Cisco Secure Network Analytics (Stealthwatch) uses NetFlow and other telemetry sources as input to its analytics engine, which detects a variety of threats and can trigger a response.
We developed the Cisco Secure Network Analytics app for Splunk SOAR to retrieve network traffic metadata from the Stealthwatch management console API. The app increases the efficiency of Security Operations Center (SOC) analysts by enriching the context available to them as they investigate security incidents.
The app automates the manual process of logging on to the Cisco Secure Network Analytics management console, entering query parameters, initiating a flow search, waiting for the search to complete, and then populating the Splunk SOAR incident with the relevant data.
This process is known as data enrichment: appending relevant context obtained from an additional source, in this case Cisco Secure Network Analytics, to the SOAR artifact (which contains a suspected malicious IP address). The source code repository includes a sample SOAR playbook, which can be configured to invoke the app automatically as incidents are created, so the incident owner has telemetry from the network infrastructure immediately upon opening the case.
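The search-wait-enrich sequence described above, as an added example that is not the app's own code: the console client is a constructed stand-in whose method names, the `COMPLETED` status value, the search parameters and the `sna*` CEF field names are all assumptions for illustration, not the product's documented API. The bounded poll loop shows the failure mode a playbook must handle, a search that never completes.

```python
import time

# Constructed sample data: one suspect host and three of its flows from the last 24 hours.
SAMPLE_ARTIFACT = {"name": "Suspicious outbound traffic", "cef": {"sourceAddress": "10.0.0.5"}}
SAMPLE_FLOWS = [
    {"peer": "203.0.113.7", "port": 443, "bytes": 48000},
    {"peer": "203.0.113.7", "port": 443, "bytes": 12000},
    {"peer": "198.51.100.9", "port": 8443, "bytes": 900},
]


class FakeConsole:
    """Constructed stand-in for the management console API (assumed shape, not the real
    product API): a search reports IN_PROGRESS for a few polls, then COMPLETED."""

    def __init__(self, flows, polls_until_done=3):
        self._flows, self._polls_until_done, self.polls = flows, polls_until_done, 0

    def start_flow_search(self, params):
        return "query-1"  # constructed search id

    def search_status(self, query_id):
        self.polls += 1
        return "COMPLETED" if self.polls >= self._polls_until_done else "IN_PROGRESS"

    def search_results(self, query_id):
        return self._flows


def run_flow_search(console, params, timeout_s=30.0, interval_s=0.5, sleep=time.sleep):
    """Start a search and poll until COMPLETED; the deadline stops one stuck search
    from hanging the whole playbook run."""
    query_id = console.start_flow_search(params)
    deadline = time.monotonic() + timeout_s
    while console.search_status(query_id) != "COMPLETED":
        if time.monotonic() >= deadline:
            raise TimeoutError(f"flow search {query_id} did not finish in {timeout_s}s")
        sleep(interval_s)
    return console.search_results(query_id)


def enrich_artifact(artifact, flows):
    """Return a copy of the SOAR artifact with summarised flow context in its CEF fields."""
    enriched = {**artifact, "cef": dict(artifact["cef"])}  # never mutate the input artifact
    peers, ports = {f["peer"] for f in flows}, {f["port"] for f in flows}
    enriched["cef"].update(snaFlowCount=len(flows), snaPeerAddresses=sorted(peers),
                           snaPeerPorts=sorted(ports), snaTotalBytes=sum(f["bytes"] for f in flows))
    return enriched


def enrich_suspect_ip(artifact, console, sleep=time.sleep):
    """Playbook-style entry point: search on the artifact's suspect address, then enrich."""
    params = {"subject_ip": artifact["cef"]["sourceAddress"], "hours": 24}
    return enrich_artifact(artifact, run_flow_search(console, params, sleep=sleep))
```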
If your organization uses Splunk SOAR and has, or is considering, Cisco Secure Network Analytics to determine who is on the network and what they are doing, this app provides a seamless integration of the two solutions.