In the last blog post, I went through the initial installation and setup of StealthWatch. In this blog post, I'll go through the dashboard of the SMC.
My deployment has been up for some time now, so it has some traffic, but I'm not running any terribly interesting traffic through it. During the course of these blog posts, I'll switch between two systems I have access to in order to show you readers some cooler stuff.
To start, navigate to the URL of your SMC in your browser and login. The initial page you will get is the StealthWatch web dashboard. This is the default view of the Web App interface:
The dashboard is broken out to several parts. First we're going to look at the header on the very top:
The first button is the Launch SMC button. This launches the SMC Java App, where we'll probably be working for the majority of these blog posts. Clicking it launches a Java app that allows us to view the reports and information that StealthWatch has gathered.
Next to that button is the search field. In this field, we can search for both users and IP addresses that StealthWatch has seen on the network:
Next to that is a Help menu for viewing documentation and help pages. Throughout the entire SMC app, there are many shortcuts to help content that describe the page you're on, which is very useful if you're starting out:
The last button next to that minimizes the menu bar on the lefthand side of the screen.
Below this top bar are the Alarm summaries:
By clicking on any of these alarm summaries, you will be taken to a dashboard for that specific alarm, where you can see more information on what violation took place:
By clicking on the details summary, you can gather even more information on why the alarm was triggered. In this case, the IP address 10.201.3.149, which is a host in the Sales and Marketing department, performed a scan on three servers:
Let's check the C&C alarm really quickly. From this, we can see that it looks like a host in Sales and Marketing successfully reached out and contacted a Command and Control server:
Drilling into it further, I can see that this same host contacted two different C&C servers, both located in Germany:
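To make the scan alarm above a little more concrete, here is an added example of the kind of flow-based heuristic that surfaces a host talking to several servers across many ports. It is my own illustration, not code from the blog post or from Cisco StealthWatch, and the flow records, the thresholds and the `Flow` structure are all assumptions I constructed for it (StealthWatch's real detection logic is not described on this page).

```python
"""Added example: a toy flow-based scan heuristic.

Not StealthWatch code. Flow records below are constructed for illustration
and the thresholds are assumed values, not the product's real tuning.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One summarized network flow, as a collector would export it (assumed shape)."""
    src: str      # source IP address
    dst: str      # destination IP address
    dport: int    # destination port
    bytes_: int   # bytes sent by the source


# Constructed sample flows. 10.201.3.149 is the scanning host from the post:
# it touches three servers on a spread of ports with tiny payloads.
# 10.201.3.50 is ordinary client traffic to two servers and should not be flagged.
SAMPLE_FLOWS = [
    Flow("10.201.3.149", "10.201.0.10", 22, 60),
    Flow("10.201.3.149", "10.201.0.10", 80, 60),
    Flow("10.201.3.149", "10.201.0.11", 443, 60),
    Flow("10.201.3.149", "10.201.0.11", 3389, 60),
    Flow("10.201.3.149", "10.201.0.12", 445, 60),
    Flow("10.201.3.149", "10.201.0.12", 8080, 60),
    Flow("10.201.3.50", "10.201.0.10", 443, 48_200),
    Flow("10.201.3.50", "10.201.0.10", 443, 51_000),
    Flow("10.201.3.50", "10.201.0.11", 80, 12_900),
]


def scan_candidates(flows, min_targets=3, min_ports=5):
    """Return {src: sorted list of targets} for every source that contacted at
    least `min_targets` distinct hosts and probed at least `min_ports` distinct
    destination ports in total. Both thresholds are assumed example values.
    """
    targets = defaultdict(set)
    ports = defaultdict(set)
    for flow in flows:
        targets[flow.src].add(flow.dst)
        ports[flow.src].add(flow.dport)
    return {
        src: sorted(targets[src])
        for src in targets
        if len(targets[src]) >= min_targets and len(ports[src]) >= min_ports
    }


if __name__ == "__main__":
    for src, hosts in scan_candidates(SAMPLE_FLOWS).items():
        print(f"{src} scanned {len(hosts)} servers: {', '.join(hosts)}")
```

The point of the example is the two-dimensional threshold: a busy client also reaches many hosts, so counting distinct targets alone produces false alarms, and it is the combination with a wide spread of ports and small byte counts that makes the "scan" verdict credible. Real products layer many more signals on top of this, which is why the alarm detail view in the SMC is worth reading before acting on a single alarm.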
Going back to the dashboard, there's a graphical summary of alarms that shows the top alarms by type for the last 7 days, today's alarms, and the top applications. In this picture, I'm switching to a much busier and nastier network so you can get an idea of what this could look like:
In the alarm types and today's alarms panels, you can click on any of the alarms to pull up more information about it, filtered by the type and the day you clicked on:
Just like in the last step, you can click on the detail summary to pull up more information about the specific targeted hosts:
At the bottom of the dashboard is the Flow Collection Trend, which shows the flows per second detected per collector over the last 24 hours:
The Flow Collection Trend can show you high-level spikes in traffic as well as capacity-handling information for a specific collector.
On the left side of the screen is the main menu:
The main menu is broken out into several parts. Clicking on the Admin User option opens a drop-down that lets you go either to a page where you can administer the appliance or to one where you can manage the associated appliances:
By choosing Administer Appliance, a page pops up with different options to manage the SMC appliance itself:
By clicking on System Management, you'll be taken to a dashboard to manage your different StealthWatch systems including installing updates and viewing update logs:
Back in the main menu, I'll go through some of the options.
Dashboard - This brings you back to the dashboard view described above.
Network - This is where you can view host and user data:
- Clicking on the Hosts sub-tab displays a list of active hosts so you can analyze network activity by IP address.
If you click on a host address here, you can pull up the trend and alarm information for the last 7 days and 24 hours, search the flow history, and classify the device into a Host Group (we will cover this later). If StealthWatch is integrated with ISE via pxGrid, you may also be able to quarantine and unquarantine the endpoint here and see additional contextual information, such as the user and session history gathered from ISE:
- Clicking on the Users sub-tab displays a list of active users so you can analyze network activity by user:
By clicking on a user, you can see all their active devices on the network and their information.
Flows - From the Flows tab, you can run new flow queries and new host queries, use saved queries, and view the saved results of previous queries.
Tools - Contains mostly administrative functions, which I'll go over:
- The Settings sub-tab allows you to integrate with Active Directory and ISE, and to upload and install any applicable software updates.
- The Network Classification sub-tab allows you to review the hosts presumed to be network scanners and classify them by assigning them to a Host Group.
- The Custom Events sub-tab allows you to create security events that are not included by default in the StealthWatch system.
- The Custom Applications sub-tab allows you to define applications that are not included in the default list provided by StealthWatch. This could include home-brewed, business-critical applications running in your network.
- The Job Management sub-tab allows you to view the available results of jobs that are in progress, completed, or previously cancelled.
That ends my blog post on the StealthWatch Web App Dashboard. In my next posts, I'll dig into the administration of the appliances.