Configuring Cisco Connector for Secure Cloud Analytics
Cisco Secure Cloud Analytics (formerly Stealthwatch Cloud) provides the actionable security intelligence and visibility needed to identify malicious activity in real time, so you can respond before a security incident becomes a devastating breach. This guide walks you through setting up the Cisco Cloud Connector in IOS-XE on a Cisco Industrial Ethernet switch.
Note: For further information about Cisco Secure Cloud Analytics (Stealthwatch Cloud) or Cisco Secure Network Analytics (Stealthwatch), go to the following URL: https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html
Limitations and Restrictions
- Only a predetermined set of fields can be collected. These are the 9-tuple flow data: source IP, source port, destination IP, destination port and protocol, along with flow start, flow end, number of packets and number of bytes.
- The mandatory fields are not enforced through CLI restrictions. If a record does not contain all the mandatory fields, so that the full 9-tuple cannot be collected, that flow is discarded.
- The Stealthwatch Connector for Secure Cloud Analytics relies on the switch's routing functionality to send packets to the cloud servers. No additional checks are done; it is assumed that appropriate routes exist.
- The monitor-application restrictions inherent to Flexible NetFlow also apply to Secure Cloud Analytics, for example no SVI, no VLAN and no egress monitor.
- The cloud exporter cannot be used together with other exporters.
- The uploaded file naming convention includes a random string to uniquely identify every file and prevent file overwrites. Example: https://sensor.ext.obsrvbl.com/sign/ios-xe-17-2/2019/7/5/00:00:00/hostname-random_suffix.csv.gz. Flows are aggregated and uploaded every 1 minute.
Before you begin
- The Secure Cloud Analytics Connector is supported on IE3300, IE3400 and IE3400H switches only.
- Network Advantage and dna-advantage license
SUMMARY STEPS
- stealthwatch-cloud-monitor service-key <your service key> hostname my_sensor
- flow record SWCRec
- flow exporter SWCExp
- interface gi1/0/3
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
Step 1 | stealthwatch-cloud-monitor service-key <your service key> hostname my_sensor | Configures the service key and hostname used for sensor registration. If no hostname is provided, the serial number of the switch is used for registration. Make sure valid root CAs for your sensor URL are installed on the switch before registering.
Step 2 | flow record SWCRec | Configures the fields in the flow record used to collect data for the Secure Cloud Analytics record.
Step 3 | flow exporter SWCExp | Configures a Secure Cloud Analytics exporter; attach it to a flow monitor to start exporting to Secure Cloud Analytics.
Step 4 | interface gi1/0/3 | Identifies the interface on which you want to monitor flows and attaches the monitor that uses the Secure Cloud Analytics exporter to that interface.
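The four steps above as one complete IOS-XE configuration, added here as an illustration rather than taken from the original guide. The record, exporter and interface names come from the steps; the Flexible NetFlow match/collect keywords, the exporter keyword `destination stealthwatch-cloud` and the monitor name `SWCMon` are assumptions and should be checked against the CLI reference for your IOS-XE release.

```cisco
! Step 1: register the switch as a sensor (service key and hostname are placeholders)
stealthwatch-cloud-monitor service-key <your service key> hostname my_sensor
!
! Step 2: flow record carrying exactly the mandatory 9-tuple.
! Leaving any of these out makes the connector discard the flow silently,
! because the CLI does not enforce them. (Assumed standard FNF keywords.)
flow record SWCRec
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
! Step 3: cloud exporter (assumed keyword). Do not add any other exporter
! to the monitor that uses it; the cloud exporter cannot be combined.
flow exporter SWCExp
 destination stealthwatch-cloud
!
! Monitor tying record and exporter together (name SWCMon is an assumption)
flow monitor SWCMon
 exporter SWCExp
 record SWCRec
!
! Step 4: attach the monitor on ingress of a physical port only;
! egress, SVI and VLAN monitors are not supported with this exporter.
interface gi1/0/3
 ip flow monitor SWCMon input
```

The switch must already have a route to the cloud servers and the root CAs for the sensor URL installed, since the connector performs no additional reachability or trust checks of its own.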
What to do next
For further Secure Cloud Analytics configuration information, refer to the appropriate configuration guide here: https://www.cisco.com/c/en/us/support/security/stealthwatch-cloud/products-installation-and-configuration-guides-list.html.