
Cisco Secure Network Analytics (Stealthwatch)

This Integration is part of the Cisco Secure Network Analytics (Stealthwatch) Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Scalable visibility and security analytics. This integration was integrated and tested with version 7.2.1 of Cisco Secure Network Analytics (Stealthwatch). Due to changes in the product API, versions 7.3.2 and later are currently not supported.

Configure Cisco Stealthwatch in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| Server URL | Server URL for the Cisco Stealthwatch console, e.g. https://ip:port/. | True |
| User Credentials | | True |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cisco-stealthwatch-query-flows-initialize

Initializes a flow search based on the specified arguments. You must provide a start time, a time range, or a start time and an end time.

Base Command

cisco-stealthwatch-query-flows-initialize

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant whose flow search to initialize. | Required |
| start_time | Start time in the format YYYY-mm-ddTHH:MM:SSZ. If start_time is provided but end_time is not, end_time is set to the current time. | Optional |
| end_time | End time in the format YYYY-mm-ddTHH:MM:SSZ. | Optional |
| time_range | An optional time range, for example: 3 months, 1 week, 1 day ago, etc. | Optional |
| limit | The maximum number of records to retrieve. Default is 20. | Optional |
| ip_addresses | The IP address by which to filter the results. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.FlowStatus.id | str | The ID of the flow search. |
| CiscoStealthwatch.FlowStatus.searchJobStatus | str | The search job status of the flow search. |
| CiscoStealthwatch.FlowStatus.percentComplete | str | The percentage of the flow search that has completed. |

Command Example

!cisco-stealthwatch-query-flows-initialize tenant_id=102 limit=3 time_range="1 week"

Context Example

{
"CiscoStealthwatch": {
"FlowStatus": {
"domainId": "102",
"id": "604f7115e4b0bbedc8c77d8d",
"percentComplete": 100,
"status": "IN_PROGRESS"
}
}
}

Human Readable Output

Query Flows Initializing Information:

| Id | Status | Percent Complete |
| --- | --- | --- |
| 604f7115e4b0bbedc8c77d8d | IN_PROGRESS | 100.0 |

cisco-stealthwatch-query-flows-status

Checks the flow search status.

Base Command

cisco-stealthwatch-query-flows-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant whose flow search status to check. | Required |
| search_id | The ID of the search returned by the cisco-stealthwatch-query-flows-initialize command. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.FlowStatus.id | str | The ID of the flow search. |
| CiscoStealthwatch.FlowStatus.percentComplete | str | The percentage of the flow search that has completed. |

Command Example

!cisco-stealthwatch-query-flows-status tenant_id=102 search_id=604f64afe4b0bbedc8c77a9d

Context Example

{
"CiscoStealthwatch": {
"FlowStatus": {
"domainId": "102",
"id": "604f64afe4b0bbedc8c77a9d",
"percentComplete": 100,
"status": "COMPLETED"
}
}
}

Human Readable Output

Query Flows Status Information:

| Id | Percent Complete |
| --- | --- |
| 604f64afe4b0bbedc8c77a9d | 100.0 |

cisco-stealthwatch-query-flows-results

Retrieves the flow search results. Use this command after the search job completes.

Base Command

cisco-stealthwatch-query-flows-results

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant whose flow search results to retrieve. | Required |
| search_id | The ID of the search returned by the cisco-stealthwatch-query-flows-initialize command. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.FlowResults.id | str | The ID of the flow. |
| CiscoStealthwatch.FlowResults.tenantId | str | The tenant ID of the flow. |
| CiscoStealthwatch.FlowResults.flowCollectorId | str | The flow collector ID of the flow. |
| CiscoStealthwatch.FlowResults.protocol | str | The protocol of the flow. |
| CiscoStealthwatch.FlowResults.serviceId | str | The service ID of the flow. |
| CiscoStealthwatch.FlowResults.statistics | str | The statistics of the flow. |
| CiscoStealthwatch.FlowResults.peer | str | The peer of the flow. |
| CiscoStealthwatch.FlowResults.subject | str | The subject of the flow. |

Command Example

!cisco-stealthwatch-query-flows-results tenant_id=102 search_id=604f64afe4b0bbedc8c77a9d

Context Example

{
"CiscoStealthwatch": {
"FlowResults": [
{
"applicationId": 170,
"cipherSuite": {
"authAlgorithm": "N/A",
"encAlgorithm": "N/A",
"id": "N/A",
"keyExchange": "N/A",
"keyLength": "N/A",
"messageAuthCode": "N/A",
"name": "N/A",
"protocol": "N/A"
},
"flowCollectorId": 121,
"id": 10142775,
"mplsLabel": -1,
"peer": {
"byteRate": 0,
"bytes": 0,
"countryCode": "XR",
"finPackets": 0,
"hostGroupIds": [
65534
],
"ipAddress": "x.x.x.x",
"natPort": -1,
"orientation": "server",
"packetRate": 0,
"packets": 0,
"percentBytes": 0,
"portProtocol": {
"port": 2055,
"protocol": "UDP",
"serviceId": 0
},
"rstPackets": 0,
"synAckPackets": 0,
"synPackets": 0,
"tlsVersion": "NONE",
"trustSecId": -1
},
"protocol": "UDP",
"serviceId": 38,
"statistics": {
"activeDuration": 320000,
"byteCount": 21403751,
"byteRate": 267546.8875,
"firstActiveTime": "2021-03-15T13:36:15.000+0000",
"flowTimeSinceStart": 240673,
"lastActiveTime": "2021-03-15T13:41:35.000+0000",
"numCombinedFlowRecords": 2,
"packetCount": 15667,
"packetRate": 195.8375,
"roundTripTime": 0,
"rttAverage": -1,
"rttMaximum": -1,
"rttMinimum": -1,
"serverResponseTime": 0,
"srtAverage": -1,
"srtMaximum": -1,
"srtMinimum": -1,
"subjectPeerRatio": 100,
"tcpConnections": 0,
"tcpRetransmissions": -1,
"tcpRetransmissionsRatio": -0.006382842918235782
},
"subject": {
"byteRate": 267546.8875,
"bytes": 21403751,
"countryCode": "XR",
"finPackets": 0,
"hostGroupIds": [
65534
],
"ipAddress": "x.x.x.x",
"natPort": -1,
"orientation": "client",
"packetRate": 195.8375,
"packets": 15667,
"percentBytes": 100,
"portProtocol": {
"port": 59315,
"protocol": "UDP",
"serviceId": 0
},
"rstPackets": 0,
"synAckPackets": 0,
"synPackets": 0,
"tlsVersion": "NONE",
"trustSecId": -1
},
"tenantId": 102,
"tlsVersion": "NONE",
"vlanId": -1
},
{
"applicationId": 170,
"cipherSuite": {
"authAlgorithm": "N/A",
"encAlgorithm": "N/A",
"id": "N/A",
"keyExchange": "N/A",
"keyLength": "N/A",
"messageAuthCode": "N/A",
"name": "N/A",
"protocol": "N/A"
},
"flowCollectorId": 121,
"id": 10142776,
"mplsLabel": -1,
"peer": {
"byteRate": 0,
"bytes": 0,
"countryCode": "XR",
"finPackets": 0,
"hostGroupIds": [
65534
],
"ipAddress": "x.x.x.x",
"natPort": -1,
"orientation": "server",
"packetRate": 0,
"packets": 0,
"percentBytes": 0,
"portProtocol": {
"port": 2055,
"protocol": "UDP",
"serviceId": 0
},
"rstPackets": 0,
"synAckPackets": 0,
"synPackets": 0,
"tlsVersion": "NONE",
"trustSecId": -1
},
"protocol": "UDP",
"serviceId": 38,
"statistics": {
"activeDuration": 320000,
"byteCount": 21403751,
"byteRate": 267546.8875,
"firstActiveTime": "2021-03-15T13:36:15.000+0000",
"flowTimeSinceStart": 240673,
"lastActiveTime": "2021-03-15T13:41:35.000+0000",
"numCombinedFlowRecords": 2,
"packetCount": 15667,
"packetRate": 195.8375,
"roundTripTime": 0,
"rttAverage": -1,
"rttMaximum": -1,
"rttMinimum": -1,
"serverResponseTime": 0,
"srtAverage": -1,
"srtMaximum": -1,
"srtMinimum": -1,
"subjectPeerRatio": 100,
"tcpConnections": 0,
"tcpRetransmissions": -1,
"tcpRetransmissionsRatio": -0.006382842918235782
},
"subject": {
"byteRate": 267546.8875,
"bytes": 21403751,
"countryCode": "XR",
"finPackets": 0,
"hostGroupIds": [
65534
],
"ipAddress": "x.x.x.x",
"natPort": -1,
"orientation": "client",
"packetRate": 195.8375,
"packets": 15667,
"percentBytes": 100,
"portProtocol": {
"port": 52656,
"protocol": "UDP",
"serviceId": 0
},
"rstPackets": 0,
"synAckPackets": 0,
"synPackets": 0,
"tlsVersion": "NONE",
"trustSecId": -1
},
"tenantId": 102,
"tlsVersion": "NONE",
"vlanId": -1
},
{
"applicationId": 176,
"cipherSuite": {
"authAlgorithm": "N/A",
"encAlgorithm": "N/A",
"id": "N/A",
"keyExchange": "N/A",
"keyLength": "N/A",
"messageAuthCode": "N/A",
"name": "N/A",
"protocol": "N/A"
},
"flowCollectorId": 121,
"id": 10142778,
"mplsLabel": -1,
"peer": {
"byteRate": 0,
"bytes": 0,
"countryCode": "XR",
"finPackets": 0,
"hostGroupIds": [
65534
],
"ipAddress": "x.x.x.x",
"natPort": -1,
"orientation": "server",
"packetRate": 0,
"packets": 0,
"percentBytes": 0,
"portProtocol": {
"port": 514,
"protocol": "UDP",
"serviceId": 0
},
"rstPackets": 0,
"synAckPackets": 0,
"synPackets": 0,
"tlsVersion": "NONE",
"trustSecId": -1
},
"protocol": "UDP",
"serviceId": 73,
"statistics": {
"activeDuration": 320000,
"byteCount": 213807311,
"byteRate": 2672591.3875,
"firstActiveTime": "2021-03-15T13:36:15.000+0000",
"flowTimeSinceStart": 240673,
"lastActiveTime": "2021-03-15T13:41:35.000+0000",
"numCombinedFlowRecords": 2,
"packetCount": 173345,
"packetRate": 2166.8125,
"roundTripTime": 0,
"rttAverage": -1,
"rttMaximum": -1,
"rttMinimum": -1,
"serverResponseTime": 0,
"srtAverage": -1,
"srtMaximum": -1,
"srtMinimum": -1,
"subjectPeerRatio": 100,
"tcpConnections": 0,
"tcpRetransmissions": -1,
"tcpRetransmissionsRatio": -0.0005768842481756036
},
"subject": {
"byteRate": 2672591.3875,
"bytes": 213807311,
"countryCode": "XR",
"finPackets": 0,
"hostGroupIds": [
65534
],
"ipAddress": "x.x.x.x",
"natPort": -1,
"orientation": "client",
"packetRate": 2166.8125,
"packets": 173345,
"percentBytes": 100,
"portProtocol": {
"port": 48861,
"protocol": "UDP",
"serviceId": 0
},
"rstPackets": 0,
"synAckPackets": 0,
"synPackets": 0,
"tlsVersion": "NONE",
"trustSecId": -1
},
"tenantId": 102,
"tlsVersion": "NONE",
"vlanId": -1
}
]
}
}

Human Readable Output

Query Flows Results Information:

| Id | Tenant Id | Flow Collector Id | Protocol | Service Id |
| --- | --- | --- | --- | --- |
| 10142775 | 102 | 121 | UDP | 38 |

  Statistics:
    activeDuration: 320000
    numCombinedFlowRecords: 2
    firstActiveTime: 2021-03-15T13:36:15.000+0000
    lastActiveTime: 2021-03-15T13:41:35.000+0000
    tcpRetransmissions: -1
    byteCount: 21403751
    packetCount: 15667
    byteRate: 267546.8875
    packetRate: 195.8375
    tcpConnections: 0
    roundTripTime: 0
    serverResponseTime: 0
    subjectPeerRatio: 100.0
    rttAverage: -1
    rttMaximum: -1
    rttMinimum: -1
    srtAverage: -1
    srtMaximum: -1
    srtMinimum: -1
    flowTimeSinceStart: 240673
    tcpRetransmissionsRatio: -0.006382842918235782
  Peer:
    hostGroupIds: 65534
    countryCode: XR
    ipAddress: x.x.x.x
    natPort: -1
    portProtocol: {"port": 2055, "protocol": "UDP", "serviceId": 0}
    percentBytes: 0.0
    bytes: 0
    packets: 0
    byteRate: 0.0
    packetRate: 0.0
    orientation: server
    finPackets: 0
    rstPackets: 0
    synPackets: 0
    synAckPackets: 0
    tlsVersion: NONE
    trustSecId: -1
  Subject:
    hostGroupIds: 65534
    countryCode: XR
    ipAddress: x.x.x.x
    natPort: -1
    portProtocol: {"port": 59315, "protocol": "UDP", "serviceId": 0}
    percentBytes: 100.0
    bytes: 21403751
    packets: 15667
    byteRate: 267546.8875
    packetRate: 195.8375
    orientation: client
    finPackets: 0
    rstPackets: 0
    synPackets: 0
    synAckPackets: 0
    tlsVersion: NONE
    trustSecId: -1

| Id | Tenant Id | Flow Collector Id | Protocol | Service Id |
| --- | --- | --- | --- | --- |
| 10142776 | 102 | 121 | UDP | 38 |

  Statistics:
    activeDuration: 320000
    numCombinedFlowRecords: 2
    firstActiveTime: 2021-03-15T13:36:15.000+0000
    lastActiveTime: 2021-03-15T13:41:35.000+0000
    tcpRetransmissions: -1
    byteCount: 21403751
    packetCount: 15667
    byteRate: 267546.8875
    packetRate: 195.8375
    tcpConnections: 0
    roundTripTime: 0
    serverResponseTime: 0
    subjectPeerRatio: 100.0
    rttAverage: -1
    rttMaximum: -1
    rttMinimum: -1
    srtAverage: -1
    srtMaximum: -1
    srtMinimum: -1
    flowTimeSinceStart: 240673
    tcpRetransmissionsRatio: -0.006382842918235782
  Peer:
    hostGroupIds: 65534
    countryCode: XR
    ipAddress: x.x.x.x
    natPort: -1
    portProtocol: {"port": 2055, "protocol": "UDP", "serviceId": 0}
    percentBytes: 0.0
    bytes: 0
    packets: 0
    byteRate: 0.0
    packetRate: 0.0
    orientation: server
    finPackets: 0
    rstPackets: 0
    synPackets: 0
    synAckPackets: 0
    tlsVersion: NONE
    trustSecId: -1
  Subject:
    hostGroupIds: 65534
    countryCode: XR
    ipAddress: x.x.x.x
    natPort: -1
    portProtocol: {"port": 52656, "protocol": "UDP", "serviceId": 0}
    percentBytes: 100.0
    bytes: 21403751
    packets: 15667
    byteRate: 267546.8875
    packetRate: 195.8375
    orientation: client
    finPackets: 0
    rstPackets: 0
    synPackets: 0
    synAckPackets: 0
    tlsVersion: NONE
    trustSecId: -1

| Id | Tenant Id | Flow Collector Id | Protocol | Service Id |
| --- | --- | --- | --- | --- |
| 10142778 | 102 | 121 | UDP | 73 |

  Statistics:
    activeDuration: 320000
    numCombinedFlowRecords: 2
    firstActiveTime: 2021-03-15T13:36:15.000+0000
    lastActiveTime: 2021-03-15T13:41:35.000+0000
    tcpRetransmissions: -1
    byteCount: 213807311
    packetCount: 173345
    byteRate: 2672591.3875
    packetRate: 2166.8125
    tcpConnections: 0
    roundTripTime: 0
    serverResponseTime: 0
    subjectPeerRatio: 100.0
    rttAverage: -1
    rttMaximum: -1
    rttMinimum: -1
    srtAverage: -1
    srtMaximum: -1
    srtMinimum: -1
    flowTimeSinceStart: 240673
    tcpRetransmissionsRatio: -0.0005768842481756036
  Peer:
    hostGroupIds: 65534
    countryCode: XR
    ipAddress: x.x.x.x
    natPort: -1
    portProtocol: {"port": 514, "protocol": "UDP", "serviceId": 0}
    percentBytes: 0.0
    bytes: 0
    packets: 0
    byteRate: 0.0
    packetRate: 0.0
    orientation: server
    finPackets: 0
    rstPackets: 0
    synPackets: 0
    synAckPackets: 0
    tlsVersion: NONE
    trustSecId: -1
  Subject:
    hostGroupIds: 65534
    countryCode: XR
    ipAddress: x.x.x.x
    natPort: -1
    portProtocol: {"port": 48861, "protocol": "UDP", "serviceId": 0}
    percentBytes: 100.0
    bytes: 213807311
    packets: 173345
    byteRate: 2672591.3875
    packetRate: 2166.8125
    orientation: client
    finPackets: 0
    rstPackets: 0
    synPackets: 0
    synAckPackets: 0
    tlsVersion: NONE
    trustSecId: -1
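The three commands above form one procedure: initialize a search, poll its status until it is COMPLETED, then fetch the results. The following is an added example written for this page, not code from the integration itself; it applies the stated argument rules for the initialize command, polls on the status field (the sample output shows percentComplete at 100 while status is still IN_PROGRESS), and reduces the FlowResults context to a triage view. FakeStealthwatch is a constructed stand-in for the real API client that replays this page's sample data.

```python
# Added example for this page, not the integration's own code: the flow-search
# procedure (initialize, poll status, fetch results) with the argument rules from
# the initialize command. FakeStealthwatch is constructed and replays sample data.
import re
from typing import Callable, Dict, List, Optional

# Documented format for start_time / end_time: YYYY-mm-ddTHH:MM:SSZ
TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")

def build_search_args(tenant_id, start_time: Optional[str] = None,
                      end_time: Optional[str] = None, time_range: Optional[str] = None,
                      limit: int = 20, ip_addresses: Optional[str] = None) -> Dict:
    """Apply the rule for cisco-stealthwatch-query-flows-initialize: a start time,
    a time range, or a start time plus end time must be supplied."""
    if not start_time and not time_range:
        raise ValueError("provide start_time, time_range, or start_time and end_time")
    if end_time and not start_time:
        raise ValueError("end_time is only meaningful together with start_time")
    for name, value in (("start_time", start_time), ("end_time", end_time)):
        if value and not TIME_RE.match(value):
            raise ValueError(f"{name} must look like YYYY-mm-ddTHH:MM:SSZ, got {value!r}")
    if limit < 1:
        raise ValueError("limit must be a positive integer")
    args = {"tenant_id": str(tenant_id), "limit": int(limit)}
    for name, value in (("start_time", start_time), ("end_time", end_time),
                        ("time_range", time_range), ("ip_addresses", ip_addresses)):
        if value:
            args[name] = value
    return args

def rejects(**kwargs) -> bool:
    """True when build_search_args refuses the given arguments."""
    try:
        build_search_args(**kwargs)
    except ValueError:
        return True
    return False

def wait_for_search(get_status: Callable[[], Dict], max_polls: int = 10) -> Dict:
    """Poll FlowStatus until status is COMPLETED. The sample output above shows
    percentComplete already at 100 while status is still IN_PROGRESS, so
    completion is decided on the status field, never on the percentage."""
    last: Dict = {}
    for _ in range(max_polls):
        last = get_status()
        if last.get("status") == "COMPLETED":
            return last
    raise TimeoutError(f"search {last.get('id')} still {last.get('status')} after {max_polls} polls")

def summarize_flows(flow_results: List[Dict]) -> List[Dict]:
    """Reduce FlowResults to what gets triaged first: client and server endpoint,
    protocol, total bytes and whether TLS was seen; heaviest flow first."""
    rows = []
    for flow in flow_results:
        subj, peer, stats = flow["subject"], flow["peer"], flow["statistics"]
        rows.append({
            "id": flow["id"],
            "client": f"{subj['ipAddress']}:{subj['portProtocol']['port']}",
            "server": f"{peer['ipAddress']}:{peer['portProtocol']['port']}",
            "protocol": flow["protocol"],
            "bytes": stats["byteCount"],
            "tls": flow.get("tlsVersion", "NONE"),
        })
    return sorted(rows, key=lambda r: r["bytes"], reverse=True)

class FakeStealthwatch:
    """Constructed stand-in for the API client; replays this page's sample data."""

    def __init__(self):
        self.polls = 0

    def initialize(self, args: Dict) -> Dict:
        return {"domainId": args["tenant_id"], "id": "604f7115e4b0bbedc8c77d8d",
                "percentComplete": 100, "status": "IN_PROGRESS"}

    def status(self, tenant_id: str, search_id: str) -> Dict:
        self.polls += 1  # first poll still IN_PROGRESS, second poll COMPLETED
        state = "COMPLETED" if self.polls >= 2 else "IN_PROGRESS"
        return {"domainId": tenant_id, "id": search_id, "percentComplete": 100, "status": state}

    def results(self, tenant_id: str, search_id: str) -> List[Dict]:
        def flow(fid, client_port, server_port, nbytes):  # trimmed to the fields used
            return {"id": fid, "protocol": "UDP", "tlsVersion": "NONE",
                    "subject": {"ipAddress": "x.x.x.x", "portProtocol": {"port": client_port}},
                    "peer": {"ipAddress": "x.x.x.x", "portProtocol": {"port": server_port}},
                    "statistics": {"byteCount": nbytes}}
        return [flow(10142775, 59315, 2055, 21403751), flow(10142778, 48861, 514, 213807311)]

def run_flow_search(client: FakeStealthwatch, tenant_id, **search_kwargs) -> Dict:
    """The whole procedure: initialize, poll until COMPLETED, then fetch results."""
    args = build_search_args(tenant_id, **search_kwargs)
    search_id = client.initialize(args)["id"]
    final = wait_for_search(lambda: client.status(args["tenant_id"], search_id))
    flows = summarize_flows(client.results(args["tenant_id"], search_id))
    return {"search_id": search_id, "polls": client.polls, "status": final["status"], "flows": flows}
```

Calling `run_flow_search(FakeStealthwatch(), 102, time_range="1 week", limit=3)` reproduces the page's command example end to end; with a real client, `status` and `results` would wrap the two follow-up commands.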

cisco-stealthwatch-list-tags

Lists the host groups (called tags in the API).

Base Command

cisco-stealthwatch-list-tags

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant whose tags to list. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.Tag.id | str | The ID of the tag. |
| CiscoStealthwatch.Tag.displayName | str | The display name of the tag. |

Command Example

!cisco-stealthwatch-list-tags tenant_id=102

Context Example

{
"CiscoStealthwatch": {
"Tag": [
{
"displayName": "Internal Host Tags",
"id": 1
},
{
"displayName": "Servers",
"id": 2
},
{
"displayName": "Employee Wired",
"id": 3
},
{
"displayName": "Client IP Ranges (DHCP Range)",
"id": 5
},
{
"displayName": "Other",
"id": 6
},
{
"displayName": "Protected Asset Monitoring",
"id": 10
},
{
"displayName": "Proxies",
"id": 11
},
{
"displayName": "VoIP",
"id": 12
},
{
"displayName": "VoIP Gateways",
"id": 13
},
{
"displayName": "Multicast",
"id": 14
},
{
"displayName": "Link-Local",
"id": 17
},
{
"displayName": "Broadcast",
"id": 18
},
{
"displayName": "Localhost",
"id": 19
},
{
"displayName": "By Function",
"id": 23
},
{
"displayName": "DMZ",
"id": 24
},
{
"displayName": "Antivirus Servers",
"id": 25
},
{
"displayName": "Backup Servers",
"id": 26
},
{
"displayName": "DNS Servers",
"id": 27
},
{
"displayName": "File Servers",
"id": 28
},
{
"displayName": "Mail Servers",
"id": 30
},
{
"displayName": "NTP Servers",
"id": 31
},
{
"displayName": "Employee VPN ",
"id": 33
},
{
"displayName": "Web Servers",
"id": 34
},
{
"displayName": "DHCP Servers",
"id": 36
},
{
"displayName": "VoIP Endpoints",
"id": 37
},
{
"displayName": "Domain Controllers",
"id": 38
},
{
"displayName": "By Location",
"id": 43
},
{
"displayName": "Employee Wireless",
"id": 44
},
{
"displayName": "Guest Wireless",
"id": 45
},
{
"displayName": "Network Scanners",
"id": 48
},
{
"displayName": "SMS Servers",
"id": 50
},
{
"displayName": "NAT Gateway",
"id": 51
},
{
"displayName": "Internet Facing Load Balancer VIPs",
"id": 50067
},
{
"displayName": "Internet Services",
"id": 50068
},
{
"displayName": "Protected Trapped Hosts - Honeypot",
"id": 50069
},
{
"displayName": "Database Servers",
"id": 50075
},
{
"displayName": "Trusted Users",
"id": 50076
},
{
"displayName": "Untrusted Users",
"id": 50077
},
{
"displayName": "Load Balancer VIPs",
"id": 50079
},
{
"displayName": "Internal Facing Load Balancer VIPs",
"id": 50080
},
{
"displayName": "Catch All",
"id": 65534
}
]
}
}

Human Readable Output

Tags for tenant_id: 102:

| Display Name | Id |
| --- | --- |
| Internal Host Tags | 1 |
| Servers | 2 |
| Employee Wired | 3 |
| Client IP Ranges (DHCP Range) | 5 |
| Other | 6 |
| Protected Asset Monitoring | 10 |
| Proxies | 11 |
| VoIP | 12 |
| VoIP Gateways | 13 |
| Multicast | 14 |
| Link-Local | 17 |
| Broadcast | 18 |
| Localhost | 19 |
| By Function | 23 |
| DMZ | 24 |
| Antivirus Servers | 25 |
| Backup Servers | 26 |
| DNS Servers | 27 |
| File Servers | 28 |
| Mail Servers | 30 |
| NTP Servers | 31 |
| Employee VPN | 33 |
| Web Servers | 34 |
| DHCP Servers | 36 |
| VoIP Endpoints | 37 |
| Domain Controllers | 38 |
| By Location | 43 |
| Employee Wireless | 44 |
| Guest Wireless | 45 |
| Network Scanners | 48 |
| SMS Servers | 50 |
| NAT Gateway | 51 |
| Internet Facing Load Balancer VIPs | 50067 |
| Internet Services | 50068 |
| Protected Trapped Hosts - Honeypot | 50069 |
| Database Servers | 50075 |
| Trusted Users | 50076 |
| Untrusted Users | 50077 |
| Load Balancer VIPs | 50079 |
| Internal Facing Load Balancer VIPs | 50080 |
| Catch All | 65534 |

cisco-stealthwatch-get-tag

Gets a single host group (called tag in the API).

Base Command

cisco-stealthwatch-get-tag

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant that owns the tag. | Required |
| tag_id | The ID of the tag for which to get more information. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.Tag.id | str | The ID of the tag. |
| CiscoStealthwatch.Tag.name | str | The name of the tag. |
| CiscoStealthwatch.Tag.location | str | The location of the tag. |
| CiscoStealthwatch.Tag.domainId | str | The domain ID of the tag. |

Command Example

!cisco-stealthwatch-get-tag tenant_id=102 tag_id=1

Context Example

{
"CiscoStealthwatch": {
"Tag": {
"display": {
"domainId": 102,
"editable": false,
"id": 1,
"idPath": [
1
],
"location": "INSIDE",
"name": "Inside Hosts",
"path": []
},
"domainId": 102,
"hostBaselines": true,
"hostTrap": false,
"id": 1,
"inverseSuppression": false,
"location": "INSIDE",
"name": "Inside Hosts",
"parentId": 2147483647,
"sendToCognitiveFilter": "CROSS_PERIMETER",
"sendToCta": false,
"suppressExcludedServices": true
}
}
}

Human Readable Output

Tag 1 with tenant id 102 results:

| Id | Name | Location | Domain Id |
| --- | --- | --- | --- |
| 1 | Inside Hosts | INSIDE | 102 |

cisco-stealthwatch-list-tenants

Lists all domains (called tenants in the API), or gets a single domain when tenant_id is specified.

Base Command

cisco-stealthwatch-list-tenants

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant for which to retrieve information. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.Tenant.id | str | The ID of the tenant. |
| CiscoStealthwatch.Tenant.displayName | str | The display name of the tenant. |

Command Example

!cisco-stealthwatch-list-tenants

Context Example

{
"CiscoStealthwatch": {
"Tenant": {
"displayName": "companyname",
"id": 102
}
}
}

Human Readable Output

Tenants:

| Id | Display Name |
| --- | --- |
| 102 | companyname |

cisco-stealthwatch-get-tag-hourly-traffic-report

Gets the hourly byte-count traffic summary for a single host group (called tag in the API).

Base Command

cisco-stealthwatch-get-tag-hourly-traffic-report

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant that owns the host group. | Required |
| tag_id | The ID of the tag for which to get the hourly traffic report. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.TagHourlyTraffic.timestamp | str | Timestamp of the hourly traffic summary for a single host group (called tag in the API). |
| CiscoStealthwatch.TagHourlyTraffic.inboundByteCount | str | Inbound byte count of the hourly traffic summary for a single host group (called tag in the API). |
| CiscoStealthwatch.TagHourlyTraffic.outboundByteCount | str | Outbound byte count of the hourly traffic summary for a single host group (called tag in the API). |
| CiscoStealthwatch.TagHourlyTraffic.withinByteCount | str | Within-group byte count of the hourly traffic summary for a single host group (called tag in the API). |
| CiscoStealthwatch.TagHourlyTraffic.tenant_id | str | The tenant ID of the hourly traffic summary for a single host group (called tag in the API). |
| CiscoStealthwatch.TagHourlyTraffic.tag_id | str | The tag ID of the hourly traffic summary for a single host group (called tag in the API). |

Command Example

!cisco-stealthwatch-get-tag-hourly-traffic-report tenant_id=102 tag_id=1

Context Example

{
"CiscoStealthwatch": {
"TagHourlyTraffic": [
{
"inboundByteCount": 0,
"outboundByteCount": 150258936,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-15T14:00:00Z",
"withinByteCount": 1945701335
},
{
"inboundByteCount": 0,
"outboundByteCount": 463352098,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-15T13:00:00Z",
"withinByteCount": 3505279985
},
{
"inboundByteCount": 0,
"outboundByteCount": 262327649,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-15T12:00:00Z",
"withinByteCount": 3529956221
},
{
"inboundByteCount": 0,
"outboundByteCount": 1122353436,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-15T11:00:00Z",
"withinByteCount": 3457833934
},
{
"inboundByteCount": 0,
"outboundByteCount": 984529611,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-15T10:00:00Z",
"withinByteCount": 3386016372
},
{
"inboundByteCount": 0,
"outboundByteCount": 733104221,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-15T09:00:00Z",
"withinByteCount": 3412418846
},
{
"inboundByteCount": 0,
"outboundByteCount": 1918126235,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-15T08:00:00Z",
"withinByteCount": 3637012947
},
{
"inboundByteCount": 0,
"outboundByteCount": 237026285,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-15T07:00:00Z",
"withinByteCount": 3280803860
},
{
"inboundByteCount": 0,
"outboundByteCount": 72918411,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-15T06:00:00Z",
"withinByteCount": 3192625646
},
{
"inboundByteCount": 0,
"outboundByteCount": 41484822,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-15T05:00:00Z",
"withinByteCount": 3562885609
},
{
"inboundByteCount": 0,
"outboundByteCount": 35827947,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-15T04:00:00Z",
"withinByteCount": 3164436072
},
{
"inboundByteCount": 0,
"outboundByteCount": 38951660,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-15T03:00:00Z",
"withinByteCount": 3157242110
},
{
"inboundByteCount": 0,
"outboundByteCount": 45113923,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-15T02:00:00Z",
"withinByteCount": 3198141336
},
{
"inboundByteCount": 0,
"outboundByteCount": 41711097,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-15T01:00:00Z",
"withinByteCount": 3494995049
},
{
"inboundByteCount": 0,
"outboundByteCount": 37973773,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-15T00:00:00Z",
"withinByteCount": 3107836498
},
{
"inboundByteCount": 0,
"outboundByteCount": 140825173,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-14T23:00:00Z",
"withinByteCount": 3101452647
},
{
"inboundByteCount": 0,
"outboundByteCount": 41105061,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-14T22:00:00Z",
"withinByteCount": 3076750873
},
{
"inboundByteCount": 0,
"outboundByteCount": 43776335,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-14T21:00:00Z",
"withinByteCount": 3467001185
},
{
"inboundByteCount": 0,
"outboundByteCount": 41122986,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-14T20:00:00Z",
"withinByteCount": 3158945548
},
{
"inboundByteCount": 0,
"outboundByteCount": 42376273,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-14T19:00:00Z",
"withinByteCount": 3231715048
},
{
"inboundByteCount": 0,
"outboundByteCount": 44179386,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-14T18:00:00Z",
"withinByteCount": 3205740036
},
{
"inboundByteCount": 0,
"outboundByteCount": 120232010,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-14T17:00:00Z",
"withinByteCount": 3668568860
},
{
"inboundByteCount": 0,
"outboundByteCount": 163284711,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-14T16:00:00Z",
"withinByteCount": 3246202946
},
{
"inboundByteCount": 0,
"outboundByteCount": 674875684,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-14T15:00:00Z",
"withinByteCount": 3313179934
},
{
"inboundByteCount": 0,
"outboundByteCount": 2049252448,
"tag_id": "1",
"tenant_id": "102",
"timestamp": "2021-03-14T14:00:00Z",
"withinByteCount": 3410264173
}
]
}
}

Human Readable Output

Hourly Tag Traffic Report for tenant id 102 and tag id 1:

| Timestamp | Inbound Byte Count | Outbound Byte Count | Within Byte Count |
| --- | --- | --- | --- |
| 2021-03-15T14:00:00Z | 0 | 150258936 | 1945701335 |
| 2021-03-15T13:00:00Z | 0 | 463352098 | 3505279985 |
| 2021-03-15T12:00:00Z | 0 | 262327649 | 3529956221 |
| 2021-03-15T11:00:00Z | 0 | 1122353436 | 3457833934 |
| 2021-03-15T10:00:00Z | 0 | 984529611 | 3386016372 |
| 2021-03-15T09:00:00Z | 0 | 733104221 | 3412418846 |
| 2021-03-15T08:00:00Z | 0 | 1918126235 | 3637012947 |
| 2021-03-15T07:00:00Z | 0 | 237026285 | 3280803860 |
| 2021-03-15T06:00:00Z | 0 | 72918411 | 3192625646 |
| 2021-03-15T05:00:00Z | 0 | 41484822 | 3562885609 |
| 2021-03-15T04:00:00Z | 0 | 35827947 | 3164436072 |
| 2021-03-15T03:00:00Z | 0 | 38951660 | 3157242110 |
| 2021-03-15T02:00:00Z | 0 | 45113923 | 3198141336 |
| 2021-03-15T01:00:00Z | 0 | 41711097 | 3494995049 |
| 2021-03-15T00:00:00Z | 0 | 37973773 | 3107836498 |
| 2021-03-14T23:00:00Z | 0 | 140825173 | 3101452647 |
| 2021-03-14T22:00:00Z | 0 | 41105061 | 3076750873 |
| 2021-03-14T21:00:00Z | 0 | 43776335 | 3467001185 |
| 2021-03-14T20:00:00Z | 0 | 41122986 | 3158945548 |
| 2021-03-14T19:00:00Z | 0 | 42376273 | 3231715048 |
| 2021-03-14T18:00:00Z | 0 | 44179386 | 3205740036 |
| 2021-03-14T17:00:00Z | 0 | 120232010 | 3668568860 |
| 2021-03-14T16:00:00Z | 0 | 163284711 | 3246202946 |
| 2021-03-14T15:00:00Z | 0 | 674875684 | 3313179934 |
| 2021-03-14T14:00:00Z | 0 | 2049252448 | 3410264173 |
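Two checks a detection engineer would run over the TagHourlyTraffic context returned by this command, written as an added example for this page (not code from the integration): an outbound-volume spike test against the median hour, and a scan for missing hours, since a gap in the report means lost telemetry rather than no traffic. The sample report below is constructed from the values shown above; the factor of 10 is an assumed tuning value.

```python
# Added example for this page, not the integration's own code: triage of the
# hourly tag traffic report. SAMPLE_REPORT is constructed from the sample
# context above; the spike factor is an assumed tuning value.
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Dict, List

def _row(ts: str, outbound: int, within: int) -> Dict:
    # inboundByteCount is 0 for every hour in the sample report
    return {"timestamp": ts, "inboundByteCount": 0, "outboundByteCount": outbound,
            "withinByteCount": within, "tag_id": "1", "tenant_id": "102"}

SAMPLE_REPORT = [
    _row("2021-03-15T14:00:00Z", 150258936, 1945701335),
    _row("2021-03-15T13:00:00Z", 463352098, 3505279985),
    _row("2021-03-15T12:00:00Z", 262327649, 3529956221),
    _row("2021-03-15T11:00:00Z", 1122353436, 3457833934),
    _row("2021-03-15T10:00:00Z", 984529611, 3386016372),
    _row("2021-03-15T09:00:00Z", 733104221, 3412418846),
    _row("2021-03-15T08:00:00Z", 1918126235, 3637012947),
    _row("2021-03-15T07:00:00Z", 237026285, 3280803860),
    _row("2021-03-15T06:00:00Z", 72918411, 3192625646),
    _row("2021-03-15T05:00:00Z", 41484822, 3562885609),
    _row("2021-03-15T04:00:00Z", 35827947, 3164436072),
    _row("2021-03-15T03:00:00Z", 38951660, 3157242110),
    _row("2021-03-15T02:00:00Z", 45113923, 3198141336),
    _row("2021-03-15T01:00:00Z", 41711097, 3494995049),
    _row("2021-03-15T00:00:00Z", 37973773, 3107836498),
    _row("2021-03-14T23:00:00Z", 140825173, 3101452647),
    _row("2021-03-14T22:00:00Z", 41105061, 3076750873),
    _row("2021-03-14T21:00:00Z", 43776335, 3467001185),
    _row("2021-03-14T20:00:00Z", 41122986, 3158945548),
    _row("2021-03-14T19:00:00Z", 42376273, 3231715048),
    _row("2021-03-14T18:00:00Z", 44179386, 3205740036),
    _row("2021-03-14T17:00:00Z", 120232010, 3668568860),
    _row("2021-03-14T16:00:00Z", 163284711, 3246202946),
    _row("2021-03-14T15:00:00Z", 674875684, 3313179934),
    _row("2021-03-14T14:00:00Z", 2049252448, 3410264173),
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # the report's timestamp format

def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)

def outbound_spikes(report: List[Dict], factor: float = 10.0) -> List[Dict]:
    """Hours whose outboundByteCount exceeds `factor` times the median hour.
    The median, not the mean, is the baseline so that the spikes themselves
    do not drag the threshold up. Largest spike first."""
    baseline = median([r["outboundByteCount"] for r in report])
    hits = [{"timestamp": r["timestamp"], "outbound": r["outboundByteCount"],
             "ratio_to_median": round(r["outboundByteCount"] / baseline, 1)}
            for r in report if r["outboundByteCount"] > factor * baseline]
    return sorted(hits, key=lambda h: h["outbound"], reverse=True)

def missing_hours(report: List[Dict]) -> List[str]:
    """Hourly timestamps absent between the oldest and newest row, oldest first.
    A gap is a visibility problem (no telemetry), not evidence of no traffic."""
    seen = {parse_ts(r["timestamp"]) for r in report}
    cursor, end, gaps = min(seen), max(seen), []
    while cursor <= end:
        if cursor not in seen:
            gaps.append(cursor.strftime(TS_FORMAT))
        cursor += timedelta(hours=1)
    return gaps

if __name__ == "__main__":
    print(outbound_spikes(SAMPLE_REPORT))   # the two ~2 GB outbound hours
    print(missing_hours(SAMPLE_REPORT))     # [] for the contiguous sample
```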

cisco-stealthwatch-get-top-alarming-tags

Gets the top alarming host groups (called tags in the API) for a specific domain (called tenant in the API).

Base Command

cisco-stealthwatch-get-top-alarming-tags

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant whose top alarming hosts to get. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.AlarmingTag.ipAddress | str | The IP address of the alarming tag. |
| CiscoStealthwatch.AlarmingTag.hostGroupIds | str | The host group IDs of the alarming tag. |
| CiscoStealthwatch.AlarmingTag.typeId | str | The type ID of the alarming tag. |
| CiscoStealthwatch.AlarmingTag.severity | str | The severity of the alarming tag. |
| CiscoStealthwatch.AlarmingTag.alwaysBadCount | str | The always-bad count of the alarming tag. |

Command Example

!cisco-stealthwatch-get-top-alarming-tags tenant_id=102

Context Example

{
"CiscoStealthwatch": {
"AlarmingTag": [
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0.058823529411764705,
"typeId": 1028
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0.058823529411764705,
"typeId": 1028
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0.058823529411764705,
"typeId": 1028
},
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0.3333333333333333,
"typeId": 1028
},
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 286
},
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0.058823529411764705,
"typeId": 1028
},
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
},
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 286
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0.058823529411764705,
"typeId": 1028
},
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
},
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 286
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0.058823529411764705,
"typeId": 1028
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0.058823529411764705,
"typeId": 1028
},
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
},
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 286
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0.058823529411764705,
"typeId": 1028
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 286
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
},
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 286
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
},
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 286
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
},
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 286
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0.058823529411764705,
"typeId": 1028
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0.058823529411764705,
"typeId": 1028
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 286
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
},
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 286
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
},
{
"hostGroupIds": [
1,
65534
],
"ipAddress": "x.x.x.x",
"sourceCategoryEvents": [],
"sourceSecurityEvents": [
{
"alwaysBadCount": 0,
"severity": 0,
"typeId": 276
}
],
"targetCategoryEvents": [],
"targetSecurityEvents": [],
"tenant_id": "102"
}
]
}
}

Human Readable Output#

Top Alarming Tags for tenant id 102:#

| Host Group Ids | Ip Address |
| --- | --- |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |

cisco-stealthwatch-list-security-events-initialize#


Initializes a security events search for a domain (called a tenant in the API).

Base Command#

cisco-stealthwatch-list-security-events-initialize

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant whose security events search to initialize. | Required |
| start_time | Start time. Format: YYYY-mm-ddTHH:MM:SSZ. If only start_time is given, end_time is set to the current time. | Optional |
| end_time | End time. Format: YYYY-mm-ddTHH:MM:SSZ. | Optional |
| time_range | An optional time range. For example: 3 months, 1 week, 1 day ago, etc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.SecurityEventStatus.id | str | The ID of the security event search. |
| CiscoStealthwatch.SecurityEventStatus.searchJobStatus | str | The status of the search job for the security events. |
| CiscoStealthwatch.SecurityEventStatus.percentComplete | str | The percent of the security events search that is completed. |

Command Example#

!cisco-stealthwatch-list-security-events-initialize tenant_id=102 time_range="5 minute"

Context Example#

{
"CiscoStealthwatch": {
"SecurityEventStatus": {
"id": "604f7130e4b0bbedc8c77d92",
"percentComplete": 0,
"searchJobStatus": "IN_PROGRESS"
}
}
}

Human Readable Output#

Security Events Initializing Information:#

| Id | Search Job Status | Percent Complete |
| --- | --- | --- |
| 604f7130e4b0bbedc8c77d92 | IN_PROGRESS | 0 |

cisco-stealthwatch-list-security-events-status#


Returns the status of a security events search job.

Base Command#

cisco-stealthwatch-list-security-events-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant whose security events search status to retrieve. | Required |
| search_id | The ID of the search returned by the initialize command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.SecurityEventStatus.id | str | The ID of the security event search. |
| CiscoStealthwatch.SecurityEventStatus.percentComplete | str | The percent of the security events search that is completed. |

Command Example#

!cisco-stealthwatch-list-security-events-status tenant_id=102 search_id=604f64e1e4b0bbedc8c77aa4

Context Example#

{
"CiscoStealthwatch": {
"SecurityEventStatus": {
"id": "604f64e1e4b0bbedc8c77aa4",
"percentComplete": 100,
"status": "COMPLETED"
}
}
}

Human Readable Output#

Security Events Status Information:#

| Id | Percent Complete |
| --- | --- |
| 604f64e1e4b0bbedc8c77aa4 | 100.0 |

cisco-stealthwatch-list-security-events-results#


Lists the security events results. Use this command after the search job completes.

Base Command#

cisco-stealthwatch-list-security-events-results

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant whose security events results to retrieve. | Required |
| search_id | The ID of the search returned by the initialize command. | Required |
| limit | The maximum number of security events to return. Default is 50. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.SecurityEventResults.id | str | The ID of the security event. |
| CiscoStealthwatch.SecurityEventResults.domainId | str | The domain ID of the security event. |
| CiscoStealthwatch.SecurityEventResults.deviceId | str | The device ID of the security event. |
| CiscoStealthwatch.SecurityEventResults.securityEventType | str | The type of the security event. |
| CiscoStealthwatch.SecurityEventResults.firstActiveTime | str | The first active time of the security event. |
| CiscoStealthwatch.SecurityEventResults.lastActiveTime | str | The last active time of the security event. |
| CiscoStealthwatch.SecurityEventResults.source | str | The source of the security event. |
| CiscoStealthwatch.SecurityEventResults.target | str | The target of the security event. |
| CiscoStealthwatch.SecurityEventResults.details | str | The details of the security event. |
| CiscoStealthwatch.SecurityEventResults.hitCount | str | The hit count of the security event. |

Command Example#

!cisco-stealthwatch-list-security-events-results tenant_id=102 limit=5 search_id=604f64e1e4b0bbedc8c77aa4

Context Example#

{
"CiscoStealthwatch": {
"SecurityEventResults": [
{
"details": [
{
"key": "source_host@username",
"value": ""
},
{
"key": "source_host@policy_id",
"value": "1"
},
{
"key": "source_host@mac_address",
"value": ""
},
{
"key": "target_host@username",
"value": ""
},
{
"key": "target_host@policy_id",
"value": "0"
},
{
"key": "target_host@mac_address",
"value": ""
},
{
"key": "category_points@high-concern-index",
"value": "162"
},
{
"key": "category_points@high-target-index",
"value": "162"
},
{
"key": "category_points@high-recon-index",
"value": "162"
},
{
"key": "baseline@baseline",
"value": "0"
},
{
"key": "baseline@threshold",
"value": "0"
},
{
"key": "baseline@current_value",
"value": "0"
},
{
"key": "baseline@tolerance",
"value": "0"
},
{
"key": "flow@protocol",
"value": "17"
},
{
"key": "flow@service",
"value": "16"
},
{
"key": "flow@source_port",
"value": "0"
},
{
"key": "flow@target_port",
"value": "137"
},
{
"key": "flow@event_port",
"value": "137"
},
{
"key": "flow@flow_id",
"value": "0"
},
{
"key": "flow@source_is_server",
"value": "false"
},
{
"key": "targetIPAddress",
"value": "x.x.x.x"
},
{
"key": "points",
"value": "162"
}
],
"deviceId": 121,
"domainId": 102,
"firstActiveTime": "2021-03-15T13:44:29.000+0000",
"hitCount": 1,
"id": 88195,
"lastActiveTime": "2021-03-15T13:44:29.000+0000",
"securityEventType": 310,
"source": {
"ipAddress": "x.x.x.x",
"port": 0,
"protocol": "udp",
"tags": [
{
"id": 65534,
"name": "Catch All"
}
]
},
"target": {
"ipAddress": "x.x.x.x",
"port": 137,
"protocol": "udp",
"tags": [
{
"id": 61627,
"name": "United States"
}
]
}
},
{
"details": [
{
"key": "source_host@username",
"value": ""
},
{
"key": "source_host@policy_id",
"value": "1"
},
{
"key": "source_host@mac_address",
"value": ""
},
{
"key": "target_host@username",
"value": ""
},
{
"key": "target_host@policy_id",
"value": "0"
},
{
"key": "target_host@mac_address",
"value": ""
},
{
"key": "category_points@high-concern-index",
"value": "162"
},
{
"key": "category_points@high-target-index",
"value": "162"
},
{
"key": "category_points@high-recon-index",
"value": "162"
},
{
"key": "baseline@baseline",
"value": "0"
},
{
"key": "baseline@threshold",
"value": "0"
},
{
"key": "baseline@current_value",
"value": "0"
},
{
"key": "baseline@tolerance",
"value": "0"
},
{
"key": "flow@protocol",
"value": "17"
},
{
"key": "flow@service",
"value": "16"
},
{
"key": "flow@source_port",
"value": "0"
},
{
"key": "flow@target_port",
"value": "137"
},
{
"key": "flow@event_port",
"value": "137"
},
{
"key": "flow@flow_id",
"value": "0"
},
{
"key": "flow@source_is_server",
"value": "false"
},
{
"key": "targetIPAddress",
"value": "x.x.x.x"
},
{
"key": "points",
"value": "162"
}
],
"deviceId": 121,
"domainId": 102,
"firstActiveTime": "2021-03-15T13:44:27.000+0000",
"hitCount": 1,
"id": 88194,
"lastActiveTime": "2021-03-15T13:44:27.000+0000",
"securityEventType": 310,
"source": {
"ipAddress": "x.x.x.x",
"port": 0,
"protocol": "udp",
"tags": [
{
"id": 65534,
"name": "Catch All"
}
]
},
"target": {
"ipAddress": "x.x.x.x",
"port": 137,
"protocol": "udp",
"tags": [
{
"id": 61627,
"name": "United States"
}
]
}
},
{
"details": [
{
"key": "source_host@username",
"value": ""
},
{
"key": "source_host@policy_id",
"value": "1"
},
{
"key": "source_host@mac_address",
"value": ""
},
{
"key": "target_host@username",
"value": ""
},
{
"key": "target_host@policy_id",
"value": "0"
},
{
"key": "target_host@mac_address",
"value": ""
},
{
"key": "category_points@high-concern-index",
"value": "162"
},
{
"key": "category_points@high-target-index",
"value": "162"
},
{
"key": "category_points@high-recon-index",
"value": "162"
},
{
"key": "baseline@baseline",
"value": "0"
},
{
"key": "baseline@threshold",
"value": "0"
},
{
"key": "baseline@current_value",
"value": "0"
},
{
"key": "baseline@tolerance",
"value": "0"
},
{
"key": "flow@protocol",
"value": "17"
},
{
"key": "flow@service",
"value": "16"
},
{
"key": "flow@source_port",
"value": "0"
},
{
"key": "flow@target_port",
"value": "137"
},
{
"key": "flow@event_port",
"value": "137"
},
{
"key": "flow@flow_id",
"value": "0"
},
{
"key": "flow@source_is_server",
"value": "false"
},
{
"key": "targetIPAddress",
"value": "x.x.x.x"
},
{
"key": "points",
"value": "162"
}
],
"deviceId": 121,
"domainId": 102,
"firstActiveTime": "2021-03-15T13:44:26.000+0000",
"hitCount": 1,
"id": 88193,
"lastActiveTime": "2021-03-15T13:44:26.000+0000",
"securityEventType": 310,
"source": {
"ipAddress": "x.x.x.x",
"port": 0,
"protocol": "udp",
"tags": [
{
"id": 65534,
"name": "Catch All"
}
]
},
"target": {
"ipAddress": "x.x.x.x",
"port": 137,
"protocol": "udp",
"tags": [
{
"id": 61627,
"name": "United States"
}
]
}
},
{
"details": [
{
"key": "source_host@username",
"value": ""
},
{
"key": "source_host@policy_id",
"value": "1"
},
{
"key": "source_host@mac_address",
"value": ""
},
{
"key": "target_host@username",
"value": ""
},
{
"key": "target_host@policy_id",
"value": "0"
},
{
"key": "target_host@mac_address",
"value": ""
},
{
"key": "category_points@high-concern-index",
"value": "162"
},
{
"key": "category_points@high-target-index",
"value": "162"
},
{
"key": "category_points@high-recon-index",
"value": "162"
},
{
"key": "baseline@baseline",
"value": "0"
},
{
"key": "baseline@threshold",
"value": "0"
},
{
"key": "baseline@current_value",
"value": "0"
},
{
"key": "baseline@tolerance",
"value": "0"
},
{
"key": "flow@protocol",
"value": "17"
},
{
"key": "flow@service",
"value": "16"
},
{
"key": "flow@source_port",
"value": "0"
},
{
"key": "flow@target_port",
"value": "137"
},
{
"key": "flow@event_port",
"value": "137"
},
{
"key": "flow@flow_id",
"value": "0"
},
{
"key": "flow@source_is_server",
"value": "false"
},
{
"key": "targetIPAddress",
"value": "x.x.x.x"
},
{
"key": "points",
"value": "162"
}
],
"deviceId": 121,
"domainId": 102,
"firstActiveTime": "2021-03-15T13:44:25.000+0000",
"hitCount": 1,
"id": 88192,
"lastActiveTime": "2021-03-15T13:44:25.000+0000",
"securityEventType": 310,
"source": {
"ipAddress": "x.x.x.x",
"port": 0,
"protocol": "udp",
"tags": [
{
"id": 65534,
"name": "Catch All"
}
]
},
"target": {
"ipAddress": "x.x.x.x",
"port": 137,
"protocol": "udp",
"tags": [
{
"id": 61627,
"name": "United States"
}
]
}
},
{
"details": [
{
"key": "source_host@username",
"value": ""
},
{
"key": "source_host@policy_id",
"value": "1"
},
{
"key": "source_host@mac_address",
"value": ""
},
{
"key": "target_host@username",
"value": ""
},
{
"key": "target_host@policy_id",
"value": "0"
},
{
"key": "target_host@mac_address",
"value": ""
},
{
"key": "category_points@high-concern-index",
"value": "162"
},
{
"key": "category_points@high-target-index",
"value": "162"
},
{
"key": "category_points@high-recon-index",
"value": "162"
},
{
"key": "baseline@baseline",
"value": "0"
},
{
"key": "baseline@threshold",
"value": "0"
},
{
"key": "baseline@current_value",
"value": "0"
},
{
"key": "baseline@tolerance",
"value": "0"
},
{
"key": "flow@protocol",
"value": "17"
},
{
"key": "flow@service",
"value": "16"
},
{
"key": "flow@source_port",
"value": "0"
},
{
"key": "flow@target_port",
"value": "137"
},
{
"key": "flow@event_port",
"value": "137"
},
{
"key": "flow@flow_id",
"value": "0"
},
{
"key": "flow@source_is_server",
"value": "false"
},
{
"key": "targetIPAddress",
"value": "x.x.x.x"
},
{
"key": "points",
"value": "162"
}
],
"deviceId": 121,
"domainId": 102,
"firstActiveTime": "2021-03-15T13:44:25.000+0000",
"hitCount": 1,
"id": 88191,
"lastActiveTime": "2021-03-15T13:44:25.000+0000",
"securityEventType": 310,
"source": {
"ipAddress": "x.x.x.x",
"port": 0,
"protocol": "udp",
"tags": [
{
"id": 65534,
"name": "Catch All"
}
]
},
"target": {
"ipAddress": "x.x.x.x",
"port": 137,
"protocol": "udp",
"tags": [
{
"id": 61627,
"name": "United States"
}
]
}
}
]
}
}

Human Readable Output#

Showing 5 Security Events:#

| Id | Domain Id | Device Id | Security Event Type | First Active Time | Last Active Time | Source | Target | Details | Hit Count |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 88195 | 102 | 121 | 310 | 2021-03-15T13:44:29.000+0000 | 2021-03-15T13:44:29.000+0000 | ipAddress: x.x.x.x, port: 0, protocol: udp, tags: {'name': 'Catch All', 'id': 65534} | ipAddress: x.x.x.x, port: 137, protocol: udp, tags: {'name': 'United States', 'id': 61627} | {'key': 'source_host@username', 'value': ''}, {'key': 'source_host@policy_id', 'value': '1'}, {'key': 'source_host@mac_address', 'value': ''}, {'key': 'target_host@username', 'value': ''}, {'key': 'target_host@policy_id', 'value': '0'}, {'key': 'target_host@mac_address', 'value': ''}, {'key': 'category_points@high-concern-index', 'value': '162'}, {'key': 'category_points@high-target-index', 'value': '162'}, {'key': 'category_points@high-recon-index', 'value': '162'}, {'key': 'baseline@baseline', 'value': '0'}, {'key': 'baseline@threshold', 'value': '0'}, {'key': 'baseline@current_value', 'value': '0'}, {'key': 'baseline@tolerance', 'value': '0'}, {'key': 'flow@protocol', 'value': '17'}, {'key': 'flow@service', 'value': '16'}, {'key': 'flow@source_port', 'value': '0'}, {'key': 'flow@target_port', 'value': '137'}, {'key': 'flow@event_port', 'value': '137'}, {'key': 'flow@flow_id', 'value': '0'}, {'key': 'flow@source_is_server', 'value': 'false'}, {'key': 'targetIPAddress', 'value': 'x.x.x.x'}, {'key': 'points', 'value': '162'} | 1 |
| 88194 | 102 | 121 | 310 | 2021-03-15T13:44:27.000+0000 | 2021-03-15T13:44:27.000+0000 | ipAddress: x.x.x.x, port: 0, protocol: udp, tags: {'name': 'Catch All', 'id': 65534} | ipAddress: x.x.x.x, port: 137, protocol: udp, tags: {'name': 'United States', 'id': 61627} | {'key': 'source_host@username', 'value': ''}, {'key': 'source_host@policy_id', 'value': '1'}, {'key': 'source_host@mac_address', 'value': ''}, {'key': 'target_host@username', 'value': ''}, {'key': 'target_host@policy_id', 'value': '0'}, {'key': 'target_host@mac_address', 'value': ''}, {'key': 'category_points@high-concern-index', 'value': '162'}, {'key': 'category_points@high-target-index', 'value': '162'}, {'key': 'category_points@high-recon-index', 'value': '162'}, {'key': 'baseline@baseline', 'value': '0'}, {'key': 'baseline@threshold', 'value': '0'}, {'key': 'baseline@current_value', 'value': '0'}, {'key': 'baseline@tolerance', 'value': '0'}, {'key': 'flow@protocol', 'value': '17'}, {'key': 'flow@service', 'value': '16'}, {'key': 'flow@source_port', 'value': '0'}, {'key': 'flow@target_port', 'value': '137'}, {'key': 'flow@event_port', 'value': '137'}, {'key': 'flow@flow_id', 'value': '0'}, {'key': 'flow@source_is_server', 'value': 'false'}, {'key': 'targetIPAddress', 'value': 'x.x.x.x'}, {'key': 'points', 'value': '162'} | 1 |
| 88193 | 102 | 121 | 310 | 2021-03-15T13:44:26.000+0000 | 2021-03-15T13:44:26.000+0000 | ipAddress: x.x.x.x, port: 0, protocol: udp, tags: {'name': 'Catch All', 'id': 65534} | ipAddress: x.x.x.x, port: 137, protocol: udp, tags: {'name': 'United States', 'id': 61627} | {'key': 'source_host@username', 'value': ''}, {'key': 'source_host@policy_id', 'value': '1'}, {'key': 'source_host@mac_address', 'value': ''}, {'key': 'target_host@username', 'value': ''}, {'key': 'target_host@policy_id', 'value': '0'}, {'key': 'target_host@mac_address', 'value': ''}, {'key': 'category_points@high-concern-index', 'value': '162'}, {'key': 'category_points@high-target-index', 'value': '162'}, {'key': 'category_points@high-recon-index', 'value': '162'}, {'key': 'baseline@baseline', 'value': '0'}, {'key': 'baseline@threshold', 'value': '0'}, {'key': 'baseline@current_value', 'value': '0'}, {'key': 'baseline@tolerance', 'value': '0'}, {'key': 'flow@protocol', 'value': '17'}, {'key': 'flow@service', 'value': '16'}, {'key': 'flow@source_port', 'value': '0'}, {'key': 'flow@target_port', 'value': '137'}, {'key': 'flow@event_port', 'value': '137'}, {'key': 'flow@flow_id', 'value': '0'}, {'key': 'flow@source_is_server', 'value': 'false'}, {'key': 'targetIPAddress', 'value': 'x.x.x.x'}, {'key': 'points', 'value': '162'} | 1 |
| 88192 | 102 | 121 | 310 | 2021-03-15T13:44:25.000+0000 | 2021-03-15T13:44:25.000+0000 | ipAddress: x.x.x.x, port: 0, protocol: udp, tags: {'name': 'Catch All', 'id': 65534} | ipAddress: x.x.x.x, port: 137, protocol: udp, tags: {'name': 'United States', 'id': 61627} | {'key': 'source_host@username', 'value': ''}, {'key': 'source_host@policy_id', 'value': '1'}, {'key': 'source_host@mac_address', 'value': ''}, {'key': 'target_host@username', 'value': ''}, {'key': 'target_host@policy_id', 'value': '0'}, {'key': 'target_host@mac_address', 'value': ''}, {'key': 'category_points@high-concern-index', 'value': '162'}, {'key': 'category_points@high-target-index', 'value': '162'}, {'key': 'category_points@high-recon-index', 'value': '162'}, {'key': 'baseline@baseline', 'value': '0'}, {'key': 'baseline@threshold', 'value': '0'}, {'key': 'baseline@current_value', 'value': '0'}, {'key': 'baseline@tolerance', 'value': '0'}, {'key': 'flow@protocol', 'value': '17'}, {'key': 'flow@service', 'value': '16'}, {'key': 'flow@source_port', 'value': '0'}, {'key': 'flow@target_port', 'value': '137'}, {'key': 'flow@event_port', 'value': '137'}, {'key': 'flow@flow_id', 'value': '0'}, {'key': 'flow@source_is_server', 'value': 'false'}, {'key': 'targetIPAddress', 'value': 'x.x.x.x'}, {'key': 'points', 'value': '162'} | 1 |
| 88191 | 102 | 121 | 310 | 2021-03-15T13:44:25.000+0000 | 2021-03-15T13:44:25.000+0000 | ipAddress: x.x.x.x, port: 0, protocol: udp, tags: {'name': 'Catch All', 'id': 65534} | ipAddress: x.x.x.x, port: 137, protocol: udp, tags: {'name': 'United States', 'id': 61627} | {'key': 'source_host@username', 'value': ''}, {'key': 'source_host@policy_id', 'value': '1'}, {'key': 'source_host@mac_address', 'value': ''}, {'key': 'target_host@username', 'value': ''}, {'key': 'target_host@policy_id', 'value': '0'}, {'key': 'target_host@mac_address', 'value': ''}, {'key': 'category_points@high-concern-index', 'value': '162'}, {'key': 'category_points@high-target-index', 'value': '162'}, {'key': 'category_points@high-recon-index', 'value': '162'}, {'key': 'baseline@baseline', 'value': '0'}, {'key': 'baseline@threshold', 'value': '0'}, {'key': 'baseline@current_value', 'value': '0'}, {'key': 'baseline@tolerance', 'value': '0'}, {'key': 'flow@protocol', 'value': '17'}, {'key': 'flow@service', 'value': '16'}, {'key': 'flow@source_port', 'value': '0'}, {'key': 'flow@target_port', 'value': '137'}, {'key': 'flow@event_port', 'value': '137'}, {'key': 'flow@flow_id', 'value': '0'}, {'key': 'flow@source_is_server', 'value': 'false'}, {'key': 'targetIPAddress', 'value': 'x.x.x.x'}, {'key': 'points', 'value': '162'} | 1 |
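The initialize, status and results commands above form one search workflow, and each record it returns carries its details as a list of key/value pairs whose keys are namespaced with `@` (for example `flow@protocol`). The Python below is an added example, not the integration's own code: it flattens that list into nested dicts, pulls the triage fields out of a SecurityEventResults record, and ranks source hosts by points; the sample records are constructed from the page's context example (the second record, its `y.y.y.y` address and its blank score are invented to exercise the edge cases).

```python
from typing import Any, Dict, List

# Constructed sample in the CiscoStealthwatch.SecurityEventResults shape; second record invented.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {
        "id": 88195, "domainId": 102, "deviceId": 121, "securityEventType": 310,
        "firstActiveTime": "2021-03-15T13:44:29.000+0000", "hitCount": 1,
        "source": {"ipAddress": "x.x.x.x", "port": 0, "protocol": "udp",
                   "tags": [{"id": 65534, "name": "Catch All"}]},
        "target": {"ipAddress": "x.x.x.x", "port": 137, "protocol": "udp",
                   "tags": [{"id": 61627, "name": "United States"}]},
        "details": [
            {"key": "category_points@high-concern-index", "value": "162"},
            {"key": "flow@protocol", "value": "17"},
            {"key": "flow@target_port", "value": "137"},
            {"key": "points", "value": "162"},
        ],
    },
    {   # invented: another source host, a weaker event whose score came back blank
        "id": 88196, "domainId": 102, "deviceId": 121, "securityEventType": 310,
        "firstActiveTime": "2021-03-15T13:45:01.000+0000", "hitCount": 3,
        "source": {"ipAddress": "y.y.y.y", "port": 0, "protocol": "tcp", "tags": []},
        "target": {"ipAddress": "x.x.x.x", "port": 445, "protocol": "tcp", "tags": []},
        "details": [{"key": "points", "value": ""}, {"key": "flow@protocol", "value": "6"}],
    },
]

def flatten_details(details: List[Dict[str, str]]) -> Dict[str, Any]:
    """'flow@protocol' -> out['flow']['protocol']; keys without '@' stay top level; later duplicates win."""
    out: Dict[str, Any] = {}
    for item in details or []:
        key, value = str(item.get("key", "")), item.get("value", "")
        if "@" in key:
            ns, name = key.split("@", 1)
            out.setdefault(ns, {})[name] = value
        elif key:
            out[key] = value
    return out

def _to_int(value: Any, default: int = 0) -> int:
    try:  # detail values arrive as strings; tolerate blanks and non-numeric text
        return int(value)
    except (TypeError, ValueError):
        return default

def summarize_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Pull the fields an analyst triages on into one flat record."""
    d = flatten_details(event.get("details", []))
    src, dst = event.get("source", {}), event.get("target", {})
    return {
        "id": event.get("id"),
        "source": f"{src.get('ipAddress')}:{src.get('port')}/{src.get('protocol')}",
        "target": f"{dst.get('ipAddress')}:{dst.get('port')}/{dst.get('protocol')}",
        "points": _to_int(d.get("points")),
        "concern_index": _to_int(d.get("category_points", {}).get("high-concern-index")),
        "ip_protocol": _to_int(d.get("flow", {}).get("protocol")),
        "hit_count": _to_int(event.get("hitCount")),
    }

def rank_sources(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Total points and hits per source IP so the noisiest host surfaces first (IPv4 form assumed)."""
    totals: Dict[str, Dict[str, Any]] = {}
    for ev in map(summarize_event, events):
        ip = ev["source"].split(":", 1)[0]
        row = totals.setdefault(ip, {"source_ip": ip, "points": 0, "events": 0, "hits": 0})
        row["points"] += ev["points"]
        row["events"] += 1
        row["hits"] += ev["hit_count"]
    return sorted(totals.values(), key=lambda r: (-r["points"], -r["hits"]))
```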