Cisco Stealthwatch Cloud

On-Premise Sensor Deployment Lab


LTRSEC-2240
Speakers:
Peter Johnson
Bob Baughman

1|Page
About This Lab
Stealthwatch Cloud is a cloud-based, Software-as-a-Service (SaaS)-delivered solution that consists of
two primary offerings: Public Cloud Monitoring and Private Network Monitoring.
Public Cloud Monitoring provides visibility and threat detection for public cloud infrastructure such
as AWS, GCP and Microsoft Azure, and can be used in combination with Private Network Monitoring or
Cisco Stealthwatch Enterprise to cover the entire network. It is a cloud-delivered, SaaS-based
solution that can be deployed easily and quickly.
In AWS environments, Stealthwatch Cloud can be deployed without software agents, instead relying
on native AWS sources of telemetry, such as its Virtual Private Cloud (VPC) flow logs. Using VPC flow
logs, Stealthwatch Cloud models all IP traffic generated by an organization’s resources and functions
whether they are inside the VPC, between VPCs, or to external IP addresses. Stealthwatch Cloud is
also integrated with additional AWS services like Cloud Trail, Cloud Watch, Config, Inspector, Identity
and Access Management (IAM), Lambda, and more.
Stealthwatch Cloud can likewise be deployed without software agents on Google Cloud Platform
(GCP) and Microsoft Azure. GCP refers to its flow telemetry as VPC flow logs; Azure's equivalent is
NSG flow logs. Additional cloud service integrations are forthcoming.
Private Network Monitoring provides visibility and threat detection for the on-premises network,
delivered from the cloud as a SaaS solution. It is the perfect solution for organizations who prefer
SaaS products and desire better awareness and security in their on-premises environments while
reducing capital expenditure and operational overhead. It works by deploying lightweight software
in a virtual machine or server that can consume a variety of native sources of telemetry or extract
metadata from network packet flow. It encrypts this metadata and sends it to the Stealthwatch
Cloud analytics platform for analysis. Stealthwatch Cloud consumes metadata only. The packet
payloads are never retained or transferred outside the network.
This lab focuses on configuring a Stealthwatch Cloud Private Network Monitoring (PNM) Sensor to
provide visibility, identify active threats, and monitor user and device behavior within
on-premises networks.
The Stealthwatch Cloud PNM Sensor is an extremely flexible piece of technology that can be used in a
number of different deployment scenarios. It can be deployed as a complete Ubuntu-based virtual
appliance on different hypervisors (e.g. VMware, VirtualBox), or on hardware running a number of
different Linux-based operating systems.
See Appendix E for supported deployment options.
In this lab, the sensor software runs on a modified CentOS 7-based VM built to behave as the
Ubuntu-based VM appliance would when deployed on a VMware-based hypervisor.

Limitations
Certain parts of the deployment and configuration process were skipped due to dCloud
environment restrictions.
• This lab skips the initial OVF deployment procedure required for the PNM Sensor, the
assignment/configuration of management IP addresses for the Sensor, and the creation of the
admin user account. The process is documented in Appendix C for reference.
• This lab contains information for integrating Amazon Web Services (AWS) with SWC, but
requires the lab user to provide their own AWS account.
• This lab contains information for integrating Google Cloud Platform (GCP) with SWC, but
requires the lab user to provide their own GCP account.
• This lab contains information for integrating Microsoft Azure with SWC, but requires the lab user
to provide their own Azure account.

Requirements
The table below outlines the requirements for this deployment lab.

Required                      Optional
Laptop                        Cisco AnyConnect®
Stealthwatch Cloud Account    AWS Account
                              Google Cloud Account
                              Microsoft Azure Account

About This Solution


In a multi-cloud world, IT managers are quickly realizing the benefits of cloud computing services
such as infrastructure as a service. IaaS providers such as AWS allow organizations to more rapidly
and cost-effectively prototype new applications. Instead of procuring, installing, and managing
hardware – which could take months to accomplish – you can easily use the on-demand and scalable
compute services within AWS. This allows you to focus your resources on applications rather than on
managing the data center and physical infrastructure. With the use of IaaS, expenses shift from fixed
costs for hardware, software, and data center infrastructure to variable costs based on the usage of
compute resources and the amount of data transferred between the private data center and the
IaaS provider. Therefore, you must also be able to monitor the usage of such resources for cost
tracking and/or internal billing purposes.
Cisco® Stealthwatch Cloud (SWC) improves security and incident response across the distributed
network - from the private network and branch office to the public cloud. This solution addresses
the need for digital businesses to quickly identify threats posed by their network devices and cloud
resources, and to do so with minimal management, oversight, and security manpower.

Topology
This lab includes preconfigured users and components to complete the configuration process. Most
components are fully configurable with predefined administrative user accounts. You can see the IP
address and user account credentials to use to access a component by clicking the component icon
in the Topology menu of your active session and in the scenario steps that require their use.

Equipment Details

Name                Description                                             IP Address       Username        Password
SWC-PNMS            Stealthwatch Cloud Private Network Monitoring Sensor    198.18.128.141   swcadmin        C1sco12345
SWC-CDS             Network Traffic Simulator for Stealthwatch Cloud        198.18.128.140   root            lan1cope
Workstation1        Windows 7                                               198.18.133.36    administrator   C1sco12345
Stealthwatch Cloud  Lab portal for Stealthwatch Cloud at                    N/A (see URL)    swcadmin        2019CLUS##x
Account             https://cisco-sevt.obsrvbl.com

Equipment present but not used for this lab

Name    Description                        IP Address       Username   Password
FS      Stealthwatch Flow Sensor           198.18.128.138   admin      lan411cope
FC      Stealthwatch Flow Collector        198.18.128.137   admin      lan411cope
SMC     Stealthwatch Management Console    198.18.128.136   admin      lan411cope
UDPD    Stealthwatch UDP Director          198.18.128.139   admin      lan411cope
CDS     Network Traffic Simulator          198.18.128.134   root       lan1cope

Get Started
Follow these steps to access your lab environment.

Do you have a dCloud Account? If so, continue:


1. The easiest way to access your dCloud session's work environment is to connect to the
workstation using the Cisco dCloud Remote Desktop client. The dCloud Remote Desktop client
works best for accessing an active session with minimal interaction.
2. If you prefer to VPN to the session and access the work environment's workstation PC via
Remote Desktop, connect to the workstation with Cisco AnyConnect VPN and the local RDP
client on your laptop:
• Workstation 1: 198.18.133.36
• Username: wkst1\Administrator
• Password: C1sco12345
3. When you have successfully logged in, you will be at your Workstation’s Windows desktop.

If you do not have a dCloud account, click the link for this appendix and follow the
instructions to connect, and then return to this page to continue. You will need to talk to
the instructor to get the login information for this method.

Task 1: Configuring the Stealthwatch Cloud Private Network Monitoring Sensor to link with the Stealthwatch Cloud portal
At most customers, internal staff are responsible for the physical installation of appliances or
the provisioning of virtual appliances. You will most likely need to assist those efforts by
providing product documentation and guidance on physical and virtual networking ports to the
various internal customer teams. You may also be called on to assist with the initial IP
configuration process.
For this environment, the Stealthwatch PNM Sensor has already had its management IP address
assigned and administrative user configured by the customer’s IT team.

NOTE: If you would like information regarding the OVF deployment procedure, see Appendix C.

By default, a sensor creates flow records from the traffic on its Ethernet interfaces. This default
configuration assumes that the sensor is attached to a SPAN or mirror Ethernet port. If devices on
your network can generate flow records, you can configure the sensor to collect flow records from
these sources.
If the network devices generate different types of NetFlow telemetry, it is recommended to
configure the sensor to collect each type on a different UDP port. This also makes
troubleshooting easier.
You can configure the collection of the following flow types:
• NetFlow v5
• NetFlow v9
• IPFIX
• SFLOW
Certain network appliances should be identified due to their flow data format. These devices
include:
• Meraki
• Cisco ASA
In your network environment you have infrastructure capable of exporting NetFlow natively. You
have a mixture of devices with different export capabilities. In this case, you have devices exporting
the following NetFlow types:
• NetFlow v9, on port 2055/udp
• IPFIX, on port 4739/udp
You will now access the SWC PNM Sensor via its management IP address from the Workstation
within your dCloud session to complete the configuration and establish connection to your
Stealthwatch Cloud portal.

Steps
Accessing the Stealthwatch Cloud Portal and retrieving the Service Key
1. Log into the lab portal for Stealthwatch Cloud at:
• https://cisco-sevt.obsrvbl.com
2. With the following credentials:
• Username: swcadmin
• Password: 2019CLUS##x

3. Select Settings > Sensors.

4. Navigate to the end of the sensor list and copy the Service key. See the following screenshot for
an example.

Customizing config.local on the Stealthwatch Cloud Private Network Monitoring Sensor for Sensor Name and Service Key
You will now edit a sensor’s config.local configuration file to modify the sensor’s name as it will
appear in the portal, and manually add a portal’s service key to associate the sensor with the portal.

NOTE: Manually adding the Service Key is not typically required in the field unless you are dealing
with specific deployment scenarios. For example, multiple sensors may be staged in a central location,
such as an MSSP, and be intended for different portals. In that case, if the staging environment's
public IP address is shared by several sensors, a sensor could be attached to the wrong portal.

In this exercise, you are doing it to expedite Sensor setup for this lab.
1. Open the PuTTY shortcut on the desktop of the dCloud admin workstation.
2. In the Saved Sessions section of the PuTTY screen, select and load the SWC PNM Sensor entry
and click the Open button.

3. When prompted, log in to the appliance with:
• Username: swcadmin
• Password: C1sco12345

4. To manually make changes to the sensor’s configuration, at the command prompt, enter:
sudo nano /opt/obsrvbl-ona/config.local
5. Press Enter to edit the config.local configuration file.
6. Locate the following entry in the config.local file:
OBSRVBL_ONA_NAME=SENSORNAME
7. Replace SENSORNAME with your own name, which will identify the sensor in the Stealthwatch
Cloud portal, and enclose the name in double quotes:
OBSRVBL_ONA_NAME="myname"

NOTE: In production environments, a deployed sensor will have a randomly generated name similar
to the value originally defined in the config.local file. Modifying the sensor name is not necessary but
can make it easier to identify if it is one of many in a network. For lab purposes, it will make it easier
to locate on the SWC sensor dashboard.
8. Add the following line, replacing <service-key> with the portal’s service key:
OBSRVBL_SERVICE_KEY="<service-key>"

NOTE: If you copy the Service Key from the portal using CTRL-C (or CMD-C on a Mac), you can right
click in Putty’s SSH session window to paste the text at the cursor’s location.
9. Press Ctrl + O and press Enter to save your changes.
10. Press Ctrl + x to exit.
11. At the command prompt, enter:
sudo service obsrvbl-ona restart
to restart the Stealthwatch Cloud service. This also restarts the other configured services.
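As an added example (not part of the lab and not Cisco's sensor code), the following Python makes the same config.local edit non-interactively: it quotes the values, replaces any duplicate definitions, and writes the file atomically with owner-only permissions because it now holds the service key. The path and key names come from the steps above; the sample file contents are constructed.

```python
"""Set OBSRVBL_* values in a sensor's config.local (added example, not Cisco code)."""
import os
import re
import tempfile

# Path from the lab steps; the file is one KEY=VALUE setting per line.
CONFIG_LOCAL = "/opt/obsrvbl-ona/config.local"

_LINE_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*(.*?)\s*$')


def render_config(text, updates):
    """Return config text with each key in `updates` set to a double-quoted value.

    Existing keys are rewritten in place (later duplicates of a managed key are
    dropped); missing keys are appended. Comments and unrelated lines are kept.
    """
    for key, value in updates.items():
        if not value or '"' in value or "\n" in value:
            raise ValueError(f"refusing to write {key}: empty or unquotable value")
    pending = dict(updates)
    out = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group(1) in updates:
            key = m.group(1)
            if key in pending:
                out.append(f'{key}="{pending.pop(key)}"')
            continue                      # duplicate of a managed key: drop it
        out.append(line)
    for key, value in pending.items():    # keys that were not present yet
        out.append(f'{key}="{value}"')
    return "\n".join(out) + "\n"


def parse_config(text):
    """Parse KEY=VALUE lines into a dict, stripping surrounding double quotes."""
    result = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m:
            result[m.group(1)] = m.group(2).strip('"')
    return result


def write_config_local(path, updates):
    """Rewrite `path` atomically, mode 0600, since it will contain the service key."""
    try:
        with open(path) as fh:
            text = fh.read()
    except FileNotFoundError:
        text = ""
    new_text = render_config(text, updates)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(new_text)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)                 # atomic swap; a half-written file is never visible
    return new_text


if __name__ == "__main__":
    # Constructed sample of the shipped file before editing (the real name is random).
    sample = "OBSRVBL_ONA_NAME=SENSORNAME\n"
    print(render_config(sample, {"OBSRVBL_ONA_NAME": "myname",
                                 "OBSRVBL_SERVICE_KEY": "<service-key>"}), end="")
```

After writing the file, `sudo service obsrvbl-ona restart` is still needed for the sensor to pick the values up.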

Identifying the public IP for the sensor and adding it to the Stealthwatch Cloud Portal
1. At the command prompt, enter:
curl https://sensor.ext.obsrvbl.com
2. And press Enter.
3. An error value of "unknown identity" in the response means that the sensor is not yet associated
with a portal.

4. Copy or make note of the IP address listed for the "identity" value. This is your public IP address
for the SWC PNM Sensor.

5. If needed, log into your portal for Stealthwatch Cloud with the credentials for your admin level
account.

6. Select Settings > Sensors > Public IP.

7. Here you will tell Stealthwatch Cloud to accept Sensor communications from your public facing
IP address. Enter the "identity" IP address in the Public IP field.

8. Click Add IP. After the portal and sensor exchange keys, they establish future connections using
the keys, and not the public IP address.

NOTE: It may take up to 5 minutes for the sensor to be recognized in the portal.
9. Identify that your sensor has been successfully added to the portal.
10. Select Settings > Sensors.

11. You should be able to locate your Sensor in the Sensor List, displayed with the
OBSRVBL_ONA_NAME= value you entered previously in the lab.

12. If your sensor is displayed and shows an active Heartbeat and that it’s Receiving Data, you have
successfully added it to the account portal.

Task Summary
You have successfully added the deployed Stealthwatch Cloud PNM Sensor to the Stealthwatch
Cloud Portal account.

Task 2: Configure Netflow telemetry collection
1. To configure the NetFlow and IPFIX collection settings, click Change settings.

2. Select the Netflow/IPFIX tab.


3. Click “Add New Probe” to define collection settings.
4. Input the flow settings:
• NetFlow v9, on port 2055/udp
• IPFIX, on port 4739/udp
5. Click Save when complete.

6. Once saved, the portal will update the local sensor.

NOTE: It may take 5-10 minutes for the configuration changes to sync with the Sensor, for its
configuration to fully update, and for flow telemetry to start being processed.

7. You will notice that "Active Data Types" contains PNA + IPFIX once flows start to be
collected.

Task Summary
You have successfully configured your deployed Stealthwatch Cloud Sensor to ingest NetFlow v9 and
IPFIX telemetry on ports 2055 and 4739, respectively.

Task 3: Verifying Running Configuration, NetFlow Collection and Sensor Services
Here you will learn how to verify that the configuration defined in the Cloud Portal has been
successfully applied to the PNM Sensor. You will see how to verify from the sensor command line
that the various Stealthwatch Cloud related core services are running on the PNM Sensor, and how
to verify that NetFlow is reaching the sensor.

Steps
1. If required, open the PuTTY shortcut on the desktop of the dCloud admin workstation. If not,
skip to step 4.
2. In the Saved Sessions section of the PuTTY screen, select and load the SWC PNM Sensor entry
and click the Open button.

3. When prompted, log in to the appliance with:
• Username: swcadmin
• Password: C1sco12345
4. At the command prompt, enter:
sudo nano /opt/obsrvbl-ona/config.auto
5. Verify the changes made via the portal are reflected in the configuration file.

6. Press Ctrl + x to exit the nano editor.

Checking for incoming NetFlow telemetry traffic


1. To verify the presence of incoming NetFlow v9 telemetry on the port you specified during
configuration, at the command prompt, enter:
sudo tcpdump -i eth0 -n -c 100 "port 2055"
2. If NetFlow telemetry is successfully being received, you should see results displayed.

3. Repeat the process for IPFIX telemetry by entering the command again and changing the port
number from 2055 to 4739.

Note: IPFIX traffic in this environment is sparse. For the purposes of this lab, if results for
IPFIX do not appear in a timely manner, make sure the tcpdump command listening on port 4739 has
been entered in the terminal, then launch the traffic generating script from the Windows Start
Menu (Start SWC Traffic) to force traffic to occur.

Verifying Running Services


You can verify that the various Stealthwatch Cloud related core services are running from the sensor
command line.
1. At the command prompt, enter:
ps -ef | grep obsrvbl
2. Press Enter.

3. These are the Stealthwatch Cloud related core services that can be running on a Sensor device.

Service                 Enabled by default?   Description
obsrvbl-ona             Yes                   Monitors for configuration changes and handles automatic
                                              updates. Starting this service also starts the other
                                              configured services.
log-watcher             Yes                   Tracks the sensor's authentication logs.
pdns-capturer           Yes                   Collects passive DNS queries.
pna-monitor             Yes                   Collects IP traffic metadata.
pna-pusher              Yes                   Sends IP traffic metadata to the cloud.
hostname-resolver       Yes                   Resolves active IP addresses to local hostnames.
flowcap                 No                    Listens for NetFlow data sent by routers and switches.
ipfix-pusher            No                    Sends NetFlow data to the cloud.

4. If you see the flowcap and ipfix-pusher services in the results, the NetFlow consumption
capabilities are operational.

5. You are done with this part of the configuration process and may proceed to the next steps.
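The two checks in this task, as an added example that is not part of the lab or Cisco's code: the first function reads `ps -ef` output and reports missing default services and whether flowcap/ipfix-pusher are up; the second reads `tcpdump -n` output and counts datagrams per exporter on the two collection ports from Task 2. It assumes each service name appears as a whole argument in its command line; the sample ps and tcpdump lines in the test are constructed.

```python
"""Verify sensor services and incoming flow telemetry from ps/tcpdump output
(added example, not Cisco code)."""
import re
from collections import Counter

# Service names from the table above. flowcap and ipfix-pusher only run once
# NetFlow/IPFIX collection has been configured in the portal.
DEFAULT_SERVICES = {"obsrvbl-ona", "log-watcher", "pdns-capturer",
                    "pna-monitor", "pna-pusher", "hostname-resolver"}
NETFLOW_SERVICES = {"flowcap", "ipfix-pusher"}
# Collection ports configured in Task 2.
EXPECTED_PORTS = {2055: "NetFlow v9", 4739: "IPFIX"}


def running_services(ps_output):
    """Return the known service names present in `ps -ef` output.

    Assumption (not stated in the lab): a service's name appears as a whole
    program name or argument in its command line. The grep process is ignored.
    """
    known = DEFAULT_SERVICES | NETFLOW_SERVICES
    found = set()
    for line in ps_output.splitlines():
        fields = line.split(None, 7)          # UID PID PPID C STIME TTY TIME CMD
        if len(fields) < 8:
            continue
        args = [tok.rsplit("/", 1)[-1] for tok in fields[7].split()]
        if args and args[0] == "grep":
            continue
        found.update(a for a in args if a in known)
    return found


def service_report(ps_output):
    """Which default services are missing, and whether NetFlow consumption is up."""
    found = running_services(ps_output)
    return {"missing_default": sorted(DEFAULT_SERVICES - found),
            "netflow_ready": NETFLOW_SERVICES <= found}


# tcpdump -n prints e.g.
# "10:12:01.000100 IP 198.18.128.140.40001 > 198.18.128.141.2055: UDP, length 1464"
_UDP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)")


def flow_packets_by_exporter(tcpdump_output):
    """Count UDP datagrams per (source IP, destination port) seen by tcpdump."""
    counts = Counter()
    for line in tcpdump_output.splitlines():
        m = _UDP_RE.search(line)
        if m:
            counts[(m.group(1), int(m.group(4)))] += 1
    return counts


def telemetry_report(tcpdump_output):
    """Per expected port: exporters seen with packet counts, and whether anything arrived."""
    counts = flow_packets_by_exporter(tcpdump_output)
    report = {}
    for port, kind in EXPECTED_PORTS.items():
        exporters = {ip: n for (ip, p), n in counts.items() if p == port}
        report[kind] = {"port": port, "exporters": exporters,
                        "receiving": bool(exporters)}
    return report


if __name__ == "__main__":
    import subprocess
    ps = subprocess.run(["ps", "-ef"], capture_output=True, text=True).stdout
    print(service_report(ps))
```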

Task Summary
You have verified you correctly configured the services by making sure they are running on the
sensor, as well as verified that the sensor is collecting telemetry from the network.

Task 4: Using the Stealthwatch Cloud Portal
Now you will use the portal to view telemetry collected from the deployed and configured sensor.

View session traffic


1. If required, log into your portal for Stealthwatch Cloud with the credentials for your admin level
account.
2. If not, skip to step 3.
3. From the main Dashboard, select Models > Session Traffic.

4. Leave the default values of current day and click Update.

5. Collected network traffic will be displayed. You can click the other tabs present to change the
data and visualizations displayed for the data in the range specified.

Build a traffic blacklist rule


A defined blacklist rule will alert you when two IP addresses that shouldn't be communicating are
observed exchanging data.

1. If required, log into your portal for Stealthwatch Cloud with the credentials for your admin level
account.
2. If not, skip to step 3.
3. From the main Dashboard, select Alerts.
4. Click the Gear icon and select Watchlists.

5. Select the Internal Connection Blacklist tab.


6. Enter the following values:
• Name: <your name> Connection Violation Rule
• Source IP subnet: 172.16.16.0/24
• Destination IP Subnet: 198.18.128.0/24
• Leave source/destination ports empty.

7. Notifications for this will appear in the Alerts list as an “Internal Connection Blacklist” event.

8. You can click on the alert to see the supporting observations and details about the event.

View an endpoint in device manager


1. If required, log into your portal for Stealthwatch Cloud with the credentials for your admin level
account.
2. If not, skip to step 3.
3. Log in to the portal, go to the search menu, and enter the IP address 10.201.3.142.

4. You will see a traffic summary view for that endpoint, including data on the IPs it connected to
and top ports in use.

5. Click the endpoint’s IP address, and a context menu appears. Select Device from the list.

6. You will get an endpoint overview screen showing all collected information for the host.

NOTE: There may be limited data if the sensor was recently added; it can take up to 30 minutes.

View the complete list of Stealthwatch Cloud alert types


1. If required, log into your portal for Stealthwatch Cloud with the credentials for your admin level
account.
2. If not, skip to step 3.
3. Click the settings cogwheel, and then select Alerts.

4. Under Alert Configuration, click Configure Alert Priority.

5. The Alert Types and Priorities screen will display, showing all available alerts in Stealthwatch
Cloud as well as the length of time required to collect telemetry for the alert to go active.

Task Summary
You have successfully configured your Stealthwatch Cloud Private Network Monitoring Sensor to
consume NetFlow telemetry from your network environment. You then used the Stealthwatch Cloud
portal to see details about the traffic observed, and learned which alerts are available in
Stealthwatch Cloud as it baselines the environment.

You are done with this lab.

Appendix A: Integration with Cloud Services
Stealthwatch Cloud uses the collection of VPC flow logs and other APIs inside of Amazon Web
Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure for visibility into these cloud
environments.

Configuring Stealthwatch Cloud with AWS


Cisco Stealthwatch Cloud Public Cloud Monitoring can be deployed easily and quickly in AWS.

NOTE: Log in to Stealthwatch Cloud and review the procedures for integration in the portal, since
they can change and those changes may not be reflected in this guide.
To enable Stealthwatch Cloud in AWS:
• A policy with the appropriate permissions needs to be created.
• A role needs to be created for Stealthwatch Cloud.
• Amazon VPC flow logs need to be enabled.

Steps
Create a Policy
Step 1. Log in to your Stealthwatch Cloud instance, click the Settings icon and select
Integrations.

Step 2. Ensure that the AWS tab is selected on the left pane, and copy the sample Policy
Document.

Step 3. Log in to your AWS console (https://console.aws.amazon.com) and click Services >
IAM. Select Policies on the left pane, and click Create Policy.

Step 4. Click the JSON tab and paste the copied sample Policy Document, and click Review
Policy.

Step 5. Enter a Policy Name and click Create Policy.

Create a new role
Step 1. In the IAM view of your AWS console, click Roles > Create Role.
Step 2. Select “Another AWS Account”.
Step 3. In the AWS Integrations page in your Stealthwatch Cloud Dashboard, make a note of
your account ID and External ID. This will be shown below the previously copied sample
policy.
Step 4. In the AWS console, paste the Account ID, select the Require external ID check-box,
and paste the External ID. Click Next > Permissions.

Step 5. Locate and select the previously created policy. Click Next > Review.

Step 6. Enter a role name, and click Create Role.

Step 7. Click on the newly created role and locate a copy of the Role ARN. It will look like:
"arn:aws:iam::<account_id>:role/<role_name>"
Step 8. In the AWS Integrations page in the Stealthwatch Cloud Dashboard, click the
Credentials tab.
Step 9. Paste the copied Role ARN into the text box and enter a name to identify the
instance, and click the icon.
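As an added example (not part of the lab and not Cisco or AWS code), the Python below builds the trust policy that the "Another AWS Account" + "Require external ID" choices in Steps 2-4 produce, checks an existing trust policy for the things that matter here (only the Stealthwatch Cloud account may assume the role, and only with the External ID), and parses the Role ARN format quoted in Step 7. The account ID and External ID are placeholders for the values shown on the AWS Integrations page.

```python
"""Build and check the cross-account trust policy for the Stealthwatch Cloud role
(added example, not Cisco or AWS code)."""
import json
import re

# Both values are shown on the AWS Integrations page of the portal; placeholders here.
SWC_ACCOUNT_ID = "<stealthwatch-cloud-account-id>"
EXTERNAL_ID = "<external-id>"

# Format quoted in Step 7: arn:aws:iam::<account_id>:role/<role_name>
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@-]+)$")


def trust_policy(trusted_account_id, external_id):
    """Trust policy equivalent to 'Another AWS Account' with 'Require external ID' ticked.

    The sts:ExternalId condition is what stops a third party who knows the role
    ARN from having the SWC account assume it on their behalf (confused deputy).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(doc, trusted_account_id, external_id):
    """Return problems with a trust policy; empty means it is scoped as the lab intends."""
    statements = doc.get("Statement", [])
    if not statements:
        return ["no statements"]
    problems = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        extra = [a for a in actions if a.lower() != "sts:assumerole"]
        if extra:
            problems.append(f"unexpected actions: {extra}")
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:
            # Accept the bare account ID or any ARN in that account; reject "*" and others.
            if p != trusted_account_id and f"::{trusted_account_id}:" not in p:
                problems.append(f"untrusted principal: {p}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            problems.append("sts:ExternalId condition missing or wrong")
    return problems


def parse_role_arn(arn):
    """Split a role ARN into (account_id, role_name), or None if it is not a role ARN."""
    m = ROLE_ARN_RE.match(arn)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    print(json.dumps(trust_policy(SWC_ACCOUNT_ID, EXTERNAL_ID), indent=2))
```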

Enable VPC Flow Logs


Step 1. In your AWS dashboard, click Services > CloudWatch > Logs and click Create Log
Group.

Step 2. Enter a name for the group, and click Create Log Group.

Step 3. Click on the newly created group, and click Create Log Stream. Enter a name for the
stream.

Step 4. In the AWS Integrations page in the Stealthwatch Cloud Dashboard, click the VPC
Flow Logs tab. Enter the name of the CloudWatch Logs Group, and click Add.

Configuring Stealthwatch Cloud with Google Cloud Platform
Cisco Stealthwatch Cloud has added the ability to ingest the Google Cloud Platform VPC Flow Logs.
As this feature currently has frequent updates, the instructions to enable this feature will be
maintained on the GCP Integrations page in the Stealthwatch Cloud Dashboard and will be updated
as the integration matures.

NOTE: Log in to Stealthwatch Cloud and review the procedures for integration in the portal, since
they can change, and those changes may not be reflected in this guide.

Steps
To enable Stealthwatch Cloud integration with GCP, browse to the GCP Integrations page on the
Stealthwatch Cloud Dashboard, and follow the instructions:

Configuring Stealthwatch Cloud with Microsoft Azure
Cisco Stealthwatch Cloud has added the ability to ingest Microsoft NSG v2 logs. As this feature is
currently in beta and may be updated frequently, the instructions to enable it will be maintained
on the forthcoming Integrations page in the Stealthwatch Cloud Dashboard and will be updated as
the integration matures.

NOTE: It is best practice to log into the Stealthwatch Cloud and review the procedures for
integration in the portal, since they can change, and those changes may not be reflected in this
guide.

Retrieve AD name and Subscription ID: You'll need to provide an Azure AD URL and an Azure
Subscription ID to grant Stealthwatch Cloud access to the metadata services.
• Navigate to Azure Active Directory > Overview.
• Copy your AD URL (e.g., example.onmicrosoft.com) - this is the Azure AD URL.
• Navigate to Subscriptions and select your subscription.
• Copy the Subscription ID.
Create the application: This application will be used to read metadata from your resource groups.
Creating the application will provide you with an Application ID and its associated Application key.
• Navigate to Azure Active Directory > App Registrations > New Application Registration
• Fill in the form as follows:
o Name: swc-reader
o Application type: Web app / API
o Sign-on URL: https://obsrvbl.com/azure-api/swc-reader
• After the application is created, copy the Application ID.
• Select Settings > Keys.
• In the Passwords section, fill out the form as follows:
o Description: SWC Reader
o Expires: Never expires
• Click the Save button and copy the generated value. This is the Application key.
Grant access to the application: To enable Stealthwatch Cloud to read metadata for your
subscription's resource groups:
• Navigate to Subscriptions and select your subscription.
• Select Access Control (IAM).
• Click the Add button and fill out the form as follows:
o Role: Network Contributor
o Assign access to: Azure AD user, group, or application
o Select: swc-reader
• Click the Save button.
The "Network Contributor" role is needed to retrieve the NSG Flow Log status with the POST method;
see Microsoft's documentation.

Grant storage access: To store NSG Flow Logs, you'll need a Storage Account in the same location
(e.g. East US) as your target resource groups. If you don't have one there, you'll want to create one
with Blob storage capabilities.
Stealthwatch Cloud uses a Shared Access Signature (SAS) to retrieve NSG Flow Logs from the storage
account. To obtain the Blob service SAS URL:
• Navigate to Storage Accounts and select the account you used for NSG Flow Logs.
• Select Shared access signature and fill out the form as follows:
o Allowed services: Blob
o Allowed resource types: Service, Container, and Object
o Allowed permissions: Read and List
o Start and end times: Set these to begin now and end some point in the future (at
least one year)
o Allowed protocols: HTTPS
• Click Generate SAS and connection string. Copy the Blob service SAS URL.
Enable Network Watcher: You'll need to set up the Network Watcher service for the regions where
you have resource groups to monitor:
• Navigate to Network Watcher > Overview and click on the regions list to expand it.
• Click the ... icon next to a target region and select Enable Network Watcher. Repeat as
necessary.
Enable NSG Flow Logs: For the NSGs you want to monitor, you'll need to enable Flow Logging:
• Navigate to Network Watcher > NSG Flow Logs. The list of Network Security Groups appears.
• Select an NSG to display the Flow Logs settings screen. Fill out the form as follows:
o Status: On
o Storage account: Select the storage account from above.
o Retention (days): 7 (you may optionally increase this number)
o Traffic Analytics status: Off (you may optionally enable this)
• Click the Save button and repeat the Flow Logs setup for each NSG.
You will need to enable NSG Flow Logs for any new Resource Groups you create that you wish to
monitor.
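The SAS generated in "Grant storage access" is the credential Stealthwatch Cloud will hold, so it is worth checking that it carries no more than the lab asks for. As an added example (not part of the lab and not Cisco or Microsoft code), the following Python validates a Blob service SAS URL against those settings: Blob only, Service/Container/Object resource types, Read and List permissions only, HTTPS only, and an expiry at least a year out. It relies on the standard account-SAS query parameters (ss, srt, sp, spr, se, sig); the URL in the test is constructed.

```python
"""Check a Blob service SAS URL against the scope requested in this section
(added example, not Cisco or Microsoft code)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Account-SAS query parameters: ss = allowed services, srt = allowed resource types,
# sp = permissions (concatenated letters), spr = protocols, st/se = start/expiry, sig = signature.
EXPECTED_FLAGS = {
    "ss": {"b"},              # Allowed services: Blob
    "srt": {"s", "c", "o"},   # Allowed resource types: Service, Container, Object
    "sp": {"r", "l"},         # Allowed permissions: Read and List
}
MIN_VALIDITY = timedelta(days=365)     # "at least one year"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _utc(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def check_sas_url(url, now=None):
    """Return a list of problems; an empty list means the SAS matches the lab's settings.

    `now` is an ISO-8601 UTC string in the same format as se/st, or None for the
    current time.
    """
    current = _utc(now) if now else datetime.now(timezone.utc)
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    problems = []
    if parsed.scheme != "https" or not parsed.netloc.endswith(".blob.core.windows.net"):
        problems.append(f"not an https Blob service endpoint: {parsed.scheme}://{parsed.netloc}")
    for key, expected in EXPECTED_FLAGS.items():
        got = set(params.get(key, ""))
        if got != expected:             # both missing and extra letters are problems
            problems.append(f"{key}={params.get(key, '')!r}, expected exactly {sorted(expected)}")
    if set(params.get("spr", "").split(",")) - {""} != {"https"}:
        problems.append(f"spr={params.get('spr', '')!r}, expected 'https'")
    if "sig" not in params:
        problems.append("no signature (sig) present")
    try:
        expiry = _utc(params["se"])
    except (KeyError, ValueError):
        problems.append("missing or unparsable expiry (se)")
    else:
        if expiry < current + MIN_VALIDITY:
            problems.append(f"expiry {params['se']} is less than a year away")
    return problems
```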

Appendix B: Netflow Exporter Configuration


Steps
NetFlow configuration on a Cisco device consists of four steps:
1. Define a flow record
2. Configure a flow exporter
3. Configure a flow Monitor
4. Apply the flow monitor on an interface

Define a flow record
The flow record defines the information that NetFlow gathers, such as packets in the flow and the
types of counters gathered per flow. If you would like to build a custom flow record outside of the
predefined netflow-original, you would specify a series of match and collect commands that tell the
device which fields to include in the outgoing NetFlow PDU.
The match fields are the key fields. They are used to determine the uniqueness of the flow. The
collect fields are just extra info that we include to provide more detail to the collector for reporting
and analysis.
You don't want to modify the match fields much. The seven match entries shown below should
always be included in your config. The collect fields, however, can vary quite a bit depending on
how much information you want to send to the collector.
The configuration listed below is recommended for Stealthwatch installations.
The fields marked as required below are those Stealthwatch needs in order to accept and build a
flow record.

flow record STEALTHWATCH1
 match ipv4 protocol                     (required; key field)
 match ipv4 source address               (required; key field)
 match ipv4 destination address          (required; key field)
 match transport source-port             (required; key field)
 match transport destination-port        (required; key field)
 match interface input                   (required; key field)
 match ipv4 tos                          (required; key field)
 collect interface output                (required; key field)
 collect counter bytes                   (required; key field)
 collect counter packets                 (required; key field)
 collect timestamp sys-uptime first      (required; for calculating duration)
 collect timestamp sys-uptime last       (required; for calculating duration)
 collect routing next-hop address ipv4   (optional; used for closest interface determination)
 collect ipv4 dscp                       (optional; used for closest interface determination)
 collect ipv4 ttl minimum                (optional; used for closest interface determination)
 collect ipv4 ttl maximum                (optional; used for closest interface determination)
 collect transport tcp flags             (optional; used for closest interface determination)
 collect routing destination as          (optional; used for closest interface determination)

Define the Flow Exporter
Once the Flow Record has been created, you tie it to a Flow Exporter.
The Flow Exporter configuration defines the physical or virtual Flow Collector IP address to which
NetFlow data is sent. It also defines the source interface from which the exporting device sends
NetFlow data; this can be a physical or logical interface. It is worth sourcing NetFlow data from a
Loopback interface, since a Loopback typically remains up even when other interfaces fail, which
keeps transport continuous (where routing permits). This is also where the transport protocol (TCP
or UDP) and destination port are defined; the destination port is specific to the NetFlow collector
and in this case refers to the port used by the Stealthwatch Flow Collector.
To define a Flow Exporter, follow these steps:
flow exporter Stealthwatch_Exporter
 description Stealthwatch Export to Flow Collector
 destination [Collector_IP_Address]
 source [Physical_Interface | Logical_Interface]
 transport udp 2055

Define the Flow Monitor
A Flow Monitor ties all of the constructs together, referencing the Flow Exporter and the Flow
Record. To define a Flow Monitor, follow these steps:
flow monitor Stealthwatch_Monitor
 description Stealthwatch Flow Monitor
 exporter Stealthwatch_Exporter
 cache timeout active 60
 record STEALTHWATCH1

Note the cache timeout line above; this is the recommended setting for Stealthwatch. The default
setting on Cisco devices is 30 minutes, which is too long for anomaly reporting.
The Flow Monitor configuration ties the previously configured Flow Exporter and Flow Record
together. The naming convention can be whatever you choose, provided you refer to the correct
name; using context-sensitive help in IOS will help, as it always shows any previously configured
parameters.
See below for an example of how context sensitive help reminds you of configured Flow Records and
Flow Exporters as well as system default Records which are available.
BR_ASW1(config)#flow monitor STEALTHWATCH_MONITOR
BR_ASW1(config-flow-monitor)#record ?
  STEALTHWATCH_RECORD  User defined
  wireless             Templates for Wireless Traffic
BR_ASW1(config-flow-monitor)#exporter ?
  STEALTHWATCH_EXPORTER  Stealthwatch Export to Flow Collector

Finally, you need to apply all of the above NetFlow configuration to each interface on which you
require flow analysis with the following:

Apply the flow monitor to interfaces
interface [Interface_ID]
 ip flow monitor Stealthwatch_Monitor input

Below are examples of NetFlow configurations:

Cisco NetFlow Configuration

Commands for configuring a NetFlow record; the available fields may differ depending on platform.
flow record Stealthwatch_FlowRecord
 description Flow Record for Export to Stealthwatch (optional)
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match ipv4 tos
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 collect routing next-hop address ipv4
 collect ipv4 dscp
 collect ipv4 ttl minimum
 collect ipv4 ttl maximum
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
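As an added check that is not part of the lab guide or any Cisco tool, the following Python script parses the flow record, flow exporter and flow monitor stanzas of a configuration excerpt like the ones above and reports a record missing any of the required fields, an exporter without a UDP transport, and a monitor that references an undefined record or exporter or keeps the IOS default active timeout instead of the recommended 60 seconds. The stanza names in the constructed sample follow the guide; the sample itself is an assumption.

```python
import re

# Fields the lab guide marks as required in its STEALTHWATCH1 flow record.
REQUIRED_FIELDS = (
    "match ipv4 protocol", "match ipv4 source address",
    "match ipv4 destination address", "match transport source-port",
    "match transport destination-port", "match interface input",
    "match ipv4 tos", "collect interface output", "collect counter bytes",
    "collect counter packets", "collect timestamp sys-uptime first",
    "collect timestamp sys-uptime last",
)
ACTIVE_TIMEOUT = 60  # seconds; the IOS default of 30 minutes is too long
STANZA_RE = re.compile(r"^flow (record|exporter|monitor) (\S+)\s*$")


def parse_stanzas(config):
    """Map (kind, name) -> list of indented sub-commands for each flow stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        m = STANZA_RE.match(raw)
        if m:
            current = (m.group(1), m.group(2))
            stanzas[current] = []
        elif current and raw[0].isspace():
            stanzas[current].append(raw.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return stanzas


def check_config(config):
    """Return findings as strings; an empty list means the config is ready."""
    stanzas, findings = parse_stanzas(config), []
    for (kind, name), lines in stanzas.items():
        if kind == "record":
            findings += [f"record {name}: missing '{fld}'"
                         for fld in REQUIRED_FIELDS if fld not in lines]
        elif kind == "exporter":
            if not any(l.startswith("transport udp ") for l in lines):
                findings.append(f"exporter {name}: no 'transport udp <port>'")
        elif kind == "monitor":
            for ref in ("record", "exporter"):  # referenced names must exist
                target = next((l.split()[1] for l in lines if l.startswith(ref + " ")), None)
                if (ref, target) not in stanzas:
                    findings.append(f"monitor {name}: {ref} '{target}' is not defined")
            active = next((int(l.split()[-1]) for l in lines if l.startswith("cache timeout active ")), None)
            if active != ACTIVE_TIMEOUT:
                findings.append(f"monitor {name}: active timeout is {active}, expected {ACTIVE_TIMEOUT}")
    return findings


# Constructed sample: all required fields except 'match ipv4 tos', the lab's UDP port, and a monitor left at the default timeout.
SAMPLE_CONFIG = "flow record STEALTHWATCH1\n" + "".join(
    f" {fld}\n" for fld in REQUIRED_FIELDS if fld != "match ipv4 tos"
) + """flow exporter Stealthwatch_Exporter
 transport udp 2055
flow monitor Stealthwatch_Monitor
 exporter Stealthwatch_Exporter
 record STEALTHWATCH1
"""
```

Running check_config on a `show running-config | section flow` excerpt saved to a file is the intended use; the constructed sample yields two findings (the missing tos field and the unset active timeout).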

Appendix C: Stealthwatch Cloud PNM Sensor Deployment Process
The sensor is included in the Stealthwatch Cloud service. Users can download the sensor ISO directly
from their customer portal. The sensor image is based on Ubuntu Linux. Its source code is available
at this URL: https://github.com/obsrvbl/ona
To set up a sensor, you need:

• A machine (physical or virtual):
  o Network interfaces: At least 2 (1 control, 1+ data).
  o RAM: At least 2 GB.
  o CPU: At least 2 cores.
  o Disk space: At least 32 GB.

• Internet access (needed during setup):
  o See the firewall rules in the following table.

• Installation media:
  o The ISO file from the web portal.
  o A USB drive or CD-R (for physical sensors).

Service                            Domains/IPs              Ports             Direction
Sensor data upload                 sensor.ext.obsrvbl.com   443/tcp           Outbound
                                   107.22.217.211
                                   107.22.210.176
                                   107.22.247.3
OS updates                         us.archive.ubuntu.com    443/tcp, 80/tcp   Outbound
Hostname resolution                Your local DNS server    53/udp            Outbound
Remote troubleshooting (optional)  54.83.42.41              22/tcp            Inbound

Configure the firewall to allow these services before installation. The installation process will not be
able to complete properly without them. After installation, the sensor will initiate connections to the
monitoring service and send network data for processing.
To install the sensor on a physical machine, use the ISO file from the web portal by writing the image
to a CD or DVD, or by using it to create a bootable USB drive. For deployment as a virtual machine,
you can boot from the ISO file directly.

Sensor Deployment to Physical Machine


To create a bootable USB drive on a Windows based computer, follow these steps:
1. Once you download the ISO, go to https://rufus.akeo.ie/
2. Download the Rufus utility and open it.
3. Insert the target USB drive. Rufus will detect its presence.

4. Click the CD-ROM icon, and then select the ISO file you downloaded.

NOTE: Verify you've selected the right ISO and USB drive; this is a destructive operation.
5. Click Start.

6. When prompted, select “Write in DD Image mode” and click OK.

Sensor Deployment to Hypervisor


Follow your environment’s specific instructions and procedures for deploying an ISO format VM.
Verify you have allocated the required resources to the Sensor VM prior to setup.

Stealthwatch Cloud PNM Sensor Setup


Once the physical or virtual machine running the Stealthwatch Cloud Sensor has booted, you can
begin the Sensor setup process.

1. Choose the language to be used during setup.

2. Select the first option from the presented menu.

3. Select the language to be used for the installation process.

4. Select a country. The default is United States.

5. The installer will offer to detect your keyboard layout. If you wish to select your keyboard layout
manually, select No.

6. If you choose to manually select, at the next screen(s) choose your keyboard layout. The default
is English (US).

7. Once the keyboard layout is selected, the setup process will scan for hardware.
8. If the installer detects multiple network interfaces, then it will prompt you to choose a “primary”
one.

9. Select the interface that you will use for controlling the Stealthwatch Cloud Sensor, rather than
the one for mirroring traffic.

10. The other NICs will automatically be configured to accept the mirrored traffic.
11. By default, the installer will try to use DHCP to configure the interface you selected as the
primary control NIC.
12. If DHCP is not set up on your network, you will be prompted to configure the network manually.
13. If DHCP is set up on your network, but you don't want to use it, press the Enter key to cancel
while DHCP settings are being detected.

14. If you miss the chance to cancel, select Go Back (with the Tab key) at the next screen. Then
select “Configure the Network” to try again.

15. When configuring the network without DHCP, you need to enter an IP address, subnet mask,
gateway, DNS server, and local domain suffix.

16. Now, you need to create a user account for local management of the system.
17. Enter the full name of the account. This name can have spaces and capital letters (e.g., SWC
Admin).

18. Next, enter the username for the account. This name cannot have spaces or capital letters. (e.g.,
swcadmin).

19. After the username is entered, you will be prompted to select a password for the local
management account.

20. Enter the password in the first prompt, and then again in the second to verify it.

21. Once the password is entered, you will be prompted to encrypt the home directory for the local
management user's account. Select Yes.

22. The installer will then attempt to automatically detect your time zone. If successful, accept the
detected location and continue.

23. If you are prompted to configure the clock, select the correct time zone from the list.

24. The installer will detect your disks, and offer to automatically partition the disk for the operating
system.
25. Select Guided – use entire disk.

26. When prompted, confirm the selected partitioning setup.

27. Select <Yes> and press Enter to confirm that the installer can erase the disk and install the
operating system.

28. Once partitioning has completed, the system installation process will begin.
29. You will be prompted for HTTP proxy information. Unless the network requires an HTTP proxy,
press Enter to Continue.

30. The installer will download the latest updates for the Sensor and Operating System.
31. You will be prompted to select whether to install the updates automatically. The recommended
setting is “Install security updates automatically”.
32. If your organization's policy does not allow for automatic updates, select “No automatic
updates”.

33. The installation process will continue to set up the Sensor appliance.
34. You will be prompted to install the GRUB boot loader onto the target drive.
35. Move the cursor to <Yes> and press Enter.

36. After the installer finishes copying the files, the installation process will finish.

37. Eject the boot CD from the drive.


38. After the boot CD has been removed, reboot the system.
39. After the system reboots, you may log in with the same user account created during the
installation.

40. You may log out (with the exit command) and leave the system unattended after verifying that it
is working; it will run automatically after installation.

Appendix D: Other Network Connection and Monitoring Features
The network sensor can also monitor the traffic on your network and generate telemetry to transmit
to the Stealthwatch Cloud service for analysis. This appendix covers where to place the sensor, and
how to configure your switch or router to send traffic to the sensor.

A sensor needs to have at least two network interfaces: one “Control” interface and at least one
“Mirror” interface. The Control interface connects to the Internet; see the sensor setup guide for
how to configure it. The Mirror interface connects to a special port on a switch (or router) that
replicates the data from other ports.
You may wish to place multiple sensors in your network to get a view of all traffic.
The following diagram shows possible deployment locations.

Multiple-sensor deployments are usually needed only for larger networks.

Mirror Interface Setup
When setting up a mirror interface, keep in mind that it will be sending copies of all of the source
traffic (both inbound and outbound) to the destination:

• Take note of how much traffic is expected at peak, and ensure that it is less than the
capacity of the sensor's mirror interface link (For example: 1 Gbps or 10 Gbps).

• Many switches will drop packets from the source interfaces if a mirror port destination is
configured with more traffic than it can carry, which will cause problems on the LAN.

• You may use multiple mirror interfaces on a sensor; the sensor is not limited to a single
control interface and a single mirror interface.

Most managed switches can be configured to replicate traffic. Different switch vendors call this
capability by different names:

• Cisco: Switch Port Analyzer (SPAN)

• Juniper, Netgear, ZyXEL: Port mirror

• Others: Monitor port, Analyzer port, Tap port

You may also use a passive tap device to replicate traffic. Common tap vendors include NetOptics
and Gigamon.

Switch Configuration
The user guide for your particular switch model should have the correct configuration steps for
setting up a mirror port.
For Cisco switches with IOS software, a typical configuration looks like:
monitor session 1 source interface Vlan10
monitor session 1 destination interface Gig1/0/3

For information on configuration documentation for Cisco and other switch vendors, please refer to
the “Additional Resources” section.

Virtual Environment Monitoring


If your sensor is running as a virtual machine, you need to make sure that both the virtual host and
virtual network are configured properly.
For VMware:
• Promiscuous mode setup: https://kb.vmware.com/s/article/1004099

• Information on promiscuous mode: https://kb.vmware.com/s/article/1002934

You may need to set the VLAN ID to 4095.

For VirtualBox:

• In the Settings for your host, go to the Network tab, and select the Adapter to be used
for the Mirror interface.

• In the Advanced Options section, set Promiscuous mode to Allow.

Appendix E: Installing Stealthwatch Cloud PNM Sensor on Non-Packaged
Linux Operating Systems
In addition to the provided ISO, the virtual appliance can be deployed on the following operating
systems:
• Ubuntu Linux version 14.04 (32- and 64-bit)
• Ubuntu Linux versions 16.04 and later (32- and 64-bit)
• Red Hat Enterprise Linux (RHEL) version 6 and compatible, including CentOS version 6* and
Amazon Linux for EC2 (32- and 64-bit)
• Red Hat Enterprise Linux (RHEL) version 7 and compatible, including CentOS version 7 (64-
bit)
• Raspberry Pi 2 Model B with Raspbian (32-bit armhf)
• Docker, tested with CoreOS (64-bit)

Installation on RHEL 7
Log into the RHEL 7 system as an administrator.

1. At the command prompt, enter curl -L -O https://s3.amazonaws.com/onstatic/ona-service/master/ona-service_RHEL_7_x86_64.rpm
and press Enter to download the Stealthwatch Cloud package.
2. Enter sudo yum install -y net-tools tcpdump and press Enter to install dependencies.
3. Enter sudo yum updateinfo && sudo yum install -y libpcap libtool-ltdl lzo
4. Enter curl -L -O https://github.com/bbayles/netsa-pkg/releases/download/v0.1.15/netsa-pkg.rpm
5. Enter sudo rpm -i netsa-pkg.rpm
6. Enter sudo rpm -i ona-service_RHEL_7_x86_64.rpm and press Enter to install the Stealthwatch
Cloud service.

Installation on RHEL 6

Note: RHEL 6 does not include Python 2.7. Additional repositories must be added to install Python.
Log into the RHEL 6 system as an administrator.

1. At the command prompt, enter curl -L -O https://s3.amazonaws.com/onstatic/ona-service/master/ona-service_RHEL_6_x86_64.rpm
and press Enter to download the Stealthwatch Cloud package.
2. Enter curl -L -O https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm and
press Enter to download the EPEL repository package.
3. There are two options:
a. Enter curl -L -O https://rhel6.iuscommunity.org/ius-release.rpm and press Enter to
download the IUS repository package for RHEL.
b. Enter curl -L -O https://centos6.iuscommunity.org/ius-release.rpm and press Enter to
download the IUS repository package for CentOS.
4. There are two options:
a. To install the IUS repository package for RHEL, enter: sudo rpm -i epel-release-latest-6.noarch.rpm
b. To install the IUS repository package for CentOS, enter: sudo rpm -i ius-release.rpm
5. To install Python 2.7, enter: sudo yum install python27 tcpdump and press Enter.
6. Enter sudo yum updateinfo && sudo yum install -y libpcap libtool-ltdl lzo
7. Enter curl -L -O https://github.com/bbayles/netsa-pkg/releases/download/v0.1.15/netsa-pkg.rpm
8. Enter sudo rpm -i netsa-pkg.rpm
9. Enter sudo rpm -i ona-service_RHEL_6_x86_64.rpm and press Enter to install the Stealthwatch
Cloud service.

Installation on Ubuntu with NetFlow collection


Log into the Ubuntu system as an administrator.

1. At the command prompt, enter curl -L -O https://s3.amazonaws.com/onstatic/ona-service/master/ona-service_UbuntuXenial_amd64.deb
and press Enter to download the Stealthwatch Cloud package.
2. Enter sudo apt-get install -y net-tools tcpdump and press Enter to install dependencies.
3. Enter sudo apt-get update && sudo apt-get install -y libglib2.0-0 liblzo2-2 libltdl7
4. Enter curl -L -O https://github.com/bbayles/netsa-pkg/releases/download/v0.1.15/netsa-pkg.deb
5. Enter sudo dpkg -i netsa-pkg.deb
6. Enter sudo apt-get -f install to verify that the dependencies installed properly.
7. Enter sudo dpkg -i ona-service_UbuntuXenial_amd64.deb and press Enter to install the
Stealthwatch Cloud service.
8. Reboot the machine: sudo reboot
9. Confirm that the services are running. See Appendix E for Stealthwatch Cloud services.

Installation on Ubuntu without NetFlow collection


Log into the Ubuntu system as an administrator.

1. At the command prompt, enter curl -L -O https://s3.amazonaws.com/onstatic/ona-service/master/ona-service_UbuntuXenial_amd64.deb
and press Enter to download the Stealthwatch Cloud package.
2. Enter sudo apt-get install -y net-tools tcpdump and press Enter to install dependencies.
3. Enter sudo apt-get -f install to verify that the dependencies installed properly.
4. Enter sudo dpkg -i ona-service_UbuntuXenial_amd64.deb and press Enter to install the
Stealthwatch Cloud service.

Connecting to your session if you do not have a dCloud Account:
You need to use AnyConnect Secure Mobility client to access the lab system. You will also need to
obtain login credentials for the session from your instructor.

NOTE: If you have the AnyConnect VPN client installed on your system, skip to step 9.
1. Open a web browser on your computer.
2. Enter the URL: https://dcloud-rtp-anyconnect.cisco.com

3. At the login prompt, enter the User Name and Password provided by your lab instructor.
4. Click Login.
5. You should get confirmation that you have logged in. Click Continue.

6. The AnyConnect Secure Mobility Client will attempt to install itself.


7. If it is unsuccessful, download the installer by clicking on the link (note you may uninstall this
when you are done with the lab).
8. Run the AnyConnect client installer and complete the installation.
9. Launch the AnyConnect client software.

10. Enter dcloud-rtp-anyconnect.cisco.com in the field, and click Connect.

11. Enter the instructor provided Username and Password into the login window.
12. Click Accept on the following window to confirm your connection.

When connected to your AnyConnect VPN session, the AnyConnect VPN icon is displayed in the
system tray (Windows) or task bar (Mac).

To view connection details or to disconnect, click the AnyConnect VPN icon and then choose
Disconnect.

13. Use the local RDP client on your computer to connect to your dCloud workstation. Use the
following credentials:
• Workstation 1: 198.18.133.36
• Username: wkst1\Administrator
• Password: C1sco12345
14. When you have successfully logged in, you will be at your Workstation’s Windows desktop.

Online Stealthwatch Resources

Stealthwatch Cloud Design and Deploy Guide on Cisco.com:
https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/guide-c07-740823.html

Private Network Monitoring Sensor Advanced Configuration Guide:
https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/configuration/SWC_PNM_Advanced_Configuration_Guide_DV_1_14.pdf
https://ebooks.cisco.com/story/swc-sensor-install

Stealthwatch Cloud Free 60-day Trial:
https://www.cisco.com/c/en/us/products/security/stealthwatch/stealthwatch-cloud-free-offer.html
