By definition from the CISCO SECURE NETWORK ANALYTICS DESKTOP CLIENT USER GUIDE 7.4 – Stealthwatch uses indexes to help detect host anomalies on the network. The Stealthwatch Flow Collector adds Concern Index (CI) points to hosts for various unacceptable host behaviors. When the accumulated index points surpass the acceptable threshold, the Flow Collector raises an alarm.
So how the points are calculated for the category event High Concern Index.
First Category Events is a container of some number of individual Security Events.
According to the category alarm of Concern Index below, the observed points is the sum of points each security event contributes to that category, which is 246.19K points, this value is calculated from the addition of the points concern index observed for each Security Event in the High Concern Index category.
In the case shown here, at 5:50 PM the 198.19.30.36 host had exceeded the 25k value that was configured as the threshold for that category alarm (High Concern Index). Since the accumulated points 246.19K is greater than the threshold 25k how the alarm is triggered?
Under the security event for each category, you can configure an event with multiple action:
- Category Event that is “Off” will not do anyting.
- Category Event that is “On” will trigger an alarm related to the catageory but the security events contribute points to its category, and that’s it.
- Category Event set to “On + Alarm” will both contribute to the category event as well as create an alarm for the individual security event.
In this example, the Category Event “High Concern Index” is configured with On + Alarm, the result is:
Alarm Category Concern Index triggered for that category.
Alarms (Security Events) triggered by the Security Events defined in the Category Event High Concern Index.
Demystify and Simplify 