I just love Stealthwatch and Cisco's "network as a sensor" concept. If you think about traditional SIM/SIEM systems and the visibility they give into what is moving in your network at the L2/L3 level, I claim that the visibility is zero.
You can send switch, router or server syslog data to your SIM/SIEM server and still get no visibility into your network traffic at the L2/L3 level. If your router is smart enough it may be able to tell you some information about connections, but what if there is asymmetric or dynamic routing and different data flows take different paths?
A SIM/SIEM can see network connection traffic only from firewalls, because a firewall can report that.
But what if the network device your client is connected to could report every flow you send or receive? What if all network switches, routers, firewalls and clients could tell you where traffic is going? If you are lucky and you also have an identity-based network with pxGrid, then you get real 360-degree visibility into your traffic.
Think about the situation when you are implementing a new DNS server and you want to know which clients are still using the old ones or have tried to use some public servers. What if you have a SCADA network and you want to do segmentation without segmentation? In Stealthwatch you can create rules that SCADA1 can talk to SCADA2 but not to the SCADA3 server, even when those servers are in the same network segment or even on the same switch. If SCADA1 sends any data to SCADA3, Stealthwatch will create an alarm, and that alarm can be forwarded to the Graylog server.
How can STW (Stealthwatch) and Graylog be integrated, so that you can see STW-generated alarms in your Graylog server? I assume that you already have Stealthwatch and Graylog up and running. I will use STW version 7.1.1 and Graylog 3.2.3.
Graylog configuration
First we configure Graylog to receive messages from STW.
Now we need to add an extractor, which parses the incoming messages.
You can download the latest extractor from my GitHub, https://github.com/hrleinonen/graylog-stealthwatch, and paste that JSON file into your Graylog import extractors.
The extractor brings these new fields into your Graylog:
ALARMSEV = Alarm severity
ALARMSTATUS = Alarm current status
CAT = Alarm category
DOMAIN = STW Domain
DST = Destination
DSTPORT = Destination port
FLOWCOLLECTORIP = Flowcollector IP
FLOWCOLLECTORNAME = Flowcollector name
HOSTNAME = SMC hostname
PROTO = IP protocol
SOURCEHG = Source host group
SRC = Source
TARGETHG = Target host group
Stealthwatch configuration
Create a new syslog format.
LEEF:2.0|Lancope|Stealthwatch|7.1|{alarm_type_id}|0x7C|src={source_ip}|dst={target_ip}|dstPort={port}|proto={protocol}|msg={alarm_type_description}|fullmessage={details}|start={start_active_time}|end={end_active_time}|cat={alarm_category_name}|alarmID={alarm_id}|sourceHG={source_host_group_names}|targetHG={target_host_group_names}|sourceHostSnapshot={source_url}|targetHostSnapshot={target_url}|flowCollectorName={device_name}|flowCollectorIP={device_ip}|domain={domain_name}|exporterName={exporter_hostname}|exporterIPAddress={exporter_ip}|exporterInfo={exporter_label}|targetUser={target_username}|targetHostname={target_hostname}|sourceUser={source_username}|alarmStatus={alarm_status}|alarmSev={alarm_severity_name}
This is the syslog message format and the fields that Stealthwatch sends to Graylog.
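To show what the extractor has to do with a line in the format above, here is an added Python parser for that LEEF 2.0 layout (example code written for this post, not the author's extractor or anything from Cisco or Graylog). It assumes an RFC 3164-style syslog prefix in front of the LEEF payload, reads the delimiter hint (0x7C, i.e. "|") from the header, and maps the LEEF keys to the Graylog field names listed above; the sample alarm is constructed.

```python
import re

# LEEF 2.0 header: LEEF:Version|Vendor|Product|ProductVersion|EventID|DelimHint|attributes
LEEF_HEADER = re.compile(
    r"LEEF:(?P<version>[^|]*)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<product_version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<delim>[^|]*)\|(?P<body>.*)",
    re.DOTALL,
)

# LEEF attribute keys from the syslog format -> field names the extractor creates in Graylog.
FIELD_MAP = {
    "alarmSev": "ALARMSEV", "alarmStatus": "ALARMSTATUS", "cat": "CAT",
    "domain": "DOMAIN", "dst": "DST", "dstPort": "DSTPORT",
    "flowCollectorIP": "FLOWCOLLECTORIP", "flowCollectorName": "FLOWCOLLECTORNAME",
    "proto": "PROTO", "sourceHG": "SOURCEHG", "src": "SRC", "targetHG": "TARGETHG",
}


def parse_leef(line: str) -> dict:
    """Parse one Stealthwatch LEEF 2.0 syslog line into a flat dict of fields."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("not a LEEF message")
    m = LEEF_HEADER.match(line, start)
    if m is None:
        raise ValueError("malformed LEEF header")
    fields = {k: m.group(k) for k in ("version", "vendor", "product", "product_version", "event_id")}
    # Assumption: an RFC 3164-style prefix "<pri>timestamp host " precedes the LEEF payload,
    # so the last token before "LEEF:" is the sending SMC hostname (the HOSTNAME field).
    prefix = line[:start].split()
    if prefix:
        fields["HOSTNAME"] = prefix[-1]
    # The 6th header field is the attribute delimiter hint; 0x7C in the format above means "|".
    hint = m.group("delim")
    delim = chr(int(hint, 16)) if hint.startswith("0x") else (hint or "\t")
    for pair in m.group("body").split(delim):
        key, sep, value = pair.partition("=")
        if sep:
            fields[FIELD_MAP.get(key, key)] = value
    return fields


# Constructed sample alarm (not a real STW message): SCADA1 talking to SCADA3 as in the
# segmentation scenario above. All values are made up for this example.
SAMPLE = (
    "<14>Jun 12 10:15:00 smc01 LEEF:2.0|Lancope|Stealthwatch|7.1|42|0x7C|"
    "src=10.1.1.10|dst=10.1.1.30|dstPort=502|proto=6|msg=Host talked to disallowed host|"
    "fullmessage=SCADA1 sent data to SCADA3|cat=Policy Violation|alarmID=1001|"
    "sourceHG=SCADA1|targetHG=SCADA3|flowCollectorName=fc01|flowCollectorIP=10.0.0.5|"
    "domain=acme.local|alarmStatus=ACTIVE|alarmSev=Major"
)

if __name__ == "__main__":
    for name, value in sorted(parse_leef(SAMPLE).items()):
        print(f"{name} = {value}")
```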

Next we create the server to which alarms are sent.
Next we choose what to send.

And where to send the alarms.

Graylog Stealthwatch Dashboard
I have also created a simple example dashboard, which shows basic information about alarms. You can download the JSON file from my GitHub. You must edit the dashboard so that you replace DOMAIN:PUT-MY-OWN-DOMAIN-HERE with your own domain, like DOMAIN:acme.local
