Cisco Stealthwatch Alarming Hosts Investigation

How to get additional information about a host present on the Top Alarming Hosts dashboard. Select Top Reports and another pop-up menu appears with options such as Top Applications, Top Ports, Top Protocols etc.

By default, the query looks at the past 5 minutes. The number of Flows for each application category is a live link. Click on the Flows number for the top Application:

The Flow Query shows Flows specific to the Application from the previous view:

Click on the Subject IP on the top line result of the Flow Query, and review the Information screen for this Host. The aggregated data Stealthwatch has collected about this host and its activities on the network:

Details and description for the Suspect Data Hoarding event:

Select Associated Flows:

A pre-populated Flow Search the parameters for the related security event will execute. Note that you can change any of the search parameters after the search completed, should you wish. Do not modify them right now.

Additional host information about Users/Sessions and Application traffic:

Share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *