Overview
The Associated Flows API simplifies obtaining NetFlow records that correspond to host alarms generated by Cisco Secure Network Analytics. It is designed for SOC operators and automated SIEM/SOAR workflows to accelerate investigations and reduce MTTR (Mean Time to Resolution).
This API supplements the existing Secure Network Analytics Manager UI workflow for Host Alarm - Associated Flows by exposing the same data programmatically.
The Associated Flows API accepts an Alarm ID (and an optional maxRecords parameter that caps the number of flow records returned) and initiates a Flow Search API query on behalf of the consumer, using filter criteria derived from that alarm (for example, the alarm's time window and the hosts involved). The response returns two things: the filter criteria specification that was submitted, so the consumer can audit or reuse the search, and a Flow Search Job ID. Because the Flow Search runs asynchronously, the consumer then uses the Job ID to poll the job's status and, once it completes, to retrieve the matching flow records.
For more details about the Flow Search API, including the job status and results endpoints, refer to the Stealthwatch Reporting API, Version 2 documentation.
Note: The API does not support category alarms. Clients should therefore check the alarm type before calling, and handle an error response for unsupported alarms rather than assuming every Alarm ID yields a Flow Search job. For more details, refer to Alarm Categories in the Security Events and Alarm Categories guide.
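The request, poll and fetch sequence described above, written out as an added example client (this is illustrative code, not Cisco's, and not part of the original page). The resource paths, JSON field names (`data.searchJobId`, `data.searchFilter`, `data.query.status`, `data.flows`) and job status strings are assumptions that must be checked against the API reference for your release. The transport is injected so the example runs offline against constructed responses; in production the `http` object would wrap an authenticated `requests.Session` with TLS verification left on. The polling loop is bounded by a timeout so an automation playbook cannot hang on a stuck job, and a non-200 reply to the initial request (such as the one expected for an unsupported category alarm) is raised instead of being polled.

```python
"""Added example (not Cisco's code): drive the Associated Flows -> Flow Search
job workflow. Paths, JSON field names and status strings are ASSUMPTIONS."""
import time
from dataclasses import dataclass
from urllib.parse import urlencode

# Assumed (placeholder) resource paths, relative to the Manager base URL.
ASSOCIATED_FLOWS = "/sw-reporting/v2/tenants/{tenant}/alarms/{alarm}/associated-flows"
FLOW_QUERY = "/sw-reporting/v2/tenants/{tenant}/flows/queries/{job}"
FLOW_QUERY_RESULTS = FLOW_QUERY + "/results"
# Assumed job status vocabulary.
TERMINAL_OK, TERMINAL_FAILED = {"COMPLETED"}, {"FAILED", "CANCELLED"}


class FlowSearchError(RuntimeError):
    """Raised for HTTP errors, failed jobs or polling timeouts."""


@dataclass
class Response:
    status: int
    body: dict


def request_associated_flows(http, tenant, alarm_id, max_records=None):
    """Start a Flow Search for alarm_id; returns (filter_spec, job_id).
    `http` is any object exposing get(path) -> Response."""
    if not str(alarm_id).strip():
        raise ValueError("alarm_id is required")
    path = ASSOCIATED_FLOWS.format(tenant=tenant, alarm=alarm_id)
    if max_records is not None:
        if not isinstance(max_records, int) or max_records <= 0:
            raise ValueError("maxRecords must be a positive integer")
        path += "?" + urlencode({"maxRecords": max_records})
    resp = http.get(path)
    if resp.status != 200:
        # e.g. an unsupported (category) alarm: fail here, do not poll.
        raise FlowSearchError(f"associated-flows request failed: HTTP {resp.status} {resp.body}")
    data = resp.body["data"]  # assumed response envelope
    return data["searchFilter"], data["searchJobId"]


def wait_for_results(http, tenant, job_id, poll_interval=2.0, timeout=120.0,
                     sleep=time.sleep, clock=time.monotonic):
    """Poll the job until a terminal state, then fetch results.
    Returns (number_of_status_polls, flow_records)."""
    deadline = clock() + timeout
    polls = 0
    while True:
        resp = http.get(FLOW_QUERY.format(tenant=tenant, job=job_id))
        polls += 1
        if resp.status != 200:
            raise FlowSearchError(f"status check failed: HTTP {resp.status}")
        status = resp.body["data"]["query"]["status"]  # assumed field path
        if status in TERMINAL_OK:
            break
        if status in TERMINAL_FAILED:
            raise FlowSearchError(f"flow search job {job_id} ended with {status}")
        if clock() >= deadline:
            raise FlowSearchError(f"flow search job {job_id} still {status} after {timeout}s")
        sleep(poll_interval)
    resp = http.get(FLOW_QUERY_RESULTS.format(tenant=tenant, job=job_id))
    if resp.status != 200:
        raise FlowSearchError(f"results fetch failed: HTTP {resp.status}")
    return polls, resp.body["data"]["flows"]  # assumed field path


class FakeHttp:
    """Offline stand-in for the Manager: constructed responses keyed by path.
    A list value is served one element per call (job still running at first)."""

    def __init__(self, routes):
        self.routes = routes

    def get(self, path):
        entry = self.routes[path]
        if isinstance(entry, list):
            entry = entry.pop(0) if len(entry) > 1 else entry[0]
        return entry


def demo():
    """Constructed scenario: alarm 12345 yields a job that completes on the
    third status poll and returns two flow records."""
    tenant, alarm, job = "301", "12345", "f1a2"
    routes = {
        ASSOCIATED_FLOWS.format(tenant=tenant, alarm=alarm) + "?maxRecords=500":
            Response(200, {"data": {"searchJobId": job, "searchFilter": {
                "startDateTime": "2024-05-01T10:00:00Z",
                "endDateTime": "2024-05-01T11:00:00Z",
                "subject": {"ipAddresses": {"includes": ["10.1.2.3"]}}}}}),
        FLOW_QUERY.format(tenant=tenant, job=job): [
            Response(200, {"data": {"query": {"status": "RUNNING"}}}),
            Response(200, {"data": {"query": {"status": "RUNNING"}}}),
            Response(200, {"data": {"query": {"status": "COMPLETED"}}}),
        ],
        FLOW_QUERY_RESULTS.format(tenant=tenant, job=job):
            Response(200, {"data": {"flows": [
                {"subject": {"ipAddress": "10.1.2.3"}, "peer": {"ipAddress": "203.0.113.9"}},
                {"subject": {"ipAddress": "10.1.2.3"}, "peer": {"ipAddress": "198.51.100.7"}},
            ]}}),
    }
    http = FakeHttp(routes)
    spec, job_id = request_associated_flows(http, tenant, alarm, max_records=500)
    polls, flows = wait_for_results(http, tenant, job_id, sleep=lambda s: None)
    return {"job_id": job_id, "filter": spec, "polls": polls, "flows": flows}


if __name__ == "__main__":
    print(demo())
```

Keeping the returned filter specification alongside the results is worth the extra field in a case record: it lets an analyst see exactly which hosts and time window the Manager searched, and re-run or widen the search with the Flow Search API directly if the alarm context was too narrow.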