
StealthWatch System 6.5 – User-Defined Threat Criteria

Matt Robertson

Situational awareness can play a major role in uniquely identifying threats or suspicious activity inside your environment. The Lancope StealthWatch System version 6.5 introduces a new feature, User-Defined Threat Criteria (UDTC), which lets the security operator create custom events for their environment to generate indicators of compromise.

Being able to generate an alarm on the occurrence of a flow condition is nothing new to the StealthWatch System – previously there was the ability to create a Host Lock Violation, which would alarm on the occurrence of a flow condition based on the source IP address or host group, the destination IP address or host group, and a service or application. Without deprecating the old Host Locking functionality, the new UDTC feature allows security events to be generated on a more complete set of flow conditions, including username, devices, directionality and connection details such as total bytes and total packets.

Define threat criteria

This new functionality allows the security operator to strategically apply their situational awareness to their organization and define very granular alarms for both known bad conditions and policy violations. In effect, the security operator can create Indicators of Compromise that are specific to their operating environment.

For example, suppose that you have determined that it is normal (and permissible) for flows to exist between your inside network and the Russian Federation during normal business hours and less than 5 megabytes in size – perhaps it is common for employees to browse Russian news sites. However, you do have a concern about illegal or suspicious activity involving the Russian Federation outside of normal business hours and in excess of 5 megabytes, so you create the below security event. 

Security Event Example
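
The criteria from this example can also be written out as a check over flow records. The following is an added illustration, not StealthWatch code or its configuration syntax; the record fields, the host group name, the Monday to Friday 08:00 to 18:00 business hours, the decimal reading of "5 megabytes" and the sample flows are all assumptions made for the sketch.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Assumptions for this sketch (not taken from the product):
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # Mon-Fri, local time
BYTE_THRESHOLD = 5 * 1000 * 1000                        # "5 megabytes", decimal
INSIDE_GROUP = "Inside Hosts"                           # hypothetical host group name
WATCHED_COUNTRY = "RU"                                  # Russian Federation

@dataclass
class Flow:
    start: datetime        # flow start, local time
    src_group: str         # host group of the inside endpoint
    src_ip: str
    user: str
    peer_country: str      # ISO 3166 alpha-2 code of the outside endpoint
    total_bytes: int

def in_business_hours(ts: datetime) -> bool:
    # weekday() is 0-4 for Monday-Friday
    return ts.weekday() < 5 and BUSINESS_START <= ts.time() < BUSINESS_END

def matches_criteria(flow: Flow) -> bool:
    """True when every condition of the custom event holds for this flow."""
    return (
        flow.src_group == INSIDE_GROUP
        and flow.peer_country == WATCHED_COUNTRY
        and not in_business_hours(flow.start)
        and flow.total_bytes > BYTE_THRESHOLD
    )

def raise_events(flows):
    """Return one (event name, host, user) tuple per host/user that matched."""
    hits = {(f.src_ip, f.user) for f in flows if matches_criteria(f)}
    return sorted(("Suspicious Communication with Russia", ip, user) for ip, user in hits)

# Constructed sample flows (documentation address range 192.0.2.0/24).
SAMPLE_FLOWS = [
    Flow(datetime(2014, 6, 3, 10, 15), INSIDE_GROUP, "192.0.2.10", "alice", "RU", 2_000_000),   # daytime, small: no event
    Flow(datetime(2014, 6, 3, 11, 0), INSIDE_GROUP, "192.0.2.10", "alice", "RU", 9_000_000),    # daytime, large: no event
    Flow(datetime(2014, 6, 3, 23, 40), INSIDE_GROUP, "192.0.2.11", "bob", "RU", 1_000_000),     # night, small: no event
    Flow(datetime(2014, 6, 3, 23, 55), INSIDE_GROUP, "192.0.2.12", "carol", "RU", 7_500_000),   # night, large: event
    Flow(datetime(2014, 6, 7, 13, 0), INSIDE_GROUP, "192.0.2.13", "dave", "RU", 6_000_000),     # Saturday, large: event
    Flow(datetime(2014, 6, 3, 23, 58), INSIDE_GROUP, "192.0.2.12", "carol", "DE", 50_000_000),  # other country: no event
]

if __name__ == "__main__":
    for event in raise_events(SAMPLE_FLOWS):
        print(event)
```

Because the conditions are combined with AND, a large transfer during business hours and a small one at night both stay quiet; only flows that are both out of hours and over the threshold raise the event.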

The next day you notice that there are active policy violation alarms appearing on the Operational Network Security Intelligence Dashboard, and you click through to find the list of policy violation alarms. Selecting a host in the User Desktop Host Group, you see that this particular host has an Active Alarm for Suspicious Communication with Russia.

Host snapshot example

Alternatively, you can view the new custom event in the Alarm Table of the traditional StealthWatch Management Console (SMC) Java client; it is even possible to filter on the custom event – “Suspicious Communication with Russia”.

Java client filter example

We can see the same active alarm involving the host and the user Marlene that we observed in the web UI. We can also right-click the event and view the individual flows that triggered the event and note that they were short HTTP flows.

Custom security event

Flows that triggered event


The new User-Defined Threat Criteria functionality in the StealthWatch System version 6.5 allows the security operator to leverage their inside knowledge and situational awareness to create custom security events specific to their environment, ultimately fostering a more flexible, collaborative approach to network security.

