[Deprecated] Cisco Secure Cloud Analytics connector for Microsoft Sentinel

Important

Log collection from many appliances and devices is now supported by the Common Event Format (CEF) via AMA, Syslog via AMA, or Custom Logs via AMA data connector in Microsoft Sentinel. For more information, see Find your Microsoft Sentinel data connector.

The Cisco Secure Cloud Analytics data connector provides the capability to ingest Cisco Secure Cloud Analytics events into Microsoft Sentinel. Refer to Cisco Secure Cloud Analytics documentation for more information.

This is autogenerated content. For changes, contact the solution provider.

Connector attributes

Connector attribute Description
Log Analytics table(s) Syslog (StealthwatchEvent)
Data collection rules support Workspace transform DCR
Supported by Microsoft Corporation

Query samples

Top 10 Sources

StealthwatchEvent

| summarize count() by tostring(DvcHostname)

| top 10 by count_

Vendor installation instructions

Note

This data connector depends on a parser based on a Kusto Function to work as expected StealthwatchEvent which is deployed with the Microsoft Sentinel Solution.

Note

This data connector has been developed using Cisco Secure Cloud Analytics version 7.3.2

  1. Install and onboard the agent for Linux or Windows

Install the agent on the Server where the Cisco Secure Cloud Analytics logs are forwarded.

Logs from Cisco Secure Cloud Analytics Server deployed on Linux or Windows servers are collected by Linux or Windows agents.

  1. Configure Cisco Secure Cloud Analytics event forwarding

Follow the configuration steps below to get Cisco Secure Cloud Analytics logs into Microsoft Sentinel.

  1. Log in to the Stealthwatch Management Console (SMC) as an administrator.

  2. In the menu bar, click Configuration > Response Management.

  3. From the Actions section in the Response Management menu, click Add > Syslog Message.

  4. In the Add Syslog Message Action window, configure parameters.

  5. Enter the following custom format: |Lancope|Stealthwatch|7.3|{alarm_type_id}|0x7C|src={source_ip}|dst={target_ip}|dstPort={port}|proto={protocol}|msg={alarm_type_description}|fullmessage={details}|start={start_active_time}|end={end_active_time}|cat={alarm_category_name}|alarmID={alarm_id}|sourceHG={source_host_group_names}|targetHG={target_host_group_names}|sourceHostSnapshot={source_url}|targetHostSnapshot={target_url}|flowCollectorName={device_name}|flowCollectorIP={device_ip}|domain={domain_name}|exporterName={exporter_hostname}|exporterIPAddress={exporter_ip}|exporterInfo={exporter_label}|targetUser={target_username}|targetHostname={target_hostname}|sourceUser={source_username}|alarmStatus={alarm_status}|alarmSev={alarm_severity_name}

  6. Select the custom format from the list and click OK

  7. Click Response Management > Rules.

  8. Click Add and select Host Alarm.

  9. Provide a rule name in the Name field.

  10. Create rules by selecting values from the Type and Options menus. To add more rules, click the ellipsis icon. For a Host Alarm, combine as many possible types in a statement as possible.

Next steps

For more information, go to the related solution in the Azure Marketplace.