
Cisco Stealthwatch Cloud v2 Demo Guide

Instant Demo Guide
Cisco dCloud
Cisco Stealthwatch Cloud v2 Overview - Instant Demo
About This Demo
This guide for the preconfigured demonstration includes:
About This Demo
About this Solution
About Public Cloud Monitoring
About Private Network Monitoring
Requirements
Scenario 1. Navigate the Stealthwatch Cloud Portal
Scenario 2. Manage Stealthwatch Cloud Alerts
Scenario 3. Interact with Supporting Observations
Scenario 4. Explore Stealthwatch Cloud Models
Scenario 5. Customize Alerts
Scenario 6. AWS-specific Instrumentation and Features
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 1 of 49
About this Solution
Cisco Stealthwatch Cloud provides network visibility and threat detection from the campus, branch and data center to the cloud, applying the same behavioral analytics to public and private cloud workloads and to traditional on-premises networks. Stealthwatch Cloud differs from Stealthwatch Enterprise primarily in that it is a Software as a Service (SaaS) solution: analytics, storage and the portal all run in the public cloud. Both products use collected network telemetry to expose advanced threats by identifying suspicious traffic patterns and deviations in host behavior.
About Public Cloud Monitoring
Integrated with Stealthwatch Enterprise via an API, Stealthwatch Cloud includes these features:
• Simplifies security efforts by having complete network visibility in public cloud environments.
• Provides a cloud platform-agnostic solution, using APIs in Amazon Web Services, Google Cloud Platform, and Microsoft Azure to collect network telemetry.
• Offers complete network monitoring and security for the cloud network and leverages entity modeling to build an understanding of cloud resource behavior that helps identify the point where suspicious changes occur.
• Integrates with Stealthwatch Enterprise or Stealthwatch Cloud PNM (Private Network Monitoring) for premises monitoring.
Tip: To demonstrate how public cloud monitoring works with Stealthwatch Cloud, download the Cisco Stealthwatch Cloud Public Cloud
Monitoring Instant Demo Guide from the Related Content tab in the demo profile.
About Private Network Monitoring
Private network monitoring is simple to deploy and use. It includes these features and benefits:
• Monitors behavior in near real time for automated threat detection.
• Delivers precise, actionable threat-activity information from the cloud as it happens.
• Generates deep behavioral analytics for any network at scale based on anomalous behavior.
• Delivers network-based anomaly detection by ingesting NetFlow (v9/IPFIX), SPAN, NSEL, firewall connection and IPS logs, and more to generate Observations and, where applicable, Alerts.
Tip: To demonstrate how private network monitoring works with Stealthwatch Cloud, download the Cisco Stealthwatch Cloud Private Network Monitoring Instant Demo Guide from the Related Content tab in the demo profile.
Requirements to Run this Demo
The table below outlines the requirements for this preconfigured demonstration.
Required
● Laptop or desktop computer with Internet access
● Cisco dCloud account
● Google Chrome or Mozilla Firefox web browser
Scenario 1. Navigate the Stealthwatch Cloud Portal
The Stealthwatch Cloud Portal is your entry point to Stealthwatch Cloud, and it is where you begin investigating the alerts, observations and other information collected for a given deployment. This scenario demonstrates these elements within the portal:
• Dashboard—most recent Open Alerts, Endpoints, Traffic, and Sensors
• Alerts—all Open Alerts, with the Status for each and the Tags, Assignee, Excessive Attempts, Hostnames, and more
• Observations—Date, Time, Device, Port, Connected IP, and related data for a selected Alert
• Models—Roles, Traffic, and Session Traffic
1. You are initially brought to the portal Dashboard page.
Tip: To return to this page at any time, select Dashboard > Dashboard.
2. On the Dashboard home page, you will see:
a. The most recent open Alerts raised by Stealthwatch Cloud:
Note: Alerts displayed on the Dashboard will vary, based on occurring activity in the demo environment.
b. The past 30 days' worth of total device counts for all deployed sensors connected to the account:
c. The traffic summary for all endpoints for the last 24 hours, with the bandwidth monitored:
d. The amount of encrypted traffic, including the ratios of encryption in the inbound and outbound directions:
e. Top devices and top DNS devices in the network:
f. Traffic summaries for countries configured as high risk by the user. Countries in red have recent traffic. Countries in dark gray have no traffic but have been configured as high risk:
g. The number of observations triggered today, yesterday and in the last seven days, including how many of them are highlighted. Observations are simply facts about the endpoint traffic that can be classified and tracked.
3. Select the cloud icon to see all Sensors that are active for this portal, and then click Sensors.
4. The Welcome to Stealthwatch Cloud! window opens, with the Sensors tab displaying information about a preconfigured example sensor called Dcloud_SWC_Sensor.
5. Click Change settings at the bottom of a sensor's section to configure that specific sensor.
6. Here, we can configure the following:
• Networks this sensor will monitor, including the rate of packets captured.
• Syslog options, such as server and port.
• SNMP traps.
About Sensors
Note: Sensors can be on-premises, collecting network telemetry from routers, switches, firewalls and SPAN traffic, or API integrations with public cloud providers such as AWS, GCP and Microsoft Azure. Different functionality is available for the various sensor types. The on-premises sensor allows you to configure flow input types, Syslog output, sensor name, and so on. The cloud integrations do not have these fields because they use the provider's API: in AWS, for example, the flow type is always VPC flow logs and the sensor name is always the name of the VPC flow log in the customer's account. Any changes to a cloud sensor are made on the Integrations page.
7. At the top of the main dashboard, click the drop-down and select Subnet Report to see all subnets and their associated traffic metrics. This is useful to confirm you are collecting traffic for all customer subnets and whether the endpoint count matches customer expectations. It also shows which subnets have only one-way communication, which usually indicates a telemetry issue, such as flow being exported from only one side of a path.
8. Go back to the drop-down menu and select Visibility Assessment to view the Visibility Assessment Report. A quick way to summarize risky traffic, this report summarizes information within the portal for the past 30 days and organizes it into the following categories: Internal Monitored Network, External SMB Risk, DNS Risk, Remote Access Breach and Traffic to High-Risk Countries.
Tip: This assessment is included in every portal and can be published at any time.
Scenario 2. Manage Stealthwatch Cloud Alerts
Stealthwatch Cloud has over 60 built-in alerts, which are gradually enabled during the 36-day baseline period. This baseline process employs entity modeling to learn what normal behavior is for an endpoint. A simple example is a machine that hosts remote access connections, such as Remote Desktop or SSH. During the learning period, the model geo-codes any external IP that appears to successfully authenticate, so the service learns which countries typically access the environment. If an unusual country then appears to successfully authenticate, the service produces an Alert. This alert, Geographically Unusual Access, requires 30 days of history.
Each alert references one or more Observations; consider these the evidence for the alert. Users can view all observations, not just those referenced by alerts. For example, a user who wants to see all remote access sessions, not just those from unusual countries, can select that Observation Type.
Note: The 60-plus built-in alerts each have a default sensitivity level the user can adjust. Raising the sensitivity allows more alerts of that type to fire. Users cannot change the underlying detection logic for an alert; that is built into the Stealthwatch Cloud analytics engine.
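To make the baseline mechanism concrete, here is an added Python example that is not part of this guide or of Stealthwatch Cloud's code: a toy per-device model that learns the countries remote-access logins come from during a learning window and alerts only afterwards, on a country it never saw. The geolocation table, the session records and the rule that a session with bytes in both directions counts as a successful login are all assumptions made for the example.

```python
"""Toy model of the Geographically Unusual Access baseline described above.

Added, constructed example; it is not Stealthwatch Cloud code and does not
reproduce its analytics. Assumptions: GEO is a hypothetical IP-to-country
table, the session records are constructed, and a remote-access session
counts as 'successfully authenticated' when bytes flow in both directions.
"""
from collections import defaultdict
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

LEARNING_DAYS = 30                  # the alert requires 30 days of history
REMOTE_ACCESS_PORTS = {22, 3389}    # SSH, Remote Desktop

# Constructed geolocation table (documentation ranges), not real geo data.
GEO = {
    ip_network("198.51.100.0/24"): "US",
    ip_network("203.0.113.0/24"): "DE",
    ip_network("192.0.2.0/24"): "BR",
}


def country_of(ip):
    """Geo-code an external IP; None if it is not in the table."""
    addr = ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return None


class GeoAccessModel:
    """Per-device baseline of the countries remote-access sessions come from."""

    def __init__(self, learning_days=LEARNING_DAYS):
        self.learning_days = timedelta(days=learning_days)
        self.first_seen = {}            # device -> date of first remote-access session
        self.known = defaultdict(set)   # device -> countries seen during learning

    def observe(self, session):
        """Feed one session record; return an alert dict, or None."""
        day, device, dport, peer, bytes_in, bytes_out = session
        if dport not in REMOTE_ACCESS_PORTS or bytes_in == 0 or bytes_out == 0:
            return None      # not remote access, or the login never got anywhere
        cc = country_of(peer)
        if cc is None:
            return None
        start = self.first_seen.setdefault(device, day)
        if day - start < self.learning_days:
            self.known[device].add(cc)   # still baselining: learn, never alert
            return None
        if cc in self.known[device]:
            return None                  # expected country, normal behaviour
        return {"alert": "Geographically Unusual Access", "device": device,
                "connected_ip": peer, "country": cc, "date": day}


def run(sessions):
    """Replay sessions in order and collect the alerts they produce."""
    model = GeoAccessModel()
    return [a for a in (model.observe(s) for s in sessions) if a]


# Constructed session records: (date, device, dst_port, external_ip, bytes_in, bytes_out)
D0 = date(2020, 1, 1)
SESSIONS = [
    (D0, "10.0.0.5", 22, "198.51.100.7", 500, 900),                         # US, learned
    (D0 + timedelta(days=3), "10.0.0.5", 3389, "203.0.113.9", 2000, 3000),  # DE, learned
    (D0 + timedelta(days=10), "10.0.0.5", 22, "192.0.2.4", 0, 120),         # BR, failed login: ignored
    (D0 + timedelta(days=31), "10.0.0.5", 22, "198.51.100.8", 400, 800),    # US again, no alert
    (D0 + timedelta(days=32), "10.0.0.5", 22, "192.0.2.4", 800, 4000),      # BR after baseline: alert
    (D0 + timedelta(days=32), "10.0.0.5", 443, "192.0.2.4", 800, 4000),     # HTTPS, not remote access
]

if __name__ == "__main__":
    for alert in run(SESSIONS):
        print(alert)
```

Note the failure mode the learning window creates: a country that logs in during the first 30 days, legitimately or not, becomes "normal" and will never raise this alert, which is why the guide's later steps on watchlists and subnet sensitivity still matter.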
1. The Stealthwatch Cloud dashboard displays the most recently triggered alerts. Select Alerts to view all open Alerts.
2. A list of all Open alerts is displayed.
Note: Because alerts in dCloud are dynamic, some of the underlying flow data may age out over time. Alerts are never deleted.
3. You can filter and sort displayed Alerts by different criteria.
a. Status is the alert's workflow status assigned by users, including:
i. All: Display all Alerts triggered in your environment, regardless of status.
ii. Open: Display all currently triggered Alerts that have not been closed or snoozed.
iii. Closed: Display Alerts that have been closed by users. If the same behavior is detected again, the alert will most likely trigger again.
iv. Snoozed: Display Alerts "silenced" by users, who specify the snooze period. When the snooze period expires, the alert can trigger again.
b. Tags: View Alerts with custom descriptions that you create to track and organize Alerts.
Note: Alert customization is not required but can be used to achieve a better alert-to-noise ratio.
c. Assignee: View Alerts assigned to the specified user for investigation/remediation.
d. Sort: View the selected alerts by newest, oldest, type, or source of Alert.
Alert Sensitivity
Alert sensitivity is directly related to the sensitivity of the subnet. For example, if a subnet is rated as Low sensitivity, only High sensitivity
Alerts will fire. If a subnet is rated as High sensitivity, then Low, Normal and High sensitivity Alerts will all trigger.
Tip: You can adjust the sensitivity of the alerts to be Normal, Low, High, or None. However, “None” is not generally recommended, since
this provides no sensitivity and thus these alerts do not trigger at all.
4. Select (?) > Alert Types and Priorities.
5. For each alert, click the Edit icon to display and then select the sensitivity options for that alert.
6. For this next exercise, make sure the Alerts list displays only Open Alerts, sorted by Newest.
7. At the top of the dashboard, select one of the alerts displayed.
Note: The current Open Alerts displayed here may vary.
The details screen will open for the selected Alert.
8. Alert Details display, such as the name of the Alert and the associated device name/IP address. Other information provided includes:
a. Status: Current status of the Alert (Open or Closed).
b. ID: Identification number of the Alert. This is an incrementing number based on all triggered Alerts.
c. Description: A description of the alert explaining what it means and why it is important.
d. Updated: When the Alert most recently had related activity occur.
e. Created: When the Alert was first triggered.
f. The IP addresses of all observed entities involved in the alert (may not be displayed for all alerts).
g. Hostnames of the entities when the Alert triggered (may not be displayed for all alerts).
h. Assignee: Who the alert is assigned to. Useful for triage and tracking.
i. Tags: The custom tags currently associated with an alert. This also allows you to assign custom tags to an alert for organization and tracking purposes.
9. Note the Supporting Observations: All Alerts are based on observations. These are the related activities that caused the alert to trigger. Depending on the type of Alert, there can be multiple kinds of Observations listed here. The associated table for each observation displays the connection details for the activity.
10. Note the Additional Observations: You can explore additional information and context about the device that triggered the alert.
11. Note the Comments: You can enter any related or relevant comments or information about the Alert; this section also records updates when additional related Observations are added.
Alert Export Options
Cisco Stealthwatch Cloud can export alerts to several popular tools like Spark, Slack, PagerDuty, etc. In addition, Amazon and Google have
built-in notification tools like SNS that can be used to deliver alerts. The on-premises virtual appliance can generate SNMP or Syslog data
and pass it to a local collector (e.g. SIEM).
Services & Webhooks
12. Click the settings icon > Services/Webhooks to view all currently supported integrations.
13. Cisco Stealthwatch Cloud can export alert data using a variety of services and webhooks. Current capabilities are displayed on the
Services/Webhooks tab and can be explored. A new event is exported when an alert is created. The services page has limited
customization. The API allows for custom querying of the data, including alerts.
The following screenshot shows an example of a Slack Integration alert:
Syslog or SNMP
14. Select the Sensors tab to access Syslog and SNMP configuration options based on the individual sensors.
15. Click Change settings for one of the sensors.
16. Select the Syslog tab to adjust the local sensor settings for publishing.
17. Select the SNMP tab to configure SNMP reporting functionality.
18. Click Close.
Scenario 3. Interact with Supporting Observations
Supporting Observations for an Alert contain a lot of useful data to drill into. The information presented varies with the kind of Observation, but in general there will be Date, Time, Device, Port, Connected IP, and any data specific to that Observation, such as the TLS version shown in the screenshot below for an Insecure Transport Protocol observation.
Note: The connected IP is not always the source of the traffic; Stealthwatch Cloud does not make that distinction.
1. At the top of the Stealthwatch Cloud Dashboard, click Alerts. Notice there is often a red circle to the right showing the number of alerts.
2. For this example, we have chosen Unusual External Server.
3. Scroll down until you see Supporting Observations.
4. CSV: Enables you to export all Observations in the table as a .CSV formatted file.
Note: The kinds of Observations and fields displayed will vary depending on the Alert you are investigating.
5. Click an Observation's Time to open the session information screen and view all related network activity for that observation's entry.
Note: To return to the alert you selected, click Back in your browser.
6. Click the down-arrow icon beside a Source IP/Name to drill down into additional reports for that device. This includes:
a. Alerts currently involving the selected device
b. Observations involving the selected device
c. Device information, which displays what is known about the selected device (see Device Models for more information)
d. All Session Traffic related to the selected device
Additionally, you can Copy the device IP or name to the clipboard for pasting elsewhere. You can also click Back to return to the alert you selected.
7. Using the Active Filters option, you can define and filter your search for specific segments, your IP space, or individual hosts. For example, in the screen capture below, the Session Traffic search is filtered for all traffic using port 445 over the past 24 hours.
8. Search for all DNS traffic that is not going to the Umbrella DNS servers, 208.67.222.222 and 208.67.220.220. DNS sent to any other resolver bypasses Umbrella's DNS-layer policy and is worth reviewing.
9. Optional: Create your own unique filters and search for different types of traffic.
10. Click the down-arrow icon beside a Connected IP/Device to drill into additional reports, as well as pivot out for additional context for the host. This additional information about the host includes:
a. IP Traffic: Displays an overview of network traffic the IP address has been involved in, including amounts of data, internal entities it connected to, and the ports used in communication.
b. Session Traffic: All network traffic related to the selected IP.
c. AbuseIPDB, Cisco Umbrella, Google Search, or Talos Intelligence: Pivot into external data stores for additional context about the host.
d. Add IP to watchlist: Create a watchlist rule for the IP that will trigger an Alert when network activity is detected from it in the future.
e. Find IP on multiple days: View the amount of traffic and the number of connections this entity was involved with per day, over the past 30 days.
11. Optional: Explore other Alerts triggered in the demo system.
It is recommended that you investigate several different Alerts to get an idea of the kinds of Observations that can trigger an Alert, as well as the kind of information that is collected and analyzed by Stealthwatch Cloud as part of its operation. The Supporting Observations pane is specific to each Alert type, so the fields may vary.
About Observations
Observations are facts about the traffic that have been recorded. Most observations are not attached to Alerts. When an Alert is triggered
because of bad behavior, an observation indicating this is recorded. For example, a new high-throughput connection to an Akamai stream
server is not necessarily relevant to security and will only be noted as an observation but not associated with/trigger an Alert. However, a
new or persistent high-throughput connection to a known or suspected Command & Control server would become an observation
associated with an Alert.
An Alert generates when combinations of observations represent a security concern, either immediately (a DDoS attack, for example) or
over time, through baseline analysis such as a Role Change. Observations are the building blocks of Alerts.
12. Click Observations.
13. You are shown a list of Observations made by Stealthwatch Cloud about the deployment. Isolated Observations aren't security threats; they are records of activity considered remarkable by Stealthwatch Cloud's entity models and algorithms.
14. Click the Recent Highlights tab to display recent observations of interesting behaviors, and then review them.
15. Notice that beside each Observation's name are two icons:
a. Click the information icon to view a brief definition of the Observation, to supplement the explanation.
b. Click the right-arrow icon to view all Observations of the specified type.
16. Click the down-arrow icon beside IPs/device names to bring up contextual menus for each, and then drill down into additional collected information or pivot to other data sources for more context.
17. Select the Types tab to display a list of all Observations that Stealthwatch Cloud can generate, as well as the number of these Observations made for the account.
a. Click the right-arrow icon to view all Observations of the specified type.
18. Click the By Device tab to see the endpoints responsible for the highest number of detected Observations.
Scenario 4. Explore Stealthwatch Cloud Models
The Models tab contains several functions, such as reporting on endpoints, traffic, and subnets, or viewing detailed flow records query
(Session Traffic). Portions of the reported endpoint and traffic information are presented on the initial Dashboard. For this section, we will
look more closely at Roles, Traffic and Session Traffic.
Roles
1. Select the Models tab to see the various models aggregated by Stealthwatch Cloud.
2. Select Models > Roles to view the device types identified on the network.
3. The Roles displayed will vary based upon implementation; for the purposes of the dCloud lab, a mix of typical LAN devices such as DNS, database servers, and Domain Controllers, as well as Amazon Resources & Instances (AWS EC2 Instance), are shown.
Note: Stealthwatch Cloud observes endpoint behavior as part of the entity modeling process to determine roles.
4. Click the plus (+) icon to the left of a role to see all devices on the network identified for the given role.
5. Hover your mouse pointer over the information icon beside a device under Matching Sources for an informational pop-up.
6. Click the down-arrow icon beside a Source IP/Name to drill down into additional reports for that device:
a. Alerts currently involving the selected device
b. Observations involving the selected device
c. Device information, which displays what is known about the selected device (see Device Models for more information)
d. Session Traffic, showing the Traffic, Traffic Chart, and Connections Graph tabs
Additionally, you can Copy the device IP or name to the clipboard for pasting elsewhere.
7-9. The Active Filters, Umbrella DNS and custom-filter searches from Scenario 3, steps 7-9, apply here as well; they are repeated under Session Traffic, steps 19-21, below.
10. Optional: Explore other detected roles and the devices associated with them.
11. Select Models > Traffic to view traffic summaries for the monitored network.
You will see a Traffic window similar this one:
12. Notice that at the top of the page, you can use the filter to change the dates.
13. The Overview graph provides data that Stealthwatch Cloud has seen over the set time interval. By default, the time interval
is set to 24 hours.
14. You can also select Sources to see the different Subnets that are generating traffic.
15. Scroll down the page to find Top IPs.
16. Further down the page, find Top Ports. Here, you can find the ports being used the most on the networks being
monitored by Stealthwatch Cloud.
17. Note that you can move between the Internal and External tabs at the top of the chart.
Now, let's look at the Session Traffic model.
18. Select Models > Session Traffic to query the individual flow records collected for the network.
19. Using the Active Filters option, you can define and filter your search for specific segments, your IP space, or individual hosts. For example, in the screen capture below, the Session Traffic search is filtered for all traffic using port 445 over the past 24 hours.
20. Search for all DNS traffic that is not going to the Umbrella DNS servers, 208.67.222.222 and 208.67.220.220.
21. Optional: Create your own unique filters and search for different types of traffic.
Device Models
The Device page lists the traffic details on a given day, including internal/external connections, byte counts, open alerts and observations
for the Device, the auto-identified role, and traffic profiles. Every internal listed IP in Stealthwatch Cloud has a device model page that can
be used to view historical behavior data.
Device View
22. Select Dashboard > Dashboard to return to the main Dashboard.
23. From the Top Devices section of the Dashboard, click one of the devices listed to go to the device page.
You can select any of the devices, and remember the list of devices will vary.
24. Note that every device/host is tracked and modeled, building the baseline you use to track behavior and detect deviations relevant to
security. The Device page displays a trend graph showing an overview of the past month of Connections, and data transfer to and
from the device.
25. Note that the summary page for any given IP or Device shows various statistics which can be useful during investigation.
26. In addition to the summarized data collected for the device, select the Traffic tab to investigate traffic details.
27. Click Previous Day and Next Day to cycle through individual days.
28. Select All, Internal, External, or New to filter traffic with more precision.
29. At the bottom of the page, click the CSV icon to export all collected Traffic information in CSV format.
30. An overview of all connections based on type can be found on the Profiling tab.
31. All recorded DNS requests and what they resolved to can be found on the DNS tab. This tab is empty if you only collect NetFlow data.
If using a source such as SPAN, the Stealthwatch Cloud sensor will snoop DNS look-ups.
Scenario 5. Customize Alerts
Alert customization is not required but can be used to achieve better alert-to-noise ratio.
Descriptive Subnet Input
Labeling subnets is very useful and recommended to get added value out of the monitoring and alerts Stealthwatch Cloud provides.
AWS and Google Cloud subnet info is automatically imported when integrated with Stealthwatch Cloud.
1. Select the settings icon > Subnets.
2. This displays tabs for Local Subnets, AWS Subnets, GCP Subnets, and VPN Subnets.
3. You have the following options to add subnets:
a. Click Add Subnet to manually add a subnet, or
b. Click Upload CSV to import a properly formatted CSV file.
4. You can also define three attributes for a subnet:
a. Sensitivity: The sensitivity of a subnet is directly related to an Alert's sensitivity. For example, if a subnet is rated as low sensitivity, only high sensitivity Alerts will fire. If a subnet is rated as high sensitivity, low, normal, and high sensitivity Alerts will trigger. No sensitivity will keep any Alerts from triggering and is generally not recommended.
b. Static: Select this if the subnet range is primarily composed of static IP addresses. Stealthwatch Cloud will assume IPs in these ranges always belong to the same device.
c. New Device Alerts: Select this to trigger an Alert if a new IP appears in the subnet range. Not recommended for DHCP ranges.
5. Click Add Subnet to view the Add Subnet window. Here, you can define the subnet details and description, as well as define the Alert Sensitivity for devices that appear in this subnet.
6. Click Cancel.
7. Select the AWS Subnets tab.
8. The AWS (Virtual Cloud) Subnets tab is populated automatically and can be used to verify proper configuration of your AWS integration settings. You can define two attributes for subnets listed here:
a. Sensitivity: The sensitivity of a subnet is directly related to an Alert's sensitivity. For example, if a subnet is rated as low sensitivity, only high sensitivity Alerts will fire. If a subnet is rated as high sensitivity, low, normal, and high sensitivity Alerts will trigger. No sensitivity will keep any Alerts from triggering and is generally not recommended.
b. New Device Alerts: Select this to trigger an Alert if a new IP appears in the subnet range. Not recommended for DHCP ranges.
9. You are done with this review.
Configure Watchlists
You can also define custom Watchlists in Stealthwatch Cloud from the Settings menu.
10. From Settings, click the Alerts tab and then click Configure Watchlists at the bottom of the Alert Configuration list to display the options that let Stealthwatch Cloud users supply their own watchlists (for example, a list of TOR exit nodes) for additional visibility.
11. From the Watchlist Config screen, click the IPs and Domains tab. It allows you to enter domains and IPs that generate Alerts when activity is detected between them and internal devices.
12. To define custom watchlists to monitor, click the Third Party Watchlists tab from the Watchlist Config page.
13. The Internal Connection Watchlist enables users to create custom alerts when traffic matches specified criteria. For example, you
could create a watchlist for Remote Desktop Traffic from the Internet or if traffic is seen between two internal subnets that should
never communicate.
Scenario 6. AWS-specific Instrumentation and Features
Cisco Stealthwatch Cloud uses AWS APIs and security features and pulls data from additional sources, such as AWS CloudTrail, to get context about the instances (servers) in the customer account.
1. Select Settings > Integrations to review what is needed to set up the integration with AWS.
2. To set up Stealthwatch Cloud to monitor an AWS account, do the following:
a. Create an IAM policy with the appropriate permissions, as detailed on the About tab for AWS.
b. Create an IAM role for Stealthwatch Cloud to assume and attach the policy created in the previous step. The integration uses a role, not an IAM user, so no long-lived access keys for the service need to exist in the customer account.
c. Select the Credentials tab.
d. Enter the Role ARN (Amazon Resource Name) into the Stealthwatch portal.
e. Select the VPC Flow Logs tab.
f. Enter the Flow Log name in the CloudWatch Logs Group field, then click Add. VPC Flow Logs must already be enabled in the account and delivered to that CloudWatch Logs group; otherwise there is nothing for Stealthwatch Cloud to read.
3. Click the Permissions tab to see the permissions granted to the role.
4. Note that the Auth Logs tab lets you use the Amazon CloudWatch Logs agent on EC2 instances as an additional source. This enriches Alerts and Observations; for example, you can see authenticated sessions on a machine.
5. Notice that from the AWS Config and Inspector tabs, you can configure Cisco Stealthwatch Cloud to pull in findings generated by the AWS Config and Amazon Inspector services. AWS Config continuously monitors and records your AWS resource configurations and lets you automatically evaluate the recorded configurations against the configurations you want (Config rules). With Config, you can review changes in configurations and relationships between AWS resources, examine detailed resource configuration histories, and determine your overall compliance with the configurations specified in your internal guidelines. This simplifies compliance auditing, security analysis, change management, and operational troubleshooting.
6. Notice that Cisco Stealthwatch Cloud can initiate Amazon Inspector assessments and pull the resulting findings into the Cisco Stealthwatch Cloud portal by defining them on the Inspector tab. Amazon Inspector is an automated security assessment service that checks applications deployed on AWS for vulnerabilities and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by severity.
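The setup steps above come down to two IAM documents that the customer writes by hand: the trust policy on the role whose ARN is pasted into the Credentials tab, and the permission policy attached to that role. The following Python is an added example, not Cisco's code and not the policy text shown on the About tab: it builds both documents and lints them for the mistakes a reviewer would reject before the Role ARN is entered, including the weak trust policy (no External ID) beside the corrected one. The vendor account ID, the External ID and the read-only action list are assumptions; the About tab for AWS is the authoritative action list, and whether the portal supplies an External ID for the trust condition has to be confirmed there.

```python
"""Build and lint the IAM trust and permission policies for the AWS integration.

Added example, not Cisco's code. VENDOR_ACCOUNT_ID and EXTERNAL_ID are
placeholders, and READ_ONLY_ACTIONS is an illustrative assumption covering
the data sources this scenario names (EC2 context, VPC Flow Logs in
CloudWatch Logs, CloudTrail, AWS Config, Amazon Inspector); the About tab
for AWS in the portal is the authoritative list.
"""
import json
from typing import Dict, List, Optional, Sequence

VENDOR_ACCOUNT_ID = "111111111111"         # assumption: the account that assumes the role
EXTERNAL_ID = "example-external-id-0001"   # assumption: per-customer value from the portal

READ_ONLY_ACTIONS = [
    "ec2:DescribeInstances", "ec2:DescribeSubnets",             # instance and subnet context
    "ec2:DescribeSecurityGroups", "ec2:DescribeNetworkInterfaces",
    "logs:DescribeLogGroups", "logs:DescribeLogStreams",        # VPC Flow Logs via CloudWatch Logs
    "logs:FilterLogEvents",
    "cloudtrail:LookupEvents",                                  # CloudTrail event observations
    "config:DescribeConfigRules",                               # AWS Config tab
    "config:DescribeComplianceByConfigRule",
    "inspector:ListFindings", "inspector:DescribeFindings",     # Inspector tab, read side
]
# Only needed if the Inspector tab is used to start assessments; it is a write action.
INSPECTOR_START_ACTIONS = ["inspector:StartAssessmentRun"]

READ_PREFIXES = ("Describe", "List", "Get", "Lookup", "Filter")


def trust_policy(vendor_account: str, external_id: Optional[str]) -> Dict:
    """Trust policy for the cross-account role.

    external_id=None is the weak form: any principal in the vendor account can
    assume the role without proving which customer it acts for (confused deputy).
    """
    statement: Dict = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{vendor_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def permission_policy(actions: Sequence[str]) -> Dict:
    """Permission policy attached to the role; Describe/List-style APIs are not resource-scoped."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}


def lint(trust: Dict, perms: Dict, accepted_writes: Sequence[str] = ()) -> List[str]:
    """Return the problems a reviewer would flag before the Role ARN goes into the portal."""
    problems: List[str] = []
    for s in trust["Statement"]:
        principal = s.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append("trust: role is assumable by any AWS principal")
        cond = s.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            problems.append("trust: no sts:ExternalId condition")
    for s in perms["Statement"]:
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                problems.append(f"perms: wildcard action {action}")
            elif (not action.split(":", 1)[1].startswith(READ_PREFIXES)
                  and action not in accepted_writes):
                problems.append(f"perms: write action not accepted: {action}")
    return problems


def render(policy: Dict) -> str:
    """JSON in the form `aws iam create-role --assume-role-policy-document file://...` accepts."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    weak = trust_policy(VENDOR_ACCOUNT_ID, None)
    good = trust_policy(VENDOR_ACCOUNT_ID, EXTERNAL_ID)
    perms = permission_policy(READ_ONLY_ACTIONS + INSPECTOR_START_ACTIONS)
    print("weak trust policy:", lint(weak, perms))
    print("with External ID, Inspector start accepted:",
          lint(good, perms, accepted_writes=INSPECTOR_START_ACTIONS))
    print(render(good))
```

The rendered documents go to `aws iam create-role --assume-role-policy-document file://trust.json`, `aws iam create-policy --policy-document file://perms.json` and `aws iam attach-role-policy`; the Role ARN returned by create-role is what step d asks for. Before step f, `aws ec2 describe-flow-logs` confirms that flow logs exist and names the CloudWatch Logs group to enter.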
AWS alerts
• Anomalous AWS Workspace | Normal priority - An AWS Virtual Workspace used a new anomalous behavioral profile (e.g., the host connected to many devices over BitTorrent). This alert uses the Anomalous Profile observation and may be an indication of malware or misuse. This alert requires 14 days of history.
• AWS API Watchlist IP Hit | Normal priority - An AWS API was accessed from an IP on a user-supplied watchlist. This alert uses the AWS API Watchlist Access observation and may indicate that user credentials are compromised. This alert requires 0 days of history.
• AWS Config Rule Violation | Normal priority - An AWS Config rule was violated. This alert requires 0 days of history.
• AWS Console Login Failures | Normal priority - A user tried and failed to log in to the AWS Console several times. This alert requires 0 days of history.
• AWS Inspector Finding | Normal priority - AWS Inspector reported a high-severity finding for the device. This alert requires 0 days of history.
• AWS Lambda Invocation Spike | Normal priority - A Lambda function was invoked a record number of times. This alert requires 14 days of history.
• AWS Multifactor Authentication Change | Normal priority - Multifactor authentication was removed from a user account. This alert requires 0 days of history.
• AWS Overlapping Subnet | Normal priority - A new AWS subnet has a CIDR that overlaps an existing subnet. This is a violation of Amazon best practices. This alert requires 0 days of history.
• AWS Root Account Used | Normal priority - An action was performed using the AWS root account. This alert requires 0 days of history.
• CloudTrail Watchlist Hit | Normal priority - AWS CloudTrail reported an event on a user-supplied watchlist. This alert requires 0 days of history.
• Geographically Unusual AWS API Usage - An AWS API has been accessed from a remote host in a country that doesn't normally access the API. This alert requires 14 days of history.
• New AWS Region | Normal priority - An AWS resource was detected in a previously unused region. This alert requires 0 days of history.
• New AWS Route53 Target | Normal priority - A new AWS Route53 resource record was assigned to a device that was not previously associated with a Route53 resource record. This alert requires 0 days of history.
• Stale AWS Access Key | Normal priority - An AWS IAM access key exceeded the configurable age. This alert requires 30 days of history.
• Permissive AWS S3 Access Control List | Normal priority - A new ACL has been created that allows permissive access to an S3 bucket. This may be a misconfiguration and might lead to unauthorized access to stored data. This alert requires 0 days of history.
• Permissive AWS Security Group Created | Normal priority - A new AWS security group has been created that allows access from any host on unsafe ports. This alert requires 0 days of history.
• Public Amazon Route 53 Hosted Zone Created | Normal priority - A public Amazon Route 53 hosted zone was created. This alert requires 0 days of history.
• Unused AWS Resource | Normal priority - No recent activity has been seen for this AWS resource. This alert requires 14 days of history.
CloudTrail Watchlist
When an action is performed in the customer AWS environment, AWS CloudTrail records it as an API event. Stealthwatch Cloud publishes every CloudTrail record as an AWS CloudTrail Event Observation. To view them, select Observations > Types > AWS CloudTrail Event Observation.
For example, when a network interface is created, modified, or deleted, the corresponding API call is recorded in CloudTrail.
You can build watchlists for any specific actions (CloudTrail event names) you want to be notified about; a match raises the CloudTrail Watchlist Hit alert listed above. This functionality is accessed from Settings > Alerts > Configure Watchlists.
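The matching behind a CloudTrail watchlist, and behind the AWS Root Account Used, AWS Multifactor Authentication Change, AWS Console Login Failures and AWS API Watchlist IP Hit alerts listed above, can be shown on a handful of CloudTrail records. The following Python is an added example, not Stealthwatch Cloud's detection code: it replays records constructed here (real CloudTrail field and API names, invented values) through rules of that kind. The watchlist contents, the IP list and the failed-login threshold are assumptions; the guide itself only says "several times".

```python
"""Replay constructed CloudTrail records through watchlist-style rules.

Added example, not Stealthwatch Cloud's detection code. The records use real
CloudTrail field and API names (eventName, userIdentity.type, sourceIPAddress,
responseElements.ConsoleLogin) with constructed values; EVENT_WATCHLIST,
IP_WATCHLIST and LOGIN_FAILURE_THRESHOLD are assumptions.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set


def _rec(name: str, source: str, ident: Dict, ip: str, **extra) -> Dict:
    """Build one constructed CloudTrail record with only the fields the rules read."""
    rec = {"eventVersion": "1.05", "eventSource": source, "eventName": name,
           "userIdentity": ident, "sourceIPAddress": ip, "awsRegion": "us-east-1"}
    rec.update(extra)
    return rec


ALICE = {"type": "IAMUser", "userName": "alice"}
BOB = {"type": "IAMUser", "userName": "bob"}
ROOT = {"type": "Root", "accountId": "123456789012"}

# Constructed sample: one watchlisted ENI change, three failed console logins,
# an MFA removal, and one API call made as root from a watchlisted IP.
SAMPLE_RECORDS: List[Dict] = [
    _rec("CreateNetworkInterface", "ec2.amazonaws.com", ALICE, "203.0.113.10"),
    _rec("ConsoleLogin", "signin.amazonaws.com", BOB, "198.51.100.7",
         responseElements={"ConsoleLogin": "Failure"}),
    _rec("ConsoleLogin", "signin.amazonaws.com", BOB, "198.51.100.7",
         responseElements={"ConsoleLogin": "Failure"}),
    _rec("ConsoleLogin", "signin.amazonaws.com", BOB, "198.51.100.7",
         responseElements={"ConsoleLogin": "Failure"}),
    _rec("DeactivateMFADevice", "iam.amazonaws.com", ALICE, "203.0.113.10",
         requestParameters={"userName": "carol"}),
    _rec("DescribeInstances", "ec2.amazonaws.com", ROOT, "192.0.2.55"),
]

# Assumed watchlist contents; the guide's own example is network-interface changes.
EVENT_WATCHLIST: Set[str] = {"CreateNetworkInterface", "ModifyNetworkInterfaceAttribute",
                             "DeleteNetworkInterface"}
IP_WATCHLIST: Set[str] = {"192.0.2.55"}
MFA_REMOVAL_EVENTS = {"DeactivateMFADevice", "DeleteVirtualMFADevice"}
LOGIN_FAILURE_THRESHOLD = 3  # assumption: the guide only says "several times"


def evaluate(records: Iterable[Dict], event_watchlist: Set[str] = EVENT_WATCHLIST,
             ip_watchlist: Set[str] = IP_WATCHLIST,
             failure_threshold: int = LOGIN_FAILURE_THRESHOLD) -> List[Dict]:
    """Return one alert dict per rule match, in record order."""
    alerts: List[Dict] = []
    failures: Dict[str, int] = defaultdict(int)
    for r in records:
        name = r.get("eventName", "")
        ident = r.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("type", "unknown")
        ip = r.get("sourceIPAddress", "")
        base = {"actor": actor, "ip": ip, "event": name}
        if name in event_watchlist:
            alerts.append({"alert": "CloudTrail Watchlist Hit", **base})
        if ip in ip_watchlist:
            alerts.append({"alert": "AWS API Watchlist IP Hit", **base})
        if ident.get("type") == "Root":   # root identity, regardless of the API called
            alerts.append({"alert": "AWS Root Account Used", **base})
        if name in MFA_REMOVAL_EVENTS:
            target = r.get("requestParameters", {}).get("userName", actor)
            alerts.append({"alert": "AWS Multifactor Authentication Change",
                           "target": target, **base})
        if name == "ConsoleLogin" and r.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            failures[actor] += 1
            if failures[actor] == failure_threshold:   # fire once, when the threshold is reached
                alerts.append({"alert": "AWS Console Login Failures",
                               "count": failure_threshold, **base})
    return alerts


def summarize(alerts: List[Dict]) -> Dict[str, int]:
    """Count alerts by name."""
    counts: Dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a["alert"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in evaluate(SAMPLE_RECORDS):
        print(a)
    print(summarize(evaluate(SAMPLE_RECORDS)))
```

The root record produces two alerts, one for the identity and one for the source IP, which is how the portal's supporting Observations for an alert can overlap. The failure rule fires once at the threshold rather than on every subsequent failure, so a brute-force run does not flood the Open Alerts list.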
7. The AWS Root Account Used alert has fired.
8. Under the alert, you can find the supporting AWS CloudTrail Event Observations.
9. For this exercise, make sure the Alerts list displays only Open Alerts, sorted by Newest.
10. Select one of the top alerts displayed on the screen by clicking it.
Note: The Open Alerts displayed here will vary. We cover how to read and interact with Alerts in general, so any selection will do.
11. Observe that the Details screen opens for the selected Alert.
12. The Alert Details screen displays the name of the Alert, the associated device name/IP address, and more:
a. Status: Current status of the Alert (Open or Closed).
b. ID: Identification number of the Alert. This is an incrementing number across all triggered Alerts.
c. Description: A description of the Alert explaining what it means and why it is important.
d. Updated: When the Alert most recently had related activity.
e. Created: When the Alert was first triggered.
f. IP addresses: The IP addresses of all observed entities involved in the Alert (may not be displayed for all Alerts).
g. Hostnames: The hostnames of the entities when the Alert triggered (may not be displayed for all Alerts).
h. Assignee: Who the Alert is assigned to. Useful for triage and tracking.
i. Tags: The custom tags currently associated with the Alert. You can also assign custom tags to an Alert here for organization and tracking purposes.
13. Supporting Observations: All Alerts are based on Observations, the related activities that caused the Alert to trigger. Depending on the type of Alert, several kinds of Observations can be listed here. The table for each Observation displays the connection details for the activity.
14. Additional Observations: Lets you explore additional information and context about the device that triggered the Alert.
15. Comments: Lets you enter related comments or information about the Alert, and records when additional related Observations are added.
What's next?
• Check out the related information on cisco.com.
• Talk about it on the dCloud Community.