USM Anywhere™

Cisco StealthWatch

When you configure Cisco StealthWatch integration to send log data to USM Anywhere, you can use the Cisco StealthWatch plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor: Cisco
Device type: Intrusion detection
Connection type: Syslog
Vendor link:

Integrating Cisco StealthWatch

Before configuring the log collection, you must have the IP address of the USM Anywhere Sensor.

Cisco StealthWatch must be configured to forward log data over syslog to USM Anywhere in CEF format.

To configure Cisco StealthWatch to forward log data to USM Anywhere

  1. Select the Domain or any Host Group.
  2. Open the Configuration menu and select Response Management.
  3. From the Actions section in the Response Management menu, select Add and then ArcSight Common Event from the Action Types list.
  4. Provide a name, for example, USM Anywhere Sensor, and add its IP address and its port (514, in most cases).

    Note: Selecting Test sends a test message to the sensor for validation.

  5. Select OK to finish.
  6. From the Rule option in the Response Management menu, select Add.
  7. From the Rule Types list, select Host Alarm.
  8. From the Add Host Alarm Rule option, set a rule name and add the alarm conditions you want forwarded to the rule.

    Note: Pay close attention to configuring the following "are true" section correctly.

  9. To add a condition (Type, Severity, Source Host, Target Host, or Processing Time), select the ellipsis (…) button, and then select the desired type(s).

    Note: For a host alarm, best practice is to combine as many types as possible in an Any statement.

    In the current example, an event will be forwarded to ArcSight if Addr_Scan/tcp, Addr_Scan/udp, Bot Infected Host – Successful C&C Activity, or Data Hoarding is detected.

  10. From the Actions dialog, select the USM Anywhere Sensor syslog action for both Active and Inactive conditions.

    If the defined conditions occur, the event will be forwarded to USM Anywhere.

Plugin Enablement

For plugin enablement information, see Adding AlienApps to an Asset.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • customfield_2
  • customfield_3
  • customheader_2
  • customheader_3
  • customheader_4
  • customheader_5
  • destination_address
  • destination_port
  • event_description
  • event_name
  • event_severity
  • external_id
  • plugin_device
  • plugin_device_type
  • rep_device_address
  • rep_device_rule_id
  • rep_device_type
  • rep_device_vendor
  • rep_device_version
  • source_address
  • time_start
  • transport_protocol

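As an added example (not part of this page or of the USM Anywhere plugin), the following Python shows how a syslog line carrying a CEF event, as forwarded by the ArcSight Common Event action above, is split into header and extension fields and mapped onto the plugin field names listed above. The sample message, the vendor/product strings and the field mapping are constructed assumptions for illustration; the keys StealthWatch actually emits may differ.

```python
import re
# CEF header order after "CEF:Version", mapped to the plugin field names listed
# above; this mapping is assumed for illustration, not the plugin's published map.
HEADER_FIELDS = ["rep_device_vendor", "rep_device_type", "rep_device_version",
                 "rep_device_rule_id", "event_name", "event_severity"]
# Standard CEF extension keys mapped to plugin field names (same caveat).
EXTENSION_MAP = {"src": "source_address", "dst": "destination_address",
                 "dpt": "destination_port", "proto": "transport_protocol",
                 "msg": "event_description", "start": "time_start",
                 "externalId": "external_id"}

def split_cef(cef_body):
    """Split 'CEF:0|...' on unescaped '|' into the 7 header fields plus extension."""
    parts, cur, i = [], [], 0
    while i < len(cef_body) and len(parts) < 7:
        ch = cef_body[i]
        if ch == "\\" and i + 1 < len(cef_body):  # '\|' and '\\' are escapes
            cur.append(cef_body[i + 1]); i += 2
        elif ch == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(parts) != 7:
        raise ValueError("malformed CEF header")
    return parts, cef_body[i:]

def parse_extension(ext):
    """Split 'key=value key2=value'; values may contain spaces and escaped '\\='."""
    fields = {}
    for token in re.split(r"\s+(?=[A-Za-z0-9_]+=)", ext.strip()):
        key, _, value = token.partition("=")
        fields[key] = re.sub(r"\\([=\\])", r"\1", value)
    return fields

def normalize(syslog_line):
    """Translate one raw syslog line carrying CEF into plugin-field names, or None."""
    idx = syslog_line.find("CEF:")
    if idx < 0:
        return None
    header, ext = split_cef(syslog_line[idx:])
    event = dict(zip(HEADER_FIELDS, header[1:]))  # header[0] is 'CEF:0'
    for key, value in parse_extension(ext).items():
        event[EXTENSION_MAP.get(key, key)] = value
    return event

# Constructed sample line (not a captured StealthWatch message).
SAMPLE = ("<134>Jan 10 12:00:00 stealthwatch CEF:0|Cisco|Stealthwatch|7.0|Addr_Scan/tcp|"
          "Addr_Scan/tcp|5|src=10.0.0.5 dst=10.0.1.9 dpt=22 proto=tcp "
          "start=1609459200000 externalId=EX-1234 msg=Address scan, host\\=10.0.0.5")
```

Calling normalize(SAMPLE) yields, among others, rep_device_rule_id "Addr_Scan/tcp", event_severity "5", source_address "10.0.0.5" and event_description "Address scan, host=10.0.0.5"; a line with no CEF payload returns None, which is the case to watch when the Test message from the Response Management action does not show up in USM Anywhere.
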
For troubleshooting, refer to the vendor documentation: