Cisco StealthwatchCustomer SuccessMetrics Configuration Guide 7.2

Table of ContentsOverview 3

Contacting Support 3

Configuration 4

Configuring the Network Firewall 4

Configuring the Stealthwatch Management Console 4

Configuring the Flow Collector 4

Disabling Customer Success Metrics 5

Customer Success Metrics Data 6

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 2 -

OverviewCustomer Success Metrics (CSM) enables Stealthwatch system data to be sent to thecloud so that Customer Experience can access vital information regarding thedeployment, health, performance, and usage of your system. The data is also availablein a .csv file accessible on your appliance.

Contacting SupportIf you need technical support, please do one of the following:

l Contact your local Cisco Partner

l Contact Cisco Stealthwatch Supporto To open a case by web: http://www.-cisco.com/c/en/us/support/index.html

o To open a case by email: tac@cisco.como For phone support: 1-800-553-2447 (U.S.)o For worldwide support numbers: https://www.-cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 3 -

Overview

ConfigurationCustomer Success Metrics is automatically enabled on your Stealthwatch ManagementConsole and Flow Collector(s). You will need to configure your network firewall to allowcommunication from your appliances to the cloud, using the directions provided in theConfiguring the Network Firewall section. To opt out of CSM, use the directions in theDisabling Customer Success Metrics section.

l Customer Success Metrics requires all enabled appliances to have inter-net access.

l Each appliance generates a separate .csv file.

Configuring the Network FirewallConfiguring the StealthwatchManagement ConsoleConfigure your network firewall to allow communication from the StealthwatchManagement Console to the following IP addresses and port 443:

AWS Elastic IPsl 34.242.41.248

l 34.242.94.137

l 34.251.54.105

Cisco Streamline IPsl 146.112.59.0/24

l 208.69.38.0/24

If public DNS is not allowed, you will need to configure the resolution locally onthe Stealthwatch Management Console.

Configuring the Flow CollectorConfigure your network firewall to allow communication from the Flow Collector(s) to thefollowing IP address and port 443:

AWS Elastic IPs l 34.242.41.248 l 34.251.210.21

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 4 -

Configuration

l 34.242.94.137

l 34.251.54.105

l 34.255.162.33

l 54.194.49.205

Cisco Streamline IPsl 146.112.59.0/24

l 208.69.38.0/24

If public DNS is not allowed, you will need to configure the resolution locally onthe Flow Collector(s).

Disabling Customer SuccessMetricsTo disable CSM on your appliance, complete the following steps:

1. Log in to Stealthwatch Management Console.

2. Click on the Global Settings icon, and then click Central Management.3. From the context menu in the Actions column for the applicable appliance, choose

Edit Appliance Configuration.4. Click the General tab.5. Scroll down to the External Services section and uncheck the Enable Customer

Success Metrics check box.6. Click Apply Settings.

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 5 -

Configuration

Customer Success Metrics DataThere are three data types for Customer Success Metrics:

l Cumulative: One entry for a 24-hour periodl Interval: One entry every 5 minutes (total of 288 entries per 24-hour period)l Snapshot: One entry for the point in time you generate the report

The following table lists the data collected by Customer Success Metrics:

System Data Description Data Type

collector.collect.duration_s Duration it took to collect all metricsSnapshot

Freq:Hourly

devices.cache.activeNumber of active MAC addressesfrom ISE in the devices cache

Snapshot

devices.cache.deletedNumber of deleted MAC addressesfrom ISE in the devices cachebecause they have timed out

Cumulative

devices.cache.droppedNumber of dropped MAC addressesfrom ISE because the devices cacheis full

Cumulative

devices.cache.maxMaximum number of MAC addressesfrom ISE 

Interval

devices.cache.newNumber of new MAC addresses fromISE added into the devices cache

Cumulative

events.vertica.day.{event_id}.-count

Total number of each type of secur-ity event over one day (delayed byone day)

