Secure Network Analytics Integration

Cisco Secure Network Analytics (formerly known as Stealthwatch Enterprise) provides full visibility across your network and uses advanced analytics to detect and respond to threats in real time. These threats include command-and-control (C&C) attacks, ransomware, distributed denial-of-service (DDoS) attacks, illicit cryptomining, unknown malware, and insider threats.

Secure Network Analytics uses agentless behavioral monitoring and anomaly detection to identify suspicious activities, helping detect and respond to threats without needing software agents installed on devices.

By integrating with other global threat intelligence sources and internal visibility tools, Secure Network Analytics validates its findings using confirmed threat information and local data. Additionally, integration with Cisco control devices enables quick, two-click mitigation and resolution of detected threats.

The telemetry sources for Secure Network Analytics integrated with Cisco XDR are shown below:

Once Secure Network Analytics is integrated with Cisco XDR, Critical and Major security alarms are sent from the Security Services Exchange and analyzed by the current platform to support investigations. These alarms are converted into incidents, complete with details like sightings, observables, and indicators based on the alarm metadata.

During an investigation, for every valid IP address requested, Secure Network Analytics provides:

  • A list of associated security events from the last 30 days,

  • The most recent 100 security events, and

  • Events where the IP was involved as either the source or destination.

More information on configuring your Secure Network Analytics Manager to send security alarms to Security Services Exchange and providing access to the alarms is available on the Secure Network Analytics Configuration Guides page.

  1. In the Cisco XDR navigation menu, choose Administration > Integrations.

  2. On the Integrations page, click the Cisco tab and navigate to the Secure Network Analytics integration.

  3. Click Get Started. The Secure Network Analytics integration page is displayed.

  4. Expand the Integration Guide area and follow the instructions on how to add the Secure Network Analytics integration in Cisco XDR.

You can configure the following alarm data in Secure Network Analytics to be promoted to Cisco XDR as incidents using a webhook through Response Management:

  • Bot Infected Host - Successful C&C Activity

  • Suspect Data Hording

  • Suspect Data Loss

You must configure webhook through Response Management in Secure Network Analytics to send the alarms to Cisco XDR. For information on configuring the alarms, see the Alarm Configuration for Cisco XDR Guide 7.4.2 or Alarm Configuration for Cisco XDR Guide 7.5.0, depending on your Secure Network Analytics version.

You can perform the following tasks after you integrate Secure Network Analytics with Cisco XDR:

  • Incidents - View the incidents that are promoted from Secure Network Analytics alarm data that is used in Endpoint Detection and Response correlated attack chains and alerts. The source of the incidents is displayed as XDR Analytics on the Incidents page.
  • Dashboard Tiles - Add Secure Network Analytics tiles to a dashboard in Control Center to view data, such as top endpoint compromises. For details, see Configure Dashboards and Tiles. For a list of available Secure Network Analytics tiles, see Integration Tiles.

  • Pivot Menu - Use the Pivot menu to access actions in Secure Network Analytics.

  • Atomic Actions - The atomic actions for Secure Network Analytics can be used as building blocks in custom workflows. See Atomic Actions.