Overview
Use the Cisco Secure Cloud Analytics (Stealthwatch Cloud) integration to manage threats to your networks.
This integration was integrated and tested with Cisco Secure Cloud Analytics (Stealthwatch Cloud) v1.0.0.
Use cases
- Fetch incidents
- Block domains (Block list)
- Update alerts
Configure Cisco Secure Cloud Analytics (Stealthwatch Cloud) on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for Stealthwatch Cloud.
- Click Add instance to create and configure a new integration instance.
  - Name: a textual name for the integration instance.
  - Stealthwatch server URL
  - Stealthwatch Cloud API key. Should be in the form of "ApiKey :<api_key>"
  - Use system proxy settings
  - Trust any certificate (not secure)
  - Fetch incidents
  - Incident type
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get information for an alert: sw-show-alert
- Update an alert: sw-update-alert
- Get a list of all alerts: sw-list-alerts
- Block a domain or IP: sw-block-domain-or-ip
- Unblock a domain: sw-unblock-domain
- Get a list of blocked domains: sw-list-blocked-domains
- Get a list of observations: sw-list-observations
- Get a list of sessions by session occurrence time: sw-list-sessions
1. Get information for an alert
Returns information about a specific alert by the alert ID.
Base Command
sw-show-alert
Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alertID | The ID of the required alert | Required |
| addComments | Add comments information, can be long | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Stealthwatch.Alert.id | number | Alert ID |
| Stealthwatch.Alert.assigned_to | string | Alert assignee |
| Stealthwatch.Alert.obj_created | date | Alert creation date |
| Stealthwatch.Alert.last_modified | date | Alert last modification |
| Stealthwatch.Alert.resolved | boolean | Alert state |
| Stealthwatch.Alert.source_info.ips | string | IP of the alert's source |
| Stealthwatch.Alert.source_info.hostnames | string | Hostname of the alert's source |
Command Example
!sw-show-alert alertID=275
Context Example
```json
{
    "assigned_to": null,
    "assigned_to_username": null,
    "created": "2018-07-23T15:30:00Z",
    "description": "Source has started a port scan on a device internal to your network.",
    "hostname": "",
    "id": 275,
    "ips_when_created": [],
    "last_modified": "2018-10-02T22:41:07.749868Z",
    "merit": 3,
    "natural_time": "1 month ago",
    "obj_created": "2018-07-23T16:34:01.566717Z",
    "priority": 2,
    "publish_time": "2018-07-23T16:34:01.531458+00:00",
    "resolved": true,
    "resolved_time": "2018-11-17T05:00:01.458445Z",
    "resolved_user": null,
    "rules_matched": null,
    "snooze_settings": null,
    "source": 48858,
    "source_info": {
        "created": "2018-09-23T15:49:39.025415+00:00",
        "hostnames": [],
        "ips": [
            "5.5.255.25"
        ],
        "name": "test.com",
        "namespace": "default"
    },
    "source_name": "5.5.255.25",
    "source_params": {
        "id": 48852,
        "meta": "net-link",
        "name": "test.com"
    },
    "tags": [],
    "text": "Internal Port Scanner on 5.5.255.25",
    "time": "2018-10-02T21:49:00Z",
    "type": "Internal Port Scanner"
}
```
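The context table above lists which fields of the raw alert the integration surfaces, and the Fetch incidents use case needs a rule for which alerts become new incidents. The following Python is an added example, not code from the integration: it projects the README's sample alert onto the Stealthwatch.Alert context keys and shows a last-fetch-time filter (an assumed design, keyed on obj_created) that keeps a fetch loop from opening the same alert as an incident twice. The second alert in the sample list is constructed for the example.

```python
import json
from datetime import datetime

# Constructed sample data: the first alert is the README's context example for
# `!sw-show-alert alertID=275` (trimmed to the fields used here); the second is
# an invented open alert so that the fetch filter below has something to select.
SAMPLE_ALERTS = json.loads("""
[
  {
    "assigned_to": null,
    "id": 275,
    "last_modified": "2018-10-02T22:41:07.749868Z",
    "obj_created": "2018-07-23T16:34:01.566717Z",
    "priority": 2,
    "resolved": true,
    "source_info": {"hostnames": [], "ips": ["5.5.255.25"], "name": "test.com"},
    "text": "Internal Port Scanner on 5.5.255.25",
    "type": "Internal Port Scanner"
  },
  {
    "assigned_to": 17,
    "id": 276,
    "last_modified": "2018-07-24T09:05:12.000000Z",
    "obj_created": "2018-07-24T09:00:00.000000Z",
    "priority": 3,
    "resolved": false,
    "source_info": {"hostnames": ["host-a.example.internal"], "ips": ["10.0.0.7"], "name": "host-a"},
    "text": "Constructed sample alert on 10.0.0.7",
    "type": "Constructed Sample Type"
  }
]
""")


def parse_api_time(value: str) -> datetime:
    """Parse the ISO-8601 timestamps in the alert JSON ('Z' suffix, optional microseconds)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def alert_to_context(raw: dict) -> dict:
    """Project a raw alert onto the Stealthwatch.Alert context keys from the table above."""
    source = raw.get("source_info") or {}
    return {
        "id": raw.get("id"),
        "assigned_to": raw.get("assigned_to"),
        "obj_created": raw.get("obj_created"),
        "last_modified": raw.get("last_modified"),
        "resolved": raw.get("resolved"),
        "source_info": {
            "ips": list(source.get("ips") or []),
            "hostnames": list(source.get("hostnames") or []),
        },
    }


def new_alerts_since(raws: list, last_fetch: datetime) -> tuple:
    """Fetch-incidents style selection (assumed design, not the integration's own):
    keep only alerts created strictly after last_fetch, oldest first, and return the
    new high-water mark so the next fetch does not re-create the same incidents."""
    fresh = sorted(
        (a for a in raws if parse_api_time(a["obj_created"]) > last_fetch),
        key=lambda a: parse_api_time(a["obj_created"]),
    )
    high_water = parse_api_time(fresh[-1]["obj_created"]) if fresh else last_fetch
    return [alert_to_context(a) for a in fresh], high_water


if __name__ == "__main__":
    since = parse_api_time("2018-07-23T16:00:00Z")
    incidents, mark = new_alerts_since(SAMPLE_ALERTS, since)
    print(len(incidents), "new alert(s); next fetch starts at", mark.isoformat())
```

Using a strict "greater than" comparison against the stored mark means an alert whose obj_created equals the mark is never fetched again; if the API can return several alerts with the identical timestamp, a caller should additionally remember the ids seen at that timestamp.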
2. Update an alert
Updates an alert.
Base Command
sw-update-alert
Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alertID | The ID of the alert to update | Required |
| resolved | Set the resolved field to true and set the merit field to close an alert. merit can be 8 ("helpful") or 9 ("not helpful") | Optional |
| merit | Set the resolved field to true and set the merit field to close an alert. merit can be 8 ("helpful") or 9 ("not helpful") | Optional |
| tags | Tags (string) | Optional |
| new_comment | Set the new_comment field to add a comment to the alert | Optional |
| publish_time | Publish time (string), e.g., publish_time=2018-08-01T07:54:39Z | Optional |
| snooze_settings | Snooze settings (string) | Optional |
| resolved_user | Username (string) | Optional |
| assigned_to | Assigned to (integer) | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Stealthwatch.Alert.id | number | Alert ID |
| Stealthwatch.Alert.assigned_to | string | Alert assignee |
| Stealthwatch.Alert.obj_created | date | Alert creation date |
| Stealthwatch.Alert.last_modified | date | Date the alert was last modified |
| Stealthwatch.Alert.resolved | boolean | Alert state |
| Stealthwatch.Alert.source_info.ips | string | IP of the alert's source |
| Stealthwatch.Alert.source_info.hostname | string | Hostname of the alert's source |
Command Example
!sw-update-alert alertID=275 merit=8 tags=test
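The argument table for sw-update-alert states a few rules worth checking before a request leaves the playbook: merit is only meaningful as 8 or 9, closing an alert needs both resolved=true and a merit value, and publish_time follows the YYYY-MM-DDTHH:MM:SSZ shape of the example. The Python below is an added example, not the integration's code: a validator that turns command-style arguments into an update body and rejects anything the table does not describe. Treating tags as a comma-separated list is an assumption made here.

```python
from datetime import datetime

# Merit values documented for sw-update-alert
MERIT_HELPFUL = 8
MERIT_NOT_HELPFUL = 9
PUBLISH_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # the shape used in the README example
ALLOWED_ARGS = {"resolved", "merit", "tags", "new_comment", "publish_time",
                "snooze_settings", "resolved_user", "assigned_to"}


def build_alert_update(args: dict) -> dict:
    """Validate sw-update-alert style arguments and return the update body.

    Rules enforced, taken from the table above: merit must be 8 or 9; closing an
    alert means resolved=true together with a merit value, so resolved=true without
    merit is rejected; publish_time must match YYYY-MM-DDTHH:MM:SSZ; assigned_to is an
    integer. Splitting tags on commas is an assumption of this example.
    """
    unknown = set(args) - ALLOWED_ARGS
    if unknown:
        raise ValueError(f"unsupported argument(s): {sorted(unknown)}")
    body = {}
    if "merit" in args:
        merit = int(args["merit"])
        if merit not in (MERIT_HELPFUL, MERIT_NOT_HELPFUL):
            raise ValueError("merit must be 8 (helpful) or 9 (not helpful)")
        body["merit"] = merit
    if "resolved" in args:
        resolved = str(args["resolved"]).strip().lower()
        if resolved not in ("true", "false"):
            raise ValueError("resolved must be true or false")
        body["resolved"] = resolved == "true"
        if body["resolved"] and "merit" not in body:
            raise ValueError("closing an alert requires merit 8 or 9 alongside resolved=true")
    if "publish_time" in args:
        datetime.strptime(args["publish_time"], PUBLISH_TIME_FMT)  # ValueError if malformed
        body["publish_time"] = args["publish_time"]
    if "assigned_to" in args:
        body["assigned_to"] = int(args["assigned_to"])
    if "tags" in args:
        body["tags"] = [t.strip() for t in str(args["tags"]).split(",") if t.strip()]
    for key in ("new_comment", "snooze_settings", "resolved_user"):
        if key in args:
            body[key] = args[key]
    return body


def validate_or_error(args: dict) -> tuple:
    """Return (body, None) on success or (None, message) so a playbook step can
    surface the rejection reason instead of raising."""
    try:
        return build_alert_update(args), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Mirrors the README's command example: `!sw-update-alert alertID=275 merit=8 tags=test`
    print(validate_or_error({"merit": "8", "tags": "test"}))
    print(validate_or_error({"resolved": "true"}))  # rejected: no merit given
```

Rejecting unknown argument names is deliberate: a typo such as `merrit=8` would otherwise silently produce a request that changes nothing, and the analyst would believe the alert had been closed.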
3. Get a list of all alerts
Get the list of Stealthwatch alerts.
Base Command
sw-list-alerts
Input
| Argument Name | Description | Required |
| --- | --- | --- |
| status | Filters alerts by status: open, closed, or all. Default is open. The all status enables you to see an individual alert whether it is open or closed. | Optional |
| search | Finds a particular string in the alerts, e.g., a particular IP address, hostname, or alert type. | Optional |
| assignee | Filter to only display alerts assigned to a specific user | Optional |
| tags | Shows only alerts that are assigned a particular incident tag | Optional |
| limit | Number of alerts to list, default is 5 | Optional |
| addComments | Add comment to an alert, long-text supported | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Stealthwatch.Alert.id | number | Alert ID |
| Stealthwatch.Alert.assigned_to | string | Alert assignee |
| Stealthwatch.Alert.obj_created | date | Alert creation date |
| Stealthwatch.Alert.last_modified | date | Date the alert was last modified |
| Stealthwatch.Alert.resolved | boolean | Alert state |
| Stealthwatch.Alert.source_info.ips | string | IP of the alert's source |
| Stealthwatch.Alert.source_info.hostname | string | Hostname of the alert's source |
Context Example
```json
{
    "assigned_to": null,
    "assigned_to_username": null,
    "created": "2018-07-23T15:30:00Z",
    "description": "Source has started a port scan on a device internal to your network.",
    "hostname": "",
    "id": 275,
    "ips_when_created": [],
    "last_modified": "2018-10-02T22:41:07.749868Z",
    "merit": 3,
    "natural_time": "1 month ago",
    "obj_created": "2018-07-23T16:34:01.566717Z",
    "priority": 2,
    "publish_time": "2018-07-23T16:34:01.531458+00:00",
    "resolved": true,
    "resolved_time": "2018-11-17T05:00:01.458445Z",
    "resolved_user": null,
    "rules_matched": null,
    "snooze_settings": null,
    "source": 48858,
    "source_info": {
        "created": "2018-09-23T15:49:39.025415+00:00",
        "hostnames": [],
        "ips": [
            "5.5.255.25"
        ],
        "name": "test.com",
        "namespace": "default"
    },
    "source_name": "5.5.255.25",
    "source_params": {
        "id": 48852,
        "meta": "net-link",
        "name": "test.com"
    },
    "tags": [],
    "text": "Internal Port Scanner on 5.5.255.25",
    "time": "2018-10-02T21:49:00Z",
    "type": "Internal Port Scanner"
}
```
4. Block a domain or IP
Adds a domain or IP to the block list.
Base Command
sw-block-domain-or-ip
Input
| Argument Name | Description | Required |
| --- | --- | --- |
| domain | Domain to add to the block list | Optional |
| ip | IP to add to the block list | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Stealthwatch.Domain.identifier | string | Domain name |
| Stealthwatch.Domain.title | string | Domain title |
| Stealthwatch.Domain.id | number | Domain ID |
| Stealthwatch.IP.identifier | string | IP address |
| Stealthwatch.IP.title | string | IP title |
| Stealthwatch.IP.id | string | IP ID |
Command Example
!sw-block-domain-or-ip domain=test.com
5. Unblock a domain
Removes a domain from the block list.
Base Command
sw-unblock-domain
Input
| Argument Name | Description | Required |
| --- | --- | --- |
| id | ID of the domain to remove from the block list. You can find the id by running the sw-list-blocked-domains command. | Required |
Context Output
There is no context output for this command.
Command Example
!sw-unblock-domain id=5
6. Get a list of blocked domains
Returns a list of blocked domains.
Base Command
sw-list-blocked-domains
Input
| Argument Name | Description | Required |
| --- | --- | --- |
| search | Finds a particular string in the alerts, e.g., a particular IP address, hostname, or alert type. | Optional |
| domain | Search for a specific domain | Optional |
| limit | Number of domains to list, default is 5 | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Stealthwatch.Domain.identifier | string | Domain name |
| Stealthwatch.Domain.title | string | Domain title |
| Stealthwatch.Domain.id | number | Domain ID |
Command Example
!sw-list-blocked-domains limit=5
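Commands 4 to 6 form one block-list workflow: sw-block-domain-or-ip takes either a domain or an IP (both are optional in the table, so a caller has to make sure exactly one is given), the result lands under Stealthwatch.Domain or Stealthwatch.IP, and sw-unblock-domain needs the id that sw-list-blocked-domains reports. The Python below is an added example, not the integration's code: it validates the block target, decides which context branch it belongs to, and looks up the id for a later unblock. The blocked-list sample and the hostname regex are constructed for this example; the regex is stricter than what the service may accept.

```python
import ipaddress
import re

# Hostname check in the RFC 1035 style: labels of 1-63 chars, no leading or trailing
# hyphen, alphabetic top-level label, 253 chars overall (assumption of this example).
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)

# Constructed sample of what sw-list-blocked-domains returns, shaped like the
# Stealthwatch.Domain context table (identifier / title / id).
SAMPLE_BLOCKED = [
    {"identifier": "test.com", "title": "test.com", "id": 5},
    {"identifier": "bad.example.net", "title": "added during incident review", "id": 9},
]


def classify_block_target(domain: str = None, ip: str = None) -> tuple:
    """Validate sw-block-domain-or-ip arguments: exactly one of domain/ip must be given
    and it must be well formed. Returns ("Domain" or "IP", normalized identifier)."""
    if bool(domain) == bool(ip):
        raise ValueError("provide exactly one of domain or ip")
    if ip:
        addr = ipaddress.ip_address(ip.strip())  # ValueError on anything that is not an address
        return "IP", str(addr)
    name = domain.strip().lower().rstrip(".")
    if not DOMAIN_RE.match(name):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return "Domain", name


def find_blocked_id(domain: str, blocked: list):
    """Look up the block-list id for a domain (case-insensitive, trailing dot ignored).
    This is the id sw-unblock-domain expects; None means the domain is not on the list."""
    wanted = domain.strip().lower().rstrip(".")
    for entry in blocked:
        if str(entry.get("identifier", "")).lower().rstrip(".") == wanted:
            return entry["id"]
    return None


def plan_block(domain: str = None, ip: str = None, blocked: list = None) -> dict:
    """Describe what a block request would do: the context path the result lands in,
    the normalized identifier, and whether the domain is already on the list (so a
    playbook can skip a duplicate request and still know the id for a later unblock)."""
    blocked = SAMPLE_BLOCKED if blocked is None else blocked
    kind, ident = classify_block_target(domain, ip)
    existing = find_blocked_id(ident, blocked) if kind == "Domain" else None
    return {
        "context_path": f"Stealthwatch.{kind}",
        "identifier": ident,
        "already_blocked": existing is not None,
        "existing_id": existing,
    }


if __name__ == "__main__":
    # Mirrors the README's examples: block test.com, then find the id `!sw-unblock-domain id=5` uses
    print(plan_block(domain="test.com"))
    print(plan_block(ip="5.5.255.25"))
```

Normalizing case and the trailing dot before the lookup matters because a block list keyed on the literal string would happily accept `Test.com.` as a second entry for the same name, and the later unblock would then remove only one of them.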
7. Get a list of observations
Returns observations by alert ID, observation ID, or a free search.
Base Command
sw-list-observations
Input
| Argument Name | Description | Required |
| --- | --- | --- |
| search | Finds a particular string amongst the alerts. For example, a particular IP address, hostname, or alert type. | Optional |
| alert | Use the alert query parameter with an alert ID to only show observations referenced by the alert | Optional |
| id | Get a specific observation by its ID | Optional |
| limit | Number of observations to list. Default is 5 | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Stealthwatch.Observation.id | number | Observation ID |
| Stealthwatch.Observation.port_count | number | Observation port count |
| Stealthwatch.Observation.creation_time | string | Observation creation time |
| Stealthwatch.Observation.end_time | string | Observation end time |
| Stealthwatch.Observation.scanned_ip | string | Observation scanned IP |
| Stealthwatch.Observation.scanner_ip | string | Observation scanner IP |
| Stealthwatch.Observation.source | unknown | Observation source |
Command Example
!sw-list-observations alert=222
Context Example
```json
{
    "cidr_range": "5.5.5.179/32",
    "connected_ip": null,
    "connected_ip_country_code": "",
    "creation_time": "2018-07-23T15:30:00Z",
    "end_time": "2018-07-23T15:30:00Z",
    "id": 12345,
    "observation_name": "Port Scanner",
    "port_count": 24,
    "port_ranges": "0-1023",
    "resource_name": "port_scanner_v1",
    "scan_type": "internal",
    "scanned_packets": 5,
    "scanner_packets": 75,
    "source": 48822,
    "time": "2018-07-23T15:30:00Z"
}
```
8. Get a list of sessions by session occurrence time
Get sessions by the session's occurrence time (time format: YYYY-MM-DDTHH:MM:SSZ).
Base Command
sw-list-sessions
Input
| Argument Name | Description | Required |
| --- | --- | --- |
| startTime | Session start time (UTC), e.g., startTime="2018-09-30T12:00:00Z" | Required |
| endTime | Session end time (UTC), e.g., endTime="2018-07-31T15:00:00Z" | Optional |
| limit | Number of observations to list, default is 400 | Optional |
| ip | Source IP address to filter by | Optional |
| connectedIP | Connected IP to filter by | Optional |
| connectedDeviceId | Connected device ID | Optional |
| sessionType | Type of session: select external or internal to receive data only about this type of session | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Stealthwatch.Session.id | number | Session ID |
| Stealthwatch.Session.port | number | Session port |
| Stealthwatch.Session.start_timestamp_utc | string | Session start time |
| Stealthwatch.Session.ip | string | Session IP |
| Stealthwatch.Session.connected_ip | string | Session connected IP |
| Stealthwatch.Session.device_id | number | Source device ID |
| Stealthwatch.Session.connected_device_id | number | Connected device ID |
| Stealthwatch.Session.connected_device_is_external | boolean | Is the connected device external |
Command Example
!sw-list-sessions startTime="2018-10-30T12:00:00Z" endTime="2018-11-01T12:00:00Z"
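sw-list-sessions is the command an analyst reaches for when pivoting from an alert to the flows around it, so the time window and filters need to be right before the query is sent. The Python below is an added example, not the integration's code: it validates the arguments in the table (the YYYY-MM-DDTHH:MM:SSZ format, a window whose end is not before its start, sessionType limited to external/internal, IPs that parse) and then applies the same filters client-side to constructed sample sessions shaped like the Stealthwatch.Session context, so the effect of each argument is visible offline.

```python
import ipaddress
from datetime import datetime, timezone

SESSION_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # format the command documents
DEFAULT_LIMIT = 400                      # default limit from the argument table

# Constructed sample sessions shaped like the Stealthwatch.Session context table.
SAMPLE_SESSIONS = [
    {"id": 1, "port": 443, "start_timestamp_utc": "2018-10-30T12:05:00Z", "ip": "10.0.0.7",
     "connected_ip": "5.5.255.25", "device_id": 101, "connected_device_id": 202,
     "connected_device_is_external": True},
    {"id": 2, "port": 445, "start_timestamp_utc": "2018-10-30T13:10:00Z", "ip": "10.0.0.7",
     "connected_ip": "10.0.0.9", "device_id": 101, "connected_device_id": 103,
     "connected_device_is_external": False},
    {"id": 3, "port": 22, "start_timestamp_utc": "2018-11-02T08:00:00Z", "ip": "10.0.0.12",
     "connected_ip": "5.5.255.25", "device_id": 104, "connected_device_id": 202,
     "connected_device_is_external": True},
]


def parse_session_time(value: str) -> datetime:
    """Parse YYYY-MM-DDTHH:MM:SSZ into an aware UTC datetime; ValueError on any other shape."""
    return datetime.strptime(value, SESSION_TIME_FMT).replace(tzinfo=timezone.utc)


def build_session_query(startTime, endTime=None, limit=DEFAULT_LIMIT, ip=None,
                        connectedIP=None, connectedDeviceId=None, sessionType=None) -> dict:
    """Validate sw-list-sessions arguments and return a normalized query dict."""
    start = parse_session_time(startTime)
    end = parse_session_time(endTime) if endTime else None
    if end is not None and end < start:
        raise ValueError("endTime must not be earlier than startTime")
    if sessionType not in (None, "external", "internal"):
        raise ValueError("sessionType must be external or internal")
    limit = int(limit)
    if limit <= 0:
        raise ValueError("limit must be positive")
    for value in (ip, connectedIP):
        if value:
            ipaddress.ip_address(value)  # ValueError if not an IP address
    return {
        "start": start, "end": end, "limit": limit, "ip": ip, "connectedIP": connectedIP,
        "connectedDeviceId": int(connectedDeviceId) if connectedDeviceId is not None else None,
        "sessionType": sessionType,
    }


def filter_sessions(sessions: list, query: dict) -> list:
    """Apply the validated query to session records, the way the service would server-side."""
    out = []
    for s in sessions:
        ts = parse_session_time(s["start_timestamp_utc"])
        if ts < query["start"] or (query["end"] is not None and ts > query["end"]):
            continue
        if query["ip"] and s["ip"] != query["ip"]:
            continue
        if query["connectedIP"] and s["connected_ip"] != query["connectedIP"]:
            continue
        if query["connectedDeviceId"] is not None and s["connected_device_id"] != query["connectedDeviceId"]:
            continue
        if query["sessionType"] == "external" and not s["connected_device_is_external"]:
            continue
        if query["sessionType"] == "internal" and s["connected_device_is_external"]:
            continue
        out.append(s)
    return out[: query["limit"]]


if __name__ == "__main__":
    # Mirrors the README's command example window
    q = build_session_query("2018-10-30T12:00:00Z", "2018-11-01T12:00:00Z")
    print([s["id"] for s in filter_sessions(SAMPLE_SESSIONS, q)])
```

The end-before-start check is worth keeping even though the service may simply return nothing for such a window: an empty result looks identical to "no sessions occurred", which is a misleading answer during an investigation.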