Cisco Stealthwatch Cisco SecureX Integration Guide 7.3

Post on 29-Jan-2021


Table of Contents

Introduction 4
  What's New 4
  Upgrading from 7.2 to 7.3 4
  SecureX Regional Clouds 5
  Guidelines and Limitations for Choosing a Regional Cloud 6
  Contacting Support 6
Stealthwatch Data and SecureX 7
  About the SecureX Ribbon and Pivot Menu 7
    SecureX Ribbon 7
    SecureX Pivot Menu 7
  About Stealthwatch Tiles for the SecureX Dashboard 8
  About Sending Stealthwatch Alarms to Cisco Threat Response 10
  About Stealthwatch Enrichment Data for SecureX 11
  About the Cisco Threat Intel Model 11
  About Translating Stealthwatch Alarms to CTIM Objects 12
  About Translating Stealthwatch Security Events to CTIM Objects 12
Cisco Cloud Accounts 14
  Required Account for SecureX Access 14
  Create an Account to Access SecureX 14
  Manage Access To Your Organization's Cisco Security Account 14
Configuring Stealthwatch and SecureX 15
  Configuring the SecureX Integration 15
    Prerequisites 15
    Procedure 15
  Authorize the SecureX Ribbon and Pivot Menu 18
    Authorize from SecureX Ribbon 18
    Authorize from the SecureX Configuration Page 19
    Unauthorize the current SecureX Ribbon 19
  Configure the Threat Response Incident Action 19
  Verification 21
  Register your SMC in the Cisco Cloud 22
    Automatic Registration Procedure 22
    Link your Accounts 23
    Manual Registration Procedure 23
  Configuring Stealthwatch Integration Module in SecureX 26
    Prerequisites 26
    Procedure 26
  Configuring the SecureX Dashboard with Stealthwatch Tiles 28
Known Issues and Limitations 30

© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 2 -

Introduction

Cisco SecureX is the platform in the Cisco cloud that helps you detect, investigate, analyze, and respond to threats using data aggregated from multiple products and sources.

    This integration enables you to do the following in Stealthwatch:

- Use Stealthwatch tiles on the SecureX dashboard to monitor key operational metrics.
- Use the SecureX context menu to pivot to your other Cisco Security and third-party integrations.
- Provide access to your SecureX ribbon.
- Send Stealthwatch Alarms to the Cisco Threat Response Private Intelligence Store.
- Allow SecureX to request Security Events from Stealthwatch to enrich the investigation context in Threat Response workflows.

To learn more about SecureX, go to the following links:

- SecureX website: https://www.cisco.com/c/en/us/products/security/securex/index.html
- SecureX documentation: https://www.cisco.com/c/en/us/support/security/securex/tsd-products-support-series-home.html

What's New

Version 7.3 includes several enhancements to the integration:

- The configuration options for sending Stealthwatch Alarms to the Cisco Threat Response Private Intelligence Store have been moved from the SecureX Configuration page to Response Management. You can configure rules with a Threat Response Incident action to promote alarms to Cisco Threat Response as incidents. For more information, refer to the About Sending Stealthwatch Alarms to Cisco Threat Response section.
- Added an option that allows automatic registration of your Stealthwatch Management Console (SMC) in Cisco Security Service Exchange (SSE). For more information, refer to the Register your SMC in the Cisco Cloud section.

Upgrading from 7.2 to 7.3

If your SecureX configuration in 7.2 had the option to send Stealthwatch alarms to Cisco Threat Response enabled, the Threat Response Incident action will be automatically configured to continue sending alarms to Cisco Threat Response.

SecureX Regional Clouds

North America
  Links:
  - Threat Response Web Console: https://visibility.amp.cisco.com
  - SecureX Portal: https://securex.us.security.cisco.com
  Supported Stealthwatch integrations:
  - SecureX Pivot Menu
  - SecureX Ribbon
  - Sending Stealthwatch Alarms to Cisco Threat Response
  - Enrichment with Stealthwatch Security Events

Europe
  Links:
  - Threat Response Web Console: https://visibility.eu.amp.cisco.com
  - SecureX Portal: https://securex.eu.security.cisco.com
  Supported Stealthwatch integrations:
  - SecureX Pivot Menu
  - SecureX Ribbon
  - Sending Stealthwatch Alarms to Cisco Threat Response
  - Enrichment with Stealthwatch Security Events

Asia (APJC)
  Links:
  - Threat Response Web Console: https://visibility.apjc.amp.cisco.com
  - SecureX Portal: https://securex.apjc.security.cisco.com
  Supported Stealthwatch integrations:
  - SecureX Pivot Menu
  - SecureX Ribbon
  - Sending Stealthwatch Alarms to Cisco Threat Response

Guidelines and Limitations for Choosing a Regional Cloud

- When possible, use the regional cloud nearest to your Stealthwatch deployment.
- Data in different clouds cannot be aggregated or merged.
- If you need to aggregate data from multiple regions, devices in all regions must send data to the same regional cloud.
- You can create an account on each regional cloud. Data on each cloud will be separate.

Contacting Support

If you need technical support, please do one of the following:

- Contact your local Cisco Partner
- Contact Cisco Stealthwatch Support
- To open a case by web: http://www.cisco.com/c/en/us/support/index.html
- To open a case by email: [email protected]
- For phone support: 1-800-553-2447 (U.S.)
- For worldwide support numbers: www.cisco.com/en/US/partner/support/tsd_cisco_worldwide_contacts.html

Stealthwatch Data and SecureX

About the SecureX Ribbon and Pivot Menu

SecureX Ribbon

The SecureX ribbon is a widget that appears in your SMC UI at the bottom of the page. The ribbon provides a distributed set of capabilities that unify visibility, enable automation, accelerate incident response workflows, and improve threat hunting. These capabilities are presented in the form of applications (apps) and tools in the ribbon.

With the ribbon configured, you can manage your incidents, casebooks, search for observables, initiate investigation and threat hunting, access your other products integrated with SecureX, and more from any page in your SMC.

To configure the ribbon, refer to the Authorize the SecureX Ribbon and Pivot Menu section.

For more information about the ribbon, refer to the Cisco SecureX Ribbon section (https://www.cisco.com/c/en/us/td/docs/security/securex/getting-started-guide/b-securex-getting-started/m-ribbon.html) of the Cisco SecureX Getting Started Guide (https://www.cisco.com/c/en/us/td/docs/security/securex/getting-started-guide/b-securex-getting-started.html).

SecureX Pivot Menu

With the Pivot menu, SecureX provides a central point of access that allows you to leverage Cisco threat intelligence resources with data from other Cisco products.

The Pivot menu links to other products and groups that are integrated with SecureX. You can perform some actions directly in the Pivot menu, or pivot to the integrated product to perform additional actions.

In Stealthwatch, the Pivot menu is available by clicking the (Ellipsis) icon beside applicable IP addresses in the SMC after the SecureX integration is configured.

For more information about functions available from the Pivot menu, refer to the SecureX Pivot menu help topic (https://securex.us.security.cisco.com/help/pivot-menu).

You have to log in to SecureX to view the Pivot menu help.

About Stealthwatch Tiles for the SecureX Dashboard

The following Stealthwatch tiles are available for the SecureX dashboard:

| Tile Name | Description | Available Time Period | Pivots to... |
|---|---|---|---|
| Top Alarming Hosts | Provides the Top 7 inside hosts, sorted by alarm severity, that have been active on your network since the last reset hour. | Last 24 hours | Host Report |
| Alarming Hosts by Category | Top 7 inside hosts, sorted by alarm severity, that have been active on your network since the last reset hour. | Last 24 hours | Network Security Dashboard |
| Top Alarms By Count | Represents the Top 10 alarms by count. | Last 24 hours; Last 7 days | Network Security Dashboard |
| Visibility Assessment | Number of hosts in the Visibility Assessment Categories, including Internal Network Scanners, Remote Access Breach, Possible Malware, Vulnerable Protocol Servers, DNS Risk. | Last 24 hours; Last 7 days | Visibility Assessment Dashboard |
| Network Visibility | Provides statistics for the number of hosts and the amount of traffic. | Last 24 hours; Last 7 days | Visibility Assessment Dashboard |
| Top Inside Host Groups by Traffic | Top 10 Inside host groups by traffic communicated with each other. | Last 12 hours | Host Group Report for Inside Host Group |
| Top Outside Host Groups by Traffic | Top 10 Outside host groups by traffic communicated with the Inside Hosts Group. | Last 12 hours | Host Group Report for Inside Host Group |

To learn how to configure your SecureX dashboard with Stealthwatch tiles, refer to the Configuring the SecureX Dashboard with Stealthwatch Tiles section.

About Sending Stealthwatch Alarms to Cisco Threat Response

When the SecureX integration is configured, you can enable your system to promote Stealthwatch alarms to the Cisco Threat Response Private Intelligence store as Incidents, with corresponding Sightings, Observables and Indicators objects created from the alarm metadata.

This information will be available in the Incident Manager during the investigation process as corresponding Sightings and Indicators derived from the Incident, and in the Cisco Threat Response web console.

The Threat Response Incident action in Response Management, besides general action parameters, allows you to configure the following options:

- Incident Confidence Level: Allows you to choose the confidence level that you want to set for the Incidents sent to Cisco Threat Response.
- Create a new Target entity: Allows you to enable Stealthwatch to designate hosts from the Alarm as Targets in Cisco Threat Response. For more information, refer to the About Translating Stealthwatch Alarms to CTIM Objects section.
  - If you want only internal IP addresses to be included when determining which host information should be sent to Cisco Threat Response, select the Create Targets in Threat Response for internal hosts only option.
  - If you want both internal and external IP addresses to be included when determining which host information should be sent to Cisco Threat Response, select the Create Targets in Threat Response for internal and external hosts option.
- Use host details from the alarm data: Allows you to specify whether the Target object should be built for the Source and Target host, just the Source host, or just the Target host.

For more information, refer to the Configuring Response Management help topic.

- If you configured sending Stealthwatch Alarms to Cisco Threat Response in previous Stealthwatch versions, the Threat Response Incident action will be automatically created.
- Incidents created for Alarms derived from a Relationship policy will not include IP addresses as observables, as this information is not available in the Alarm.
- An Incident will include the Target object only under the conditions specified in the About Translating Stealthwatch Alarms to CTIM Objects section.
- Incidents created from Stealthwatch Alarms can be viewed in the Cisco Threat Response console of your regional cloud. For more information, refer to the SecureX Regional Clouds section.

About Stealthwatch Enrichment Data for SecureX

Once your SMC is registered with the Cisco Security Services Exchange and the Stealthwatch module is configured in SecureX, you will be able to see the enrichment data from Stealthwatch in the Threat Response workflow.

For every valid IP address requested in the investigation, Stealthwatch will return the security events associated with this IP in the form of corresponding Sighting and Indicator objects.

You can configure the following parameters for the returned security events in the SecureX Configuration form:

- Whether to allow investigation requests from SecureX.
- Which Stealthwatch domains to return Security Events from.
- The number of top events to be sent.
- The time period for which to return Security Events.

About the Cisco Threat Intel Model

Before sending to SecureX, Stealthwatch alarms and security events are transformed to Cisco Threat Intel Model (CTIM) objects.

To read more about CTIM, refer to the Threat Intel Model documentation: https://github.com/threatgrid/ctim/tree/master/doc

The key entities used in this translation are listed below:

- Incident - Discrete instance of indicators affecting an organization, as well as information associated with incident response.
- Sighting - A record of the appearance of a cyber observable at a given date and time.
- Observable - A simple, atomic value which has a consistent identity and is stable enough to be attributed an intent or nature: domain names, IP addresses, file hashes, specific devices or users. Stealthwatch shares information only about observables of IP address type.
- Target - The device, identity, or resource that a threat has targeted. A Target is identified by one or more Observables.
- Indicator - Describes a pattern of behavior or a set of conditions which indicate malicious behavior.

About Translating Stealthwatch Alarms to CTIM Objects

Every alarm sent with the Threat Response Incident action is translated to an Incident, a Sighting, an Indicator object, and the relationships between them. The picture below shows the representation of a Stealthwatch alarm in the CTIM model (simplified):

When building a Sighting object for the Incident, Stealthwatch includes Observables with the following constraints:

- Alarms derived from the Relationship Policy Event will not have Observables in the Sighting object.
- Alarms that have Source as “Multiple Source” or Target as “Multiple Destinations” will not include the corresponding Observables in the Sighting object.

Rules for building a Target object for the Sighting are taken from the Threat Response Incident action that processes the alarm, with the following additional constraint:

- The Target object is not included if the alarm source or destination is “Multiple Destinations”.

About Translating Stealthwatch Security Events to CTIM Objects

Upon an investigation request from SecureX, Stealthwatch returns Security Events associated with an IP address.

Every Security Event is translated to the CTIM model Sighting and Indicator objects, with the relationships, as shown in the picture below:

When translating Stealthwatch Security Events to a CTIM object, the following constraints and rules apply:

- Target objects are not included in the Sighting objects for Security Events.
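The two translations described above (alarms promoted through the Threat Response Incident action, and Security Events returned for an enrichment request), as an added, illustrative Python example; this is not Cisco's code and not the SMC's actual translator. It encodes the constraints the guide lists: no Observables for Relationship policy alarms, no Observables and no Target when a host is a “Multiple Source” / “Multiple Destinations” placeholder, Target selection driven by the action's options (confidence level, create Targets, internal hosts only, which host details), and never a Target for a Security Event. The `Alarm` and `IncidentActionConfig` classes, the `transient:` ids, the relationship types and the exact CTIM field names are assumptions made for the example; the CTIM documentation linked above is the authoritative source for the schemas.

```python
"""Illustrative Stealthwatch -> CTIM translation (added example, not Cisco's code).
Field names approximate the public CTIM schemas and are an assumption."""
from dataclasses import dataclass

# Placeholder values an alarm carries when it has no single source/destination host.
MULTIPLE_HOST_PLACEHOLDERS = {"Multiple Source", "Multiple Destinations"}


@dataclass
class Alarm:                      # constructed shape, not the SMC's alarm record
    alarm_id: str
    name: str
    timestamp: str                # ISO 8601
    source_ip: str
    target_ip: str
    policy_type: str              # "Host" or "Relationship" (assumed labels)
    source_is_internal: bool
    target_is_internal: bool


@dataclass
class IncidentActionConfig:
    """Options of the Threat Response Incident action, named after the guide's prose."""
    confidence: str = "High"          # Incident Confidence Level
    create_targets: bool = True       # Create a new Target entity
    internal_hosts_only: bool = True  # Create Targets ... for internal hosts only
    host_details: str = "both"        # Use host details from the alarm data: both | source | target


def ip_observable(ip: str) -> dict:
    # Stealthwatch shares only IP-type observables.
    return {"type": "ip", "value": ip}


def alarm_observables(alarm: Alarm) -> list:
    """Observables for the Sighting, honouring the two constraints from the guide."""
    if alarm.policy_type == "Relationship":
        return []  # Relationship policy alarms carry no IP addresses
    return [ip_observable(ip) for ip in (alarm.source_ip, alarm.target_ip)
            if ip not in MULTIPLE_HOST_PLACEHOLDERS]


def alarm_targets(alarm: Alarm, cfg: IncidentActionConfig) -> list:
    """Target objects per the action's options plus the 'Multiple ...' constraint."""
    if not cfg.create_targets or alarm.policy_type == "Relationship":
        return []
    if alarm.source_ip in MULTIPLE_HOST_PLACEHOLDERS or alarm.target_ip in MULTIPLE_HOST_PLACEHOLDERS:
        return []
    hosts = []
    if cfg.host_details in ("both", "source"):
        hosts.append((alarm.source_ip, alarm.source_is_internal))
    if cfg.host_details in ("both", "target"):
        hosts.append((alarm.target_ip, alarm.target_is_internal))
    if cfg.internal_hosts_only:
        hosts = [h for h in hosts if h[1]]
    return [{"type": "endpoint", "observables": [ip_observable(ip)],
             "observed_time": {"start_time": alarm.timestamp}} for ip, _ in hosts]


def alarm_to_ctim(alarm: Alarm, cfg: IncidentActionConfig) -> list:
    """Incident + Sighting + Indicator and the relationships that tie them together."""
    inc_id = f"transient:incident-{alarm.alarm_id}"
    sig_id = f"transient:sighting-{alarm.alarm_id}"
    ind_id = f"transient:indicator-{alarm.alarm_id}"
    incident = {"type": "incident", "id": inc_id, "title": alarm.name,
                "confidence": cfg.confidence, "status": "New",
                "incident_time": {"opened": alarm.timestamp}}
    sighting = {"type": "sighting", "id": sig_id, "observables": alarm_observables(alarm),
                "observed_time": {"start_time": alarm.timestamp},
                "confidence": cfg.confidence, "targets": alarm_targets(alarm, cfg)}
    indicator = {"type": "indicator", "id": ind_id, "title": alarm.name, "producer": "Stealthwatch"}

    def rel(src, dst, kind):  # relationship types are an assumption
        return {"type": "relationship", "source_ref": src, "target_ref": dst, "relationship_type": kind}

    return [incident, sighting, indicator,
            rel(sig_id, inc_id, "member-of"), rel(sig_id, ind_id, "sighting-of"),
            rel(ind_id, inc_id, "related-to")]


def security_event_to_ctim(event: dict) -> list:
    """Enrichment path: a Security Event becomes Sighting + Indicator, never a Target."""
    sig_id = f"transient:sighting-{event['event_id']}"
    ind_id = f"transient:indicator-{event['event_id']}"
    sighting = {"type": "sighting", "id": sig_id, "observables": [ip_observable(event["ip"])],
                "observed_time": {"start_time": event["timestamp"]}, "targets": []}
    indicator = {"type": "indicator", "id": ind_id, "title": event["name"], "producer": "Stealthwatch"}
    return [sighting, indicator, {"type": "relationship", "source_ref": sig_id,
                                  "target_ref": ind_id, "relationship_type": "sighting-of"}]


if __name__ == "__main__":
    # Constructed sample: an inside host talking to an outside host, default action options.
    sample = Alarm("42", "Suspect Data Hoarding", "2021-01-29T10:00:00Z",
                   "10.1.1.5", "198.51.100.7", "Host", True, False)
    for obj in alarm_to_ctim(sample, IncidentActionConfig()):
        print(obj["type"], obj.get("observables", obj.get("relationship_type", "")))
```

With the default options only the internal source host becomes a Target, while both IPs still appear as Observables on the Sighting; switching to the "internal and external hosts" option adds the outside host as a second Target. The `__main__` block prints the bundle for a constructed alarm so the shape can be compared against what appears in Incident Manager.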

Cisco Cloud Accounts

Required Account for SecureX Access

In order to use SecureX and associated tools, you must have one of the following accounts on the regional cloud you will use:

- Cisco Security Account
- AMP for Endpoints account
- Cisco Threat Grid account

If you or your organization already has any of the above accounts on the regional cloud you will use, use the existing account. Do not create a new account.

Create an Account to Access SecureX

Refer to the SecureX Sign-On Guide (https://www.cisco.com/c/en/us/td/docs/security/securex/sign-on/securex-sign-on-guide.html) for more information on creating your account.

Manage Access To Your Organization's Cisco Security Account

If you are a Cisco Security Account owner or administrator, you can grant additional users access to your organization's Cisco Security Account and manage existing users, including resending the account activation email.

To manage users, complete the following steps:

1. In a browser window, go to your regional Cisco Security Account:
   - North America: https://castle.amp.cisco.com
   - Europe: https://castle.eu.amp.cisco.com
   - Asia (APJC): https://castle.apjc.cisco.com
2. Click Users.
3. Add or edit user access.

If you select Account Administrator, the user will have permissions to grant and manage user access.

Configuring Stealthwatch and SecureX

Configuring the SecureX Integration

Configuring the SecureX integration in Stealthwatch will enable:

- SecureX Pivot Menu in the Stealthwatch UI.
- SecureX Ribbon in the Stealthwatch UI.
- Sending Stealthwatch Alarms to the Cisco Threat Response Private Intelligence Store.

Prerequisites

- SMC v7.2.1 or later
- You have an account to access SecureX (see Required Account for SecureX Access).
- Your SMC must be able to connect outbound to the Cisco clouds:
  - North America clouds:
    - api-sse.cisco.com, port 443
    - visibility.amp.cisco.com, port 443
  - EU clouds:
    - api.eu.sse.itd.cisco.com, port 443
    - visibility.eu.amp.cisco.com, port 443
  - Asia (APJC) clouds:
    - api.eu.sse.itd.cisco.com, port 443
    - visibility.apjc.amp.cisco.com, port 443
- Your Stealthwatch deployment is generating security events and Alarms as expected.
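A quick way to confirm the outbound connectivity prerequisite before creating the API client, as an added Python example that is not Cisco's code: it opens a verified TLS connection to each host and port listed above for a region and reports success or the error seen, which distinguishes a blocked egress rule or DNS failure from a TLS interception problem (a proxy re-signing certificates fails hostname or chain verification here just as it would for the SMC). The host table is copied from the Prerequisites as printed; the region keys, function names and output format are assumptions made for the example.

```python
"""Outbound connectivity check for the SecureX integration prerequisites.
Added example, not Cisco's code. Run it from the SMC's network segment or from a
host that shares the SMC's egress path, since that is the path being tested."""
import socket
import ssl
from dataclasses import dataclass

# Hosts and ports as printed in the guide's Prerequisites, keyed by regional cloud.
CLOUD_ENDPOINTS = {
    "north_america": [("api-sse.cisco.com", 443), ("visibility.amp.cisco.com", 443)],
    "eu": [("api.eu.sse.itd.cisco.com", 443), ("visibility.eu.amp.cisco.com", 443)],
    "apjc": [("api.eu.sse.itd.cisco.com", 443), ("visibility.apjc.amp.cisco.com", 443)],
}


@dataclass
class CheckResult:
    host: str
    port: int
    ok: bool
    detail: str


def check_endpoint(host: str, port: int, timeout: float = 5.0) -> CheckResult:
    """TCP connect followed by a TLS handshake with chain and hostname verification."""
    ctx = ssl.create_default_context()  # verifies against the system trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return CheckResult(host, port, True,
                                   f"{tls.version()} ok, certificate valid until {cert.get('notAfter')}")
    except OSError as exc:  # DNS failure, timeout, refused connection and ssl.SSLError all derive from OSError
        return CheckResult(host, port, False, f"{type(exc).__name__}: {exc}")


def check_region(region: str, timeout: float = 5.0) -> list:
    """Check every endpoint the guide lists for one regional cloud."""
    return [check_endpoint(host, port, timeout) for host, port in CLOUD_ENDPOINTS[region]]


def all_reachable(results: list) -> bool:
    return all(r.ok for r in results)


if __name__ == "__main__":
    import sys
    region = sys.argv[1] if len(sys.argv) > 1 else "north_america"
    results = check_region(region)
    for r in results:
        print(f"{'OK  ' if r.ok else 'FAIL'} {r.host}:{r.port}  {r.detail}")
    sys.exit(0 if all_reachable(results) else 1)
```

Run it with the region key as the only argument (`python check_securex_egress.py eu`); a non-zero exit means at least one endpoint is not reachable with a trusted certificate, which is the same condition under which the SMC's credential validation in the procedure below would fail.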

Procedure

To configure the SecureX integration, complete the following steps:

1. Go to your regional SecureX cloud:
   - North America cloud: https://visibility.amp.cisco.com
   - Europe cloud: https://visibility.eu.amp.cisco.com
   - Asia (APJC) cloud: https://visibility.apjc.amp.cisco.com

2. Sign in using the credentials for your AMP for Endpoints, Cisco Threat Grid, or Cisco Security account.
3. Go to the Integrations tab and then click API Clients under the Settings menu.
4. Click Generate API Client.
5. In the opened dialog, fill in the name and description for the API Client and select the following scopes:
   - Casebook
   - Enrich:read
   - Feedback
   - Global Intel:read
   - Inspect:read
   - Integration
   - Notification
   - Oauth
   - Orbital
   - Private Intel
   - Profile
   - Registry
   - Response
   - Telemetry:write
   - Users
   - Webhook

   The scopes cannot be changed after the API Client has been generated.

6. Click Add New Client.
7. The system will create a Client ID and Client Password for you.

   The Client Password cannot be recovered once you close this window.

8. Log in to your SMC as Primary Admin or Configuration Manager.
9. From the navigation menu, click the (Global Settings) icon and select SecureX Configuration.
10. In the SecureX Configuration section, click Add New Configuration.
11. In the opened form, select the regional cloud used to create the API Client and paste the Client ID and Client Password from Step 6.
12. Select which Integration Options you want to enable, then click Save.

13. The system will validate and store the API credentials.

Authorize the SecureX Ribbon and Pivot Menu

Once the SecureX configuration is complete, you can authorize the SecureX ribbon and Pivot menu from the ribbon on any page on your SMC or from the SecureX configuration page.

The SecureX ribbon authentication widget on the SecureX configuration page shows you the current status of ribbon authorization and allows you to authorize or unauthorize the ribbon.

Authorize from SecureX Ribbon

1. Expand the SecureX ribbon located at the bottom of the page on your SMC.
2. Click Get SecureX. You will be redirected to the SecureX login page.
3. Log in to SecureX with your credentials.

4. You will be asked to authorize the SMC SecureX ribbon client to access SecureX with the specified scopes.
5. Grant Access. You will be redirected to your SMC page with the ribbon open, and you can start using the ribbon on your SMC.

Authorize from the SecureX Configuration Page

1. Log in to your SMC.
2. Click the (Global Settings) icon, then click SecureX Configuration.
3. Open the Actions menu in the SecureX Security Ribbon Authentication widget and click Authorize. You will be redirected to the SecureX login page.
4. Log in to SecureX with your credentials.
5. You will be asked to authorize the SMC SecureX ribbon client to access SecureX with the specified scopes.
6. Grant Access. You will be redirected to your SMC page with the ribbon open, and you can start using the ribbon on your SMC.

If you need to use the SecureX Ribbon under another SecureX account, you need to unauthorize your current user and authorize again with the new one.

Unauthorize the current SecureX Ribbon

1. On the SecureX Configuration page, open the Actions menu in the SecureX Security Ribbon Authentication widget and click Unauthorize.
2. Authorize with another user following the steps above.

Configure the Threat Response Incident Action

If you configured sending Stealthwatch Alarms to Cisco Threat Response in previous Stealthwatch versions, the Threat Response Incident action will be automatically created.

To configure the Threat Response Incident action in Response Management, complete the following steps:

1. Log in to the Stealthwatch Management Console.
2. Click Configure > Response Management.
3. Click the Actions tab, then click Add New Action > Threat Response Incident.
4. Fill out the form and click Save.

For more information about the action options, refer to the About Sending Stealthwatch Alarms to Cisco Threat Response section and the Configuring Response Management help topic.

Verification

1. Verify that your SMC has the SecureX Pivot menu and ribbon available.
   - For the SecureX Pivot menu:
     - Open any page in the SMC that contains a relevant IP address.
     - Click the (Ellipsis) icon beside the applicable IP address.
     - In the pop-up menu that appears, click the arrow next to SecureX. A secondary pop-up menu appears with menu content.
   - For the SecureX ribbon:
     - Navigate to any page in your SMC. Click the (SecureX ribbon) icon at the bottom of the page to expand the widget.
2. Verify your Stealthwatch alarm in SecureX:
   a. Wait until Stealthwatch detects a Critical or Major Security Alarm, or generate a test security alarm.
   b. Log in to your regional SecureX cloud.
   c. Navigate to the Incidents app in the SecureX ribbon, or Incident Manager in Cisco Threat Response.
   d. Your Alarm should be available in the list.

Register your SMC in the Cisco Cloud

The Cisco Security Services Exchange (SSE) cloud is available for your SMC in Central Management. Registering your SMC in the SSE cloud will allow SecureX to retrieve enrichment data, such as Security Events, from your SMC to be included in the investigation workflows, and to retrieve Stealthwatch tiles for the SecureX dashboard.

For more details, refer to the About Stealthwatch Enrichment Data for SecureX and About Stealthwatch Tiles for the SecureX Dashboard sections.

- SSE is enabled by default.
- If you use Automatic Registration, you will need to link your SSE account and your Smart Licensing Account.

If you're using a custom SMC Identity certificate that is different from the default SMC Identity certificate, contact technical support, as your SMC may require additional configuration steps.

Automatic Registration Procedure

Your SMC will automatically register in the SSE cloud if the following conditions are met:

- The SSE option is enabled for your SMC under External Services.
- Your SMC is not already registered in SSE.
- Your product is registered with Cisco Smart Software Licensing. For more information, refer to the Smart Software Licensing guide (https://www.cisco.com/c/en/us/support/security/stealthwatch/products-licensing-information-listing.html).

To enable or disable SSE, complete the following steps:

1. Log in to the Stealthwatch Management Console.
2. Click the (Global Settings) icon, and then click Central Management.
3. Click the (Ellipsis) icon under the Actions column for your SMC, then click Edit Appliance Configuration.
4. Click General.
5. Under External Services, check or uncheck the Cisco Security Services Exchange check box to enable or disable automatic registration.
6. Click Apply Settings.

Link your Accounts

To link your Smart Licensing Account with your Cisco Security Services Exchange account, complete the following steps:

1. Go to your regional SecureX cloud and log in using the credentials for your AMP for Endpoints, Cisco Threat Grid, or Cisco Security account.
2. Click the Administration tab. Choose Devices > Manage Devices to be taken to Security Services Exchange.
3. Click the (Tools) icon, then click Link Smart/Virtual Accounts.
4. Select your Smart account from the pop-up with the list of accounts.

Manual Registration Procedure

To manually register your SMC in Cisco Secured Exchange Cloud, complete the following steps:

1. Go to your regional SecureX cloud and log in using the credentials for your AMP for Endpoints, Cisco Threat Grid, or Cisco Security account.
2. Click the Administration tab. Choose Devices > Manage Devices to be taken to Security Services Exchange.
3. Click the Devices tab and then click the (Add Devices and Generate Tokens) icon located on the right of the page, above the table with your devices.

4. In the opened dialog, click Continue and let the system generate a token for your device.
5. Copy the generated token to the clipboard or save the generated token to a file.
6. Log in to your SMC as Primary Admin or Configuration Manager.
7. From the navigation menu, click the (Global Settings) icon and select SecureX Configuration.

8. In the Device Registration section, click New Device Registration.
9. In the opened dialog, select the Cloud Region that matches your SecureX regional cloud and insert the Security Services Exchange token generated and saved in step 5. Click Save.
10. The device will be registered in Cisco Security Services Exchange and the status will show as Enrolled.
11. Verify the status of the device in the Cisco Security Services Exchange portal. The status of the device should show as Registered.

Configuring Stealthwatch Integration Module in SecureX

For SecureX to retrieve enrichment data and dashboard tiles from Stealthwatch, the integration module must be configured.

Prerequisites

- Your SMC is registered in the Cisco Security Services Exchange cloud.
- Cisco Threat Response is enabled in the Cisco Security Services Exchange portal under Cloud Services.

Refer to the Register your SMC in the Cisco Cloud section for more details.

Procedure

To configure the Stealthwatch module in SecureX, complete the following steps:

1. Go to your regional SecureX cloud and log in using the credentials for your AMP for Endpoints, Cisco Threat Grid, or Cisco Security account.
2. Go to the Integrations tab and then click Integrations under the Settings menu.
3. Click Add New Module. The Available Integrations page opens.

4. Find the Stealthwatch Enterprise module and click Add New Module.
5. In the opened dialog:
   a. Name your module.
   b. In the Registered Device drop-down, locate your SMC.
   c. Click Save.
6. Verify that Threat Response can retrieve enrichment data from your SMC. To do this:
   a. Review your SMC Security Dashboards and note an IP that generates security events.
   b. Enter this IP into the Investigation search panel in Threat Response.
   c. The graph should show you other hosts involved in Security Events with the requested host.
   d. The Sightings will represent the security events associated with the requested host.

Configuring the SecureX Dashboard with Stealthwatch Tiles

The Stealthwatch Enterprise Integration Module has to be configured before adding Stealthwatch tiles to the SecureX dashboard.

To add Stealthwatch tiles to the dashboard, complete the following steps:

1. In a browser window, go to your regional SecureX portal:
   - North America: https://securex.us.security.cisco.com
   - Europe: https://securex.eu.security.cisco.com
   - Asia (APJC): https://securex.apjc.security.cisco.com
2. Log in using your Cisco Security or Cisco Threat Grid account.
3. On the dashboard menu bar, click New Dashboard to open the Create Dashboard form.
4. In the opened dialog, fill in the Dashboard Name and locate the Stealthwatch Enterprise module under Available Tiles.
5. Expand Stealthwatch Enterprise and select the tiles you want to add to the dashboard.

6. Click Save.
7. The tiles you selected will appear on the dashboard layout with relevant data.

Known Issues and Limitations

- Failover is not supported for the SecureX integration in v7.3. The configuration needs to be repeated on the secondary SMC for the integration to work.
- Backup and Restore is not supported for Device Registration in the Cisco Security Services Exchange Cloud portal. The Device Registration panel in the SecureX configuration on your SMC shows the actual status of the device registration in the cloud; therefore, restoring the device registration configuration from a backup is not possible. If the registration is deleted after the backup, it will have to be redone after the restore.

Copyright Information

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
