Instant Demo Guide
Cisco dCloud

Cisco Stealthwatch Cloud v2 Overview - Instant Demo

About This Demo

This guide for the preconfigured demonstration includes:
About This Demo
About this Solution
About Public Cloud Monitoring
About Private Network Monitoring
Requirements
Scenario 1. Navigate the Stealthwatch Cloud Portal
Scenario 2. Manage Stealthwatch Cloud Alerts
Scenario 3. Interact with Supporting Observations
Scenario 4. Explore Stealthwatch Cloud Models
Scenario 5. Customize Alerts
Scenario 6. AWS-specific Instrumentation and Features

© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 49

About this Solution

Cisco Stealthwatch Cloud provides comprehensive network visibility and threat detection from the campus, branch and data center to the cloud, allowing advanced threat analytics across public and private clouds and traditional on-premises networks. Cisco Stealthwatch Cloud differs from Stealthwatch Enterprise primarily in that it is a Software as a Service (SaaS) solution that uses the public cloud for analytics, storage and portal access. Both Stealthwatch Cloud and Stealthwatch Enterprise use collected network telemetry to provide visibility into advanced threats by identifying suspicious traffic patterns and deviations in host behavior.

About Public Cloud Monitoring

Integrated with Stealthwatch Enterprise via an API, Stealthwatch Cloud includes these features:
• Simplifies security efforts by providing complete network visibility in public cloud environments.
• Provides a cloud-platform-agnostic solution, using the APIs of Amazon Web Services, Google Cloud Platform, and Microsoft Azure to collect network telemetry.
• Offers complete network monitoring and security for the cloud network and uses entity modeling to build an understanding of cloud resource behavior, which helps identify the point at which suspicious changes occur.
• Integrates with Stealthwatch Enterprise or Stealthwatch Cloud PNM (Private Network Monitoring) for on-premises monitoring.

Tip: To demonstrate how public cloud monitoring works with Stealthwatch Cloud, download the Cisco Stealthwatch Cloud Public Cloud Monitoring Instant Demo Guide from the Related Content tab in the demo profile.

About Private Network Monitoring

Private network monitoring is simple to deploy and use. It includes these features and benefits:
• Monitors behavior in near real time for automated threat detection.
• Delivers precise, actionable threat-activity information from the cloud as it happens.
• Generates deep behavioral analytics for any network at scale, based on anomalous behavior.
• Delivers network-based anomaly detection by ingesting NetFlow (v9/IPFIX), SPAN, NSEL and firewall connection logs, IPS events, and more to generate Observations and, where applicable, Alerts.

Tip: To demonstrate how private network monitoring works with Stealthwatch Cloud, download the Cisco Stealthwatch Cloud Private Network Monitoring Instant Demo Guide from the Related Content tab in the demo profile.

Requirements to Run this Demo

The table below outlines the requirements for this preconfigured demonstration.

Required
● Laptop or desktop computer with Internet access
● Cisco dCloud account
● Google Chrome or Mozilla Firefox web browser

Scenario 1. Navigate the Stealthwatch Cloud Portal

The Stealthwatch Cloud Portal is your entry point to Stealthwatch Cloud, and it is where you begin investigating the alerts, observations and other information collected for a given deployment. This scenario demonstrates these elements within the portal:
1. Review the main areas of the portal:
• Dashboard—the most recent Open Alerts, Endpoints, Traffic, and Sensors
• Alerts—all Open Alerts, with the Status of each and the Tags, Assignee, Excessive Attempts, Hostnames, and more
• Observations—Date, Time, Device, Port, Connected IP, and related data for a selected Alert
• Models—Roles, Traffic, and Session Traffic

You are initially brought to the portal Dashboard page.

Tip: To return to this page at any time, select Dashboard > Dashboard.

2. On the Dashboard home page, you will see:
a. The most recent open Alerts raised by Stealthwatch Cloud.
Note: Alerts displayed on the Dashboard will vary, based on the activity occurring in the demo environment.
b. The past 30 days' worth of total device counts for all deployed sensors connected to the account.
c. The traffic summary for all endpoints for the last 24 hours, with the bandwidth monitored.
d. The amount of encrypted traffic, including the ratio of encryption in the inbound and outbound directions.
e. Top devices and top DNS devices in the network.
f. Traffic summaries for countries configured as high risk by the user. Countries in red have recent traffic. Countries in dark gray have no traffic but have been configured as high risk.
g. The number of observations triggered today, yesterday and in the last seven days, including how many of them are highlighted. Observations are simply facts about the endpoint traffic that can be classified and tracked.

3. Select the cloud icon ( ) to see all Sensors that are active for this portal, and then click Sensors.

4. The Welcome to Stealthwatch Cloud!
window opens, with the Sensors tab displaying information about a preconfigured example sensor called Dcloud_SWC_Sensor.

5. Click Change settings at the bottom of the section for a specific sensor.

6. Here, we can configure the following:
• Networks this sensor will monitor, including the rate of packets captured.
• Syslog options, such as server and port.
• SNMP traps.

About Sensors

Note: Sensors can be on-premises, collecting network telemetry from routers, switches, firewalls, and SPAN traffic, or they can be API integrations with public cloud providers such as AWS, GCP and Microsoft Azure. Different functionality is available for the various sensor types. The on-premises sensor allows you to configure flow input types, Syslog output, the sensor name, and so on. The cloud integrations do not have these fields because they use the provider's API. For example, in AWS the flow type is always VPC Flow Logs and the sensor name is always the name of the VPC flow log in the account. Any changes to a cloud sensor are made on the Integrations page.

7. At the top of the main dashboard, open the drop-down and select Subnet Report to see all subnets and their associated traffic metrics. This is useful to confirm that you are collecting traffic for all customer subnets and that the endpoint count matches the customer's expectations. It also shows which subnets have only one-way communication; this indicates that there might be a telemetry issue (for example, an exporter that sees only one direction of a conversation).
8. Go back to the drop-down menu and select Visibility Assessment to view the Visibility Assessment Report. A quick way to summarize risky traffic in the portal, this report summarizes information from the past 30 days and organizes it into the following categories: Internal Monitored Network, External SMB Risk, DNS Risk, Remote Access Breach and Traffic to High-Risk Countries.

Tip: This assessment is included in every portal and can be published at any time.

Scenario 2. Manage Stealthwatch Cloud Alerts

Stealthwatch Cloud has over 60 built-in alerts, which are gradually enabled during the 36-day baseline period. This baseline process employs entity modeling to learn what normal behavior is for an endpoint. A simple example is a machine that hosts remote access connections, such as Remote Desktop or SSH. During the learning period, the model geo-codes any external IP that appears to successfully authenticate. This lets the service know which countries typically access the environment. If an "unusual" country then appears to successfully authenticate, the service produces an Alert. This alert, "Geographically Unusual Access," requires 30 days of history.

Each alert references one or more "Observations"; consider these the evidence for the alert. Users can view all observations, not just those referenced by alerts. For example, a user who wanted to see all remote access sessions, not just those from unusual countries, could select that Observation Type.

Note: Each of the 60-plus built-in alerts has a default sensitivity level that the user can adjust. Raising the sensitivity allows more alerts of that type to fire. Users cannot change the underlying detection logic for the alert; it is built into the Stealthwatch Cloud analytics engine.
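The baseline process described above, as an added example that is not part of Cisco's guide or product: a toy version of the "Geographically Unusual Access" model in Python. During the first 30 days it only learns which countries successfully authenticate to each device; after that, a successful remote-access session from a country it has never seen raises an alert. The geo table (built on RFC 5737 documentation prefixes), the remote-access port list and the observations are constructed assumptions; a real GeoIP source and the portal's own observation schema are not reproduced.

```python
from collections import defaultdict
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Constructed geo table keyed by documentation prefixes (RFC 5737). A real
# deployment would use a GeoIP database; this table is an assumption.
GEO_PREFIXES = {
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "CA",
    "192.0.2.0/24": "BR",
}
REMOTE_ACCESS_PORTS = {22, 3389}   # SSH and Remote Desktop, as in the text
BASELINE_DAYS = 30                 # the alert type requires 30 days of history


def geocode(ip):
    """Map an external IP to a country code using the constructed table."""
    addr = ip_address(ip)
    for prefix, country in GEO_PREFIXES.items():
        if addr in ip_network(prefix):
            return country
    return "??"


class RemoteAccessBaseline:
    """Per-device entity model: which countries successfully authenticate."""

    def __init__(self):
        self.countries = defaultdict(set)   # device -> set of country codes
        self.first_seen = {}                # device -> first observation date

    def _learn(self, device, day, src_ip):
        self.first_seen[device] = min(self.first_seen.get(device, day), day)
        self.countries[device].add(geocode(src_ip))

    def evaluate(self, device, day, src_ip, dst_port, success):
        """Feed one remote-access observation; return an alert dict or None."""
        # Only successful sessions on remote-access ports count as evidence.
        if dst_port not in REMOTE_ACCESS_PORTS or not success:
            return None
        history_days = (day - self.first_seen.get(device, day)).days
        if history_days < BASELINE_DAYS:
            self._learn(device, day, src_ip)    # still in the learning period
            return None
        country = geocode(src_ip)
        if country in self.countries[device]:
            return None                          # a country seen during baseline
        return {
            "alert": "Geographically Unusual Access",
            "device": device,
            "connected_ip": src_ip,
            "country": country,
            "day": day.isoformat(),
        }


def replay(observations):
    """Run (device, day, src_ip, dst_port, success) tuples through the model."""
    model = RemoteAccessBaseline()
    alerts = []
    for device, day, src_ip, dst_port, success in observations:
        alert = model.evaluate(device, day, src_ip, dst_port, success)
        if alert:
            alerts.append(alert)
    return alerts


def sample_observations():
    """Constructed data: one host with 31 days of US/CA SSH logins, then a
    Brazilian login; a second host that is still inside its learning period."""
    start = date(2020, 1, 1)
    obs = []
    for d in range(31):
        day = start + timedelta(days=d)
        obs.append(("10.0.1.5", day, "203.0.113.10", 22, True))
        obs.append(("10.0.1.5", day, "198.51.100.7", 22, True))
    day31 = start + timedelta(days=31)
    obs.append(("10.0.1.5", day31, "192.0.2.9", 22, False))   # failed login: no alert
    obs.append(("10.0.1.5", day31, "192.0.2.9", 22, True))    # unusual country: alert
    obs.append(("10.0.1.5", day31, "192.0.2.9", 443, True))   # not remote access: ignored
    for d in range(5):
        obs.append(("10.0.2.8", start + timedelta(days=d), "203.0.113.10", 3389, True))
    # Under 30 days of history: the new country is learned, not alerted on.
    obs.append(("10.0.2.8", start + timedelta(days=5), "192.0.2.9", 3389, True))
    return obs


if __name__ == "__main__":
    for alert in replay(sample_observations()):
        print(alert)
```

Two behaviours worth noticing when tuning the real product: failed authentications never enter the baseline, and a device still inside its learning window silently absorbs a new country, which is exactly why the guide says this alert requires 30 days of history before it can fire.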
1. The Stealthwatch Cloud dashboard displays the most recently triggered alerts. Select Alerts to view all open Alerts.

2. A list of all Open alerts is displayed.

Note: Because alerts in dCloud are dynamic, some of the underlying flow data may age out over time. Alerts are never deleted.

3. You can filter and sort the displayed Alerts by different criteria.
a. Status is the alert's workflow status assigned by users, including:
i. All: Display all Alerts triggered in your environment, regardless of status.
ii. Open: Display all currently triggered Alerts that have not been closed or snoozed.
iii. Closed: Display Alerts that have been closed by users. If the same behavior is detected again, the alert will most likely trigger again.
iv. Snoozed: Display Alerts "silenced" by users, who specify the snooze period. When the snooze period expires, the alert can trigger again.
b. Tags: View Alerts with custom descriptions that you create to track and organize Alerts.
Note: Alert customization is not required but can be used to achieve a better alert-to-noise ratio.
c. Assignee: View Alerts assigned to the specified user for investigation or remediation.
d. Sort: View the selected alerts by newest, oldest, type, or source of Alert.

Alert Sensitivity

Alert sensitivity is directly related to the sensitivity of the subnet. For example, if a subnet is rated as Low sensitivity, only High sensitivity Alerts will fire. If a subnet is rated as High sensitivity, then Low, Normal and High sensitivity Alerts will all trigger.

Tip: You can adjust the sensitivity of the alerts to be Normal, Low, High, or None.
However, "None" is generally not recommended, since it disables the alert entirely: alerts set to None never trigger.

4. Select (?) > Alert Types and Priorities.

5. For each alert, click the Edit ( ) icon to display and then select the sensitivity options for that alert.

6. For this next exercise, make sure the Alerts list displays only Open Alerts, sorted by Newest.

7. At the top of the dashboard, select one of the alerts displayed.

Note: The current Open Alerts displayed here may vary.

The details screen opens for the selected Alert.

8. Alert Details are displayed, such as the Name of the Alert and the associated device name/IP address. Other information provided includes:
a. Status: Current status of the Alert (Open or Closed).
b. ID: Identification number of the Alert. This is an incrementing number across all triggered Alerts.
c. Description: A description of the alert explaining what it means and why it is important.
d. Updated: When the Alert most recently had related activity.
e. Created: When the Alert was first triggered.
f. The IP addresses of all observed entities involved in the alert (may not be displayed for all alerts).
g. Hostnames of the entities when the Alert triggered (may not be displayed for all alerts).
h. Assignee: Who the alert is assigned to. Useful for triage and tracking.
i. Tags: The custom tags currently associated with the alert. This also allows you to assign custom tags to an alert for organization and tracking purposes.

9. Note the Supporting Observations: All Alerts are based on observations. These are the related activities that caused the alert to trigger. Depending on the type of Alert, there can be multiple kinds of Observations listed here. The table for each observation displays the connection details for the activity.
10. Note the Additional Observations: You can explore additional information and context about the device that triggered the alert.

11. Note the Comments: You can enter any related or relevant comments or information about the Alert. This area also records updates when additional related Observations are added.

Alert Export Options

Cisco Stealthwatch Cloud can export alerts to several popular tools such as Spark, Slack, and PagerDuty. In addition, the notification services built into Amazon and Google (for example, Amazon SNS) can be used to deliver alerts. The on-premises virtual appliance can generate SNMP or Syslog data and pass it to a local collector (for example, a SIEM).

Services & Webhooks

12. Click Settings ( ) > Services/Webhooks to view all currently supported integrations.

13. Cisco Stealthwatch Cloud can export alert data using a variety of services and webhooks. Current capabilities are displayed on the Services/Webhooks tab and can be explored. A new event is exported when an alert is created. The Services page has limited customization; the API allows custom querying of the data, including alerts. The following screenshot shows an example of a Slack integration alert:

Syslog or SNMP

14. Select the Sensors tab to access the Syslog and SNMP configuration options for individual sensors.

15. Click Change settings for one of the sensors.

16. Select the Syslog tab to adjust the local sensor settings for publishing.

17. Select the SNMP tab to configure SNMP reporting.

18. Click Close.
Scenario 3. Interact with Supporting Observations

The Supporting Observations for an Alert contain a lot of useful data to drill into. The information presented varies with the kind of Observation, but in general there will be Date, Time, Device, Port, Connected IP, and any data specific to that Observation, such as the TLS version shown in the screenshot below for an Insecure Transport Protocol observation.

Note: The Connected IP is not always the source of the traffic; Stealthwatch Cloud does not make that distinction.

1. At the top of the Stealthwatch Cloud Dashboard, click Alerts. Notice that there is often a red circle to the right showing the number of alerts.

2. For this example, we have chosen Unusual External Server.

3. Scroll down until you see Supporting Observations.

4. CSV: Enables you to export all Observations in the table as a .CSV-formatted file.

Note: The kinds of Observations and fields displayed will vary depending on the Alert you are investigating.

5. Click an Observation's Time to open the session information screen and view all related network activity for that observation's entry.

Note: To return to the alert you selected, click Back in your browser.

6. Click the down-arrow ( ) icon beside a Source IP/Name to drill down into additional reports for that device. This includes:
a. Alerts currently involving the selected device
b. Observations involving the selected device
c. Device information, which displays what is known about the selected device
(see Device Models, later in this guide, for more information)
d. All Session Traffic related to the selected device
Additionally, you can Copy the device IP or name to the clipboard for pasting elsewhere. You can also click Back to return to the alert you selected.

7. Using the Active Filters option, you can define and filter your search for specific segments, your IP space, or individual hosts. For example, in the screen capture below, the Session Traffic search has been filtered to all traffic using port 445 over the past 24 hours.

8. Search for all DNS traffic that is not going to the Umbrella DNS servers, 208.67.222.222 and 208.67.220.220.

9. Optional: Create your own filters and search for different types of traffic.

10. Click the down-arrow ( ) icon beside a Connected IP/Device to drill into additional reports, and to pivot out for additional context about the host. This additional information includes:
a. IP Traffic: Displays an overview of the network traffic the IP address has been involved in, including amounts of data, internal entities it connected to, and the ports used in communication.
b. Session Traffic: All network traffic related to the selected IP.
c. AbuseIPDB, Cisco Umbrella, Google Search, or Talos Intelligence: Pivot into external data sources for additional context about the host.
d. Add IP to watchlist: Create a watchlist rule for the IP that will trigger an Alert when network activity involving it is detected in the future.
e. Find IP on multiple days: View the amount of traffic and the number of connections this entity was involved in per day, over the past 30 days.

11. Optional: Explore other Alerts triggered in the demo system.
It is recommended that you investigate several different Alerts to get an idea of the kinds of Observations that can trigger an Alert, as well as the kind of information that Stealthwatch Cloud collects and analyzes as part of its operation. The Supporting Observations pane is specific to each Alert type, so the fields may vary.

About Observations

Observations are recorded facts about the traffic. Most observations are not attached to Alerts; when an Alert is triggered because of bad behavior, an observation recording that behavior is attached to it. For example, a new high-throughput connection to an Akamai streaming server is not necessarily relevant to security and is only noted as an observation, without being associated with or triggering an Alert. However, a new or persistent high-throughput connection to a known or suspected command-and-control server would become an observation associated with an Alert. An Alert is generated when a combination of observations represents a security concern, either immediately (a DDoS attack, for example) or over time, through baseline analysis such as a Role Change. Observations are the building blocks of Alerts.

12. Click Observations.

13. You are shown a list of Observations made by Stealthwatch Cloud about the deployment. Isolated Observations are not security threats; they are records of activity that Stealthwatch Cloud's entity models and algorithms consider remarkable.

14. Click the Recent Highlights tab to display recent observations of interesting behaviors, and then review them.

15. Notice that beside each Observation's name are two icons:
a. Click the information ( ) icon to view a brief definition of the Observation, to supplement the explanation.
b. Click the right-arrow ( ) icon to view all Observations of the specified type.
16. Click the down-arrow ( ) icon beside IPs/device names to bring up a contextual menu for each, and then drill down into additional collected information or pivot to other data sources for more context.

17. Select the Types tab to display a list of all Observations that Stealthwatch Cloud can generate, along with the number of each Observation type made for the account.
a. Click the right-arrow ( ) icon to view all Observations of the specified type.

18. Click the By Device tab to see the endpoints responsible for the highest number of detected Observations.

Scenario 4. Explore Stealthwatch Cloud Models

The Models tab contains several functions, such as reporting on endpoints, traffic, and subnets, and querying detailed flow records (Session Traffic). Portions of the reported endpoint and traffic information are presented on the initial Dashboard. In this section, we look more closely at Roles, Traffic and Session Traffic.

Roles

1. Select the Models tab to see the various models aggregated by Stealthwatch Cloud.

2. Select Models > Roles to view the device types identified on the network.

3. The Roles displayed vary by implementation. For the dCloud lab, a mix of typical LAN devices such as DNS servers, database servers, and Domain Controllers, as well as Amazon resources and instances (AWS EC2 Instance), is shown.
Note: Stealthwatch Cloud observes endpoint behavior as part of the entity modeling process to determine roles.

4. Click the plus (+) icon to the left of a role to see all devices on the network identified for the given role.

5. Hover your mouse pointer over the information ( ) icon beside a device under Matching Sources for an informational pop-up.

6. Click the down-arrow ( ) icon beside a Source IP/Name to drill down into additional reports for that device:
a. Alerts currently involving the selected device
b. Observations involving the selected device
c. Device information, which displays what is known about the selected device (see Device Models, later in this guide, for more information)
d. Session Traffic related to the selected device, showing the Traffic, Traffic Chart, and Connections Graph tabs
Additionally, you can Copy the device IP or name to the clipboard for pasting elsewhere.

7. Using the Active Filters option, you can define and filter your search for specific segments, your IP space, or individual hosts. For example, in the screen capture below, the Session Traffic search has been filtered to all traffic using port 445 over the past 24 hours.

8. Search for all DNS traffic that is not going to the Umbrella DNS servers, 208.67.222.222 and 208.67.220.220.

9. Optional: Create your own filters and search for different types of traffic.

10. Optional: Explore other detected roles and the devices associated with them.

11. Select Models > Traffic to view the traffic observed on the monitored network.
You will see a Traffic window similar to this one:

12. Notice that at the top of the page, you can use the filter to change the dates.

13. The Overview graph shows the data that Stealthwatch Cloud has seen over the set time interval. By default, the time interval is 24 hours.

14. You can also select Sources to see the different subnets that are generating traffic.

15. Scroll down the page to find Top IPs.

16. Further down the page, find Top Ports. Here, you can find the ports used most on the networks monitored by Stealthwatch Cloud.

17. Note that you can move between the Internal and External tabs at the top of the chart.

Now, let's look at the Session Traffic model.

18. Select Models > Session Traffic to query the detailed flow records collected from the network.

19. Using the Active Filters option, you can define and filter your search for specific segments, your IP space, or individual hosts. For example, in the screen capture below, the Session Traffic search has been filtered to all traffic using port 445 over the past 24 hours.

20. Search for all DNS traffic that is not going to the Umbrella DNS servers, 208.67.222.222 and 208.67.220.220.

21. Optional: Create your own filters and search for different types of traffic.
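The Active Filters searches from steps 19 through 21 (port 445 over the past 24 hours, and DNS that is not going to the Umbrella resolvers), expressed as filters over flow records, as an added example that is not Cisco code. It goes beyond the portal steps by also implementing the two watchlist-style rules that Scenario 5 describes later in this guide (Remote Desktop from the Internet, and two internal subnets that must never talk), since they are the same kind of filter. The record format, the RFC 1918 definition of "internal", the fixed clock and the sample flows are constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Cisco Umbrella resolvers (the text's "Umbrella DNS servers").
UMBRELLA_RESOLVERS = {ip_address("208.67.222.222"), ip_address("208.67.220.220")}
# Assumption: the monitored IP space is RFC 1918; adjust to your own subnets.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Fixed clock so "past 24 hours" is deterministic in this example.
NOW = datetime(2020, 3, 1, 12, 0, 0)


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse constructed 'time,src,sport,dst,dport,proto,bytes' lines."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append({
            "time": datetime.fromisoformat(ts),
            "src": ip_address(src), "sport": int(sport),
            "dst": ip_address(dst), "dport": int(dport),
            "proto": proto, "bytes": int(nbytes),
        })
    return flows


def last_24h(flows, now=NOW):
    """The time-range part of the Active Filters in the text."""
    return [f for f in flows if now - timedelta(hours=24) <= f["time"] <= now]


def on_port(flows, port):
    """Port filter on either side of the flow; SMB is 445 in the text."""
    return [f for f in flows if port in (f["sport"], f["dport"])]


def dns_not_to_umbrella(flows):
    """Internal hosts resolving DNS anywhere except the Umbrella resolvers."""
    return [f for f in flows if f["dport"] == 53 and is_internal(f["src"])
            and f["dst"] not in UMBRELLA_RESOLVERS]


def rdp_from_internet(flows):
    """Scenario 5's 'Remote Desktop traffic from the Internet' watchlist."""
    return [f for f in flows if f["dport"] == 3389
            and not is_internal(f["src"]) and is_internal(f["dst"])]


def forbidden_pair(flows, net_a, net_b):
    """Scenario 5's 'two internal subnets that should never communicate'."""
    a, b = ip_network(net_a), ip_network(net_b)
    return [f for f in flows if (f["src"] in a and f["dst"] in b)
            or (f["src"] in b and f["dst"] in a)]


# Constructed sample records; external hosts use RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
2020-03-01T11:10:00,10.0.1.5,51234,208.67.222.222,53,udp,120
2020-03-01T11:11:00,10.0.1.6,51235,8.8.8.8,53,udp,130
2020-03-01T11:12:00,10.0.1.7,49152,10.0.2.20,445,tcp,40960
2020-02-27T09:00:00,10.0.1.7,49153,10.0.2.20,445,tcp,2048
2020-03-01T11:13:00,203.0.113.44,60001,10.0.3.9,3389,tcp,9000
2020-03-01T11:14:00,10.10.0.4,40000,10.20.0.4,8080,tcp,500
"""


def report(text=SAMPLE_FLOWS):
    """Apply each filter and summarise what an analyst would look at."""
    flows = parse_flows(text)
    return {
        "smb_last_24h": len(on_port(last_24h(flows), 445)),
        "dns_off_umbrella": sorted(str(f["dst"]) for f in dns_not_to_umbrella(flows)),
        "rdp_from_internet": sorted(str(f["src"]) for f in rdp_from_internet(flows)),
        "forbidden_pair_10_10_to_10_20": len(
            forbidden_pair(flows, "10.10.0.0/16", "10.20.0.0/16")),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Note that `dns_not_to_umbrella` keys on the destination port rather than on which side is the "Connected IP", for the reason the Scenario 3 note gives: the portal does not distinguish source from connected IP, so a filter on a flow field is more reliable than one on a direction.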
Device Models

The Device page lists the traffic details for a given day, including internal/external connections, byte counts, open alerts and observations for the device, the auto-identified role, and traffic profiles. Every internal IP listed in Stealthwatch Cloud has a device model page that can be used to view historical behavior data.

Device View

22. Select Dashboard > Dashboard to return to the main Dashboard.

23. From the Top Devices section of the Dashboard, click one of the devices listed to go to its device page. You can select any of the devices; remember that the list of devices will vary.

24. Note that every device/host is tracked and modeled, building the baseline you use to track behavior and detect security-relevant deviations. The Device page displays a trend graph showing an overview of the past month of connections and data transferred to and from the device.

25. Note that the summary page for any given IP or device shows various statistics that can be useful during an investigation.

26. In addition to the summarized data collected for the device, select the Traffic tab to investigate traffic details.

27. Click Previous Day and Next Day to cycle through individual days.

28. Select All, Internal, External, or New to filter traffic with more precision.

29. At the bottom of the page, click the CSV icon to export all collected Traffic information in CSV format.

30. An overview of all connections by type can be found on the Profiling tab.

31. All recorded DNS requests and what they resolved to can be found on the DNS tab. This tab is empty if you collect only NetFlow data, because flow records carry no DNS payload; with a packet source such as SPAN, the Stealthwatch Cloud sensor snoops the DNS look-ups.
Scenario 5. Customize Alerts

Alert customization is not required but can be used to achieve a better alert-to-noise ratio.

Descriptive Subnet Input

Labeling subnets is very useful and recommended to get added value out of the monitoring and alerts Stealthwatch Cloud provides. AWS and Google Cloud subnet information is imported automatically when those accounts are integrated with Stealthwatch Cloud.

1. Select Settings ( ) > Subnets.

2. This displays tabs for Local Subnets, AWS Subnets, GCP Subnets, and VPN Subnets.

3. You have the following options to add subnets:
a. Click Add Subnet to manually add a subnet, or
b. Click Upload CSV to import a properly formatted CSV file.

4. You can also define three attributes for a subnet:
a. Sensitivity: The sensitivity of a subnet is directly related to an Alert's sensitivity. For example, if a subnet is rated as low sensitivity, only high sensitivity Alerts will fire. If a subnet is rated as high sensitivity, low, normal, and high sensitivity Alerts will trigger. No sensitivity keeps any Alerts from triggering and is generally not recommended.
b. Static: Select this if the subnet range is primarily composed of static IP addresses. Stealthwatch Cloud will then assume that IPs in these ranges always belong to the same device.
c. New Device Alerts: Select this to trigger an Alert if a new IP appears in the subnet range. Not recommended for DHCP ranges, where addresses change hands routinely.

5. Click Add Subnet to view the Add Subnet window. Here, you can define the subnet details and description, as well as the Alert Sensitivity for devices that appear in this subnet.
6. Click Cancel.

7. Select the AWS Subnets tab.

8. This tab (Virtual Cloud Subnets) is populated automatically and can be used to verify that your AWS integration settings are configured properly. You can define two attributes for the subnets listed here:
a. Sensitivity: The sensitivity of a subnet is directly related to an Alert's sensitivity. For example, if a subnet is rated as low sensitivity, only high sensitivity Alerts will fire. If a subnet is rated as high sensitivity, low, normal, and high sensitivity Alerts will trigger. No sensitivity keeps any Alerts from triggering and is generally not recommended.
b. New Device Alerts: Select this to trigger an Alert if a new IP appears in the subnet range. Not recommended for DHCP ranges.

9. You are done with this review.

Configure Watchlists

You can also define custom alerts, called Watchlists, in Stealthwatch Cloud from the Settings menu.

10. From Settings ( ), click the Alerts tab and then click Configure Watchlists at the bottom of the Alert Configuration list to display the options for entering your own watchlists (for example, Tor exit nodes) for additional visibility.

11. On the Watchlist Config screen, the IPs and Domains tab allows you to enter domains and IPs that generate Alerts when activity is detected between them and internal devices.

12. To define third-party watchlists to monitor, click the Third Party Watchlists tab on the Watchlist Config page.

13. The Internal Connection Watchlist enables users to create custom alerts when traffic matches specified criteria.
For example, you could create a watchlist for Remote Desktop traffic from the Internet, or for traffic seen between two internal subnets that should never communicate.

Scenario 6. AWS-specific Instrumentation and Features

Cisco Stealthwatch Cloud leverages AWS APIs and security features and pulls data from additional data sources, like AWS CloudTrail, to get context about the instances (servers) in the customer account.

1. Select ( ) > Integrations to review what is needed to set up the integration with AWS.
2. To set up Stealthwatch Cloud to monitor an account, we are required to do the following:
   a. Create a policy with the appropriate permissions, as detailed on the About tab for AWS.
   b. Create a role (e.g., user) for Stealthwatch Cloud and link it to the previously created policy.
   c. Select the Credentials tab.
   d. Enter the Role ARN (Amazon Resource Name) into the Stealthwatch portal.
   e. Select the VPC Flow Logs tab.
   f. Enter the Flow Log name in the CloudWatch Logs Group field, then click Add. Users should have VPC flow logs enabled in their account.
3. Click the Permissions tab to see the permissions granted to the role.
4. Note that the Auth Logs tab enables you to leverage the Amazon CloudWatch Logs agent on EC2 instances. This allows you to enhance Alerts and Observations; for example, you would be able to see authenticated sessions for a machine.
5. Notice that from the AWS Config and Inspector tabs, you can configure Cisco Stealthwatch Cloud to pull in alerts generated by the AWS Config and Inspector services.
This enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This simplifies compliance auditing, security analysis, change management, and operational troubleshooting.
6. Notice that Cisco Stealthwatch Cloud can initiate Amazon Inspector assessments and pull any generated alerts into the Cisco Stealthwatch Cloud portal by defining them on the Inspector tab. Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity.

AWS alerts

• Anomalous AWS Workspace | Normal priority – An AWS Virtual Workspace used a new anomalous behavioral profile (e.g., the host connected to many devices over BitTorrent). This alert uses the Anomalous Profile observation and may be an indication of malware or misuse. This alert requires 14 days of history.
• AWS API Watchlist IP Hit | Normal priority – An AWS API was accessed from an IP on a user-supplied watchlist. This alert uses the AWS API Watchlist Access observation and may indicate that user credentials are compromised. This alert requires 0 days of history.
• AWS Config Rule Violation | Normal priority – An AWS Config rule was violated. This alert requires 0 days of history.
• AWS Console Login Failures | Normal priority – A user tried and failed to log in to the AWS Console several times. This alert requires 0 days of history.
• AWS Inspector Finding | Normal priority – AWS Inspector reported a high-severity finding for the device. This alert requires 0 days of history.
• AWS Lambda Invocation Spike | Normal priority – A Lambda function was invoked a record number of times. This alert requires 14 days of history.
• AWS Multifactor Authentication Change | Normal priority – Multifactor authentication was removed from a user account. This alert requires 0 days of history.
• AWS Overlapping Subnet | Normal priority – A new AWS subnet has a CIDR that overlaps an existing subnet. This is a violation of Amazon best practices. This alert requires 0 days of history.
• AWS Root Account Used | Normal priority – An action was performed using the AWS root account. This alert requires 0 days of history.
• CloudTrail Watchlist Hit | Normal priority – AWS CloudTrail reported an event on a user-supplied watchlist. This alert requires 0 days of history.
• Geographically Unusual AWS API Usage – An AWS API has been accessed from a remote host in a country that doesn't normally access the API. This alert requires 14 days of history.
• New AWS Region | Normal priority – An AWS resource was detected in a previously unused region. This alert requires 0 days of history.
• New AWS Route53 Target | Normal priority – A new AWS Route53 resource record was assigned to a device that was not previously associated with a Route53 resource record. This alert requires 0 days of history.
• Stale AWS Access Key | Normal priority – An AWS IAM access key exceeded the configurable age. This alert requires 30 days of history.
• Permissive AWS S3 Access Control List | Normal priority – A new ACL has been created that allows permissive access to an S3 bucket.
This may be a misconfiguration and might lead to unauthorized access to stored data. This alert requires 0 days of history.
• Permissive AWS Security Group Created | Normal priority – A new AWS security group has been created that allows access from any host on unsafe ports. This alert requires 0 days of history.
• Public Amazon Route 53 Hosted Zone Created | Normal priority – A public Amazon Route 53 hosted zone was created. This alert requires 0 days of history.
• Unused AWS Resource | Normal priority – No recent activity has been seen for this AWS resource. This alert requires 14 days of history.

CloudTrail Watchlist

When an action is performed in the customer AWS environment, it is recorded by the CloudTrail API. All CloudTrail records are published in the CloudTrail observation. To view them, select Observations > Types > AWS CloudTrail Event Observation. For example, when a network interface is created, modified, or deleted, it will be recorded in CloudTrail. You can build watchlists for any specific actions you want to be notified about. This functionality can be accessed on the Settings > Alerts tab.

7. We can see the AWS Root Account Used alert that has fired.
8. Under the alert, we can find the supporting AWS CloudTrail Event Observations.
9. For this exercise, make sure the Alerts list displays only Open Alerts, sorted by Newest.
10. Select one of the top alerts displayed on the screen by clicking it.

Note: The current Open Alerts displayed here will vary. We will be covering how to read and interact with Alerts in general, so any selection will do.
11. Observe that the Details screen opens for the selected Alert.
12. The Alert Details screen displays the name of the Alert and the associated device name/IP address, and more:
   a. Status: Current status of the Alert (Open or Closed).
   b. ID: Identification number of the Alert. This is an incrementing number based on all triggered Alerts.
   c. Description: A description of the alert explaining what it means and why it is important.
   d. Updated: When the Alert most recently had related activity occur.
   e. Created: When the Alert was first triggered.
   f. The IP addresses of all observed entities involved in the alert (may not be displayed for all alerts).
   g. Hostnames of the entities when the Alert triggered (may not be displayed for all alerts).
   h. Assignee: Who the alert is assigned to. Useful for triage and tracking.
   i. Tags: The custom tags currently associated with an alert. This also allows you to assign custom tags to an alert for organization and tracking purposes.
13. Supporting Observations: All Alerts are based on Observations. These are the related activities that caused the alert to trigger. Depending on the type of Alert, there can be multiple kinds of Observations listed here. The associated table for each observation displays the connection details for the activity.
14. Additional Observations: Lets you explore additional information and context about the device that triggered the alert.
15. Comments: Allows you to enter any related or relevant comments or information about the Alert, and also provides updates about when additional related Observations are added.

What's next?

• Check out the related information on cisco.com.
• Talk about it on the dCloud Community.
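The following is an added worked example, not code from this guide or from Stealthwatch Cloud, illustrating two ideas from Scenario 5: how the Sensitivity, Static and New Device Alerts attributes of a labeled subnet gate which Alerts fire for a device, and how an Internal Connection Watchlist rule (Remote Desktop from the Internet, or two internal subnets that must never communicate) is evaluated against flow records. The subnet table, the flow records, the rule names and the handling of a "normal" subnet and of unlabeled IPs are all assumptions made for the example; the guide only states the low, high and none cases.

```python
"""Added example (not Stealthwatch Cloud's code): subnet sensitivity gating and
Internal Connection Watchlist rules, evaluated over constructed flow records."""
import ipaddress
from dataclasses import dataclass

# Sensitivity levels ordered from least to most sensitive.
LEVELS = {"none": 0, "low": 1, "normal": 2, "high": 3}


@dataclass(frozen=True)
class Subnet:
    cidr: str
    description: str
    sensitivity: str                 # none | low | normal | high
    static: bool = False             # IPs assumed to always belong to the same device
    new_device_alerts: bool = False  # alert when an IP first appears (not for DHCP ranges)


# Constructed subnet table in the spirit of the Subnets page (assumed values).
SUBNETS = [
    Subnet("10.0.0.0/8", "corporate", "normal"),
    Subnet("10.10.0.0/16", "user workstations (DHCP)", "low"),
    Subnet("10.20.0.0/24", "payment servers", "high", static=True, new_device_alerts=True),
    Subnet("10.30.0.0/24", "guest wifi", "none"),
]


def subnet_for(ip: str):
    """Longest-prefix match: the most specific labeled subnet wins."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for s in SUBNETS:
        net = ipaddress.ip_network(s.cidr)
        if addr in net and net.prefixlen > best_len:
            best, best_len = s, net.prefixlen
    return best


def alert_fires(ip: str, alert_sensitivity: str) -> bool:
    """Guide's rule: a low-sensitivity subnet fires only high-sensitivity Alerts, a
    high-sensitivity subnet fires low, normal and high, and "none" fires nothing.
    Encoded as subnet level + alert level >= 4 (low+high, normal+normal, high+low).
    That a normal subnet fires normal and high Alerts, and that an unlabeled IP is
    treated as normal, are assumptions the guide does not spell out."""
    s = subnet_for(ip)
    subnet_level = LEVELS[s.sensitivity] if s else LEVELS["normal"]
    return subnet_level + LEVELS[alert_sensitivity] >= 4


def new_device_alert(ip: str, known_ips: set) -> bool:
    """New Device Alert: the IP was not seen before and its subnet opted in."""
    s = subnet_for(ip)
    return bool(s and s.new_device_alerts and ip not in known_ips)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in n for n in RFC1918)


def in_net(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


# Internal Connection Watchlist rules matching the guide's two examples:
# Remote Desktop from the Internet, and two internal subnets that must never talk.
WATCHLIST = [
    ("Remote Desktop from the Internet",
     lambda f: f.proto == "tcp" and f.dport == 3389 and not is_internal(f.src) and is_internal(f.dst)),
    ("guest wifi <-> payment servers",
     lambda f: (in_net(f.src, "10.30.0.0/24") and in_net(f.dst, "10.20.0.0/24"))
     or (in_net(f.src, "10.20.0.0/24") and in_net(f.dst, "10.30.0.0/24"))),
]


def evaluate_watchlist(flows):
    """Return (rule name, flow) for every flow that matches a watchlist rule."""
    return [(name, f) for f in flows for name, match in WATCHLIST if match(f)]


# Constructed flow records (not captured from any real network).
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.20.0.5", 3389, "tcp"),  # RDP from the Internet: hit
    Flow("10.10.4.20", "10.0.5.5", 3389, "tcp"),    # internal RDP: no hit
    Flow("10.30.0.9", "10.20.0.5", 22, "tcp"),      # guest -> payment: hit
    Flow("10.10.4.20", "10.20.0.5", 443, "tcp"),    # workstation -> payment: allowed
]

if __name__ == "__main__":
    for name, f in evaluate_watchlist(SAMPLE_FLOWS):
        print(f"{name}: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    print("high Alert on a DHCP workstation fires:", alert_fires("10.10.4.20", "high"))
```

Note how the "none" guest subnet suppresses even a high-sensitivity Alert, which is why the guide discourages that setting, and how the watchlist rule for the payment subnet is written in both directions so that a reply flow is caught as well as the initiating one.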
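The following is an added worked example, not code from this guide or from Stealthwatch Cloud, illustrating the CloudTrail Watchlist of Scenario 6: constructed CloudTrail records are checked against a user-supplied watchlist of API actions (the guide's example is network interface changes) and a watchlist of source IPs, and the conditions behind the AWS Root Account Used and AWS Console Login Failures alerts are evaluated on the same records. The watchlist entries, the failed-login threshold, the account number, user names and addresses are all assumptions made for the example; the record field names follow the CloudTrail record format.

```python
"""Added example (not Stealthwatch Cloud's code): matching constructed CloudTrail
records against an action watchlist and an IP watchlist, plus the root-account
and console-login-failure conditions from the "AWS alerts" list."""
import json
from collections import Counter

# User-supplied watchlist entries (assumed). The guide's example is network
# interface changes; MFA removal and trail stopping are added for illustration.
WATCHED_EVENTS = {"CreateNetworkInterface", "ModifyNetworkInterfaceAttribute",
                  "DeleteNetworkInterface", "DeactivateMFADevice", "StopLogging"}
WATCHED_IPS = {"198.51.100.23"}
LOGIN_FAILURE_THRESHOLD = 3  # the guide says "several times"; the number is an assumption


def _record(source, name, ip, identity, **extra):
    """Build a minimal CloudTrail record; field names follow the CloudTrail format."""
    rec = {"eventVersion": "1.08", "eventTime": "2020-01-01T00:00:00Z",
           "eventSource": source, "eventName": name, "awsRegion": "us-east-1",
           "sourceIPAddress": ip, "userIdentity": identity}
    rec.update(extra)
    return rec


# Constructed identities (made-up account number).
ROOT = {"type": "Root", "principalId": "123456789012",
        "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"}


def _user(name):
    return {"type": "IAMUser", "userName": name, "accountId": "123456789012",
            "arn": f"arn:aws:iam::123456789012:user/{name}"}


# Constructed trail, serialised the way CloudTrail delivers it: a JSON object
# with a "Records" array. None of these events happened in a real account.
SAMPLE_TRAIL = json.dumps({"Records": [
    _record("ec2.amazonaws.com", "CreateNetworkInterface", "203.0.113.7", ROOT),
    _record("iam.amazonaws.com", "DeactivateMFADevice", "198.51.100.23", _user("alice")),
    *[_record("signin.amazonaws.com", "ConsoleLogin", "192.0.2.55", _user("bob"),
              responseElements={"ConsoleLogin": "Failure"}) for _ in range(3)],
    _record("s3.amazonaws.com", "ListBuckets", "192.0.2.10", _user("carol")),
]})


def _who(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def evaluate_trail(trail_json: str):
    """Return a list of {"alert", "user", "eventName", "sourceIPAddress"} dicts."""
    records = json.loads(trail_json)["Records"]
    alerts = []
    failures = Counter()

    def emit(alert, rec):
        alerts.append({"alert": alert, "user": _who(rec), "eventName": rec["eventName"],
                       "sourceIPAddress": rec.get("sourceIPAddress")})

    for rec in records:
        # AWS Root Account Used: any action performed by the root identity.
        if rec.get("userIdentity", {}).get("type") == "Root":
            emit("AWS Root Account Used", rec)
        # CloudTrail Watchlist Hit: the API action is on the user-supplied watchlist.
        if rec["eventName"] in WATCHED_EVENTS:
            emit("CloudTrail Watchlist Hit", rec)
        # AWS API Watchlist IP Hit: the API was called from a watchlisted address.
        if rec.get("sourceIPAddress") in WATCHED_IPS:
            emit("AWS API Watchlist IP Hit", rec)
        # AWS Console Login Failures: count failures per user, alert once at the threshold.
        if rec["eventName"] == "ConsoleLogin" and \
                rec.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            failures[_who(rec)] += 1
            if failures[_who(rec)] == LOGIN_FAILURE_THRESHOLD:
                emit("AWS Console Login Failures", rec)
    return alerts


if __name__ == "__main__":
    for a in evaluate_trail(SAMPLE_TRAIL):
        print(f'{a["alert"]}: {a["user"]} {a["eventName"]} from {a["sourceIPAddress"]}')
```

A single record can satisfy more than one condition: the root user's CreateNetworkInterface call produces both a root-account alert and a watchlist hit, which is the same layering you see in the portal when several Alerts share one supporting AWS CloudTrail Event Observation.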