StealthWatch ProxyWatch with WSA

In this blog post, I'm going to go over ProxyWatch with StealthWatch. Many enterprises use proxies to protect their networks. When a proxy intercepts web traffic, StealthWatch sees two separate flows for the same conversation: the client talking to the proxy, and the proxy talking to the web server. Proxies provide protection at the cost of visibility for other security solutions, because the server-side flow only ever shows the proxy's address, not the client that actually requested the page. ProxyWatch is a licensed feature that lets StealthWatch see the translated address and associate it with the other side of the proxy conversation, which provides more accurate troubleshooting and forensics. It's a bit like NAT stitching for proxies.

ProxyWatch allows admins to see who in the organization went to a specific web site and to evaluate the URL data against the SLIC Threat Feed for yet another layer of protection. It translates proxy logs and NetFlow into actionable information. The additional visibility and context lets StealthWatch admins detect threats faster and respond appropriately, regardless of whether the traffic passed through the proxy or not. It also lets logs from a proxy that cannot export flow records itself be correlated with the NetFlow that StealthWatch already collects.

StealthWatch supports the following proxies for ProxyWatch:

  • Cisco WSA
  • McAfee
  • BlueCoat
  • Squid

To configure ProxyWatch, browse to the IP address of your FlowCollector and sign in. In the FlowCollector's web interface, navigate to Configuration>Proxy Ingest.

To add a new proxy, enter the proxy information:

  • Proxy Type
  • IP Address of the Proxy
  • Proxy Service Port - This is the port that hosts use to go through the proxy. In the case of my lab, my hosts are using port 80.

Click Add after you are done and then click Apply.

In my lab, I have a WSA, so I'm going to go through the configuration on that side. I'll navigate to the URL of my WSA and log in.

After logging into the WSA, navigate to System Administration>Log Subscriptions and click Add Log Subscription.

In the New Log Subscription window, choose W3C Logs as the log type and add the following log fields, in this order (a syslog-pushed W3C record carries no field header, so the FlowCollector relies on the position of each field):

  • timestamp
  • x-elapsed-time
  • c-ip
  • c-port
  • cs-bytes
  • s-ip
  • s-port
  • sc-bytes
  • cs-username
  • s-computerName
  • cs-url

Scroll down to the bottom of the page and choose the radio button for Syslog Push. Enter the IP address of the FlowCollector and a maximum message size of 1024, then click Submit. The WSA needs to send these messages from the same address you entered under Proxy Ingest on the FlowCollector, because that address is what the collector uses to tie the incoming log to the proxy.

After submitting this new log, commit your changes in the WSA.
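To make the correlation concrete, here is an added example (my own illustration, not code from StealthWatch or the WSA) that parses syslog-pushed W3C records in the field order configured above and stitches each one to the client-side and server-side NetFlow records, the kind of stitching this post describes. The proxy address 10.1.1.5, the service port 80, the log lines, the flow records and the threat-host list are all constructed for the example; the list stands in for the SLIC Threat Feed.

```python
"""Added example: stitch WSA W3C proxy log records to NetFlow records.

Illustration only (not StealthWatch or WSA code). Addresses, ports, log lines,
flow records and the threat-host list below are constructed for the example.
"""
from urllib.parse import urlsplit

# Field order configured on the WSA W3C log subscription (see the list above).
W3C_FIELDS = ["timestamp", "x-elapsed-time", "c-ip", "c-port", "cs-bytes",
              "s-ip", "s-port", "sc-bytes", "cs-username", "s-computerName", "cs-url"]

PROXY_IP = "10.1.1.5"      # assumed: the address entered under Proxy Ingest
PROXY_SERVICE_PORT = 80    # assumed: the port hosts use to reach the proxy

# Constructed syslog-pushed records: a syslog header followed by the W3C fields.
LOG_LINES = [
    "<134>Oct 11 14:22:10 wsa01 accesslogs: 1507731730.412 215 10.20.30.40 51234 612 "
    "93.184.216.34 443 3450 CORP\\jdoe - https://example.com/login",
    "<134>Oct 11 14:22:12 wsa01 accesslogs: 1507731732.007 98 10.20.30.41 49870 388 "
    "203.0.113.77 80 1200 - - http://evil.example.net/payload.exe",
]

# Constructed NetFlow records: without the proxy log, the two halves of each
# session look unrelated (the server-side flow only ever shows the proxy's IP).
FLOWS = [
    {"src": "10.20.30.40", "sport": 51234, "dst": PROXY_IP, "dport": 80, "start": 1507731730.3},
    {"src": PROXY_IP, "sport": 40001, "dst": "93.184.216.34", "dport": 443, "start": 1507731730.5},
    {"src": "10.20.30.41", "sport": 49870, "dst": PROXY_IP, "dport": 80, "start": 1507731731.9},
    {"src": PROXY_IP, "sport": 40002, "dst": "203.0.113.77", "dport": 80, "start": 1507731732.1},
    # Same server an hour earlier: outside the time window, must not be stitched.
    {"src": PROXY_IP, "sport": 39000, "dst": "203.0.113.77", "dport": 80, "start": 1507728132.0},
]

THREAT_HOSTS = {"evil.example.net"}  # constructed stand-in for the SLIC Threat Feed


def parse_w3c_line(line: str) -> dict:
    """Parse one pushed record. Whatever syslog header precedes the record is
    ignored by taking the last len(W3C_FIELDS) whitespace-separated tokens, which
    is why the field order on the WSA has to match W3C_FIELDS exactly."""
    tokens = line.split()
    if len(tokens) < len(W3C_FIELDS):
        raise ValueError(f"record too short: {line!r}")
    rec = dict(zip(W3C_FIELDS, tokens[-len(W3C_FIELDS):]))
    rec["timestamp"] = float(rec["timestamp"])
    for key in ("x-elapsed-time", "c-port", "cs-bytes", "s-port", "sc-bytes"):
        rec[key] = int(rec[key])
    return rec


def stitch(proxy_recs, flows, window=5.0):
    """Attach the client->proxy and proxy->server flows to each proxy record."""
    stitched = []
    for p in proxy_recs:
        # Inside: the 4-tuple in the log identifies the client-side flow exactly.
        client_flow = next((f for f in flows
                            if f["src"] == p["c-ip"] and f["sport"] == p["c-port"]
                            and f["dst"] == PROXY_IP and f["dport"] == PROXY_SERVICE_PORT), None)
        # Outside: the log carries the server IP/port but not the proxy's ephemeral
        # source port, so match proxy->server flows that started near the log time
        # and take the closest one; more than one candidate means the match is ambiguous.
        candidates = [f for f in flows
                      if f["src"] == PROXY_IP and f["dst"] == p["s-ip"]
                      and f["dport"] == p["s-port"]
                      and abs(f["start"] - p["timestamp"]) <= window]
        server_flow = min(candidates, key=lambda f: abs(f["start"] - p["timestamp"]), default=None)
        stitched.append({
            "timestamp": p["timestamp"], "client": p["c-ip"], "user": p["cs-username"],
            "proxy": PROXY_IP, "server": p["s-ip"], "server_port": p["s-port"],
            "url": p["cs-url"], "client_flow": client_flow, "server_flow": server_flow,
            "ambiguous": len(candidates) > 1,
        })
    return stitched


def who_visited(stitched, host):
    """'Who in the organization went to this site': sorted (user, client IP) pairs."""
    return sorted({(r["user"], r["client"]) for r in stitched
                   if urlsplit(r["url"]).hostname == host})


def flag_threats(stitched, feed=THREAT_HOSTS):
    """Records whose URL host is on the feed, already tied back to user and host."""
    return [r for r in stitched if urlsplit(r["url"]).hostname in feed]


def run():
    return stitch([parse_w3c_line(line) for line in LOG_LINES], FLOWS)


if __name__ == "__main__":
    for r in run():
        print(f"{r['user']}@{r['client']} -> {r['proxy']} -> {r['server']}:{r['server_port']} "
              f"{r['url']} client_flow={r['client_flow'] is not None} "
              f"server_flow_sport={r['server_flow'] and r['server_flow']['sport']}")
    for r in flag_threats(run()):
        print("THREAT FEED HIT:", r["user"], r["client"], r["url"])
```

The client side stitches on an exact 4-tuple because the log records the client's source port; the server side can only be matched on the proxy-to-server pair and a time window, which is where a busy proxy talking to a popular server can produce ambiguous matches, so the example flags that rather than silently picking one.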


Using ProxyWatch in StealthWatch

Sign into your SMC web app and navigate to Flows>Flow Search. Choose the Advanced option.

Under Search Subject, choose Includes IP Address/List and fill in the IP address of the WSA.

Then click the Review Query button.

On the next page, click Run.

The results will show up on the next page:

Click on the ellipsis next to the proxy and from the drop-down, choose the View Proxy Logs option:


The proxy log view shows the original client IP, the proxy IP, the destination IP and port, the URL, and the username of the user on that host:

As you can see, this kind of detail can definitely cut the time it takes to get from a proxy-side flow to the user and host behind it when reacting to an incident.