Integrate Cisco Secure Network Analytics with Google SecOps

Integration version: 7.0

This document explains how to integrate Cisco Secure Network Analytics (formerly Stealthwatch) with Google Security Operations (Google SecOps).

Use cases

The Cisco Secure Network Analyticsintegration can address the following use cases:

• Retrieve security events: Use Google SecOps capabilities to search and retrieve host security events from the Cisco Secure Network Analytics server during incident investigation.

• Search for network flow data: Use Google SecOps capabilities to search for network flows by IP address within a specified timeframe to understand host communication patterns.

Integration parameters

The Cisco Secure Network Analyticsintegration requires the following parameters:

For instructions about how to configure an integration in Google SecOps, see Configure integrations .

You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances .

Actions

For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action .

Ping

Use the Pingaction to test connectivity to Cisco Secure Network Analytics.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

The Pingaction provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Not available
Output messages	Available
Script result	Available

Output messages

The Pingaction can return the following output messages:

Output message	Message description
Successfully connected to the Stealthwatch with the provided connection parameters!	The action succeeded.
Error executing action "Ping". Reason: ERROR_REASON	The action failed. Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Ping action:

Script result name	Value
is_success	True or False

Search Events

Use the Search Eventsaction to retrieve a host's security events from Cisco Secure Network Analytics for a given timeframe.

This action runs on the following Google SecOps entities:

• IP Address

Action inputs

The Search Eventsaction requires the following parameters:

Parameter	Description
Time Frame	Required. The number of hours, measured backward from the current time, to include in the search window for security events.

Action outputs

The Search Eventsaction provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

Search Flows

Use the Search Flowsaction to retrieve network flow data from Cisco Secure Network Analytics for a given IP address and timeframe.

This action runs on the following Google SecOps entities:

• IP Address

Action inputs

The Search Flowsaction requires the following parameters:

Action outputs

The Search Flowsaction provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

Need more help? Get answers from Community members and Google SecOps professionals.