csna

Cisco Secure Network Analytics (formerly Stealthwatch) app for Splunk SOAR (formerly Splunk Phantom)

Integrating Splunk SOAR and Cisco Secure Network Analytics

published

Asset Configuration

The asset definition requires these fields:

  • Userid
  • Password
  • Hostname / IP address
  • Tenant (Domain) display name

The Tenant (Domain) display name (displayName) is specified in the Management Console GUI and should be entered in the asset configuration. This enables creating an separate asset in Splunk SOAR for each Tenant (Domain). If you have a multi-domain system, You can create the same tag name for multiple assets and pass that tag to the act() function in playbooks. The action runs on all assets with that tag.

App Actions

This app implements these actions.

test connectivity

The test connectivity action is required of all apps. This action authenticates with the Management Console, verifying network reachability and a valid username and password. It does not validate the Tenant (Domain) exists on the Management Console. This validation step is a function of the retrieve flows action.

retrieve flows

The retrieve flows action uses the Stealthwatch Reporting - Version 2 API call to create flow searches and retrieve the searches' results.

To retrieve data, a start and end date and time must be calculated and a record limit specified (or a default value).

As an example, if the parameters specify:

"start_time": "2022-01-05T15:30:0Z",
"timespan": 60

The app calculates a flow filter with these values:

"startDateTime": "2022-01-05T15:30:00Z",
"endDateTime": "2022-01-05T16:30:00Z"

If no values are specified for start_time and timespan, the startDateTime is 60 minutes from the current time, and the endDateTime is the current time. Effectively returning data from the past hour.

The flow search uses an IP address specified by the user to bound the search filter.

With the above information, a POST command is sent with the search filter in the body of the request. The app waits for the results to be generated and returns the action_result.data results (if any). Additionally action_result.extra_data includes the flow query id (flow.query.id) and the search filter (flow.filter) generated from the parameters specified, along with all configured Tenant display names and IDs. The Tenant ID (tenantId) is also included in the result data.

References

How to Information

In addition to the DEVELOPMENT_NOTES.md file, there is an internal WWT Stream channel with video recordings of the working sessions. The channel name is Splunk> SOAR.

Author

Joel W. King @joelwking

View code on GitHub

Code Exchange Community

Get help, share code, and collaborate with other developers in the Code Exchange community.View Community
Disclaimer:
Cisco provides Code Exchange for convenience and informational purposes only, with no support of any kind. This page contains information and links from third-party websites that are governed by their own separate terms. Reference to a project or contributor on this page does not imply any affiliation with or endorsement by Cisco.