
Cisco Stealthwatch

Cisco Stealthwatch is a network analysis tool built to protect your cloud assets and private network.

Connect Cisco Stealthwatch with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for Cisco Stealthwatch.

  3. Click Details, then the + icon. Enter the required information in the following fields:

     • Label: Enter a connection name.

     • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

     • Verify SSL: Select this option to verify the connecting server's SSL certificate (Default is Verify SSL Certificate).

     • Remote Agent: Run this integration using the Devo SOAR Remote Agent.

     • URL: URL to your Cisco Stealthwatch instance.

     • API Key: The API key to connect to Cisco Stealthwatch.

  4. After you've entered all the details, click Connect.

Actions for Cisco Stealthwatch

List Alerts

List of alerts matching filtering criteria.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Search Column | Column name from parent table to lookup value for. | Required |
| Status | Status of the alert. | Required |
| Tags | Filter by tags. | Required |
| Assignee | Alerts assigned only to. | Required |
| Limit Results | Maximum results to return (Default: 1000, Maximum: 50000). | Required |

Get Alert

Get specific alert.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Alert ID | Column name from parent table to lookup value for. | Required |

Update Alert

Update an alert.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Alert ID | Column name from parent table to lookup value for. | Required |
| Set Resolved | Set issue status. | Required |
| Merit | Set merit of the alert (0, 1, 2, 3, 4, 5, 6, 8, 9). | Required |
| Tags | Comma separated list of tags to add. | Required |
| New Comment | Add Comment to alert. | Required |
| Assigned To | Assigned to user ID. | Required |

Block IP or Domain

Block a particular IP or domain.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Domain or IP Column | Column name from parent table to lookup value for. | Required |

List Blocked Domain

List of domains that are blocked.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Search Column | Column name from parent table to lookup value for. | Required |
| Limit Results | Maximum results to return (Default: 1000, Maximum: 50000). | Required |

Unblock Domain

Unblock a specific domain.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Domain ID Column | Column name from parent table to lookup value for. | Required |

List Observations

List of observations matching filtering criteria.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Search Column | Column name from parent table to lookup value for. | Required |
| Observation ID | Observation ID of a specific observation. | Required |
| Alert ID | Observations referenced by the alert. | Required |
| Limit Results | Maximum results to return (Default: 1000, Maximum: 50000). | Required |

List Sessions

List of sessions matching filtering criteria.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| IP | Column name from parent table to lookup value for. | Required |
| Connected IP | Connected to IP. | Required |
| Start Time (UTC) | Sessions started after (YYYY-MM-DDTHH:MM:SSZ). | Required |
| End Time (UTC) | Sessions started before (YYYY-MM-DDTHH:MM:SSZ). | Required |
| Limit Results | Max results to return (Default: 1000, Maximum: 50000). | Required |

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem

  • v1.0.10 - Added documentation link in the automation library.