get_flow_search_status Investigation |
| Get Flow Search Results | Retrieves the result of a specified flow search, based on the tenant (domain) ID and query ID you have specified. | get_flow_search_results Investigation |
| Get Host Groups List | Retrieves all host tags (groups) based on the tenant (domain) ID and host type you have specified. | list_host_groups Investigation |
| Get Host Group Details | Retrieves details of a host tag (group) based on the tenant (domain) ID and host type you have specified. You can also optionally specify the host group ID to further filter the results and retrieve details only for the specified host group ID. | get_host_details Investigation |
| Get External Threats Top Alarm Host | Retrieves the top alarming hosts for an external threat tag (tagId) for a specific Tenant or Domain (tenantId). | threats_top_alarms Investigation |
| Initiate Top Conversation Flow Search | Initiates a top conversation flow report search on Cisco Stealthwatch, based on the tenant (domain) ID, search name, and other filters you have specified. | top_conversation_flow Investigation |
| Get Top Conversation Flow Search Status | Retrieves the status of a specified top conversation flow search, based on the tenant (domain) ID and query ID you have specified. | get_top_conversation_status Investigation |
| Get Top Conversation Flow Search Result | Retrieves the result of a specified top conversation flow search, based on the tenant (domain) ID and query ID you have specified. | get_top_conversation_result Investigation |
| Initiate Flow Analysis | Initiates a top conversation flow report search on Cisco Stealthwatch, based on the tenant (domain) ID, advance search filter as JSON, and other parameters that you have specified. | initiate_flow_analysis Investigation |
| Parameter | Description |
|---|---|
| Domain ID | Specify the ID of the domain for which you want to retrieve inbound and outbound traffic information from Cisco Stealthwatch. |
| Start Time | (Optional) Specify the start time from when you want to retrieve inbound and outbound traffic information from Cisco Stealthwatch. |
| End Time | (Optional) Specify the end time till when you want to retrieve inbound and outbound traffic information from Cisco Stealthwatch. |
Note: If you do not specify the DateTime range, then the inbound and outbound traffic information is retrieved for the last 24 hours.
The JSON output contains the inbound and outbound traffic information for the DateTime range and domain that you have specified.
The output contains the following populated JSON schema:
```json
[
  {
    "timePeriod": "",
    "applicationTrafficPerApplication": [
      {
        "applicationId": "",
        "trafficOutboundBps": "",
        "trafficWithinBps": "",
        "applicationName": "",
        "trafficInboundBps": ""
      }
    ]
  }
]
```
| Parameter | Description |
|---|---|
| Domain ID | Specify the ID of the domain for which you want to retrieve inbound and outbound traffic information from Cisco Stealthwatch. |
| Host Group ID | Specify the ID of the Host Group for which you want to retrieve inbound and outbound traffic information from Cisco Stealthwatch. |
| Start Time | (Optional) Specify the start time from when you want to retrieve inbound and outbound traffic information from Cisco Stealthwatch. |
| End Time | (Optional) Specify the end time till when you want to retrieve inbound and outbound traffic information from Cisco Stealthwatch. |
Note: If you do not specify the datetime range, then the inbound and outbound traffic information is retrieved for the last 24 hours.
The JSON output contains the inbound and outbound traffic information for the datetime range and Host Group ID that you have specified.
The output contains the following populated JSON schema:
```json
[
  {
    "timePeriod": "",
    "applicationTrafficPerApplication": [
      {
        "applicationId": "",
        "trafficOutboundBps": "",
        "trafficWithinBps": "",
        "applicationName": "",
        "trafficInboundBps": ""
      }
    ]
  }
]
```
| Parameter | Description |
|---|---|
| Domain ID | Specify the ID of the domain for which you want to retrieve inbound and outbound traffic information from Cisco Stealthwatch. |
| Flow Collector Device ID | Specify the ID of the Flow Collector Device (generated by Cisco Stealthwatch) for which you want to retrieve inbound and outbound traffic information from Cisco Stealthwatch. NOTE: You can retrieve the Flow Collector Device ID using the Get Flow Search Results operation. |
| Exporter IP Address | Specify the IP address of the Exporter, such as a router or switch, for which you want to retrieve inbound and outbound traffic information from Cisco Stealthwatch. |
| Interface ID | Specify the ID of the Interface created in Cisco Stealthwatch for which you want to retrieve inbound and outbound traffic information from Cisco Stealthwatch. NOTE: You can retrieve the Interface ID using the Get Flow Search Results operation. |
| Start Time | (Optional) Specify the start time from when you want to retrieve inbound and outbound traffic information from Cisco Stealthwatch. |
| End Time | (Optional) Specify the end time till when you want to retrieve inbound and outbound traffic information from Cisco Stealthwatch. |
Note: If you do not specify the DateTime range, then the inbound and outbound traffic information is retrieved for the last 24 hours.
The JSON output contains the inbound and outbound traffic information for the DateTime range and Exporter IP address that you have specified.
The output contains the following populated JSON schema:
```json
[
  {
    "timePeriod": "",
    "applicationTrafficPerApplication": [
      {
        "applicationId": "",
        "trafficOutboundBps": "",
        "applicationName": "",
        "trafficInboundBps": ""
      }
    ]
  }
]
```
None.
The JSON contains information for all the domains.
The output contains the following populated JSON schema:
```json
{
  "data": [
    {
      "id": "",
      "displayName": ""
    }
  ]
}
```
| Parameter | Description |
|---|---|
| Tenant ID | Specify the ID of the tenant on which you want to initiate a flow search on Cisco Stealthwatch. |
| Search Name | Specify the name for the search that you initiate on Cisco Stealthwatch. |
| Start Time | Specify the start time from when you want to initiate a flow search on Cisco Stealthwatch. This value must not occur after the End Time. |
| End Time | Specify the end time till when you want to initiate a flow search on Cisco Stealthwatch. This value must not occur before the Start Time. |
| Number of Records | (Optional) Specify the maximum number of flow records that you want this operation to return from Cisco Stealthwatch. You can specify any number within the 1-10000 range. |
| Subject Host Filters | (Optional) Specify the collection of Subject Host filters in the JSON format, based on which you want to initiate a flow search on Cisco Stealthwatch. Refer to the section Valid Parameters For Subject Host Filters for more information. |
| Peer Host Filters | (Optional) Specify the collection of Peer Host filters in the JSON format, based on which you want to initiate a flow search on Cisco Stealthwatch. Refer to the section Valid Parameters For Peer Host Filters for more information. |
| Flow Metadata Filters | (Optional) Specify the collection of Flow Metadata filters in the JSON format, based on which you want to initiate a flow search on Cisco Stealthwatch. Refer to the section Valid Parameters For Flow Metadata Filters for more information. |
- orientation: If included, this parameter determines whether hosts detected as client or server are assigned the subject role. Valid values:
- ipAddresses: IP Addresses to include or exclude.
- hostGroups: Host Group IDs to include or exclude.
- tcpUdpPorts: Protocols/Ports to include or exclude.
- username: Usernames to include or exclude.
- byteCount: List of byte ranges with which you want to filter the results.
  - operator: Comparator to use while running the query. Valid values: `>`, `<`, `>=`, `<=`, `BETWEEN`
  - value: Either one or two integers representing the value(s) to be compared.
- packetCount: List of packet ranges with which you want to filter the results.
  - operator: Comparator to use while running the query. Valid values: `>`, `<`, `>=`, `<=`, `BETWEEN`
  - value: Either one or two integers representing the value(s) to be compared.
- macAddress: MAC addresses to include or exclude.
- processName: Process names to include or exclude.
- processHash: Process hash values to include or exclude.
- trustSecId: Cisco TrustSec IDs to include or exclude.
- trustSecName: Cisco TrustSec Names to include or exclude.
```json
{
  "orientation": "CLIENT",
  "ipAddresses": {
    "includes": ["192.168.0", "10.20"],
    "excludes": ["10.20.20", "192.168.0.1-100"]
  },
  "hostGroups": {
    "includes": [1234, 2345],
    "excludes": [12345, 23456]
  },
  "tcpUdpPorts": {
    "includes": ["80-9000/tcp", "67-68/udp"],
    "excludes": ["8000-9000/tcp", "68/udp"]
  },
  "username": {
    "includes": ["admin", "veep"],
    "excludes": ["jdub", "ghill"]
  },
  "byteCount": [
    {"operator": ">=", "value": [204800]}
  ],
  "packetCount": [
    {"operator": "BETWEEN", "value": [100, 400]}
  ],
  "macAddress": {
    "includes": ["00-1B-63-84-45-36", "00-1B-63-84-45-63"],
    "excludes": ["00-14-22-01-23-45", "00-14-22-01-23-54"]
  },
  "processName": {
    "includes": ["cmd.exe", "telnet.exe"],
    "excludes": ["ping.exe", "proc.bin"]
  },
  "processHash": {
    "includes": ["cf23df2207d99a74fbe169e3eba035e633b65d94"],
    "excludes": ["cf23df2207d99a74fbe169e3eba035e633b65d97"]
  },
  "trustSecId": {
    "includes": [32, 44],
    "excludes": [75]
  },
  "trustSecName": {
    "includes": ["CTS-One"],
    "excludes": ["CTS-Two", "CTS-Three"]
  }
}
```
- ipAddresses: IP Addresses to include or exclude.
- hostGroups: Host Group IDs to include or exclude.
- tcpUdpPorts: Protocols/Ports to include or exclude.
- username: Usernames to include or exclude.
- byteCount: List of byte ranges with which you want to filter the results.
  - operator: Comparator to use while running the query. Valid values: `>`, `<`, `>=`, `<=`, `BETWEEN`
  - value: Either one or two integers representing the value(s) to be compared.
- packetCount: List of packet ranges with which you want to filter the results.
  - operator: Comparator to use while running the query. Valid values: `>`, `<`, `>=`, `<=`, `BETWEEN`
  - value: Either one or two integers representing the value(s) to be compared.
- macAddress: MAC addresses to include or exclude.
- processName: Process names to include or exclude.
- processHash: Process hash values to include or exclude.
- trustSecId: Cisco TrustSec IDs to include or exclude.
- trustSecName: Cisco TrustSec Names to include or exclude.
```json
{
  "ipAddresses": {
    "includes": ["2001:0db8:85a3:0000:0000:8a2e:0370:7334", "2001:DB8:0:56::/64"],
    "excludes": ["2001:DB80:0:56::ABCD:239.18.52.86", "2001:DB8:0:56:ABCD:EF12:3456:1-10"]
  },
  "hostGroups": {
    "includes": [9876, 8765],
    "excludes": [987654, 87654]
  },
  "tcpUdpPorts": {
    "includes": ["80-9000/tcp", "67-68/udp"],
    "excludes": ["8000-9000/tcp", "68/udp"]
  },
  "username": {
    "includes": ["admin", "veep"],
    "excludes": ["jdub", "ghill"]
  },
  "byteCount": [
    {"operator": ">=", "value": [204800]}
  ],
  "packetCount": [
    {"operator": "BETWEEN", "value": [100, 400]}
  ],
  "macAddress": {
    "includes": ["00-1B-63-84-45-36", "00-1B-63-84-45-63"],
    "excludes": ["00-14-22-01-23-45", "00-14-22-01-23-54"]
  },
  "processName": {
    "includes": ["cmd.exe", "telnet.exe"],
    "excludes": ["ping.exe", "proc.bin"]
  },
  "processHash": {
    "includes": ["cf23df2207d99a74fbe169e3eba035e633b65d94"],
    "excludes": ["cf23df2207d99a74fbe169e3eba035e633b65d97"]
  },
  "trustSecId": {
    "includes": [32, 44],
    "excludes": [75]
  },
  "trustSecName": {
    "includes": ["CTS-One"],
    "excludes": ["CTS-Two", "CTS-Three"]
  }
}
```
- tcpUdpPorts: Protocols/Ports to include or exclude. For example, 8080/tcp, 20-21/UDP
- applications: Application IDs to include or exclude.
- flowDirection: Indicates the direction of the flow. Valid values:
- byteCount: List of byte ranges with which you want to filter the results.
  - operator: Comparator to use while running the query. Valid values: `>`, `<`, `>=`, `<=`, `BETWEEN`
  - value: Either one or two integers representing the value(s) to be compared.
- packetCount: List of packet ranges with which you want to filter the results.
  - operator: Comparator to use while running the query. Valid values: `>`, `<`, `>=`, `<=`, `BETWEEN`
  - value: Either one or two integers representing the value(s) to be compared.
- payload: List of payload data (in ASCII format) to include or exclude.
- tcpConnections: The number of TCP connections that occur during the flow.
  - operator: Comparator to use while running the query. Valid values: `>`, `<`, `>=`, `<=`, `BETWEEN`
  - value: Either one or two integers representing the value(s) to be compared.
- tcpRetransmissions: The number of TCP packets that were retransmitted during the flow.
  - operator: Comparator to use while running the query. Valid values: `>`, `<`, `>=`, `<=`, `BETWEEN`
  - value: Either one or two integers representing the value(s) to be compared.
- averageRoundTripTime: The Average Round-Trip Time, or the average amount of time (in milliseconds) required for all the TCP connections to occur in the flow.
  - operator: Comparator to use while running the query. Valid values: `>`, `<`, `>=`, `<=`, `BETWEEN`
  - value: Either one or two integers representing the value(s) to be compared.
- averageServerResponseTime: The Average Server Response Time, or the average amount of time (in milliseconds) between the first request and response for all the TCP connections in the flow.
  - operator: Comparator to use while running the query. Valid values: `>`, `<`, `>=`, `<=`, `BETWEEN`
  - value: Either one or two integers representing the value(s) to be compared.
- protocol: The list of protocol IDs as assigned by IANA with which to filter the results.
- includeInterfaceData: The flag to include the interface data.
- flowDataSource: The list of Flow Collectors/Exporters/Interfaces.
  - flowCollectorId: The Flow Collector ID with which to filter the results.
  - exporters: The Flow Collector Exporters with which to filter the results. If not provided, then it defaults to all.
    - ipAddress: The Exporter IP Address with which to filter the results.
    - interfaceIds: The list of the Exporter's Interface IDs with which to filter the results. If not provided, then it defaults to all.
- flowAction: The interface flow action with which to filter the results. Valid values:
- tlsVersion: The list of TLS versions with which to filter the results. Valid values:
- cipherSuite: The set of cryptographic algorithms being used to filter results.
  - messageAuthCode: List of message authentication code (MAC) algorithms being used to filter results. Examples:
  - keyExchange: The list of key exchange algorithms being used to filter results. Examples:
  - authAlgorithm: List of authorization algorithms being used to filter results. Examples:
  - encAlgorithm: List of encryption algorithms being used to filter results. Examples:
  - keyLength: List of key lengths in bits being used to filter results. Examples:
```json
{
  "tcpUdpPorts": {
    "includes": ["80-9000/tcp", "67-68/udp"],
    "excludes": ["8000-9000/tcp", "68/udp"]
  },
  "applications": {
    "includes": [3002, 3001, 116, 136],
    "excludes": [127, 125, 147, 45]
  },
  "flowDirection": "BIDIRECTIONAL",
  "byteCount": [
    {"operator": ">=", "value": [204800]}
  ],
  "packetCount": [
    {"operator": "<=", "value": [10]}
  ],
  "payload": {
    "includes": ["http", "blah"],
    "excludes": []
  },
  "tcpConnections": [
    {"operator": ">=", "value": [2000]}
  ],
  "tcpRetransmissions": [
    {"operator": ">=", "value": [2000]}
  ],
  "tlsVersion": ["TLS 1.2", "UNKNOWN"],
  "cipherSuite": {
    "messageAuthCode": ["SHA256"],
    "keyExchange": ["ECDHE"],
    "authAlgorithm": ["RSA"],
    "encAlgorithm": ["AES_128_CBC"],
    "keyLength": ["128"]
  },
  "averageRoundTripTime": [
    {"operator": "<=", "value": [50]}
  ],
  "averageServerResponseTime": [
    {"operator": ">=", "value": [2000]}
  ],
  "flowDataSource": [
    {
      "flowCollectorId": 151,
      "exporters": [
        {"ipAddress": "10.100.100.7", "interfaceIds": [7, 27]},
        {"ipAddress": "10.203.1.1"}
      ]
    }
  ],
  "protocol": [114, 10],
  "includeInterfaceData": false,
  "flowAction": "permitted"
}
```
For more information, see the /tenants//flows/queries endpoint, at https://developer.cisco.com/docs/stealthwatch/enterprise/#!reporting-api-version-2
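The Subject Host, Peer Host and Flow Metadata filter objects described above share a small set of rules: the range operators, one or two integers per range, port entries of the form port[-port]/tcp|udp, Start Time not after End Time, and 1-10000 records. The following Python is an added example, not code from the connector or from Cisco: it checks a filter object against those documented rules before a playbook hands it to Initiate Flow Search. The sample filters and the set of keys accepted without a deeper check (OTHER_FIELDS) are constructed here from the documentation.

```python
"""Added example, not code from the connector or from Cisco: check a Subject Host,
Peer Host or Flow Metadata filter object against the rules documented above before a
playbook hands it to Initiate Flow Search.  Sample filters below are constructed."""
import re
from datetime import datetime

VALID_OPERATORS = {">", "<", ">=", "<=", "BETWEEN"}
# Fields that take a list of {"operator": ..., "value": [...]} ranges
RANGE_FIELDS = {"byteCount", "packetCount", "tcpConnections", "tcpRetransmissions",
                "averageRoundTripTime", "averageServerResponseTime"}
# Fields that take {"includes": [...], "excludes": [...]}
INCLUDE_EXCLUDE_FIELDS = {"ipAddresses", "hostGroups", "tcpUdpPorts", "username",
                          "macAddress", "processName", "processHash", "trustSecId",
                          "trustSecName", "applications", "payload"}
# Documented keys with other shapes; accepted here without a deeper check (assumption)
OTHER_FIELDS = {"orientation", "flowDirection", "flowAction", "tlsVersion",
                "cipherSuite", "protocol", "includeInterfaceData", "flowDataSource"}
# Port entries such as "8080/tcp", "20-21/UDP" or "80-9000/tcp"
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?/(tcp|udp)$", re.IGNORECASE)


def check_ranges(field, ranges):
    """BETWEEN takes two integers (low <= high); every other operator takes one."""
    if not isinstance(ranges, list):
        return [f"{field}: expected a list of {{operator, value}} objects"]
    problems = []
    for i, rng in enumerate(ranges):
        op, values = rng.get("operator"), rng.get("value")
        if op not in VALID_OPERATORS:
            problems.append(f"{field}[{i}]: operator {op!r} not one of {sorted(VALID_OPERATORS)}")
            continue
        if not isinstance(values, list) or not all(isinstance(v, int) for v in values):
            problems.append(f"{field}[{i}]: value must be a list of integers")
            continue
        want = 2 if op == "BETWEEN" else 1
        if len(values) != want:
            problems.append(f"{field}[{i}]: {op} needs {want} value(s), got {len(values)}")
        elif op == "BETWEEN" and values[0] > values[1]:
            problems.append(f"{field}[{i}]: BETWEEN bounds are reversed")
    return problems


def check_include_exclude(field, spec):
    """Includes/excludes must not overlap; port strings must parse and be ordered."""
    if not isinstance(spec, dict) or not set(spec) <= {"includes", "excludes"}:
        return [f"{field}: expected an object with includes/excludes lists"]
    problems = []
    inc = [str(v) for v in spec.get("includes", [])]
    exc = [str(v) for v in spec.get("excludes", [])]
    for dup in sorted(set(inc) & set(exc)):
        problems.append(f"{field}: {dup!r} is both included and excluded")
    if field == "tcpUdpPorts":
        for entry in inc + exc:
            m = PORT_RE.match(entry)
            if not m:
                problems.append(f"{field}: {entry!r} is not of the form port[-port]/tcp|udp")
                continue
            low, high = int(m.group(1)), int(m.group(2) or m.group(1))
            if not 0 <= low <= high <= 65535:
                problems.append(f"{field}: {entry!r} has an invalid port range")
    return problems


def validate_filters(filters):
    """Return the list of problems (empty means acceptable); unknown keys are reported."""
    problems = []
    for field, spec in filters.items():
        if field in RANGE_FIELDS:
            problems += check_ranges(field, spec)
        elif field in INCLUDE_EXCLUDE_FIELDS:
            problems += check_include_exclude(field, spec)
        elif field not in OTHER_FIELDS:
            problems.append(f"{field}: unknown filter key")
    return problems


def validate_search_window(start_time, end_time, record_count):
    """Start Time must not occur after End Time; Number of Records is 1-10000."""
    problems = []
    start = datetime.fromisoformat(start_time.replace("Z", "+00:00"))
    end = datetime.fromisoformat(end_time.replace("Z", "+00:00"))
    if start > end:
        problems.append("Start Time occurs after End Time")
    if not 1 <= record_count <= 10000:
        problems.append(f"Number of Records {record_count} outside 1-10000")
    return problems


# Constructed sample: a subject host filter in the documented shape
SUBJECT_FILTER_OK = {
    "orientation": "CLIENT",
    "ipAddresses": {"includes": ["192.168.0"], "excludes": ["192.168.0.1-100"]},
    "tcpUdpPorts": {"includes": ["80-9000/tcp", "67-68/udp"], "excludes": ["68/udp"]},
    "byteCount": [{"operator": ">=", "value": [204800]}],
    "packetCount": [{"operator": "BETWEEN", "value": [100, 400]}],
}
# Constructed sample with six mistakes a playbook author could easily make
FLOW_FILTER_BAD = {
    "tcpUdpPorts": {"includes": ["443/tcp", "9000-8000/tcp", "53"], "excludes": ["443/tcp"]},
    "byteCounts": [{"operator": ">=", "value": [1]}],
    "tcpRetransmissions": [{"operator": "BETWEEN", "value": [2000]}],
    "averageRoundTripTime": [{"operator": "=", "value": [50]}],
}
```

Running `validate_filters(FLOW_FILTER_BAD)` reports all six problems (the duplicated port, the reversed range, the bare "53", the misspelled byteCounts key, the one-value BETWEEN, and the "=" operator), while the well-formed subject filter yields an empty list.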
The output contains the following populated JSON schema:
```json
{
  "data": {
    "query": {
      "id": "",
      "domainId": "",
      "status": "",
      "percentComplete": ""
    }
  }
}
```
| Parameter | Description |
|---|---|
| Tenant ID | ID of the tenant whose flow search status you want to retrieve from Cisco Stealthwatch. |
| Query ID | Specify the ID of the query whose flow search status you want to retrieve from Cisco Stealthwatch. NOTE: You can retrieve a Query ID using the Initiate Flow Search operation. |
The output contains the following populated JSON schema:
```json
{
  "data": {
    "query": {
      "id": "",
      "domainId": "",
      "status": "",
      "percentComplete": ""
    }
  }
}
```
| Parameter | Description |
|---|---|
| Tenant ID | Specify the ID of the tenant whose flow search results you want to retrieve from Cisco Stealthwatch. |
| Query ID | Specify the ID of the query whose flow search result you want to retrieve from Cisco Stealthwatch. Note: You can retrieve a Query ID using the Initiate Flow Search operation. |
The output contains the following populated JSON schema:
```json
{
  "data": {
    "flows": [
      {
        "id": "",
        "tenantId": "",
        "flowCollectorId": "",
        "mplsLabel": "",
        "protocol": "",
        "serviceId": "",
        "tlsVersion": "",
        "vlanId": "",
        "applicationId": "",
        "cipherSuite": {
          "id": "",
          "name": "",
          "protocol": "",
          "keyExchange": "",
          "authAlgorithm": "",
          "encAlgorithm": "",
          "keyLength": "",
          "messageAuthCode": ""
        },
        "statistics": {
          "activeDuration": "",
          "numCombinedFlowRecords": "",
          "firstActiveTime": "",
          "lastActiveTime": "",
          "tcpRetransmissions": "",
          "tcpRetransmissionsRatio": "",
          "byteCount": "",
          "packetCount": "",
          "byteRate": "",
          "packetRate": "",
          "tcpConnections": "",
          "roundTripTime": "",
          "serverResponseTime": "",
          "subjectPeerRatio": "",
          "rttAverage": "",
          "rttMaximum": "",
          "rttMinimum": "",
          "srtAverage": "",
          "srtMaximum": "",
          "srtMinimum": "",
          "flowTimeSinceStart": ""
        },
        "subject": {
          "hostGroupIds": [],
          "countryCode": "",
          "ipAddress": "",
          "natAddress": "",
          "natPort": "",
          "portProtocol": {"protocol": "", "port": "", "serviceId": ""},
          "percentBytes": "",
          "bytes": "",
          "packets": "",
          "byteRate": "",
          "packetRate": "",
          "orientation": "",
          "finPackets": "",
          "rstPackets": "",
          "synPackets": "",
          "synAckPackets": "",
          "tlsVersion": "",
          "trustSecId": ""
        },
        "peer": {
          "hostGroupIds": [],
          "countryCode": "",
          "ipAddress": "",
          "natPort": "",
          "portProtocol": {"protocol": "", "port": "", "serviceId": ""},
          "percentBytes": "",
          "bytes": "",
          "packets": "",
          "byteRate": "",
          "packetRate": "",
          "orientation": "",
          "finPackets": "",
          "rstPackets": "",
          "synPackets": "",
          "synAckPackets": "",
          "tlsVersion": "",
          "trustSecId": ""
        }
      }
    ]
  }
}
```
| Parameter | Description |
|---|---|
| Tenant ID | Specify the ID of the tenant (domain) whose host groups (tags) you want to retrieve from Cisco Stealthwatch. |
| Type | Select the host type whose list of groups you want to retrieve from Cisco Stealthwatch. You can choose from the following options: Custom Hosts, External Geos, External Hosts, External Threats, or Internal Hosts. |
| Hierarchy View | (Optional) Select this option to retrieve all the tags, organized in a hierarchical manner, for the specified Tenant. |
Output schema when you choose Hierarchy View as true:
```json
{
  "data": {
    "id": "",
    "displayName": "",
    "tags": [
      {
        "displayName": "",
        "tags": [
          {
            "displayName": "",
            "tags": [],
            "id": ""
          }
        ],
        "id": ""
      }
    ]
  }
}
```
This is the default output schema:
```json
{
  "data": [
    {
      "id": "",
      "displayName": ""
    }
  ]
}
```
| Parameter | Description |
|---|---|
| Tenant ID | Specify the ID of the tenant whose host tags (groups) details you want to retrieve from Cisco Stealthwatch. |
| Type | Select the host type whose group details you want to retrieve from Cisco Stealthwatch. You can choose between Custom Hosts, External Geos, External Hosts, External Threats, or Internal Hosts. |
| Host Group ID | (Optional) Specify the ID of the host group (tag) whose details you want to retrieve from Cisco Stealthwatch. |
The output contains the following populated JSON schema:
```json
{
  "data": {
    "id": "",
    "displayName": ""
  }
}
```
| Parameter | Description |
|---|---|
| Tenant ID | Specify the ID of the tenant whose host group (tag) alarms you want to retrieve from Cisco Stealthwatch. |
| External Threat Tag ID | Specify the External Threat Tag (tagId) for which you want to retrieve the top alarming hosts from Cisco Stealthwatch. |
The output contains the following populated JSON schema:
```json
{
  "data": {
    "data": [
      {
        "sourceCategoryEvents": [
          {"severity": "", "typeId": "", "alwaysBadCount": ""}
        ],
        "sourceSecurityEvents": [
          {"severity": "", "typeId": "", "alwaysBadCount": ""}
        ],
        "ipAddress": "",
        "targetSecurityEvents": [],
        "hostGroupIds": [],
        "targetCategoryEvents": []
      }
    ],
    "header": {
      "startTime": "",
      "endTime": ""
    }
  }
}
```
| Parameter | Description |
|---|---|
| Tenant ID | Specify the ID of the tenant for which you want to initiate a top conversation flow search on Cisco Stealthwatch. |
| Start Time | Specify the start Time from when you want to initiate the flow search on Cisco Stealthwatch. This value must not occur after the End Time. |
| End Time | Specify the end Time till when you want to initiate the flow search on Cisco Stealthwatch. This value must not occur before the Start Time. |
| Search Name | Specify the name of the search that you want to initiate on Cisco Stealthwatch. |
| Number of Records | (Optional) Specify the maximum number of top conversation flow reports that you want this operation to return from Cisco Stealthwatch. The maximum value for this field is 5000. Its default value is 50. |
| Orientation | (Optional) Select to determine whether the subject information is considered to be part of the client, the server, or either. Select one of the following: |
| Order By | (Optional) Specify the order based on which the records will be retrieved and sorted (i.e. Bytes or Packets or Flows or TCP Connection). The value must be one of the following: TOTAL_BYTES (Default), TOTAL_PACKETS, TOTAL_FLOWS, or TOTAL_CONNECTIONS |
| Default Columns | Select this option, i.e., set it to True (default), if you want this operation to set the implicit fields that are part of Advanced Options to their default values. Advanced Options have Excludes BPS/PPS, Exclude Other Records, and Exclude Counts parameters. |
| Excludes BPS/PPS | Select this option, i.e., set it to True (default), if you want this operation to exclude BPS/PPS values. |
| Exclude Other Records | Select this option, i.e., set it to True (default), if you want this operation to exclude Other Records. |
| Exclude Counts | Select this option, i.e., set it to True, if you want this operation to exclude Counts. |
| Flow Collectors | (Optional) Specify the list of flow collector IDs that the system will search and based on which you want to initiate a flow search on Cisco Stealthwatch. If you do not specify any flow collector ID, then the system will search all the flow collectors. |
| Subject Host Filters | (Optional) Specify the collection of subject host filters in the JSON format, based on which you want to initiate a top conversation flow search on Cisco Stealthwatch. |
| Peer Host Filters | (Optional) Specify the collection of peer host filters in the JSON format, based on which you want to initiate a top conversation flow search on Cisco Stealthwatch. |
| Connection Filters | (Optional) Specify the connection filters in the JSON format, based on which you want to initiate a top conversation flow search on Cisco Stealthwatch. |
The output contains the following populated JSON schema:
```json
{
  "data": {
    "status": "",
    "queryId": ""
  }
}
```
| Parameter | Description |
|---|---|
| Tenant ID | Specify the ID of the tenant (domain) whose top conversation flow search status you want to retrieve from Cisco Stealthwatch. |
| Query ID | Specify the ID of the query whose top conversation flow search status you want to retrieve from Cisco Stealthwatch. NOTE: You can retrieve the Query ID using the Initiate Top Conversation Flow Search operation. |
The output contains the following populated JSON schema:
```json
{
  "data": {
    "queryId": "",
    "status": ""
  }
}
```
| Parameter | Description |
|---|---|
| Tenant ID | Specify the ID of the tenant whose top conversation flow search result you want to retrieve from Cisco Stealthwatch. |
| Query ID | ID of the query whose top conversation flow search result you want to retrieve from Cisco Stealthwatch. NOTE: You can retrieve the Query ID using the Initiate Top Conversation Flow Search operation. |
The output contains the following populated JSON schema:
```json
{
  "data": {
    "results": [
      {
        "records": "",
        "hostClientPackets": "",
        "peerServerBytes": "",
        "port": "",
        "flows": "",
        "packetRateAvg": "",
        "connections": "",
        "trafficRateAvg": "",
        "protocol": "",
        "hostClients": "",
        "peerConnections": "",
        "hostBytes": "",
        "hostServers": "",
        "peerBytesRatio": "",
        "rank": "",
        "trafficRate95th": "",
        "hostServerBytes": "",
        "peerRole": "",
        "peerPackets": "",
        "peerClientPackets": "",
        "hosts": "",
        "serverBytesRatio": "",
        "hostPackets": "",
        "packetRate95th": "",
        "peerServerPackets": "",
        "trafficRateMin": "",
        "protocolNumber": "",
        "hostClientBytes": "",
        "hostServerPackets": "",
        "peers": "",
        "hostRole": "",
        "peerClientBytes": "",
        "host": {"ipAddress": "", "hostGroupIds": [], "country": ""},
        "peerClients": "",
        "hostBytesRatio": "",
        "hostFlows": "",
        "deviceId": "",
        "packetRateMax": "",
        "trafficRateMax": "",
        "packetRateMin": "",
        "portProtocol": {
          "protocol": "",
          "port": "",
          "service": {"protocol": "", "id": ""}
        },
        "hostConnections": "",
        "peerBytes": "",
        "percent": "",
        "clientBytesRatio": "",
        "peer": {"ipAddress": "", "hostGroupIds": [], "country": ""},
        "packets": "",
        "peerServers": "",
        "peerFlows": "",
        "bytes": ""
      }
    ],
    "summary": {
      "records": "",
      "hostClientBytes": "",
      "peerClientBytes": "",
      "deviceId": "",
      "peerServerBytes": "",
      "hostPackets": "",
      "peers": "",
      "flows": "",
      "packetRateAvg": "",
      "connections": "",
      "trafficRateAvg": "",
      "hostClients": "",
      "hostBytesRatio": "",
      "hostFlows": "",
      "peerBytes": "",
      "hostClientPackets": "",
      "peerServers": "",
      "peerConnections": "",
      "peerBytesRatio": "",
      "packetRateMax": "",
      "hostRole": "",
      "trafficRateMax": "",
      "hostBytes": "",
      "packetRateMin": "",
      "hostServerPackets": "",
      "hostServers": "",
      "hostConnections": "",
      "bytes": "",
      "trafficRate95th": "",
      "percent": "",
      "clientBytesRatio": "",
      "hostServerBytes": "",
      "peerRole": "",
      "peerPackets": "",
      "packets": "",
      "peerClientPackets": "",
      "hosts": "",
      "serverBytesRatio": "",
      "peerFlows": "",
      "packetRate95th": "",
      "peerServerPackets": "",
      "trafficRateMin": "",
      "peerClients": ""
    },
    "others": {
      "bytes": "",
      "flows": "",
      "hosts": "",
      "peers": "",
      "packets": "",
      "percent": "",
      "records": "",
      "deviceId": "",
      "hostRole": "",
      "peerRole": "",
      "hostBytes": "",
      "hostFlows": "",
      "peerBytes": "",
      "peerFlows": "",
      "connections": "",
      "hostClients": "",
      "hostPackets": "",
      "hostServers": "",
      "peerClients": "",
      "peerPackets": "",
      "peerServers": "",
      "packetRateAvg": "",
      "packetRateMax": "",
      "packetRateMin": "",
      "hostBytesRatio": "",
      "packetRate95th": "",
      "peerBytesRatio": "",
      "trafficRateAvg": "",
      "trafficRateMax": "",
      "trafficRateMin": "",
      "hostClientBytes": "",
      "hostConnections": "",
      "hostServerBytes": "",
      "peerClientBytes": "",
      "peerConnections": "",
      "peerServerBytes": "",
      "trafficRate95th": "",
      "clientBytesRatio": "",
      "serverBytesRatio": "",
      "hostClientPackets": "",
      "hostServerPackets": "",
      "peerClientPackets": "",
      "peerServerPackets": ""
    }
  }
}
```
| Parameter | Description |
|---|---|
| Tenant ID | Specify the ID of the tenant on which to perform the flow analysis using Cisco Stealthwatch. |
| Flow Analysis | Specify the advanced filter, to apply for the flow analysis, in a JSON format. |
No output schema is available at this time.
The Sample - Cisco Stealthwatch - 2.1.0 playbook collection comes bundled with the Cisco Stealthwatch connector. This playbook collection contains steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cisco Stealthwatch connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
Many actions require identifiers of objects in the system, for example, Domain ID, Exporter IP, Host Group (Tag) ID, Interface, and Flow Collector ID. You can obtain these identifiers by the following two methods:
Use the Stealthwatch Management Console (SMC) client to obtain the identifiers as follows:
- Locate the domainId by searching for "<domain id".
- Locate the hostGroupId by searching for "<host-group".
- Locate the interface if-index by searching for "<interface if-index=".
- Locate the exporterIp by searching for "<exporter ip=".
You can also find parameter information using the command line interface (CLI). For example, type the following command to get the list of host group IDs (host_id) from a Flow Collector:
grep id= /lancope/var/sw/today/config/groups.xml | awk ' {print $2, $3, $4}' | sed s/\"//g| sed s/id=//g |awk '$1<60000'|sort -k1,1n |less
To get the Domain ID for an SMC, type the following command:
ls /lancope/var/smc/config/ | grep domain
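The two lookup methods above (searching the SMC configuration for the `<domain id`, `<host-group`, `<interface if-index=` and `<exporter ip=` elements, and the groups.xml pipeline that keeps host group IDs below 60000 and sorts them numerically) can be done in one place with a small parser. The following is an added example written for this document; it is not code from the FortiSOAR connector or from Cisco. The XML below is a constructed sample: the element names come from the search strings in the text, but the nesting of the elements, the `name` attributes, and the `config` root element are assumptions, so adjust the element paths to match your own export.

```python
"""Extract Stealthwatch object identifiers from a configuration XML export.

Added example for this document, not part of the FortiSOAR connector.
Element names follow the search strings named in the text; the nesting,
the root element and the `name` attributes are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample export (not a real Stealthwatch configuration).
SAMPLE_CONFIG_XML = """<?xml version="1.0"?>
<config>
  <domain id="123" name="Corporate">
    <host-group id="1" name="Inside Hosts">
      <host-group id="50" name="Servers"/>
      <host-group id="65000" name="Built-in group above the CLI cut-off"/>
    </host-group>
    <exporter ip="10.100.100.7">
      <interface if-index="7" name="Gi0/1"/>
      <interface if-index="27" name="Gi0/2"/>
    </exporter>
    <exporter ip="10.203.1.1"/>
  </domain>
</config>
"""

# The groups.xml one-liner keeps only ids below this value (awk '$1<60000').
HOST_GROUP_ID_CUTOFF = 60000


def parse_identifiers(xml_text, id_cutoff=HOST_GROUP_ID_CUTOFF):
    """Return one dict per domain with the identifiers the connector actions need.

    Host group ids are filtered to values below `id_cutoff` and sorted
    numerically, mirroring the CLI pipeline; interfaces are grouped by the
    exporter IP they belong to, as needed by Get Application Traffic by
    Exporter IP. Only parse exports you obtained from your own appliance:
    ElementTree is not hardened against hostile XML.
    """
    root = ET.fromstring(xml_text)
    domains = []
    for dom in root.iter("domain"):
        host_group_ids = sorted(
            int(hg.get("id"))
            for hg in dom.iter("host-group")
            if hg.get("id") is not None and int(hg.get("id")) < id_cutoff
        )
        exporters = {}
        for exp in dom.iter("exporter"):
            exporters[exp.get("ip")] = [
                int(itf.get("if-index")) for itf in exp.iter("interface")
            ]
        domains.append({
            "domainId": int(dom.get("id")),
            "hostGroupIds": host_group_ids,
            "exporters": exporters,
        })
    return domains


def exporter_traffic_params(domains, exporter_ip):
    """Assemble the identifiers for Get Application Traffic by Exporter IP.

    Returns None when the exporter is not present in any domain, so a
    playbook can fail early instead of sending an empty interface list.
    """
    for dom in domains:
        if exporter_ip in dom["exporters"]:
            return {
                "domain_id": dom["domainId"],
                "exporter_ip": exporter_ip,
                "interface_ids": dom["exporters"][exporter_ip],
            }
    return None


if __name__ == "__main__":
    found = parse_identifiers(SAMPLE_CONFIG_XML)
    for dom in found:
        print(dom)
    print(exporter_traffic_params(found, "10.100.100.7"))
```

Feed the function the text of your own export instead of `SAMPLE_CONFIG_XML`; the returned dict carries the Domain ID, the filtered Host Group IDs, and the exporter-to-interface map that the traffic and flow search actions take as parameters.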