Stealthwatch Cloud

Overview


Use the Cisco Stealthwatch Cloud integration to fetch Stealthwatch alerts into Demisto as incidents, update alert state, and manage the domain and IP blacklist.

This integration was integrated and tested with Cisco Stealthwatch Cloud v1.0.0.

Use cases


  1. Fetch incidents
  2. Block domains and IPs (blacklist)
  3. Update alerts

Configure Stealthwatch Cloud on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Stealthwatch Cloud.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Stealthwatch server URL
    • Stealthwatch Cloud API key. Should be in the form of "ApiKey :<api_key>"
    • Use system proxy settings
    • Trust any certificate (not secure)
    • Fetch incidents
    • Incident type
  4. Click Test to validate the URLs, token, and connection.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get information for an alert: sw-show-alert
  2. Update an alert: sw-update-alert
  3. Get a list of all alerts: sw-list-alerts
  4. Block a domain or IP: sw-block-domain-or-ip
  5. Unblock a domain: sw-unblock-domain
  6. Get a list of blocked domains: sw-list-blocked-domains
  7. Get a list of observations: sw-list-observations
  8. Get a list of sessions by session occurrence time: sw-list-sessions

1. Get information for an alert


Returns information about a specific alert by the alert ID.

Base Command
sw-show-alert
Input
Argument Name  Description                                                Required
alertID        The ID of the alert to retrieve.                           Required
addComments    Include the alert's comments in the output (can be long).  Optional
Context Output
Path                                       Type     Description
Stealthwatch.Alert.id                      number   Alert ID
Stealthwatch.Alert.assigned_to             string   Alert assignee
Stealthwatch.Alert.obj_created             date     Alert creation date
Stealthwatch.Alert.last_modified           date     Date the alert was last modified
Stealthwatch.Alert.resolved                boolean  Whether the alert is resolved (closed)
Stealthwatch.Alert.source_info.ips         string   IP address(es) of the alert's source
Stealthwatch.Alert.source_info.hostnames   string   Hostname(s) of the alert's source
Command Example
!sw-show-alert alertID=275
Context Example
{
  "assigned_to": null,
  "assigned_to_username": null,
  "created": "2018-07-23T15:30:00Z",
  "description": "Source has started a port scan on a device internal to your network.",
  "hostname": "",
  "id": 275,
  "ips_when_created": [],
  "last_modified": "2018-10-02T22:41:07.749868Z",
  "merit": 3,
  "natural_time": "1 month ago",
  "obj_created": "2018-07-23T16:34:01.566717Z",
  "priority": 2,
  "publish_time": "2018-07-23T16:34:01.531458+00:00",
  "resolved": true,
  "resolved_time": "2018-11-17T05:00:01.458445Z",
  "resolved_user": null,
  "rules_matched": null,
  "snooze_settings": null,
  "source": 48858,
  "source_info": {
    "created": "2018-09-23T15:49:39.025415+00:00",
    "hostnames": [],
    "ips": [
      "5.5.255.25"
    ],
    "name": "test.com",
    "namespace": "default"
  },
  "source_name": "5.5.255.25",
  "source_params": {
    "id": 48852,
    "meta": "net-link",
    "name": "test.com"
  },
  "tags": [],
  "text": "Internal Port Scanner on 5.5.255.25",
  "time": "2018-10-02T21:49:00Z",
  "type": "Internal Port Scanner"
}
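Two things a playbook author usually wants from this record: the projection onto the Stealthwatch.Alert.* context paths listed above, and the bookkeeping that the "Fetch incidents" use case depends on (only ingest alerts created after the previous run). The block below is an added example, not code from the Demisto integration or from Cisco. The first alert is the sample from this page; the second alert, the last-run marker and the Demisto incident field names (name, occurred, rawJSON) are assumptions made here for illustration.

```python
"""Map a Stealthwatch Cloud alert onto the documented context keys and do the
bookkeeping fetch-incidents needs (ingest only alerts created after the last run).

Added example; not the integration's own code. SAMPLE_ALERT is the README's
context example, OLDER_ALERT and the last-run marker are constructed.
"""
import json
from datetime import datetime, timezone

# Alert record copied (trimmed) from the README's sw-show-alert context example.
SAMPLE_ALERT = {
    "assigned_to": None,
    "assigned_to_username": None,
    "created": "2018-07-23T15:30:00Z",
    "description": "Source has started a port scan on a device internal to your network.",
    "id": 275,
    "last_modified": "2018-10-02T22:41:07.749868Z",
    "merit": 3,
    "obj_created": "2018-07-23T16:34:01.566717Z",
    "priority": 2,
    "resolved": True,
    "source_info": {"hostnames": [], "ips": ["5.5.255.25"], "name": "test.com"},
    "text": "Internal Port Scanner on 5.5.255.25",
    "type": "Internal Port Scanner",
}

# Constructed alert that was created before the last-run marker used below.
OLDER_ALERT = {
    "id": 270,
    "assigned_to": None,
    "obj_created": "2018-07-23T12:00:00Z",
    "last_modified": "2018-07-23T12:05:00Z",
    "resolved": False,
    "source_info": {"hostnames": ["host-a.example.internal"], "ips": ["10.1.2.3"]},
    "text": "constructed alert",
    "type": "Constructed",
}


def parse_timestamp(value):
    """Parse the API's ISO-8601 timestamps ('Z' or '+00:00' suffix, with or
    without fractional seconds) into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def alert_to_context(alert):
    """Project a raw alert onto the Stealthwatch.Alert.* paths from the
    context output table. Missing fields become None/empty, never KeyError."""
    source = alert.get("source_info") or {}
    return {
        "id": alert.get("id"),
        "assigned_to": alert.get("assigned_to"),
        "obj_created": alert.get("obj_created"),
        "last_modified": alert.get("last_modified"),
        "resolved": bool(alert.get("resolved")),
        "source_info": {
            "ips": list(source.get("ips") or []),
            "hostnames": list(source.get("hostnames") or []),
        },
    }


def fetch_incidents(alerts, last_run):
    """Turn alerts created strictly after `last_run` into incidents, oldest
    first, and return (incidents, new_last_run).

    The strict '>' means an alert sharing the exact last-run timestamp is
    skipped, so the marker keeps the API's fractional seconds."""
    cutoff = parse_timestamp(last_run)
    fresh = [a for a in alerts if parse_timestamp(a["obj_created"]) > cutoff]
    fresh.sort(key=lambda a: parse_timestamp(a["obj_created"]))
    incidents = [
        {
            "name": "Stealthwatch alert %s: %s" % (a["id"], a.get("text") or a.get("type", "")),
            "occurred": a["obj_created"],
            "rawJSON": json.dumps(a),  # full record preserved for the incident layout
        }
        for a in fresh
    ]
    new_last_run = fresh[-1]["obj_created"] if fresh else last_run
    return incidents, new_last_run


if __name__ == "__main__":
    print(json.dumps(alert_to_context(SAMPLE_ALERT), indent=2))
    incidents, marker = fetch_incidents([SAMPLE_ALERT, OLDER_ALERT], "2018-07-23T13:00:00Z")
    print(len(incidents), "new incident(s); next last_run =", marker)
```

Running it with the two sample alerts and a last-run marker of 13:00 UTC yields one incident (alert 275) and advances the marker to that alert's obj_created; a second run with the new marker yields nothing, which is the behaviour you want from fetch-incidents.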

2. Update an alert


Updates an alert.

Base Command
sw-update-alert
Input
Argument Name    Description                                                                                            Required
alertID          The ID of the alert to update.                                                                         Required
resolved         Set to true to close the alert. Closing an alert requires merit to be set as well.                     Optional
merit            Alert merit: 8 ("helpful") or 9 ("not helpful"). Set together with resolved=true to close an alert.    Optional
tags             Tags (string).                                                                                         Optional
new_comment      Comment to add to the alert.                                                                           Optional
publish_time     Publish time (string), e.g., publish_time=2018-08-01T07:54:39Z                                         Optional
snooze_settings  Snooze settings (string).                                                                              Optional
resolved_user    Username of the user who resolved the alert (string).                                                  Optional
assigned_to      User to assign the alert to (integer user ID).                                                         Optional
Context Output
Path                                       Type     Description
Stealthwatch.Alert.id                      number   Alert ID
Stealthwatch.Alert.assigned_to             string   Alert assignee
Stealthwatch.Alert.obj_created             date     Alert creation date
Stealthwatch.Alert.last_modified           date     Date the alert was last modified
Stealthwatch.Alert.resolved                boolean  Whether the alert is resolved (closed)
Stealthwatch.Alert.source_info.ips         string   IP address(es) of the alert's source
Stealthwatch.Alert.source_info.hostnames   string   Hostname(s) of the alert's source
Command Example
!sw-update-alert alertID=275 merit=8 tags=test
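The closing rule above (resolved=true only makes sense together with merit 8 or 9) is easy to get wrong from a playbook, and an update that sends the wrong field set can leave an alert half-closed. The following is an added example, not the integration's own code: it builds the update body from the command arguments on this page and rejects inconsistent combinations before any request is sent. Treating arguments as strings, splitting tags on commas, and refusing merit values other than 8 and 9 client-side are assumptions made here.

```python
"""Build the request body for sw-update-alert and enforce the documented
closing rule: resolved=true must be accompanied by merit 8 or 9.

Added example; not the integration's own code. Field names are the command
arguments from the README; string parsing and the comma-separated tags form
are assumptions.
"""
MERIT_HELPFUL = 8
MERIT_NOT_HELPFUL = 9
VALID_MERITS = (MERIT_HELPFUL, MERIT_NOT_HELPFUL)


def _to_bool(value):
    """Command arguments arrive as strings ('true'/'false'); accept bools too."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in ("true", "yes", "1"):
        return True
    if text in ("false", "no", "0"):
        return False
    raise ValueError("resolved must be true or false, got %r" % (value,))


def build_update_payload(alert_id, resolved=None, merit=None, tags=None,
                         new_comment=None, publish_time=None,
                         snooze_settings=None, resolved_user=None,
                         assigned_to=None):
    """Return the JSON body for updating one alert, or raise ValueError.

    Only arguments that were actually supplied are included, so an update
    never silently clears fields it was not asked to touch."""
    alert_id = int(alert_id)
    if alert_id <= 0:
        raise ValueError("alertID must be a positive integer")
    body = {}
    if resolved is not None:
        body["resolved"] = _to_bool(resolved)
    if merit is not None:
        merit = int(merit)
        if merit not in VALID_MERITS:
            raise ValueError("merit must be 8 (helpful) or 9 (not helpful), got %d" % merit)
        body["merit"] = merit
    if body.get("resolved") and "merit" not in body:
        raise ValueError("closing an alert requires merit=8 or merit=9 together with resolved=true")
    if tags is not None:
        # Assumption: a comma-separated string is the CLI form for several tags.
        body["tags"] = [t.strip() for t in str(tags).split(",") if t.strip()]
    if new_comment is not None:
        body["new_comment"] = str(new_comment)
    if publish_time is not None:
        body["publish_time"] = str(publish_time)
    if snooze_settings is not None:
        body["snooze_settings"] = snooze_settings
    if resolved_user is not None:
        body["resolved_user"] = str(resolved_user)
    if assigned_to is not None:
        body["assigned_to"] = int(assigned_to)
    if not body:
        raise ValueError("nothing to update for alert %d" % alert_id)
    return body


if __name__ == "__main__":
    # Mirrors the README's command example: !sw-update-alert alertID=275 merit=8 tags=test
    print(build_update_payload("275", merit="8", tags="test"))
    print(build_update_payload(275, resolved="true", merit=9, new_comment="false positive"))
```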

3. Get a list of all alerts


Get the list of Stealthwatch alerts.

Base Command
sw-list-alerts
Input
Argument Name  Description                                                                                                       Required
status         Filters alerts by status: open, closed, or all. Default is open. Use all to see an alert whether it is open or closed.  Optional
search         Finds a particular string in the alerts, e.g., an IP address, hostname, or alert type.                             Optional
assignee       Show only alerts assigned to a specific user.                                                                      Optional
tags           Show only alerts that carry a specific tag.                                                                        Optional
limit          Number of alerts to list. Default is 5.                                                                            Optional
addComments    Include each alert's comments in the output (can be long).                                                         Optional
Context Output
Path                                       Type     Description
Stealthwatch.Alert.id                      number   Alert ID
Stealthwatch.Alert.assigned_to             string   Alert assignee
Stealthwatch.Alert.obj_created             date     Alert creation date
Stealthwatch.Alert.last_modified           date     Date the alert was last modified
Stealthwatch.Alert.resolved                boolean  Whether the alert is resolved (closed)
Stealthwatch.Alert.source_info.ips         string   IP address(es) of the alert's source
Stealthwatch.Alert.source_info.hostnames   string   Hostname(s) of the alert's source
Command Example
!sw-list-alerts status=all limit=1
Context Example
{
  "assigned_to": null,
  "assigned_to_username": null,
  "created": "2018-07-23T15:30:00Z",
  "description": "Source has started a port scan on a device internal to your network.",
  "hostname": "",
  "id": 275,
  "ips_when_created": [],
  "last_modified": "2018-10-02T22:41:07.749868Z",
  "merit": 3,
  "natural_time": "1 month ago",
  "obj_created": "2018-07-23T16:34:01.566717Z",
  "priority": 2,
  "publish_time": "2018-07-23T16:34:01.531458+00:00",
  "resolved": true,
  "resolved_time": "2018-11-17T05:00:01.458445Z",
  "resolved_user": null,
  "rules_matched": null,
  "snooze_settings": null,
  "source": 48858,
  "source_info": {
    "created": "2018-09-23T15:49:39.025415+00:00",
    "hostnames": [],
    "ips": [
      "5.5.255.25"
    ],
    "name": "test.com",
    "namespace": "default"
  },
  "source_name": "5.5.255.25",
  "source_params": {
    "id": 48852,
    "meta": "net-link",
    "name": "test.com"
  },
  "tags": [],
  "text": "Internal Port Scanner on 5.5.255.25",
  "time": "2018-10-02T21:49:00Z",
  "type": "Internal Port Scanner"
}

4. Block a domain or IP


Adds a domain or IP to the blacklist.

Base Command
sw-block-domain-or-ip
Input
Argument Name  Description                                  Required
domain         Domain to add to the blacklist.              Optional
ip             IP address to add to the blacklist.          Optional
Context Output
Path                            Type    Description
Stealthwatch.Domain.identifier  string  Domain name
Stealthwatch.Domain.title       string  Domain title
Stealthwatch.Domain.id          number  Domain ID
Stealthwatch.IP.identifier      string  IP address
Stealthwatch.IP.title           string  IP title
Stealthwatch.IP.id              string  IP ID
Command Example
!sw-block-domain-or-ip domain=test.com
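Adding an entry to the blacklist is the one destructive action in this integration, so the argument deserves a check before the call: exactly one of domain/ip, a syntactically valid value, and no address from your own private ranges. The block below is an added example, not the integration's or Cisco's code. The refusal to blacklist non-global addresses (private, loopback, link-local, reserved) and the bare-domain syntax check are guardrails assumed here; the context paths are the documented ones.

```python
"""Validate the argument to sw-block-domain-or-ip before anything is added to
the blacklist.

Added example; not the integration's own code. The non-global IP guardrail and
the domain syntax rule are assumptions; context paths come from the README.
"""
import ipaddress
import re

# One or more DNS labels (letters, digits, hyphens; no leading/trailing hyphen)
# followed by an alphabetic top-level label. Rejects URLs, paths, ports and
# dotted-quad strings passed in the domain slot.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def classify_block_target(domain=None, ip=None, allow_non_global=False):
    """Return {"kind", "value", "context_path"} describing what will be
    blocked, or raise ValueError if the request is ambiguous or unsafe."""
    if bool(domain) == bool(ip):
        raise ValueError("pass exactly one of domain= or ip=")

    if ip:
        try:
            addr = ipaddress.ip_address(str(ip).strip())
        except ValueError:
            raise ValueError("%r is not a valid IPv4/IPv6 address" % (ip,)) from None
        if not addr.is_global and not allow_non_global:
            # Guardrail (assumption): blacklisting RFC 1918, loopback or
            # link-local space would cut off your own infrastructure.
            raise ValueError("refusing to blacklist non-global address %s" % addr)
        return {"kind": "ip", "value": str(addr), "context_path": "Stealthwatch.IP"}

    name = str(domain).strip().lower().rstrip(".")
    if not _DOMAIN_RE.match(name):
        raise ValueError("%r is not a bare domain name (no scheme, path or port)" % (domain,))
    return {"kind": "domain", "value": name, "context_path": "Stealthwatch.Domain"}


if __name__ == "__main__":
    # Mirrors the README's command example: !sw-block-domain-or-ip domain=test.com
    print(classify_block_target(domain="test.com"))
    print(classify_block_target(ip="5.5.255.25"))
```

The normalized value (lowercase, trailing dot removed, IPv6 in canonical form) is also what you should compare against sw-list-blocked-domains output when checking whether an entry already exists, since the API is unlikely to de-duplicate differently cased inputs for you.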

5. Unblock a domain


Removes a domain from the blacklist.

Base Command
sw-unblock-domain
Input
Argument Name  Description                                                                                              Required
id             ID of the domain to remove from the blacklist. You can find the ID by running sw-list-blocked-domains.  Required
Context Output

There is no context output for this command.

Command Example
!sw-unblock-domain id=5

6. Get a list of blocked domains


Returns a list of blocked domains.

Base Command
sw-list-blocked-domains
Input
Argument Name  Description                                             Required
search         Finds a particular string in the blocked domain list.   Optional
domain         Search for a specific domain.                           Optional
limit          Number of domains to list. Default is 5.                Optional
Context Output
Path                            Type    Description
Stealthwatch.Domain.identifier  string  Domain name
Stealthwatch.Domain.title       string  Domain title
Stealthwatch.Domain.id          number  Domain ID
Command Example
!sw-list-blocked-domains limit=5

7. Get a list of observations


Returns observations by alert ID, observation ID, or a free search.

Base Command
sw-list-observations
Input
Argument Name  Description                                                                             Required
search         Finds a particular string in the observations, e.g., an IP address, hostname, or alert type.  Optional
alert          Alert ID; shows only the observations referenced by that alert.                         Optional
id             Get a specific observation by its ID.                                                   Optional
limit          Number of observations to list. Default is 5.                                           Optional
Context Output
Path                                    Type     Description
Stealthwatch.Observation.id             number   Observation ID
Stealthwatch.Observation.port_count     number   Number of ports observed
Stealthwatch.Observation.creation_time  string   Observation creation time
Stealthwatch.Observation.end_time       string   Observation end time
Stealthwatch.Observation.scanned_ip     string   IP address that was scanned
Stealthwatch.Observation.scanner_ip     string   IP address of the scanner
Stealthwatch.Observation.source         unknown  Observation source
Command Example
!sw-list-observations alert=222
Context Example
{
  "cidr_range": "5.5.5.179/32",
  "connected_ip": null,
  "connected_ip_country_code": "",
  "creation_time": "2018-07-23T15:30:00Z",
  "end_time": "2018-07-23T15:30:00Z",
  "id": 12345,
  "observation_name": "Port Scanner",
  "port_count": 24,
  "port_ranges": "0-1023",
  "resource_name": "port_scanner_v1",
  "scan_type": "internal",
  "scanned_packets": 5,
  "scanner_packets": 75,
  "source": 48822,
  "time": "2018-07-23T15:30:00Z"
}

8. Get a list of sessions by session occurrence time


Returns sessions by occurrence time. Times are UTC in the form YYYY-MM-DDTHH:MM:SSZ.

Base Command
sw-list-sessions
Input
Argument Name      Description                                                                                  Required
startTime          Session start time (UTC), e.g., startTime="2018-09-30T12:00:00Z"                             Required
endTime            Session end time (UTC), must be later than startTime, e.g., endTime="2018-09-30T15:00:00Z"   Optional
limit              Number of sessions to list. Default is 400.                                                  Optional
ip                 Source IP address to filter by.                                                              Optional
connectedIP        Connected IP address to filter by.                                                           Optional
connectedDeviceId  Connected device ID to filter by.                                                            Optional
sessionType        Type of session: internal or external. Returns only sessions of that type.                   Optional
Context Output
Path                                              Type     Description
Stealthwatch.Session.id                           number   Session ID
Stealthwatch.Session.port                         number   Session port
Stealthwatch.Session.start_timestamp_utc          string   Session start time (UTC)
Stealthwatch.Session.ip                           string   Source IP address
Stealthwatch.Session.connected_ip                 string   Connected IP address
Stealthwatch.Session.device_id                    number   Source device ID
Stealthwatch.Session.connected_device_id          number   Connected device ID
Stealthwatch.Session.connected_device_is_external boolean  Whether the connected device is external
Command Example
!sw-list-sessions startTime="2018-10-30T12:00:00Z" endTime="2018-11-01T12:00:00Z"
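The session command is the one most often driven from a playbook with computed arguments, and a window whose end precedes its start, a timestamp in the wrong format, or a mistyped sessionType returns either an error or silently empty data. The block below is an added example, not the integration's or Cisco's code. It validates the arguments exactly as this page documents them and applies the same filters to constructed session records shaped like the context output above, so the expected result of a query can be checked locally. Mapping sessionType=external/internal onto connected_device_is_external is an assumption made here.

```python
"""Validate sw-list-sessions arguments and apply the same filters to session
records locally.

Added example; not the integration's own code. SAMPLE_SESSIONS is constructed
with the field names from the README's context table; the sessionType to
connected_device_is_external mapping is an assumption.
"""
import ipaddress
from datetime import datetime, timezone

TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
SESSION_TYPES = ("internal", "external")

# Constructed session records shaped like the documented context output.
SAMPLE_SESSIONS = [
    {"id": 1, "port": 443, "start_timestamp_utc": "2018-10-30T12:15:00Z", "ip": "10.1.2.3",
     "connected_ip": "5.5.255.25", "device_id": 48852, "connected_device_id": 48858,
     "connected_device_is_external": True},
    {"id": 2, "port": 445, "start_timestamp_utc": "2018-10-30T12:20:00Z", "ip": "10.1.2.3",
     "connected_ip": "10.1.2.9", "device_id": 48852, "connected_device_id": 48860,
     "connected_device_is_external": False},
    {"id": 3, "port": 22, "start_timestamp_utc": "2018-11-02T08:00:00Z", "ip": "10.1.2.7",
     "connected_ip": "5.5.255.25", "device_id": 48870, "connected_device_id": 48858,
     "connected_device_is_external": True},
]


def parse_session_time(value):
    """Accept only the YYYY-MM-DDTHH:MM:SSZ form the command documents (UTC)."""
    try:
        return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        raise ValueError("%r is not in the form YYYY-MM-DDTHH:MM:SSZ (UTC)" % (value,)) from None


def build_session_query(startTime, endTime=None, limit=400, ip=None, connectedIP=None,
                        connectedDeviceId=None, sessionType=None):
    """Check every argument before a request is built; raise ValueError otherwise."""
    start = parse_session_time(startTime)
    end = parse_session_time(endTime) if endTime else None
    if end is not None and end <= start:
        raise ValueError("endTime must be later than startTime")
    limit = int(limit)
    if limit <= 0:
        raise ValueError("limit must be a positive integer")
    for label, value in (("ip", ip), ("connectedIP", connectedIP)):
        if value is not None:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                raise ValueError("%s=%r is not a valid IP address" % (label, value)) from None
    if sessionType is not None and sessionType not in SESSION_TYPES:
        raise ValueError("sessionType must be one of %s" % (SESSION_TYPES,))
    return {
        "start": start,
        "end": end,
        "limit": limit,
        "ip": ip,
        "connected_ip": connectedIP,
        "connected_device_id": int(connectedDeviceId) if connectedDeviceId is not None else None,
        "session_type": sessionType,
    }


def filter_sessions(sessions, query):
    """Apply a validated query to session records; oldest first, capped at limit."""
    out = []
    for s in sessions:
        when = parse_session_time(s["start_timestamp_utc"])
        if when < query["start"] or (query["end"] is not None and when > query["end"]):
            continue
        if query["ip"] and s["ip"] != query["ip"]:
            continue
        if query["connected_ip"] and s["connected_ip"] != query["connected_ip"]:
            continue
        if query["connected_device_id"] is not None and s["connected_device_id"] != query["connected_device_id"]:
            continue
        # Assumption: sessionType corresponds to the connected_device_is_external flag.
        if query["session_type"] == "external" and not s["connected_device_is_external"]:
            continue
        if query["session_type"] == "internal" and s["connected_device_is_external"]:
            continue
        out.append(s)
    out.sort(key=lambda s: s["start_timestamp_utc"])
    return out[: query["limit"]]


if __name__ == "__main__":
    # Mirrors the README's command example.
    q = build_session_query("2018-10-30T12:00:00Z", "2018-11-01T12:00:00Z")
    print([s["id"] for s in filter_sessions(SAMPLE_SESSIONS, q)])
```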