DevNet Express - Cisco Secure Network Analytics Mission

Mission: Retrieve security events and create host group​

In this mission, you will use Cisco Secure Network Analytics to identify and retrieve some Security Events and create a TAG (host group) containing the information retrieved.

Prepare for the mission following the Stealthwatch Enterprise learning lab

Objectives

The objective of this mission is to teach the following Cisco Secure Network Analytics API tasks:

  • Identify the "Total High Traffic" Security Events.
  • Retrieve all the "Total High Traffic" Security Events.
  • Create a TAG (host group) containing the first 10 source IP addresses from the retrieved Security Events.
  • Clean up the environment (remove the TAG).

Note: Webex Teams is now known as Webex.

Prerequisites

To complete this mission you need:

  • A development environment with typical tools and applications. If you are at a DevNet Event using a provided workstation, you are ready to go. If you are working from your own workstation, please click How to setup your own computer at the top of this page and follow the procedures to configure your workstation.
  • Lab infrastructure to target API calls and code. These labs and code examples will use the Cisco dCloud infrastructure, which is provided to you by your DevNet Express instructors.

You should also have an understanding of these foundational topics:

  • The content in the "An introduction to the Cisco Secure Network Analytics APIs" Learning Lab.
  • Ability to read and understand Python code samples and scripts. You can explore the Programming Fundamentals labs available on DevNet.

Reserve the sandbox

In case you don't have a Secure Network Analytics solution to use, you can take advantage of the DevNet website and reserve a sandbox by following these steps:

  1. Follow this link
  2. Click on "Try It Out" in the Cisco Stealthwatch section (that's the former name for Secure Network Analytics). This will open a second window in your browser.
  3. At the top of the window, look for a blue bar. At its rightmost end you will find a "Reserve" button. Click on it.
  4. Enter the required details to reserve your instance (there is a maximum of 4 hours of reservation available).
  5. Click on "Reserve".
  6. After 10-15 minutes an email will be sent to you with the details on how to access the sandbox.

Setup the Secure Network Analytics SMC

If you are using a DevNet sandbox instance, you will need to run python3 setup.py, since the traffic that the sandbox generates is not enough to trigger the security events. This script edits the policy for the chosen security event to lower the threshold that generates the alarm.

To run the script simply type:

python3 setup.py <security_event_id>

Your mission, should you choose to accept it!

Your instructor will provide a code sample. Your mission is to complete the code sample by filling in missing data. The majority of the provided code sample is complete and accurate. You simply need to fix or update sections indicated in the code by MISSION marks. Pay attention to the TODO: and HINT: in the code, they will provide you with additional information and hints to proceed if you get stuck.

The goal

  1. Complete the code with MISSION and TODO indications.
  2. Find the right Secure Network Security Event ID and fill in the API endpoint URLs.
  3. Apply key concepts about Cisco Secure Network REST APIs learned in the labs and hands-on exercises.
  4. Successfully execute the secure_network_mission.py script and review the results: a new TAG with your Webex username has been created containing the first 10 source IP addresses found from the Security Events.

Starting the mission

  1. Open secure_network_mission.py in a text editor.

  2. Search for MISSION and TODO to find the sections to update. For example:

    # TODO: Find the search query ID, so as to later check the status and access the result.
    # HINT: The API documentation is your friend ;)
    env_lab.print_missing_mission_warn(env_lab.get_line())
    search_id = MISSION

  3. Within the code, replace MISSION with the correct value.

    • There may be more than one MISSION section in a code sample.
    • Each MISSION section may contain more than one element that needs updating.
    • Remember to remove the related 'env_lab.print_missing_mission_warn()' line after you have filled in the MISSION task.

Caveats and gotchas

  • The only file that needs changes is secure_network_mission.py.
  • Only replace instances of MISSION within the code. Be careful not to replace characters before or after it.
  • A Cisco Secure Network API key and client key are required to complete the mission. These will be provided by your instructor.

Verifying the solution

Have you successfully completed the mission? Let's find out.

Running your code

  1. Open a terminal and navigate to the root of the dne-security-code repository.
  2. Navigate to the mission directory, intro-secure-network/mission:

     cd intro-secure-network/mission

  3. Run the Python file that you edited for the mission:

     python secure_network_mission.py

What to expect

If you successfully completed the mission, the script should complete without errors. The output will be similar to the following:

==> Logging in to the SMC
Login SUCCESSFUL!

==> Finding all Tenants available
Found all the following tenants: [{'displayName': 'abc.inc', 'id': 132}]
Working on Tenant ID is: 132

==> Created query looking for all the hosts that generate high amount of traffic in the last 60 minutes.
Generating results. Please wait...
Search progress: 0.0%
Search progress: 100.0%
Search query completed!
Total found events: 0
Collected the following first 10 IP addresses: set()

==> Creating new TAG named: [Elia Maracani] - High Traffic Hosts
New tag (host group) successfully added
{
  "data": [
    {
      "id": 50081,
      "name": "[Elia Maracani] - High Traffic Hosts",
      "location": "OUTSIDE",
      "ranges": [],
      "description": "Hosts generating or receiving an unusually high amount of traffic.",
      "hostBaselines": false,
      "suppressExcludedServices": false,
      "inverseSuppression": false,
      "hostTrap": false,
      "sendToCta": false,
      "domainId": 132,
      "parentId": 2147483647
    }
  ]
}

==> Sending message to Webex Space bragging for a completed mission! :D
Message sent, StealthWatch Enterprise Mission Completed!!!

==> Removing TAG 50081
Tag 50081 has been successfully removed
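The result handling behind the "first 10 IP addresses" step and the TAG id kept for the clean-up step, as an added example that is not the mission's own secure_network_mission.py. The search-result shape (data.results[].source/target.ipAddress) and the sample events are assumptions; the tag body fields come from the sample output above, and the optional roles=("source", "target") form covers the "source or target" variant described in the use case.

```python
import ipaddress

# Constructed sample of a security-events search result; the shape
# (data.results[].source/target.ipAddress) is an assumption, not from the page.
SAMPLE_RESULTS = {"data": {"results": [
    {"source": {"ipAddress": "10.201.3.18"}, "target": {"ipAddress": "203.0.113.7"}},
    {"source": {"ipAddress": "10.201.3.18"}, "target": {"ipAddress": "198.51.100.9"}},  # repeated source
    {"source": {"ipAddress": "not-an-ip"}, "target": {"ipAddress": "10.201.3.5"}},      # malformed, skipped
    {"source": {"ipAddress": "10.201.3.77"}, "target": {"ipAddress": "203.0.113.7"}},
]}}

# Constructed from the tag-creation response shown under "What to expect".
SAMPLE_TAG_RESPONSE = {"data": [{"id": 50081, "name": "[Elia Maracani] - High Traffic Hosts",
                                 "location": "OUTSIDE", "ranges": [], "domainId": 132}]}


def collect_ips(results, limit=10, roles=("source",)):
    """First `limit` distinct, syntactically valid IPs from the given event roles, in result order."""
    ips = []
    for event in results.get("data", {}).get("results", []):
        for role in roles:
            raw = (event.get(role) or {}).get("ipAddress")
            try:
                ip = str(ipaddress.ip_address(raw))  # rejects None and junk before it reaches the SMC
            except ValueError:
                continue
            if ip not in ips:
                ips.append(ip)
            if len(ips) >= limit:
                return ips
    return ips


def build_tag_body(owner, ips, domain_id):
    """Request body for creating the host group; field names follow the sample output above."""
    return [{
        "name": f"[{owner}] - High Traffic Hosts",
        "location": "OUTSIDE",
        "ranges": list(ips),  # the collected hosts become the group's IP ranges
        "description": "Hosts generating or receiving an unusually high amount of traffic.",
        "domainId": domain_id,
    }]


def created_tag_id(response):
    """Tag id returned on creation; keep it for the clean-up step that removes the TAG."""
    return response["data"][0]["id"]
```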

Summary
Congratulations! You have used the Cisco Secure Network REST APIs to identify and retrieve some Security Events and create a TAG (host group) containing the information retrieved.

  • You found the correct Security Event ID
  • You identified all the "Total High Traffic" Security Events.
  • You retrieved the first 10 source IP addresses from the Security Events.
  • You created a TAG (host group) containing the IP addresses.
  • You deleted a TAG from Cisco Secure Network.

Nice work! Now click the final right arrow below to complete this lab!

Use Case

Detect, notify and create a Host Group containing all the IP addresses generating High Traffic

Tell me more

The use case is quite simple. Based on the config files, this script automatically logs in to the targeted Secure Network Analytics SMC and looks for all the IP addresses that in the last hour (a parameter that can be modified in the configs), either as source or as target, generated an abnormally high total traffic. As sustained inbound or outbound traffic (or a mix of the two) is generally a sign of anomalous behavior, the script creates a TAG (host group) to which it adds the source IP addresses of the inside hosts that were part of such events. Once the TAG is created, further analysis can be performed. This is of particular importance in a cloud environment, where the client has less control and visibility over what the devices are actually doing and how they are communicating. By automating the procedure, the script saves time and can detect a threat before it spreads, preventing a security incident.

Possible future improvements include:

  • Integration with Umbrella, to analyze the destination IP addresses and gather more information about them so as to determine whether the High Total Traffic was a signal for an actual threat.
  • Integration with Secure Endpoint, to provide context as per which process is responsible for this abnormal amount of traffic.
  • Integration with Webex, to signal the discovery of a new host (or IP) that triggered the alarm, providing in the message the additional context and info gathered from Umbrella and Secure Workload.
  • Integration with Secure Workload, to automatically block the connection with the IP and blacklist it if the evidence gathered is enough to have a certain degree of certainty.

Try it yourself

In case you don't have a Secure Network Analytics solution to use, reserve a DevNet sandbox and lower the alarm threshold with setup.py as described in the "Reserve the sandbox" and "Setup the Secure Network Analytics SMC" sections above.