StealthWatch SMC Client Part 1 - Overview

In this post, we're going to dig into the SMC Client and learn its structure a bit better. This will help us navigate around the StealthWatch system and find valuable information.

You can reach the StealthWatch SMC Client by going to the SMC URL and signing in. After you sign in, click on the blue button on the top of the browser that says Launch SMC. This will open the following client:

The SMC Client has three main parts of the interface:

  • The Main Menu, which is the top bar. This allows you to perform various activities within the SMC and configure different options. You may or may not see the whole thing depending on your login privileges, what you have selected in the enterprise tree, and what you clicked in a particular SMC dashboard.
  • The Enterprise Tree on the left-hand side which is a visual representation of your monitored network. What you select in this tree affects what you see in the main menu and other SMC dashboards.
  • The Dashboard/Document area is the middle work pane which is where you see detailed contextual data about the monitored network. This area allows you to filter the information and drill into specific data.

Main Menu

  • File - Use to save, print, share, and schedule documents
  • Edit - Use to change how dates display in the SMC client, define the preferred PDF reader for viewing SMC documents for printing, enable/disable the Tip of the Day feature, and define the preferred web browser for viewing the Appliance Administration user interface
  • View - Use to open a new instance of the SMC client interface, create custom SMC dashboards, filter data in an open SMC dashboard, and refresh the enterprise tree
  • Top - Use to view ad hoc dashboards that display data specifically related to the characteristics noted in the option name
  • Status - Use to view ad hoc dashboards that display data specifically related to the characteristics noted in the option name
  • Security - Use to view data related to questionable behavior such as hosts that are the source or victims of threats, unauthorized file-sharing activities, and worms
  • Hosts - Use to view data about hosts including individual host activity, trends in host behavior, active and inactive hosts, and individual user activity
  • Traffic - Use to view traffic trends and statistics according to the specific criteria including Domains, Interfaces and Host Groups
  • Reports - Use to run common queries
  • Flows - Use to analyze real-time and historical flow data in various ways, including flows across a domain, host groups, FlowCollectors, etc.; network and server performance; flow traffic; peer vs. peer or port reports; time vs. peer or port reports; and so on
  • Configuration - Use to perform administrative tasks such as adding elements to the monitored network (domains, host groups, FlowCollectors), modifying system settings, configuring services and applications, and managing users
  • Help - Use to find answers about any function or feature of the SMC client and to manage licenses for StealthWatch features

Enterprise Tree

The enterprise tree shows you the structure of your monitored network. What you see in the work pane and the main menu depends on what you have selected in the enterprise tree. The enterprise branch in the enterprise tree represents the top collection point of all the SMC management options.

  • The top two levels are the SMC and the SLIC feed. The SLIC Threat Feed is an online intelligence service from Lancope that delivers a regular feed of threats to StealthWatch via a secure channel. The service provides dynamic information about specific command and control servers that are suspected of being responsible for bot activity. 
  • Channel in the above screenshot represents a domain. Domains are distinct areas of the network that the SMC is monitoring; each has its own reporting structure to keep data and policies separate from other domains. The domain is the top level of reporting for host groups, network devices and entities.
  • Host Groups are virtual containers for multiple host IP addresses with similar attributes such as location, function, topology, etc. There are a few default host groups included in the SMC:
    • Inside Hosts - Contains all hosts that have been specifically defined as part of your network
    • Outside Hosts - Contains all hosts that are not specifically defined as part of your network. By default, Outside Hosts contains the Countries host group, where outside hosts are categorized according to the country in which each resides
    • Command & Control Servers - Contains malicious hosts that SLIC has identified as known sources of malicious activity and this list is updated dynamically. 
  • VM Servers - Represents the VMs being monitored by the StealthWatch FlowSensor VE on the network.
  • FlowCollectors - Will allow you to see the list of FlowCollectors sending information to the SMC in the domain. If you expand the FlowCollector, you can see any associated FlowSensor appliances, exporters, and firewalls. 
  • Identity Services - Represents identity sources such as Cisco ISE, ASA, Palo Alto, etc.
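The nested host groups above behave like a longest-prefix lookup: a host belongs to the most specific group whose address range contains it, it also counts toward every parent group above that (which is why a parent group's dashboard includes it), and anything not defined as inside lands in Outside Hosts. The following is an added Python example of that classification, not StealthWatch's own code; the group names and CIDR ranges are constructed for the illustration.

```python
"""Host-group classification by most-specific prefix.
Added example, not StealthWatch's own logic; groups and ranges are constructed."""
import ipaddress
from typing import List, Tuple

# Constructed host-group tree: "Parent/Child" names map to address ranges.
# 203.0.113.7 stands in for an entry the SLIC feed would populate (assumed).
HOST_GROUPS = {
    "Inside Hosts": ["10.0.0.0/8", "192.168.0.0/16"],
    "Inside Hosts/Servers": ["10.1.0.0/16"],
    "Inside Hosts/Servers/DNS": ["10.1.53.0/24"],
    "Outside Hosts/Command & Control Servers": ["203.0.113.7/32"],
}


def _networks() -> List[Tuple[ipaddress._BaseNetwork, str]]:
    nets = []
    for name, cidrs in HOST_GROUPS.items():
        for cidr in cidrs:
            nets.append((ipaddress.ip_network(cidr), name))
    # Longest prefix first, so a nested (more specific) group wins over its parent.
    nets.sort(key=lambda pair: pair[0].prefixlen, reverse=True)
    return nets


NETWORKS = _networks()


def classify(ip: str) -> str:
    """Most specific host group containing ip; undefined space is Outside Hosts."""
    addr = ipaddress.ip_address(ip)
    for net, name in NETWORKS:
        if addr in net:          # False (not an error) when IP versions differ
            return name
    return "Outside Hosts"


def groups_for(ip: str) -> List[str]:
    """Every group the host belongs to, most specific first. A host in
    Inside Hosts/Servers/DNS is also in Inside Hosts/Servers and Inside Hosts."""
    parts = classify(ip).split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def is_inside(ip: str) -> bool:
    return groups_for(ip)[-1] == "Inside Hosts"


if __name__ == "__main__":
    for host in ("10.1.53.10", "10.9.9.9", "203.0.113.7", "198.51.100.4"):
        print(host, groups_for(host), "inside" if is_inside(host) else "outside")
```

The ordering step is the part worth keeping in mind when you build your own groups: if two ranges overlap, the host shows up under the narrower one in the tree, and the parent dashboards still count it.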


Alarms

From the branches in the Enterprise Tree, you can see if you have an alarm condition somewhere in the network based on the color:

To view an alarm on any given object, right-click the object and navigate to Status>Alarm Summary.


This will open up the Alarm Summary dashboard:


Host Group Dashboard

The Host Group Dashboard provides information about high concern and high target hosts as well as alarm trend information affecting the selected host group. To navigate to the Host Group Dashboard, right-click on a host group and choose Host Group Dashboard:


The Host Group Dashboard should display:

Click on the Alarm Summary tab to view the alarms for this host group in graphical format:

In the tabular view, right-click an IP address and choose Host Snapshot to open a Host Snapshot containing the information behind what the dashboard is presenting:


This should display the Host Snapshot:

There will be a few other details on this page:

  • Filter button - Provides the ability to narrow the information you are seeing using this filter
  • Domain - This is the domain where the host is located
  • Host - IP address of the host being observed
  • Time - Timeframe during which the data was observed
  • << >> - To move forward and backward through the data in the dashboard
  • <Refresh-Button> - Any time you want to manually refresh the data in the dashboard

By default, the Top Active Flows section shows the active flows for the selected host. Clicking the down arrow at the top lets you turn Auto Refresh on or off. When the check mark is shown, the data refreshes automatically every few minutes.

Some of the tabs on the Host Snapshot include the following:

Identification tab - Identifies the host and lists the status and information on the alerts, the FlowCollector that observed this client, client services, domain, operating system, server applications, and server services.

Alarms tab - Lists summary and detailed information about the alarms associated with the host.

Security tab - This displays information about security indices, touch information and traffic summary. 

Security Events tab - Gives you information on the security events reported for this host.

Top Active Flows tab - Lists information about the most recent flows and the high traffic flows for the host

Identity, DHCP & Host Notes tab - In the lab I'm using, which is just replaying PCAP data, there's nothing to display here, but in a production environment it would show information about the host provided by StealthWatch IDentity or Cisco ISE.

Exporter Interfaces tab - This is to view the closest interface, the interfaces seeing the source and destination in the active flows:

One thing worth noting on the Current Utilization bar:

The first, shorter line on the bar above marks the maximum utilization seen during this time period. The second, longer line is the threshold at which an alarm would fire for high utilization.

Interface Summary Dashboard and Interface Traffic Dashboard

If you want to dig into the traffic of one of the interfaces above a little more, right-click the current utilization for that interface and choose Interface Summary Dashboard.

This opens the Interface Summary Dashboard, where you can quickly view the Top Active Conversations inbound/outbound for this particular interface as well as the utilization and traffic seen. This window shows the last 6 hours, but you can filter it for any timeframe you want:

Another useful thing you can do from this page is drill into any of these graphs by clicking the Go To button, which is represented by a green arrow:

Pressing the Go To button for the Utilization Inbound graph, I get taken to a dashboard where I can drill into different graphs on traffic, packets, utilization and a tabular view:


Going back to the Current Utilization, we can also navigate to the Interface Traffic Dashboard as well:

This page gives you a nice graphical view of the interface's service traffic, utilization over time, application traffic, and DSCP traffic. Hover the cursor over a graph to see which type of traffic each color represents:


Flow Table

From the Host Group Dashboard, you can highlight any row, right-click and choose Flow>Flow Table to drill down on that flow:

The Flow Table opens for the host you are viewing. The Flow Table includes data for hosts that have translated IP addresses.  You can click the Filter button on top to focus on a larger or smaller timeframe if needed. 

One thing to note with the color scheme: 
-Tables that are blue indicate the client-side data that is being displayed
-Tables that are yellow indicate that server-side data is being displayed in that table

You can show and hide data by right-clicking on the top field of a column.


Quick View

Another way to see more information about a flow is through the Quick View. To display the Quick View for a flow, select a row in the table and press the space bar:

From here, you can see a graphical view of the selected flow from the client to the server and back as well as detailed information about the interface:

Some of the key highlights here:

  • Active Duration - This shows the active duration of a conversation between the client and the server
  • Service Summary and Application - Information for which services/applications were used over which ports
  • Bytes and packet information - Shows how much data was transferred 
  • Client - Shows which hosts acted as a client vs a server
  • Server - Shows which server on the network is in communication with the client

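The client/server coloring in the Flow Table and the Quick View fields above (Active Duration, Client, Server, bytes and packets) all come from pairing the two unidirectional records of a conversation. The following added Python example, which is not StealthWatch's own stitching logic, does that over a handful of constructed NetFlow-style records (the record layout, timestamps and addresses are assumptions for the illustration), decides which end is the client, and flags one-sided flows that would show only client-side data.

```python
"""Stitch unidirectional flow records into bidirectional conversations.
Added example, not StealthWatch's own logic; record layout is assumed."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Rec(NamedTuple):          # one NetFlow-style record (constructed layout)
    start: int                  # seconds; constructed timestamps
    end: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int
    pkts: int
    flags: str                  # TCP flag letters seen in this direction


# Constructed sample: a DNS lookup, an HTTPS session to a host in the
# 203.0.113.0/24 documentation range, and a lone inbound SYN that got no reply.
RECORDS = [
    Rec(1000, 1012, "10.1.2.3", 51234, "10.1.53.10", 53, "udp", 70, 1, ""),
    Rec(1000, 1012, "10.1.53.10", 53, "10.1.2.3", 51234, "udp", 150, 1, ""),
    Rec(1005, 1060, "10.1.2.3", 49152, "203.0.113.7", 443, "tcp", 2400, 30, "SAPF"),
    Rec(1005, 1061, "203.0.113.7", 443, "10.1.2.3", 49152, "tcp", 91000, 120, "APF"),
    Rec(1100, 1100, "203.0.113.9", 40000, "10.1.2.3", 22, "tcp", 60, 1, "S"),
]

Endpoint = Tuple[str, int]


def conversation_key(r: Rec):
    """Direction-independent key so both halves of a flow land together."""
    return (r.proto,) + tuple(sorted([(r.src, r.sport), (r.dst, r.dport)]))


def pick_client(recs: List[Rec]) -> Endpoint:
    """The client is whoever sent the SYN. Without one (UDP, or a flow that was
    already up when collection started) fall back to the higher, ephemeral port."""
    for r in recs:
        if r.proto == "tcp" and "S" in r.flags:
            return (r.src, r.sport)
    ends = {(r.src, r.sport) for r in recs} | {(r.dst, r.dport) for r in recs}
    return max(ends, key=lambda e: e[1])


def stitch(records: List[Rec] = RECORDS) -> Dict[Tuple[str, str, int], dict]:
    """Return bidirectional flows keyed by (client_ip, server_ip, server_port)."""
    groups = defaultdict(list)
    for r in records:
        groups[conversation_key(r)].append(r)
    flows = {}
    for recs in groups.values():
        client = pick_client(recs)
        ends = {(r.src, r.sport) for r in recs} | {(r.dst, r.dport) for r in recs}
        server = (ends - {client}).pop()
        c_side = [r for r in recs if (r.src, r.sport) == client]
        s_side = [r for r in recs if (r.src, r.sport) == server]
        flows[(client[0], server[0], server[1])] = {
            "proto": recs[0].proto,
            "client": client,
            "server": server,
            "active_duration": max(r.end for r in recs) - min(r.start for r in recs),
            "client_bytes": sum(r.nbytes for r in c_side),
            "client_pkts": sum(r.pkts for r in c_side),
            "server_bytes": sum(r.nbytes for r in s_side),
            "server_pkts": sum(r.pkts for r in s_side),
            # One-sided flows (scans, blocked connections) have no server data,
            # which is what an empty server-side (yellow) table means.
            "bidirectional": bool(c_side) and bool(s_side),
        }
    return flows


if __name__ == "__main__":
    for key, flow in stitch().items():
        print(key, flow)
```

The heuristic in pick_client is the point to be careful about when reading the Flow Table: if the collector never saw the SYN, the client/server assignment is a guess based on port numbers, and a service running on a high port can be shown as the client.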

Click on the Interfaces tab of the Quick View to display information about interfaces for the specific flow:

Click on the Table tab of the Quick View to display a quick and easy view of data:

In some cases, it provides a quick way to view filtered data in other dashboards. 


Help and Other Navigation Tips

One thing to be aware of: if you need help or more information on any dashboard in the SMC Client, just press F1 and help will appear for the specific dashboard you are on. The online Help loads in a web page and opens at the section for the active dashboard.

You can close all of the open tabs by right-clicking at the top and selecting Close All.

In the top right of the SMC Client, you can search all documents for any particular username or IP address:

After searching for an IP address, double-click an IP in the search results to launch the Host Snapshot dashboard: