# Cisco Secure Network Analytics (Stealthwatch)

This integration is part of the Cisco Secure Network Analytics (Stealthwatch) Pack.

Supported Cortex XSOAR versions: 5.5.0 and later.

Scalable visibility and security analytics. This integration was integrated and tested with version 7.2.1 of Cisco Secure Network Analytics (Stealthwatch). Due to changes in the product API, versions 7.3.2 and later are currently not supported.
## Configure Cisco Stealthwatch in Cortex XSOAR

| Parameter | Description | Required |
| --- | --- | --- |
| Server URL | Server URL of the Cisco Stealthwatch console, e.g. https://ip:port/. | True |
| User Credentials | Username and password for the console API. | True |
| Trust any certificate (not secure) | Skips TLS certificate verification for the console. Leave disabled outside lab environments: with verification off, the credentials above can be captured by anyone able to interpose on the connection. | False |
| Use system proxy settings | | False |

## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### cisco-stealthwatch-query-flows-initialize

Initializes a flow search based on the specified arguments. You must provide a start time, a time range, or both a start time and an end time. The search runs asynchronously: poll it with cisco-stealthwatch-query-flows-status and fetch the rows with cisco-stealthwatch-query-flows-results once it reports 100 percent complete.

#### Base Command

`cisco-stealthwatch-query-flows-initialize`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant for which to initialize the flow search. | Required |
| start_time | Start time in the format YYYY-mm-ddTHH:MM:SSZ. If start_time is provided without end_time, end_time is set to the current time. | Optional |
| end_time | End time in the format YYYY-mm-ddTHH:MM:SSZ. | Optional |
| time_range | A relative time range, for example: 3 months, 1 week, 1 day ago. | Optional |
| limit | The maximum number of records to retrieve. Default is 20. | Optional |
| ip_addresses | The IP address by which to filter the results. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.FlowStatus.id | str | The ID of the flow search. |
| CiscoStealthwatch.FlowStatus.searchJobStatus | str | The status of the flow search job. |
| CiscoStealthwatch.FlowStatus.percentComplete | str | The percentage of the flow search that has completed. |

#### Command Example

`!cisco-stealthwatch-query-flows-initialize tenant_id=102 limit=3 time_range="1 week"`

#### Human Readable Output

Query Flows Initializing Information:

| Id | Status | Percent Complete |
| --- | --- | --- |
| 604f7115e4b0bbedc8c77d8d | IN_PROGRESS | 100.0 |
### cisco-stealthwatch-query-flows-status

Checks the flow search status.

#### Base Command

`cisco-stealthwatch-query-flows-status`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant for which to check the flow search status. | Required |
| search_id | The ID of the search returned by the cisco-stealthwatch-query-flows-initialize command. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.FlowStatus.id | str | The ID of the flow search. |
| CiscoStealthwatch.FlowStatus.percentComplete | str | The percentage of the flow search that has completed. |

#### Command Example

`!cisco-stealthwatch-query-flows-status tenant_id=102 search_id=604f64afe4b0bbedc8c77a9d`

#### Human Readable Output

Query Flows Status Information:

| Id | Percent Complete |
| --- | --- |
| 604f64afe4b0bbedc8c77a9d | 100.0 |
### cisco-stealthwatch-query-flows-results

Retrieves the flow search results. Use this command after the search job completes.

#### Base Command

`cisco-stealthwatch-query-flows-results`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant for which to retrieve the flow search results. | Required |
| search_id | The ID of the search returned by the cisco-stealthwatch-query-flows-initialize command. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.FlowResults.id | str | The ID of the flow. |
| CiscoStealthwatch.FlowResults.tenantId | str | The tenant ID of the flow. |
| CiscoStealthwatch.FlowResults.flowCollectorId | str | The flow collector ID of the flow. |
| CiscoStealthwatch.FlowResults.protocol | str | The protocol of the flow. |
| CiscoStealthwatch.FlowResults.serviceId | str | The service ID of the flow. |
| CiscoStealthwatch.FlowResults.statistics | str | The statistics of the flow. |
| CiscoStealthwatch.FlowResults.peer | str | The peer of the flow. |
| CiscoStealthwatch.FlowResults.subject | str | The subject of the flow. |

#### Command Example

`!cisco-stealthwatch-query-flows-results tenant_id=102 search_id=604f64afe4b0bbedc8c77a9d`

#### Human Readable Output
Query Flows Results Information:

Flow 10142775 (Tenant Id: 102, Flow Collector Id: 121, Protocol: UDP, Service Id: 38)

```
Statistics:
activeDuration: 320000
numCombinedFlowRecords: 2
firstActiveTime: 2021-03-15T13:36:15.000+0000
lastActiveTime: 2021-03-15T13:41:35.000+0000
tcpRetransmissions: -1
byteCount: 21403751
packetCount: 15667
byteRate: 267546.8875
packetRate: 195.8375
tcpConnections: 0
roundTripTime: 0
serverResponseTime: 0
subjectPeerRatio: 100.0
rttAverage: -1
rttMaximum: -1
rttMinimum: -1
srtAverage: -1
srtMaximum: -1
srtMinimum: -1
flowTimeSinceStart: 240673
tcpRetransmissionsRatio: -0.006382842918235782

Peer:
hostGroupIds: 65534
countryCode: XR
ipAddress: x.x.x.x
natPort: -1
portProtocol: {"port": 2055, "protocol": "UDP", "serviceId": 0}
percentBytes: 0.0
bytes: 0
packets: 0
byteRate: 0.0
packetRate: 0.0
orientation: server
finPackets: 0
rstPackets: 0
synPackets: 0
synAckPackets: 0
tlsVersion: NONE
trustSecId: -1

Subject:
hostGroupIds: 65534
countryCode: XR
ipAddress: x.x.x.x
natPort: -1
portProtocol: {"port": 59315, "protocol": "UDP", "serviceId": 0}
percentBytes: 100.0
bytes: 21403751
packets: 15667
byteRate: 267546.8875
packetRate: 195.8375
orientation: client
finPackets: 0
rstPackets: 0
synPackets: 0
synAckPackets: 0
tlsVersion: NONE
trustSecId: -1
```

Flow 10142776 (Tenant Id: 102, Flow Collector Id: 121, Protocol: UDP, Service Id: 38)

```
Statistics:
activeDuration: 320000
numCombinedFlowRecords: 2
firstActiveTime: 2021-03-15T13:36:15.000+0000
lastActiveTime: 2021-03-15T13:41:35.000+0000
tcpRetransmissions: -1
byteCount: 21403751
packetCount: 15667
byteRate: 267546.8875
packetRate: 195.8375
tcpConnections: 0
roundTripTime: 0
serverResponseTime: 0
subjectPeerRatio: 100.0
rttAverage: -1
rttMaximum: -1
rttMinimum: -1
srtAverage: -1
srtMaximum: -1
srtMinimum: -1
flowTimeSinceStart: 240673
tcpRetransmissionsRatio: -0.006382842918235782

Peer:
hostGroupIds: 65534
countryCode: XR
ipAddress: x.x.x.x
natPort: -1
portProtocol: {"port": 2055, "protocol": "UDP", "serviceId": 0}
percentBytes: 0.0
bytes: 0
packets: 0
byteRate: 0.0
packetRate: 0.0
orientation: server
finPackets: 0
rstPackets: 0
synPackets: 0
synAckPackets: 0
tlsVersion: NONE
trustSecId: -1

Subject:
hostGroupIds: 65534
countryCode: XR
ipAddress: x.x.x.x
natPort: -1
portProtocol: {"port": 52656, "protocol": "UDP", "serviceId": 0}
percentBytes: 100.0
bytes: 21403751
packets: 15667
byteRate: 267546.8875
packetRate: 195.8375
orientation: client
finPackets: 0
rstPackets: 0
synPackets: 0
synAckPackets: 0
tlsVersion: NONE
trustSecId: -1
```

Flow 10142778 (Tenant Id: 102, Flow Collector Id: 121, Protocol: UDP, Service Id: 73)

```
Statistics:
activeDuration: 320000
numCombinedFlowRecords: 2
firstActiveTime: 2021-03-15T13:36:15.000+0000
lastActiveTime: 2021-03-15T13:41:35.000+0000
tcpRetransmissions: -1
byteCount: 213807311
packetCount: 173345
byteRate: 2672591.3875
packetRate: 2166.8125
tcpConnections: 0
roundTripTime: 0
serverResponseTime: 0
subjectPeerRatio: 100.0
rttAverage: -1
rttMaximum: -1
rttMinimum: -1
srtAverage: -1
srtMaximum: -1
srtMinimum: -1
flowTimeSinceStart: 240673
tcpRetransmissionsRatio: -0.0005768842481756036

Peer:
hostGroupIds: 65534
countryCode: XR
ipAddress: x.x.x.x
natPort: -1
portProtocol: {"port": 514, "protocol": "UDP", "serviceId": 0}
percentBytes: 0.0
bytes: 0
packets: 0
byteRate: 0.0
packetRate: 0.0
orientation: server
finPackets: 0
rstPackets: 0
synPackets: 0
synAckPackets: 0
tlsVersion: NONE
trustSecId: -1

Subject:
hostGroupIds: 65534
countryCode: XR
ipAddress: x.x.x.x
natPort: -1
portProtocol: {"port": 48861, "protocol": "UDP", "serviceId": 0}
percentBytes: 100.0
bytes: 213807311
packets: 173345
byteRate: 2672591.3875
packetRate: 2166.8125
orientation: client
finPackets: 0
rstPackets: 0
synPackets: 0
synAckPackets: 0
tlsVersion: NONE
trustSecId: -1
```
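The three flow-search commands above form one asynchronous procedure: initialize returns a search ID, status is polled until the job reports 100 percent complete, and only then are results fetched. The example below, added here and not part of the integration's own code, drives that sequence with a deadline and then reduces each returned flow to the fields an analyst triages. FakeStealthwatchClient is a constructed stand-in whose responses copy the shapes and values shown in the outputs above (search ID 604f64afe4b0bbedc8c77a9d, flow 10142775); a real client would make the HTTPS calls behind the three commands. Because the status output exposes only percentComplete, a job is treated as finished when that value reaches 100.

```python
"""Drive the asynchronous flow search (initialize -> status -> results) and summarize the rows.

Added example; not the integration's code. FakeStealthwatchClient is a constructed stand-in
built from the command outputs on this page.
"""
import time
from typing import Any, Callable, Dict, List


class SearchTimeout(Exception):
    """Raised when the search job does not reach 100 percent before the deadline."""


class FakeStealthwatchClient:
    """Constructed stand-in: reports an incomplete job for `pending_polls` status checks, then completes."""

    def __init__(self, pending_polls: int = 2) -> None:
        self._polls_left = pending_polls
        self.search_id = "604f64afe4b0bbedc8c77a9d"  # search ID from the page's command examples

    def initialize(self, tenant_id: str, **search_args: Any) -> Dict[str, Any]:
        return {"id": self.search_id, "searchJobStatus": "IN_PROGRESS", "percentComplete": 0.0}

    def status(self, tenant_id: str, search_id: str) -> Dict[str, Any]:
        if self._polls_left > 0:
            self._polls_left -= 1
            return {"id": search_id, "percentComplete": 50.0}
        return {"id": search_id, "percentComplete": 100.0}

    def results(self, tenant_id: str, search_id: str) -> List[Dict[str, Any]]:
        # Constructed from flow 10142775 in the results output above (IPs are placeholders, as on the page).
        return [{
            "id": 10142775, "tenantId": 102, "flowCollectorId": 121, "protocol": "UDP", "serviceId": 38,
            "statistics": {"byteCount": 21403751, "packetCount": 15667, "activeDuration": 320000},
            "subject": {"ipAddress": "x.x.x.x", "orientation": "client", "bytes": 21403751,
                        "portProtocol": {"port": 59315, "protocol": "UDP", "serviceId": 0}},
            "peer": {"ipAddress": "x.x.x.x", "orientation": "server", "bytes": 0,
                     "portProtocol": {"port": 2055, "protocol": "UDP", "serviceId": 0}},
        }]


def run_flow_search(client: Any, tenant_id: str, *, poll_interval: float = 5.0, timeout: float = 300.0,
                    sleep: Callable[[float], None] = time.sleep,
                    clock: Callable[[], float] = time.monotonic, **search_args: Any) -> List[Dict[str, Any]]:
    """Initialize a search, poll its status until complete (or the deadline passes), then fetch the results."""
    search_id = client.initialize(tenant_id, **search_args)["id"]
    deadline = clock() + timeout
    while True:
        status = client.status(tenant_id, search_id)
        if float(status.get("percentComplete", 0)) >= 100.0:
            return client.results(tenant_id, search_id)
        if clock() >= deadline:
            raise SearchTimeout(f"search {search_id} still incomplete after {timeout}s")
        sleep(poll_interval)


def summarize_flow(flow: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce one flow record to who talked to whom, how much, and in which direction."""
    # Stealthwatch labels each end with an orientation; do not assume subject == client.
    ends = {flow["subject"]["orientation"]: flow["subject"], flow["peer"]["orientation"]: flow["peer"]}
    client_end, server_end = ends["client"], ends["server"]
    stats = flow["statistics"]
    return {
        "id": flow["id"],
        "client": f'{client_end["ipAddress"]}:{client_end["portProtocol"]["port"]}',
        "server": f'{server_end["ipAddress"]}:{server_end["portProtocol"]["port"]}',
        "protocol": flow["protocol"],
        "bytes_total": stats["byteCount"],
        "bytes_from_client": client_end["bytes"],
        "bytes_from_server": server_end["bytes"],
        # activeDuration is in milliseconds: 320000 matches the 5m20s between the page's firstActiveTime and lastActiveTime.
        "seconds_active": stats["activeDuration"] / 1000,
        # Traffic in one direction only (e.g. NetFlow export to UDP/2055) reads differently from an interactive
        # exchange when hunting for exfiltration, so surface it explicitly.
        "one_way": client_end["bytes"] == 0 or server_end["bytes"] == 0,
    }


if __name__ == "__main__":
    for f in run_flow_search(FakeStealthwatchClient(), "102", time_range="1 week", sleep=lambda s: None):
        print(summarize_flow(f))
```

In a playbook the same loop is what a polling task does between the status and results commands; the deadline matters because a search that never completes would otherwise block the incident indefinitely. The sample flows on this page are all one-way UDP to ports 2055 and 514 (the conventional NetFlow and syslog collector ports), which is the expected telemetry pattern rather than something to escalate.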
### cisco-stealthwatch-list-tags

Lists the host groups (called tags in the API).

#### Base Command

`cisco-stealthwatch-list-tags`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant whose tags to list. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.Tag.id | str | The ID of the tag. |
| CiscoStealthwatch.Tag.displayName | str | The display name of the tag. |

#### Command Example

`!cisco-stealthwatch-list-tags tenant_id=102`

#### Human Readable Output

Tags for tenant_id: 102:

| Display Name | Id |
| --- | --- |
| Internal Host Tags | 1 |
| Servers | 2 |
| Employee Wired | 3 |
| Client IP Ranges (DHCP Range) | 5 |
| Other | 6 |
| Protected Asset Monitoring | 10 |
| Proxies | 11 |
| VoIP | 12 |
| VoIP Gateways | 13 |
| Multicast | 14 |
| Link-Local | 17 |
| Broadcast | 18 |
| Localhost | 19 |
| By Function | 23 |
| DMZ | 24 |
| Antivirus Servers | 25 |
| Backup Servers | 26 |
| DNS Servers | 27 |
| File Servers | 28 |
| Mail Servers | 30 |
| NTP Servers | 31 |
| Employee VPN | 33 |
| Web Servers | 34 |
| DHCP Servers | 36 |
| VoIP Endpoints | 37 |
| Domain Controllers | 38 |
| By Location | 43 |
| Employee Wireless | 44 |
| Guest Wireless | 45 |
| Network Scanners | 48 |
| SMS Servers | 50 |
| NAT Gateway | 51 |
| Internet Facing Load Balancer VIPs | 50067 |
| Internet Services | 50068 |
| Protected Trapped Hosts - Honeypot | 50069 |
| Database Servers | 50075 |
| Trusted Users | 50076 |
| Untrusted Users | 50077 |
| Load Balancer VIPs | 50079 |
| Internal Facing Load Balancer VIPs | 50080 |
| Catch All | 65534 |
### cisco-stealthwatch-get-tag

Gets a single host group (called a tag in the API).

#### Base Command

`cisco-stealthwatch-get-tag`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant that owns the tag. | Required |
| tag_id | The ID of the tag for which to get more information. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.Tag.id | str | The ID of the tag. |
| CiscoStealthwatch.Tag.name | str | The name of the tag. |
| CiscoStealthwatch.Tag.location | str | The location of the tag. |
| CiscoStealthwatch.Tag.domainId | str | The domain ID of the tag. |

#### Command Example

`!cisco-stealthwatch-get-tag tenant_id=102 tag_id=1`

#### Human Readable Output

Tag 1 with tenant id 102 results:

| Id | Name | Location | Domain Id |
| --- | --- | --- | --- |
| 1 | Inside Hosts | INSIDE | 102 |
### cisco-stealthwatch-list-tenants

Lists all domains (called tenants in the API), or gets a single domain when tenant_id is specified.

#### Base Command

`cisco-stealthwatch-list-tenants`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant for which to retrieve information. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.Tenant.id | str | The ID of the tenant. |
| CiscoStealthwatch.Tenant.displayName | str | The display name of the tenant. |

#### Command Example

`!cisco-stealthwatch-list-tenants`

#### Human Readable Output

Tenants:

| Id | Display Name |
| --- | --- |
| 102 | companyname |
### cisco-stealthwatch-get-tag-hourly-traffic-report

Gets the hourly traffic summary (byte counts) for a single host group (called a tag in the API).

#### Base Command

`cisco-stealthwatch-get-tag-hourly-traffic-report`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant that owns the host group. | Required |
| tag_id | The ID of the tag (host group) for which to get the report. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.TagHourlyTraffic.timestamp | str | Start of the hour the summary covers. |
| CiscoStealthwatch.TagHourlyTraffic.inboundByteCount | str | Bytes sent into the host group during that hour. |
| CiscoStealthwatch.TagHourlyTraffic.outboundByteCount | str | Bytes sent out of the host group during that hour. |
| CiscoStealthwatch.TagHourlyTraffic.withinByteCount | str | Bytes exchanged between members of the host group during that hour. |
| CiscoStealthwatch.TagHourlyTraffic.tenant_id | str | The tenant ID the summary belongs to. |
| CiscoStealthwatch.TagHourlyTraffic.tag_id | str | The tag (host group) ID the summary belongs to. |

#### Command Example

`!cisco-stealthwatch-get-tag-hourly-traffic-report tenant_id=102 tag_id=1`

#### Human Readable Output

Hourly Tag Traffic Report for tenant id 102 and tag id 1:

| Timestamp | Inbound Byte Count | Outbound Byte Count | Within Byte Count |
| --- | --- | --- | --- |
| 2021-03-15T14:00:00Z | 0 | 150258936 | 1945701335 |
| 2021-03-15T13:00:00Z | 0 | 463352098 | 3505279985 |
| 2021-03-15T12:00:00Z | 0 | 262327649 | 3529956221 |
| 2021-03-15T11:00:00Z | 0 | 1122353436 | 3457833934 |
| 2021-03-15T10:00:00Z | 0 | 984529611 | 3386016372 |
| 2021-03-15T09:00:00Z | 0 | 733104221 | 3412418846 |
| 2021-03-15T08:00:00Z | 0 | 1918126235 | 3637012947 |
| 2021-03-15T07:00:00Z | 0 | 237026285 | 3280803860 |
| 2021-03-15T06:00:00Z | 0 | 72918411 | 3192625646 |
| 2021-03-15T05:00:00Z | 0 | 41484822 | 3562885609 |
| 2021-03-15T04:00:00Z | 0 | 35827947 | 3164436072 |
| 2021-03-15T03:00:00Z | 0 | 38951660 | 3157242110 |
| 2021-03-15T02:00:00Z | 0 | 45113923 | 3198141336 |
| 2021-03-15T01:00:00Z | 0 | 41711097 | 3494995049 |
| 2021-03-15T00:00:00Z | 0 | 37973773 | 3107836498 |
| 2021-03-14T23:00:00Z | 0 | 140825173 | 3101452647 |
| 2021-03-14T22:00:00Z | 0 | 41105061 | 3076750873 |
| 2021-03-14T21:00:00Z | 0 | 43776335 | 3467001185 |
| 2021-03-14T20:00:00Z | 0 | 41122986 | 3158945548 |
| 2021-03-14T19:00:00Z | 0 | 42376273 | 3231715048 |
| 2021-03-14T18:00:00Z | 0 | 44179386 | 3205740036 |
| 2021-03-14T17:00:00Z | 0 | 120232010 | 3668568860 |
| 2021-03-14T16:00:00Z | 0 | 163284711 | 3246202946 |
| 2021-03-14T15:00:00Z | 0 | 674875684 | 3313179934 |
| 2021-03-14T14:00:00Z | 0 | 2049252448 | 3410264173 |
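The hourly report is the natural input for a simple exfiltration check: hours in which a host group pushed far more data out than it usually does. The example below, added here and not part of the integration, parses the report for tenant 102 / tag 1 exactly as printed above (timestamp, inbound, outbound and within byte counts, newest first) and flags outbound outliers. The page describes no detection logic; the modified z-score over the median and median absolute deviation, and the 3.5 cut-off, are this example's assumptions, chosen because a robust statistic is not dragged upward by the very spikes it is meant to catch.

```python
"""Flag hours with anomalously high outbound traffic in a host-group hourly traffic report.

Added example; not part of the integration. REPORT is the Hourly Tag Traffic Report for
tenant 102 / tag 1 from this page, copied verbatim. The scoring method is an assumption.
"""
import statistics
from typing import Dict, List, Tuple

REPORT = """\
2021-03-15T14:00:00Z 0 150258936 1945701335
2021-03-15T13:00:00Z 0 463352098 3505279985
2021-03-15T12:00:00Z 0 262327649 3529956221
2021-03-15T11:00:00Z 0 1122353436 3457833934
2021-03-15T10:00:00Z 0 984529611 3386016372
2021-03-15T09:00:00Z 0 733104221 3412418846
2021-03-15T08:00:00Z 0 1918126235 3637012947
2021-03-15T07:00:00Z 0 237026285 3280803860
2021-03-15T06:00:00Z 0 72918411 3192625646
2021-03-15T05:00:00Z 0 41484822 3562885609
2021-03-15T04:00:00Z 0 35827947 3164436072
2021-03-15T03:00:00Z 0 38951660 3157242110
2021-03-15T02:00:00Z 0 45113923 3198141336
2021-03-15T01:00:00Z 0 41711097 3494995049
2021-03-15T00:00:00Z 0 37973773 3107836498
2021-03-14T23:00:00Z 0 140825173 3101452647
2021-03-14T22:00:00Z 0 41105061 3076750873
2021-03-14T21:00:00Z 0 43776335 3467001185
2021-03-14T20:00:00Z 0 41122986 3158945548
2021-03-14T19:00:00Z 0 42376273 3231715048
2021-03-14T18:00:00Z 0 44179386 3205740036
2021-03-14T17:00:00Z 0 120232010 3668568860
2021-03-14T16:00:00Z 0 163284711 3246202946
2021-03-14T15:00:00Z 0 674875684 3313179934
2021-03-14T14:00:00Z 0 2049252448 3410264173
"""


def parse_report(text: str) -> List[Dict]:
    """Turn the printed report into rows keyed like the TagHourlyTraffic context output, oldest hour first."""
    rows = []
    for line in text.strip().splitlines():
        ts, inbound, outbound, within = line.split()
        rows.append({"timestamp": ts, "inboundByteCount": int(inbound),
                     "outboundByteCount": int(outbound), "withinByteCount": int(within)})
    # The console returns newest-first; ISO-8601 strings in one zone sort chronologically.
    return sorted(rows, key=lambda r: r["timestamp"])


def modified_z_scores(values: List[int]) -> List[float]:
    """Iglewicz-Hoaglin modified z-score: 0.6745 * (x - median) / MAD (assumption, not from the page)."""
    median = statistics.median(values)
    mad = statistics.median([abs(v - median) for v in values])
    if mad == 0:
        # Degenerate series such as the all-zero inbound column: nothing departs from the median,
        # and anything that did would have no spread to be scored against.
        return [0.0 if v == median else float("inf") for v in values]
    return [0.6745 * (v - median) / mad for v in values]


def flag_spikes(rows: List[Dict], field: str = "outboundByteCount",
                threshold: float = 3.5) -> List[Tuple[str, int, float]]:
    """Return (timestamp, byte count, score) for hours whose `field` scores above the threshold."""
    scores = modified_z_scores([r[field] for r in rows])
    return [(r["timestamp"], r[field], round(s, 2)) for r, s in zip(rows, scores) if s > threshold]


if __name__ == "__main__":
    for ts, outbound, score in flag_spikes(parse_report(REPORT)):
        print(f"{ts} outbound={outbound} score={score}")
```

On the page's own data the median hour moves about 120 MB out of the group and six hours score above 3.5, the largest being 2021-03-14T14:00:00Z at just over 2 GB. Whether that is backup traffic or something to chase is a question for the flow search, but a 25-hour window is short for a baseline; in practice pull several days so that the diurnal pattern is represented in the median.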
### cisco-stealthwatch-get-top-alarming-tags

Gets the top alarming host groups (called tags in the API) for a specific domain (called a tenant in the API).

#### Base Command

`cisco-stealthwatch-get-top-alarming-tags`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant for which to get the top alarming hosts. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.AlarmingTag.ipAddress | str | The IP address of the alarming host. |
| CiscoStealthwatch.AlarmingTag.hostGroupIds | str | The host group IDs of the alarming host. |
| CiscoStealthwatch.AlarmingTag.typeId | str | The type ID of the alarm. |
| CiscoStealthwatch.AlarmingTag.severity | str | The severity of the alarm. |
| CiscoStealthwatch.AlarmingTag.alwaysBadCount | str | The always-bad count of the alarming host. |

#### Command Example

`!cisco-stealthwatch-get-top-alarming-tags tenant_id=102`

#### Human Readable Output

Top Alarming Tags for tenant id 102:

| Host Group Ids | Ip Address |
| --- | --- |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
| 1, 65534 | x.x.x.x |
### cisco-stealthwatch-list-security-events-initialize

Initializes a security event search for a domain (called a tenant in the API). Like the flow search, this is asynchronous: poll with cisco-stealthwatch-list-security-events-status and fetch with cisco-stealthwatch-list-security-events-results once the job completes.

#### Base Command

`cisco-stealthwatch-list-security-events-initialize`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant for which to initialize the security event search. | Required |
| start_time | Start time in the format YYYY-mm-ddTHH:MM:SSZ. If only start_time is given, end_time is set to the current time. | Optional |
| end_time | End time in the format YYYY-mm-ddTHH:MM:SSZ. | Optional |
| time_range | A relative time range, for example: 3 months, 1 week, 1 day ago. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.SecurityEventStatus.id | str | The ID of the security event search. |
| CiscoStealthwatch.SecurityEventStatus.searchJobStatus | str | The status of the security event search job. |
| CiscoStealthwatch.SecurityEventStatus.percentComplete | str | The percentage of the security event search that has completed. |

#### Command Example

`!cisco-stealthwatch-list-security-events-initialize tenant_id=102 time_range="5 minute"`

#### Human Readable Output

Security Events Initializing Information:

| Id | Search Job Status | Percent Complete |
| --- | --- | --- |
| 604f7130e4b0bbedc8c77d92 | IN_PROGRESS | 0 |
### cisco-stealthwatch-list-security-events-status

Checks the security event search status.

#### Base Command

`cisco-stealthwatch-list-security-events-status`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant for which to check the security event search status. | Required |
| search_id | The ID of the search returned by the initialize command. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.SecurityEventStatus.id | str | The ID of the security event search. |
| CiscoStealthwatch.SecurityEventStatus.percentComplete | str | The percentage of the security event search that has completed. |

#### Command Example

`!cisco-stealthwatch-list-security-events-status tenant_id=102 search_id=604f64e1e4b0bbedc8c77aa4`

#### Human Readable Output

Security Events Status Information:

| Id | Percent Complete |
| --- | --- |
| 604f64e1e4b0bbedc8c77aa4 | 100.0 |
### cisco-stealthwatch-list-security-events-results

Lists the security event search results. Use this command after the search job completes.

#### Base Command

`cisco-stealthwatch-list-security-events-results`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | The ID of the tenant for which to retrieve the security event search results. | Required |
| search_id | The ID of the search returned by the initialize command. | Required |
| limit | The maximum number of security events to return. Default is 50. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoStealthwatch.SecurityEventResults.id | str | The ID of the security event. |
| CiscoStealthwatch.SecurityEventResults.domainId | str | The domain ID of the security event. |
| CiscoStealthwatch.SecurityEventResults.deviceId | str | The device ID of the security event. |
| CiscoStealthwatch.SecurityEventResults.securityEventType | str | The type of the security event. |
| CiscoStealthwatch.SecurityEventResults.firstActiveTime | str | The first active time of the security event. |
| CiscoStealthwatch.SecurityEventResults.lastActiveTime | str | The last active time of the security event. |
| CiscoStealthwatch.SecurityEventResults.source | str | The source of the security event. |
| CiscoStealthwatch.SecurityEventResults.target | str | The target of the security event. |
| CiscoStealthwatch.SecurityEventResults.details | str | The details of the security event. |
| CiscoStealthwatch.SecurityEventResults.hitCount | str | The hit count of the security event. |

#### Command Example

`!cisco-stealthwatch-list-security-events-results tenant_id=102 limit=5 search_id=604f64e1e4b0bbedc8c77aa4`

#### Human Readable Output
Showing 5 Security Events:

| Id | Domain Id | Device Id | Security Event Type | First Active Time | Last Active Time | Hit Count |
| --- | --- | --- | --- | --- | --- | --- |
| 88195 | 102 | 121 | 310 | 2021-03-15T13:44:29.000+0000 | 2021-03-15T13:44:29.000+0000 | 1 |
| 88194 | 102 | 121 | 310 | 2021-03-15T13:44:27.000+0000 | 2021-03-15T13:44:27.000+0000 | 1 |
| 88193 | 102 | 121 | 310 | 2021-03-15T13:44:26.000+0000 | 2021-03-15T13:44:26.000+0000 | 1 |
| 88192 | 102 | 121 | 310 | 2021-03-15T13:44:25.000+0000 | 2021-03-15T13:44:25.000+0000 | 1 |
| 88191 | 102 | 121 | 310 | 2021-03-15T13:44:25.000+0000 | 2021-03-15T13:44:25.000+0000 | 1 |

The Source, Target and Details columns are identical for all five events:

```
Source:
ipAddress: x.x.x.x
port: 0
protocol: udp
tags: {'name': 'Catch All', 'id': 65534}

Target:
ipAddress: x.x.x.x
port: 137
protocol: udp
tags: {'name': 'United States', 'id': 61627}

Details:
{'key': 'source_host@username', 'value': ''},
{'key': 'source_host@policy_id', 'value': '1'},
{'key': 'source_host@mac_address', 'value': ''},
{'key': 'target_host@username', 'value': ''},
{'key': 'target_host@policy_id', 'value': '0'},
{'key': 'target_host@mac_address', 'value': ''},
{'key': 'category_points@high-concern-index', 'value': '162'},
{'key': 'category_points@high-target-index', 'value': '162'},
{'key': 'category_points@high-recon-index', 'value': '162'},
{'key': 'baseline@baseline', 'value': '0'},
{'key': 'baseline@threshold', 'value': '0'},
{'key': 'baseline@current_value', 'value': '0'},
{'key': 'baseline@tolerance', 'value': '0'},
{'key': 'flow@protocol', 'value': '17'},
{'key': 'flow@service', 'value': '16'},
{'key': 'flow@source_port', 'value': '0'},
{'key': 'flow@target_port', 'value': '137'},
{'key': 'flow@event_port', 'value': '137'},
{'key': 'flow@flow_id', 'value': '0'},
{'key': 'flow@source_is_server', 'value': 'false'},
{'key': 'targetIPAddress', 'value': 'x.x.x.x'},
{'key': 'points', 'value': '162'}
```
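The details column is a flat list of key/value pairs whose keys carry a namespace before the `@` (source_host, target_host, category_points, baseline, flow), plus a few keys without one (targetIPAddress, points). The example below, added here and not part of the integration, parses that list into nested fields and then collapses the five single-hit events above into one triage record keyed on event type, source and target. The five events are constructed from the page's output (ids 88191 to 88195, UDP/137, 162 points each); the representation of `source.tags` and `target.tags` as lists, the `event` bucket for keys without a namespace, and the grouping key are this example's assumptions.

```python
"""Parse and aggregate security-event search results for triage.

Added example; not part of the integration. EVENTS is constructed from the output
printed above; list-shaped tags and the grouping key are assumptions.
"""
from typing import Any, Dict, List, Tuple

IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # IANA protocol numbers (flow@protocol is numeric)

SHARED_DETAILS = [  # identical on all five events in the page output
    {"key": "source_host@username", "value": ""},
    {"key": "source_host@policy_id", "value": "1"},
    {"key": "source_host@mac_address", "value": ""},
    {"key": "target_host@username", "value": ""},
    {"key": "target_host@policy_id", "value": "0"},
    {"key": "target_host@mac_address", "value": ""},
    {"key": "category_points@high-concern-index", "value": "162"},
    {"key": "category_points@high-target-index", "value": "162"},
    {"key": "category_points@high-recon-index", "value": "162"},
    {"key": "baseline@baseline", "value": "0"},
    {"key": "baseline@threshold", "value": "0"},
    {"key": "baseline@current_value", "value": "0"},
    {"key": "baseline@tolerance", "value": "0"},
    {"key": "flow@protocol", "value": "17"},
    {"key": "flow@service", "value": "16"},
    {"key": "flow@source_port", "value": "0"},
    {"key": "flow@target_port", "value": "137"},
    {"key": "flow@event_port", "value": "137"},
    {"key": "flow@flow_id", "value": "0"},
    {"key": "flow@source_is_server", "value": "false"},
    {"key": "targetIPAddress", "value": "x.x.x.x"},
    {"key": "points", "value": "162"},
]


def make_event(event_id: int, when: str) -> Dict[str, Any]:
    """Constructed event in the shape of the SecurityEventResults context output (IPs are placeholders)."""
    return {
        "id": event_id, "domainId": 102, "deviceId": 121, "securityEventType": 310,
        "firstActiveTime": when, "lastActiveTime": when, "hitCount": 1,
        "source": {"ipAddress": "x.x.x.x", "port": 0, "protocol": "udp",
                   "tags": [{"name": "Catch All", "id": 65534}]},
        "target": {"ipAddress": "x.x.x.x", "port": 137, "protocol": "udp",
                   "tags": [{"name": "United States", "id": 61627}]},
        "details": list(SHARED_DETAILS),
    }


EVENTS = [
    make_event(88195, "2021-03-15T13:44:29.000+0000"),
    make_event(88194, "2021-03-15T13:44:27.000+0000"),
    make_event(88193, "2021-03-15T13:44:26.000+0000"),
    make_event(88192, "2021-03-15T13:44:25.000+0000"),
    make_event(88191, "2021-03-15T13:44:25.000+0000"),
]


def parse_details(details: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Group 'namespace@name' keys into nested dicts; keys with no '@' land under 'event' (assumption)."""
    parsed: Dict[str, Dict[str, str]] = {}
    for item in details:
        namespace, _, name = item["key"].partition("@")
        if not name:
            namespace, name = "event", item["key"]
        parsed.setdefault(namespace, {})[name] = item["value"]
    return parsed


def summarize_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Pull out the fields an analyst reads first, with the protocol number resolved to a name."""
    d = parse_details(event["details"])
    proto = int(d["flow"]["protocol"])
    return {
        "id": event["id"],
        "type": event["securityEventType"],
        "source_ip": event["source"]["ipAddress"],
        "target": f'{event["target"]["ipAddress"]}:{d["flow"]["target_port"]}/{IP_PROTO_NAMES.get(proto, str(proto))}',
        "points": int(d["event"]["points"]),
        "categories": {k: int(v) for k, v in d["category_points"].items()},
        # A zero baseline threshold means the event was not a deviation from a learned baseline.
        "baseline_driven": int(d["baseline"]["threshold"]) > 0,
        "source_groups": [t["name"] for t in event["source"]["tags"]],
    }


def group_events(events: List[Dict[str, Any]]) -> Dict[Tuple[int, str, str], Dict[str, Any]]:
    """Collapse repeated (type, source, target) events into one record with a time window and totals."""
    groups: Dict[Tuple[int, str, str], Dict[str, Any]] = {}
    for event in events:
        s = summarize_event(event)
        g = groups.setdefault((s["type"], s["source_ip"], s["target"]), {
            "event_ids": [], "hits": 0, "points": 0,
            "first": event["firstActiveTime"], "last": event["lastActiveTime"]})
        g["event_ids"].append(event["id"])
        g["hits"] += event["hitCount"]
        g["points"] += s["points"]
        g["first"] = min(g["first"], event["firstActiveTime"])  # same ISO format, so string order is time order
        g["last"] = max(g["last"], event["lastActiveTime"])
    return groups


if __name__ == "__main__":
    for key, g in group_events(EVENTS).items():
        print(key, g)
```

On the page's data the five events collapse to one record: five hits from one source against UDP/137 (NetBIOS name service) on one target within four seconds. Triaging that as a single incident, rather than opening five, is usually what a playbook should do with bursts like this; the page does not say what event type 310 denotes, so the type is kept as an opaque key here.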