Interval

Freq: Daily

flow_statsFlow statistics per minute exportedto Vertica and ZMQ

Interval

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 6 -

Customer Success Metrics Data

System Data Description Data Type

flow_stats.fpsOutbound flows per second in thelast minute

Interval

flows Inbound flows processed Interval

flows.cache.activeNumber of active flows in the FlowCollector's flow cache

Snapshot

flows.cache.droppedNumber of flows dropped becausethe Flow Collector's flow cache isfull

Cumulative

flows.cache.endedNumber of flows ended in the FlowCollector's flow cache

Interval

flows.cache.maxMaximum size of the Flow Col-lector's flow cache

Interval

flows.cache.percentPercent of capacity of the Flow Col-lector's flow cache

Interval

flows.cache.startedNumber of flows added to the FlowCollector's flow cache

Cumulative

flows.dropped Inbound number of flows dropped Interval

flows.fps Inbound number of flows per second Interval

flows.vertica.all.count Total number of flow in the databaseSnapshot

Freq: Daily

flows.vertica.all.last_time.minApproximation of the oldest flow indatabase 

Snapshot

Freq: Daily

flows.vertica.hour.client_ip_address.distinct.catch_all.count

Total number of distinct client IPsbelonging to the catch-all group(one hour of data sampled)

Interval

Freq:Hourly

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 7 -

Customer Success Metrics Data

System Data Description Data Type

flows.vertica.hour.client_ip_address.distinct.count

Total number of distinct client IPs(one hour of data sampled)

Interval

Freq:Hourly

flows.vertica.hour.countTotal number of flows in one hour(one hour of data sampled)

Interval

Freq:Hourly

flows.vertica.hour.distinct.count

Approximate number and ratio ofunique flow (based on the flow id).Ratio in [0,1] (one hour of datasampled).

Interval

Freq:Hourly

flows.vertica.hour.*

- inside.inside.count

- inside.outside.count

- outside.inside.count

- outside.outside.count

Total number of flows grouped by dir-ection (one hour of data sampled)

Interval

Freq:Hourly

flows.vertica.hour.server_ip_address.distinct.catch_all.count

Total number of distinct server IPsbelonging to the catch-all group(one hour of data sampled)

Interval

Freq:Hourly

flows.vertica.hour.server_ip_address.distinct.count

Total number of distinct server IPs(one hour of data sampled)

Interval

Freq:Hourly

flows.vertica.sample.client_ip_address.distinct.catch_all.ratio

Ratio of client IPs belonging to thecatch-all group. Ratio in [0,1] (onehour of data sampled)

Interval

Freq:Hourly

flows.vertica.sample.distinct.ratio

Approximate number and ratio ofunique flow (based on the flow id).Ratio in [0,1] (one hour of datasampled).

Interval

Freq:Hourly

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 8 -

Customer Success Metrics Data

System Data Description Data Type

flows.vertica.sample.server_ip_address.distinct.catch_all.ratio

Ratio of server IPs belonging to thecatch-all group. Ratio in [0,1] (onehour of data sampled)

Interval

Freq:Hourly

hosts.cache.cached Number of hosts in the host cache Interval

hosts.cache.deletedNumber of hosts deleted in the hostcache

Cumulative

hosts.cache.droppedNumber of hosts dropped becausethe host cache is full

Cumulative

hosts.cache.max Maximum size of the host cache Interval

hosts.cache.newNumber of new hosts added into thehost cache

Cumulative

hosts.cache.percentPercent of capacity of the hostcache

Interval

hosts.cache.probationary.deleted

Number of probationary hosts*deleted in the hosts cache

*Probationary hosts are hosts thathave never been the source ofpackets and bytes. These hosts aredeleted first when clearing up spacein the host cache.

