
Cisco Secure Network Analytics v7.5.3


Introduction

  • Use this guide to configure Cisco Secure Network Analytics (formerly Stealthwatch), v7.5.3 or later, to capture Zeek telemetry.
  • To configure Zeek telemetry with Secure Network Analytics, make sure you have Data Store and Analytics enabled.

Overview

Zeek is primarily used as a passive network traffic analyzer which allows security teams to analyze network traffic, detect suspicious activity, and investigate potential threats by generating detailed logs of network events, including application-level details, through its protocol parsing capabilities. Zeek provides the following:

  • Threat Hunting and Incident Response: By analyzing Zeek logs, security teams can identify anomalous behavior, investigate potential security incidents, and hunt for malicious activity across the network.
  • Passive Mode: Because Zeek operates in a passive mode, observing network traffic without interfering with the flow, it is less disruptive to network operations.
  • Detailed Logs: Zeek generates detailed logs that capture comprehensive information about network connections, including timestamps, source/destination IP addresses, ports, protocols, and even file content, facilitating thorough analysis.
  • Storage: Zeek logs are stored as follows.
    • Most logs are stored on the Flow Collector, but the conn.log is in the Data Store.
    • The Flow Collector deletes all data older than 30 days. For more details, refer to “Resource Requirements” in the Virtual Edition Appliance Installation Guide.

Requirements
Make sure Analytics is enabled. Choose Configure > Detection > Analytics from the main menu, then click Analytics On.

The requirements are as follows.

  • Secure Network Analytics v7.5.3.
  • Data Store with Analytics enabled.
  • Zeek telemetry is the default for new installations during First Time Setup. If you’re upgrading from a previous release, you’ll need to configure Zeek telemetry in Advanced Settings.
  • You don’t need to purchase a separate license for Zeek telemetry. For more information about licensing, refer to the Smart Software Licensing Guide 7.5.3.

Performance Estimate

  • We support 100,000 events (Syslog messages) per second on a hardware platform. For details about resource requirements, refer to the hardware installation guide. For more information about combined telemetry resource requirements, refer to the Virtual Edition Appliance Installation Guide.
  • There are several factors, such as event rate and number of log types being ingested, that can impact your specific performance. While we do our best to represent the data as fairly and accurately as possible, your environment may experience different limits.

Zeek Logs
We are collecting all Zeek logs via Syslog but currently focusing only on the following:

  • conn.log
  • dns.log
  • smb_files.log or smb_mappings.log
  • dce_rpc.log
  • In some instances, the smb_files.log and dce_rpc.log might be sent to the smb_mappings.log.

Zeek logs should be configured to be exported by Syslog as JSON in a specific format.

  • Transport: Zeek logs use the JSON format over Syslog over UDP (default port 9514).
  • Format: The Zeek log generator must add the zeek_filename="xxx.log" tag before the JSONL string for the Flow Collector.
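The following Python is an added example, not code from Cisco or the Zeek project, that builds the tagged line described above (the zeek_filename="xxx.log" tag followed by one JSON object) and parses it back so a generator's output can be checked before it is pointed at the Flow Collector. The guide does not state how the collector treats the syslog header, so the RFC 3164-style header in build_syslog_message is an assumption; the sample records are constructed and the send_udp helper is included only to show the UDP-to-port-9514 delivery step.

```python
import json
import socket

# Constructed sample Zeek records for this example (not captured traffic).
# Field names follow Zeek's JSON log output (ts, uid, id.orig_h, ...).
SAMPLE_RECORDS = [
    ("conn.log", {"ts": 1723000000.123456, "uid": "CEx1aB2cD3", "id.orig_h": "10.0.0.5",
                  "id.orig_p": 51234, "id.resp_h": "10.0.0.9", "id.resp_p": 445,
                  "proto": "tcp", "service": "smb", "conn_state": "SF"}),
    ("dns.log", {"ts": 1723000001.5, "uid": "CEx4eF5gH6", "id.orig_h": "10.0.0.5",
                 "id.orig_p": 53001, "id.resp_h": "10.0.0.2", "id.resp_p": 53,
                 "proto": "udp", "query": "example.internal", "qtype_name": "A"}),
]

DEFAULT_ZEEK_PORT = 9514  # Flow Collector default for Zeek logs (from the guide)
TAG_PREFIX = 'zeek_filename="'


def format_zeek_payload(log_name: str, record: dict) -> str:
    """Build the line the Flow Collector expects: the zeek_filename tag, then the JSONL record."""
    if not log_name.endswith(".log") or '"' in log_name:
        raise ValueError(f"unexpected Zeek log name: {log_name!r}")
    # Compact separators keep the record on one line; JSONL is one object per line.
    return f'{TAG_PREFIX}{log_name}" ' + json.dumps(record, separators=(",", ":"))


def parse_zeek_payload(line: str) -> tuple:
    """Split a forwarded line back into (log_name, record); raises ValueError if malformed.

    Useful on the receiving side, or in a test harness, to confirm the generator
    emits exactly the tag-plus-JSONL shape.
    """
    if not line.startswith(TAG_PREFIX):
        raise ValueError("missing zeek_filename tag")
    end = line.index('"', len(TAG_PREFIX))
    log_name = line[len(TAG_PREFIX):end]
    record = json.loads(line[end + 1:])
    if not isinstance(record, dict):
        raise ValueError("payload is not a single JSON object")
    return log_name, record


def build_syslog_message(payload: str, hostname: str, timestamp: str,
                         facility: int = 1, severity: int = 6) -> str:
    """Wrap the payload in an RFC 3164 style header (assumed framing; facility user, severity info)."""
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {hostname} zeek: {payload}"


def send_udp(messages, host: str, port: int = DEFAULT_ZEEK_PORT) -> int:
    """Send each message as one UDP datagram; returns the number of datagrams sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for msg in messages:
            sock.sendto(msg.encode("utf-8"), (host, port))
            sent += 1
    return sent


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS:
        payload = format_zeek_payload(name, rec)
        assert parse_zeek_payload(payload) == (name, rec)  # round-trip check
        print(build_syslog_message(payload, "zeek-sensor-1", "Aug  6 12:00:00"))
    # To forward to a real Flow Collector, set the address (placeholder below):
    # send_udp([...], "FLOW_COLLECTOR_IP")
```

Running the block prints one syslog-framed line per sample record; parse_zeek_payload rejects a line that lacks the tag or whose body is not a single JSON object, which is the kind of malformed input that would otherwise be silently dropped on the collector side.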

Configuring the Flow Collector to Ingest Zeek Telemetry

These are the two options for configuring Zeek telemetry in Secure Network Analytics:

  • First Time Setup: Zeek telemetry is the default for new installations, but you can Confirm Zeek Telemetry During First Time Setup (Data Store Only).
  • Advanced Settings: When you’re upgrading from a previous release, you’ll need to Configure Zeek Telemetry in Advanced Settings.

For more information about configuring Secure Network Analytics, refer to the System Configuration Guide.

Confirm Zeek Telemetry During First Time Setup (Data Store Only)
To enable ingest of Zeek telemetry on a new Flow Collector with Data Store, complete the following steps:

  1. Follow the instructions in the appliance installation guide that applies to your Flow Collector. Then use the System Configuration Guide for more detailed instructions on configuring the appliance for multiple telemetry types.
  2. Access the virtual machine console. Allow the virtual appliance to finish booting.
  3. Log in through the console.
    • Login: sysadmin
    • Default password: lan1cope
      You’ll typically change the default password when you configure the system for the first time.
  4. Review the information about failed login attempts. Select OK to continue.
  5. Review the Introduction to First Time Setup. Select OK to continue.
  6. Select Zeek Logs from the list of telemetry types. Select OK to continue. All telemetry types are selected by default in a new deployment. If you’re upgrading to v7.5.2 from a previous release, refer to Configure Zeek Telemetry in Advanced Settings.
  7. Confirm the port for Zeek Logs is 9514, then select OK. We recommend you use port 9514. Do not use ports 2055, 514, or 8514.
    Make sure your telemetry ports are unique. If you configure duplicate telemetry ports, the ports will be reset to their internal defaults to avoid loss of flow data. For example, if NetFlow and Zeek are exported to the same telemetry port, each device exporting Zeek data will create an exporter on the Flow Collector and exhaust the exporter resources in the Flow Collector engine, resulting in loss of flow data.
  8. Click Apply to save your changes.
  9. Follow the on-screen instructions to complete the virtual environment and restart the appliance.

Configure Zeek Telemetry in Advanced Settings

Make sure you install the latest Flow Collector NetFlow rollup patch before you begin this procedure.

To begin ingesting Zeek telemetry on a Flow Collector that has already been configured, complete the following steps:

  1. Log in to your Manager.
  2. From the main menu, choose Configure > Global > Central Management.
  3. On the Inventory page, click the ... (Ellipsis) icon for your Flow Collector, then select View Appliance Statistics. The Flow Collector Admin interface opens.
  4. Choose Support > Advanced Settings.
    If a field is not displayed, click the Add New Option field. For more information about editing advanced settings on the Flow Collector, refer to the Advanced Settings Help topic.
  5. In the enable_zeek field, set the value to 1 to capture Zeek telemetry. Make sure you’ve configured Zeek to forward logs in JSON format.
  6. Confirm the value is set to 9514 in the zeek_port field.

Make sure your telemetry ports are unique. If you configure duplicate telemetry ports, the ports will be reset to their internal defaults to avoid loss of flow data. For example, if NetFlow and Zeek are exported to the same telemetry port, each device exporting Zeek data will create an exporter on the Flow Collector and exhaust the exporter resources in the Flow Collector engine, resulting in loss of flow data.
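The following Python is an added example, not Cisco's own code, that checks the two settings from the Advanced Settings procedure (enable_zeek and zeek_port) together with the port-uniqueness rule stated above, so a planned Flow Collector configuration can be reviewed before it is applied. The field names, the default port 9514 and the ports to avoid (2055, 514, 8514) come from this guide; the other telemetry types, their port numbers and the audit_flow_collector helper are constructed for the example.

```python
# Added example (not Cisco's own code). enable_zeek, zeek_port, 9514 and the
# disallowed ports come from the guide; other telemetry entries are constructed.
DISALLOWED_ZEEK_PORTS = {2055, 514, 8514}
RECOMMENDED_ZEEK_PORT = 9514


def zeek_settings_from_advanced(settings: dict) -> dict:
    """Interpret the Zeek-related Advanced Settings fields as typed in the UI.

    Returns {"enabled": bool, "port": int or None}; raises ValueError if
    zeek_port is present but not numeric.
    """
    enabled = str(settings.get("enable_zeek", "0")).strip() == "1"
    raw_port = settings.get("zeek_port")
    port = None
    if raw_port is not None:
        try:
            port = int(str(raw_port).strip())
        except ValueError:
            raise ValueError(f"zeek_port is not numeric: {raw_port!r}") from None
    return {"enabled": enabled, "port": port}


def check_telemetry_ports(ports: dict) -> list:
    """Validate a mapping of telemetry type -> UDP port for one Flow Collector.

    Returns a list of findings; an empty list means the configuration is acceptable.
    """
    findings = []
    by_port = {}
    for telemetry, port in ports.items():
        by_port.setdefault(port, []).append(telemetry)
    # Duplicate ports are the failure mode the guide warns about: the collector
    # resets them to internal defaults and flow data can be lost.
    for port, names in sorted(by_port.items()):
        if len(names) > 1:
            findings.append(
                f"port {port} is shared by {', '.join(sorted(names))}; the collector "
                "resets duplicate telemetry ports to internal defaults")
    zeek_port = ports.get("zeek")
    if zeek_port is None:
        findings.append("no Zeek telemetry port configured")
    elif zeek_port in DISALLOWED_ZEEK_PORTS:
        findings.append(f"Zeek port {zeek_port} is one of the ports the guide says not to use")
    elif zeek_port != RECOMMENDED_ZEEK_PORT:
        findings.append(f"Zeek port {zeek_port} differs from the recommended {RECOMMENDED_ZEEK_PORT}")
    return findings


def audit_flow_collector(advanced_settings: dict, other_ports: dict) -> list:
    """Combine the Advanced Settings view with the other telemetry ports and report findings."""
    zeek = zeek_settings_from_advanced(advanced_settings)
    if not zeek["enabled"]:
        return ["enable_zeek is not 1; Zeek telemetry will not be captured"]
    ports = dict(other_ports)
    if zeek["port"] is not None:
        ports["zeek"] = zeek["port"]
    return check_telemetry_ports(ports)


if __name__ == "__main__":
    # Constructed configurations: one correct, one where Zeek shares NetFlow's port.
    good = audit_flow_collector({"enable_zeek": "1", "zeek_port": "9514"}, {"netflow": 2055})
    bad = audit_flow_collector({"enable_zeek": "1", "zeek_port": "2055"}, {"netflow": 2055})
    print("good:", good or "no findings")
    print("bad:", bad)
```

The second constructed configuration produces two findings, one for the shared port and one because 2055 is on the list of ports not to use for Zeek; the first produces none.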

Verifying Zeek Telemetry

To verify Zeek telemetry is being captured, review the Zeek Log Collection Trend report:

  1. Log in to your Manager.
  2. From the main menu, choose Report > Report Builder.
  3. Click Create New Report, then select Zeek Log Collection Trend.
  4. Click Run.
  5. Verify the report is showing Zeek telemetry.

Zeek Log Collection Trend Report
The following samples of the Zeek Log Collection Trend Report show Zeek telemetry successfully being captured.

Report Sample 1
This report sample provides an hour view.

Report Sample 2

  • This report sample provides a 12-hour view.
  • For more information about reports, click the (Help) icon to access the Report Builder Help topic.

Evaluating Zeek Events

There are two additional reports available to help you evaluate Zeek events:

  • Zeek Database Ingest Trend Report
  • Zeek Logs Report
  • Make sure you have Data Store and Analytics enabled.
  • To enable Analytics, choose Configure > Detection > Analytics from the main menu, then click Analytics On.

Zeek Database Ingest Trend Report
To evaluate the Zeek conn.log events being written to your Data Store, do the following:

  1. Log in to your Manager.
  2. From the main menu, choose Report > Report Builder.
  3. Click Create New Report, then select Zeek Database Ingest Trend.
  4. Click Run.
  5. Review the report:
    • Is the Data Store receiving Zeek conn.log events?
    • Were there any interruptions?

Report Sample

  • This sample provides a 12-hour view.
  • View Records Written as Event Bytes Per Period or Event Count Per Period.

Zeek Logs Report

  • Make sure your Flow Collector is configured to receive data from Zeek. For instructions, refer to the System Configuration Guide.
  • To view the Zeek telemetry logging events for a specific Zeek log type on a Flow Collector, do the following:
  • You can run up to four Zeek log queries concurrently with additional queries waiting in a queue.
  1. Log in to your Manager.
  2. From the main menu, choose Report > Report Builder.
  3. Click Create New Report, then select Zeek Logs.
  4. Specify parameters in the required fields in the General area.
    • Time Range: If you choose Custom, select a short time range for maximum performance. If you enter a long time range, the report may take a long time to query the data.
    • Flow Collector: Select a Secure Network Analytics Flow Collector in your network.
    • Max Records: Select the maximum number of records. The limit is 10,000 records.
    • Zeek Log Type: Select a Zeek Log Type.
    • Selecting a log other than conn.log in the Zeek Log Type field may cause the report to run long, but it must run to completion.
  5. Use the Filter area to specify additional parameters, if needed.
  6. Click Run.

Report Sample

  • Optional parameters were selected when creating this report sample.
  • To receive data on this report, you need Secure Network Analytics with a Data Store deployment. For information and instructions, refer to the Appliance Installation Guide (Hardware or Virtual Edition) and the System Configuration Guide.

Contact Support
If you need technical support, please do one of the following:

Change History

Document Version   Publication Date   Description
1_0                August 6, 2025     Initial version.

Copyright Information
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
