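# XSOAR integration definition for Cisco Secure Network Analytics (Stealthwatch).
# Declares the instance configuration parameters, the commands the integration
# exposes (flow search, security-event search, host groups a.k.a. "tags",
# domains a.k.a. "tenants") and the context output paths each command fills.
# The Python implementation is kept in a separate file (script: '-').
category: Analytics & SIEM
commonfields:
  id: Cisco Stealthwatch
  version: -1
configuration:
- additionalinfo: 'Server URL for Cisco Stealthwatch console e.g.: https://ip:port/.'
  display: Server URL
  name: server_url
  required: true
  type: 0
- display: User Credentials
  name: credentials
  required: true
  type: 9
# "Trust any certificate" turns off server-certificate validation for the
# connection to the console; keep it false unless the console certificate
# cannot be added to the trust store.
- display: Trust any certificate (not secure)
  name: insecure
  type: 8
  required: false
- display: Use system proxy settings
  name: proxy
  type: 8
  required: false
description: Scalable visibility and security analytics.
display: Cisco Secure Network Analytics (Stealthwatch)
name: Cisco Stealthwatch
script:
  commands:
  # Flow search is a three-step job: initialize, poll status, fetch results.
  - arguments:
    - description: The ID of the tenant for which to initialize its flow search.
      name: tenant_id
      required: true
    - description: 'Start time in the format: YYYY-mm-ddTHH:MM:SSZ. If start_time is provided but end_time is not provided, the end_time will be set to the current time.'
      name: start_time
    - description: 'End time in the format: YYYY-mm-ddTHH:MM:SSZ.'
      name: end_time
    - description: 'An optional time range, for example: 3 months, 1 week, 1 day ago, etc.'
      name: time_range
    - default: true
      defaultValue: '20'
      description: The maximum number of records to retrieve.
      name: limit
    - description: The IP address by which to filter the results.
      name: ip_addresses
    description: Initializes the flow search based on specified arguments. Must provide a start time, time range, or start time and end time.
    name: cisco-stealthwatch-query-flows-initialize
    outputs:
    - contextPath: CiscoStealthwatch.FlowStatus.id
      description: The ID of the flow.
      type: str
    - contextPath: CiscoStealthwatch.FlowStatus.searchJobStatus
      description: The search job status of the flow.
      type: str
    - contextPath: CiscoStealthwatch.FlowStatus.percentComplete
      description: The percent of the flow that was completed.
      type: str
  - arguments:
    - description: The ID of the tenant for which to check its flow search status.
      name: tenant_id
      required: true
    - description: The ID of the search from the cisco-stealthwatch-query-flows-initialize command.
      name: search_id
      required: true
    description: Checks the flow search status.
    name: cisco-stealthwatch-query-flows-status
    outputs:
    - contextPath: CiscoStealthwatch.FlowStatus.id
      description: The ID of the flow.
      type: str
    - contextPath: CiscoStealthwatch.FlowStatus.percentComplete
      description: The percent of the flow that was completed.
      type: str
  - arguments:
    - description: The ID of the tenant for which to retrieve its flow search results.
      name: tenant_id
      required: true
    - description: The ID of the search from the cisco-stealthwatch-query-flows-initialize command.
      name: search_id
      required: true
    description: Retrieves the flow search results. Use this command after the search job completes.
    name: cisco-stealthwatch-query-flows-results
    outputs:
    - contextPath: CiscoStealthwatch.FlowResults.id
      description: The ID of the flow.
      type: str
    - contextPath: CiscoStealthwatch.FlowResults.tenantId
      description: The tenant ID of the flow.
      type: str
    - contextPath: CiscoStealthwatch.FlowResults.flowCollectorId
      description: The collector ID of the flow.
      type: str
    - contextPath: CiscoStealthwatch.FlowResults.protocol
      description: The protocol of the flow.
      type: str
    - contextPath: CiscoStealthwatch.FlowResults.serviceId
      description: The service ID of the flow.
      type: str
    - contextPath: CiscoStealthwatch.FlowResults.statistics
      description: The statistics of the flow.
      type: str
    - contextPath: CiscoStealthwatch.FlowResults.peer
      description: The peer of the flow.
      type: str
    - contextPath: CiscoStealthwatch.FlowResults.subject
      description: The subject of the flow.
      type: str
  # Host groups are exposed as "tags" by the API; command names follow the API term.
  - arguments:
    - description: The ID of the tenant for which to get its tags.
      name: tenant_id
      required: true
    description: Lists the host groups (called tags in the API).
    name: cisco-stealthwatch-list-tags
    outputs:
    - contextPath: CiscoStealthwatch.Tag.id
      description: The ID of the tag.
      type: str
    - contextPath: CiscoStealthwatch.Tag.displayName
      description: The display name of the tag.
      type: str
  - arguments:
    - description: The ID of the tenant for which to get its tag.
      name: tenant_id
      required: true
    - description: The tag for which to get more information.
      name: tag_id
      required: true
    description: Gets a single host group (called tag in the API).
    name: cisco-stealthwatch-get-tag
    outputs:
    # The id/name descriptions were previously swapped; they now match the
    # contextPath they describe.
    - contextPath: CiscoStealthwatch.Tag.id
      description: The ID of the tag.
      type: str
    - contextPath: CiscoStealthwatch.Tag.name
      description: The name of the tag.
      type: str
    - contextPath: CiscoStealthwatch.Tag.location
      description: The location of the tag.
      type: str
    - contextPath: CiscoStealthwatch.Tag.domainId
      description: The domain ID of the tag.
      type: str
  - arguments:
    - description: The ID of the tenant for which to retrieve information.
      name: tenant_id
    description: Lists all domains if no domain is specified or gets a specified domain (called tenant(s) in the API).
    name: cisco-stealthwatch-list-tenants
    outputs:
    - contextPath: CiscoStealthwatch.Tenant.id
      description: The ID of the tenant.
      type: str
    - contextPath: CiscoStealthwatch.Tenant.displayName
      description: The display name of the tenant.
      type: str
  - arguments:
    - description: The ID of the tenant for which to get its host information.
      name: tenant_id
      required: true
    - description: The ID of the tag for which to get its information.
      name: tag_id
      required: true
    description: Gets the hourly traffic summary of the byte count for a single host group (called tag in the API).
    name: cisco-stealthwatch-get-tag-hourly-traffic-report
    outputs:
    - contextPath: CiscoStealthwatch.TagHourlyTraffic.timestamp
      description: Timestamp of the hourly traffic summary for a single host group (called tag on the API).
      type: str
    - contextPath: CiscoStealthwatch.TagHourlyTraffic.inboundByteCount
      description: Inbound byte count of the hourly traffic summary for a single host group (called tag on the API).
      type: str
    - contextPath: CiscoStealthwatch.TagHourlyTraffic.outboundByteCount
      description: Outbound byte count of the hourly traffic summary for a single host group (called tag on the API).
      type: str
    - contextPath: CiscoStealthwatch.TagHourlyTraffic.withinByteCount
      description: Within the byte count of the hourly traffic summary for a single host group (called tag on the API).
      type: str
    - contextPath: CiscoStealthwatch.TagHourlyTraffic.tenant_id
      description: The tenant ID of the hourly traffic summary for a single host group (called tag on the API).
      type: str
    - contextPath: CiscoStealthwatch.TagHourlyTraffic.tag_id
      description: The tag ID of the hourly traffic summary for a single host group (called tag on the API).
      type: str
  - arguments:
    - description: The ID of the tenant for which to get its top alarming hosts.
      name: tenant_id
      required: true
    description: Gets the top alarming host groups (called tags on the API) for a specific domain (called tenant in the API).
    name: cisco-stealthwatch-get-top-alarming-tags
    outputs:
    - contextPath: CiscoStealthwatch.AlarmingTag.ipAddress
      description: The IP address of the alarming tag.
      type: str
    - contextPath: CiscoStealthwatch.AlarmingTag.hostGroupIds
      description: The host group IDs of the alarming tag.
      type: str
    - contextPath: CiscoStealthwatch.AlarmingTag.typeId
      description: The type ID of the alarming tag.
      type: str
    - contextPath: CiscoStealthwatch.AlarmingTag.severity
      description: The severity of the alarming tag.
      type: str
    - contextPath: CiscoStealthwatch.AlarmingTag.alwaysBadCount
      description: The always bad count of the alarming tag.
      type: str
  # Security-event search mirrors the flow search job: initialize, status, results.
  - arguments:
    - description: The ID of the tenant for which to initialize its list security events.
      name: tenant_id
      required: true
    - description: 'Start time. Format: YYYY-mm-ddTHH:MM:SSZ. Given only the start_time, the end_time will be set to the current time.'
      name: start_time
    - description: 'End time. Format: YYYY-mm-ddTHH:MM:SSZ.'
      name: end_time
    - description: 'An optional time range. For example: 3 months, 1 week, 1 day ago, etc.'
      name: time_range
    description: Initializes the list of security events for a domain (called tenant on the API).
    name: cisco-stealthwatch-list-security-events-initialize
    outputs:
    - contextPath: CiscoStealthwatch.SecurityEventStatus.id
      description: The ID of the security event.
      type: str
    - contextPath: CiscoStealthwatch.SecurityEventStatus.searchJobStatus
      description: The status of the search job for the security event.
      type: str
    - contextPath: CiscoStealthwatch.SecurityEventStatus.percentComplete
      description: The percent of the security event that is completed.
      type: str
  - arguments:
    - description: The ID of the tenant for which to get its list of security events status.
      name: tenant_id
      required: true
    - description: The ID of the search from the initialize command.
      name: search_id
      required: true
    description: Lists the security events status.
    name: cisco-stealthwatch-list-security-events-status
    outputs:
    - contextPath: CiscoStealthwatch.SecurityEventStatus.id
      description: The ID of the security event.
      type: str
    - contextPath: CiscoStealthwatch.SecurityEventStatus.percentComplete
      description: The percent of the security event that is completed.
      type: str
  - arguments:
    - description: The ID of the tenant for which to retrieve its list security events results.
      name: tenant_id
      required: true
    - description: The ID of the search from the initialize command.
      name: search_id
      required: true
    # NOTE(review): limit is marked required here but is optional on
    # cisco-stealthwatch-query-flows-initialize; confirm which is intended.
    - default: true
      defaultValue: '50'
      description: The maximum number of security events.
      name: limit
      required: true
    description: Lists the security events results. Use this command after the search job completes.
    name: cisco-stealthwatch-list-security-events-results
    outputs:
    - contextPath: CiscoStealthwatch.SecurityEventResults.id
      description: The ID of the security event.
      type: str
    - contextPath: CiscoStealthwatch.SecurityEventResults.domainId
      description: The domain ID of the security event.
      type: str
    - contextPath: CiscoStealthwatch.SecurityEventResults.deviceId
      description: The device ID of the security event.
      type: str
    - contextPath: CiscoStealthwatch.SecurityEventResults.securityEventType
      description: The type of the security event.
      type: str
    - contextPath: CiscoStealthwatch.SecurityEventResults.firstActiveTime
      description: The first active time of the security event.
      type: str
    - contextPath: CiscoStealthwatch.SecurityEventResults.lastActiveTime
      description: The last active time of the security event.
      type: str
    - contextPath: CiscoStealthwatch.SecurityEventResults.source
      description: The source of the security event.
      type: str
    - contextPath: CiscoStealthwatch.SecurityEventResults.target
      description: The target of the security event.
      type: str
    - contextPath: CiscoStealthwatch.SecurityEventResults.details
      description: The details of the security event.
      type: str
    - contextPath: CiscoStealthwatch.SecurityEventResults.hitCount
      description: The hit count of the security event.
      type: str
  dockerimage: demisto/python3:3.10.12.68714
  runonce: false
  script: '-'
  subtype: python3
  type: python
tests:
- Cisco Stealthwatch Test
fromversion: 5.5.0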