Cumulative

interfacesOutbound number of interface stat-istics exported to Vertica

Interval

interfaces.fpsOutbound number of interface stat-istics per second exported to Vertica

Interval

platformHardware platform (ex: Dell 13G,KVM Virtual Platform)

N/A

product Stealthwatch product (ex: SMC, N/A

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 9 -

Customer Success Metrics Data

System Data Description Data Type

Flow Collector NetFlow)

report.completeName of the report and the run-timein milliseconds (SMC only)

N/A

report.filters

Filters used when the SMC queriesthe FC databases.

Data exported per query:

l maximum number of rows

l include-interface-data flag

l fast-query flag

l exclude-counts flag

l flows direction filters

l order-by column

l default-columns flag

l Time window start date andtime

l Time window end date andtime

l Number of device ids criteria

l Number of interface ids criteria

l Number of IPs criteria

l Number of IP ranges criteria

l Number of hostgroups criteria

l Number of hosts pairs criteria

l Whether results are filtered byMAC addresses

l Whether results are filtered byTCP/UDP ports

l Number of usernames criteria

l Whether results are filtered bynumber of bytes/packets

Snapshot

Freq: PerRequest

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 10 -

Customer Success Metrics Data

System Data Description Data Type

l Whether results are filtered bytotal number of bytes/packets

l Whether results are filtered byURL

l Whether results are filtered byprotocols

l Whether results are filtered byapplications ids

l Whether results are filtered byprocess name

l Whether results are filtered byprocess hash

l Whether results are filtered byTLS version

l Number of ciphers in ciphersuite criteria

security_events.cache.activeNumber of active security events inthe security events cache

Snapshot

security_events.cache.droppedNumber of security events droppedbecause the security events cacheis full

Cumulative

security_events.cache.endedNumber of ended security events inthe security events cache

Cumulative

security_events.cache.insertedNumber of security events insertedinto the database table

Interval

security_events.cache.maxMaximum size of the security eventscache

Interval

security_events.cache.percentPercent of capacity of the securityevents cache

Interval

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 11 -

Customer Success Metrics Data

System Data Description Data Type

security_events.cache.startedNumber of started security events inthe security events cache

Cumulative

serial Serial number of the appliance N/A

sessions.cache.activeNumber of active sessions fromISE in the session cache

Snapshot

sessions.cache.deletedNumber of deleted sessions fromISE in the session cache

Cumulative

sessions.cache.droppedNumber of sessions fromISE dropped because the sessionscache is full

Cumulative

sessions.cache.max Maximum size of the sessions cache Interval

sessions.cache.newNumber of new sessions fromISE added into the session cache

Cumulative

users.cache.activeNumber of active users in the userscache

Snapshot

users.cache.deletedNumber of deleted users in theusers cache because they havetimed out

Cumulative

users.cache.droppedNumber of users dropped becausethe users cache is full

Cumulative

users.cache.max Maximum size of the users cache Interval

users.cache.newNumber of new users in the userscache

Cumulative

versionStealthwatch version number (ex:7.1.0)

N/A

version.build Build number (ex: 2018.07.16.2249- N/A

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 12 -

Customer Success Metrics Data

System Data Description Data Type

0)

version.patch Patch number N/A

vertica.health.node.{node_name}.disk.*

- used_bytes

- free_bytes

- used_ratio

Disk current statusSnapshot

Freq:Hourly

vertica.health.node.{node_name}.event.{event_severity}

Count events (one hour of data)Interval

Freq: Daily

vertica.health.node.{node_name}.state

Node current stateSnapshot

Freq:Hourly

reset.hour Flow Collector reset hour N/A

csm.versionCustomer Success Metrics code ver-sion (ex: 1.0.24-SNAPSHOT)

N/A

power.{sensorId}.statusSMC and Flow Collector power sup-ply statistics

Snapshot

integration.ad.{domainId}.count Number AD connections Cumulative

rpe.{domainId}.count Number of role policies configured Cumulative

rp.{domainId}.countNumber of relationship policies con-figured

Cumulative

sw.app.{appId}Stealthwatch Apps installed on thesystem

N/A

hostgroups.changes.{domainId}.count

Changes to the Host Group con-figuration

Cumulative

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 13 -

Customer Success Metrics Data

System Data Description Data Type

integration.snmp SNMP agent usage N/A

integration.cognitiveCognitive Intelligence integrationenabled

N/A

services.{domainId}.count Number of services defined Snapshot

applications.default.count Number of applications defined Snapshot

smc.users.count Number of users in the Web App Snapshot

login.api.count Number of API log ins Cumulative

login.ui.count Number of Web App log ins Cumulative

report.concurencyNumber of reports running con-currently

Cumulative

vertica.stats.query.{user-}.duration_sec

Query response time by user Cumulative

vertica.stats.query.duration_sec.max

Maximum query response time Cumulative

vertica.stats.query.duration_sec.min

Minimum query response time Cumulative

vertica.stats.query.duration_sec.avg

Average query response time Cumulative

exporters.fc.countNumber of exporters per Flow Col-lector

Interval

apicall.ui.countNumber of SMC API calls using theWeb App

Cumulative

apicall.api.countNumber of SMC API calls using theAPI

Cumulative

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 14 -

Customer Success Metrics Data

System Data Description Data Type

licensing.smart.smartAccount Smart licensing account for the SMC N/A

licensing.smart.virtualAccountSmart licensing virtual account forthe SMC

N/A

licensing.smart.registrationStatusSmart licensing registration statusfor the SMC

N/A

licensing.smart.productInstanceName

Smart licensing product identifier N/A

ctr.ctr_enabled CTR integration enabled N/A

ctr.ats_integration_enabled ATS integration enabled N/A

ctr.alarm_sender_enabled Stealthwatch alarms to CTR enabled N/A

ctr.alarm_sender_minimal_sever-ity

Minimal severity of alarms sent toCTR

N/A

ctr.enrichment_enabledEnrichment request fromCTR enabled

N/A

ctr.enrichment_limitNumber of top Security Events to bereturned to CTR

Cumulative

ctr.enrichment_periodTime period for Security Events tobe returned to CTR

Cumulative

ctr.number_of_alarms Number of alarms sent to CTR Cumulative

ctr.number_of_enrichment_requests

Number of enrichment requestsreceived from CTR

Cumulative

ctr.number_of_refer_requestsNumber of requests for SMC pivotlink received from CTR

Cumulative

ctr.swe_visibility_app_metricsNumber of data requests to VisibilityAssessment SecureX tile

Cumulative

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 15 -

Customer Success Metrics Data

System Data Description Data Type

ctr.swe_visibility_app_network_metrics

Number of data requests to NetworkVisibility SecureX tile

Cumulative

ctr.swe_alarming_hosts_by_cat-egory

Number of data requests to AlarmingHosts By Category SecureX tile

Cumulative

ctr.swe_top_inside_groups_by_traffic

Number of data requests to TopInside Hosts SecureX tile

Cumulative

ctr.swe_top_outside_groups_by_traffic

Number of data requests to Top Out-side Hosts SecureX tile

Cumulative

ctr.swe_top_alarming_hostsNumber of data requests to TopAlarming Hosts SecureX tile

Cumulative

ctr.swe_top_alarms_by_type_overall

Number of data requests to TopAlarms By Count SecureX tile

Cumulative

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 16 -

Customer Success Metrics Data

Copyright InformationCisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or itsaffiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to thisURL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned arethe property of their respective owners. The use of the word partner does not imply apartnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are notintended to be actual addresses and phone numbers. Any examples, command displayoutput, network topology diagrams, and other figures included in the document areshown for illustrative purposes only. Any use of actual IP addresses or phone numbersin illustrative content is unintentional and coincidental.

© 2020 Cisco Systems, Inc. and/or its affiliates.

All rights reserved.