Cisco Secure Network Analytics
Customer Success Metrics Configuration Guide 7.5.3
Overview
Customer Success Metrics enables Cisco Secure Network Analytics (formerly Stealth watch) data to be sent to the cloud so that we can access vital information regarding the deployment, health, performance, and usage of your system.
- Enabled: Customer Success Metrics is automatically enabled on your Secure Network Analytics appliances.
- Internet Access: Internet access is required for Customer Success Metrics.
- Cisco Security Service Exchange: Cisco Security Service Exchange is enabled automatically in v7.5.x and is required for Customer Success Metrics.
- Data Files: Secure Network Analytics generates a JSON file with the metrics data.
The data is deleted from the appliance immediately after it is sent to the cloud.
This guide includes the following information:
- Configuring the Firewall: Configure your network firewall to allow communication from your appliances to the cloud. Refer to Configuring the Network Firewall.
- Disabling Customer Success Metrics: To opt out of Customer Success Metrics, refer to Disabling Customer Success Metrics.
- Customer Success Metrics: For details about the metrics, refer to Customer Success Metrics Data.
For information on data retention and how to request deletion of usage metrics collected by Cisco, refer to Cisco Secure Network Analytics Privacy Data Sheet.
For assistance, please contact Cisco Support.
Configuring the Network Firewall
To allow communication from your appliances to the cloud, configure your network firewall on your Cisco Secure Network Analytics Manager (formerly Stealth watch Management Console).
Make sure your appliances have Internet access.
Configuring the Manager
Configure your network firewall to allow communication from your Managers to the following IP addresses and port 443:
- api-sse.cisco.com
- est.sco.cisco.com
- mx*.sse.itd.cisco.com
- dex.sse.itd.cisco.com
- eventing-ingest.sse.itd.cisco.com
If public DNS is not allowed, make sure you configure the resolution locally on your Managers.
Disabling Customer Success Metrics
Use the following instructions to disable Customer Success Metrics on an appliance.
- Log in to your Manager.
- Select Configure > Global> Central Management.
- Click the
(Ellipsis) icon for the appliance. Choose Edit Appliance Configuration. - Click the General tab.
- Scroll to the External Services section.
- Uncheck the Enable Customer Success Metrics check box.
- Click Apply Settings.
- Follow the on-screen prompts to save your changes.
- On the Central Management Inventory tab, confirm the Appliance Status returns to Connected.
- To disable Customer Success Metrics on another appliance, repeat steps 3 through 9.
Customer Success Metrics Data
When Customer Success Metrics is enabled, the metrics are collected in the system and uploaded every 24 hours to the cloud. The data is deleted from the appliance immediately after it is sent to the cloud.
We do not collect identification data such as host groups, IP addresses, user names, or passwords.
For information on data retention and how to request deletion of usage metrics collected by Cisco, refer to Cisco Secure Network Analytics Privacy Data Sheet.
Collection Types
Each metric is collected as one of the following collection types:
- App Start: One entry every 1 minute (collects all the data since the application started).
- Cumulative: One entry for a 24-hour period
- Interval: One entry every 5 minutes (total of 288 entries per 24-hour period)
- Snapshot: One entry for the point in time the report is generated
Some of the collection types are collected at different frequencies than the defaults we’ve described here, or they may be configured (depending on the application). Refer to Metrics Details for more information.
Metrics Details
We’ve listed the collected data by appliance type. Use Ctrl + F to search the tables by keyword.
Flow Collector
| Metric Identification | Description | Collection Type |
| devices_cache.active | Number of active MAC addresses from ISE in the devices cache. | Snapshot |
| devices_ cache.deleted | Number of deleted MAC addresses from ISE in the devices cache because they have timed out. | Cumulative |
| devices_ cache.dropped | Number of dropped MAC addresses from ISE because the devices cache is full. | Cumulative |
| devices_cache.new | Number of new MAC addresses from ISE added into the devices cache. | Cumulative |
| flow_stats.fps | Outbound flows per second in the last minute. | Interval |
| flow_stats.flows | Inbound flows processed. | Interval |
| flow_cache.active | Number of active flows in the Flow Collector flow cache. | Snapshot |
| flow_cache.dropped | Number of flows dropped because the Flow Collector flow cache is full. | Cumulative |
| flow_cache.ended | Number of flows ended in the Flow Collector flow cache. | Interval |
| flow_cache.max | Maximum size of the Flow Collector flow cache. | Interval |
| flow_ cache.percentage | Percent of capacity of the Flow Collector flow cache | Interval |
| flow_cache.started | Number of flows added to the Flow Collector flow cache. | Cumulative |
| hosts_cache.cached | Number of hosts in the host cache. | Interval |
| hosts_cache.deleted | Number of hosts deleted in the host cache. | Cumulative |
| hosts_cache.dropped | Number of hosts dropped because the host cache is full. | Cumulative |
| hosts_cache.max | Maximum size of the host cache. | Interval |
| hosts_cache.new | Number of new hosts added into the host cache. | Cumulative |
| hosts_ cache.percentage | Percent of capacity of the host cache. | Interval |
| hosts_ cache.probationary_ deleted | Number of probationary hosts* deleted in the hosts cache. *Probationary hosts are hosts that have never been the source of packets and bytes. These hosts are deleted first when clearing up space in the host cache. |
Cumulative |
| interfaces.fps | Outbound number of interface statistics per second exported to Vertica. | Interval |
| security_events_ cache.active | Number of active security events in the security events cache. | Snapshot |
| security_events_ cache.dropped | Number of security events dropped because the security events cache is full. | Cumulative |
| security_events_ cache.ended | Number of ended security events in the security events cache. | Cumulative |
| security_events_ cache.inserted | Number of security events inserted into the database table. | Interval |
| security_events_ cache.max | Maximum size of the security events cache. | Interval |
| security_events_ cache.percentage | Percent of capacity of the security events cache. | Interval |
| security_events_ cache.started | Number of started security events in the security events cache. | Cumulative |
| session_cache.active | Number of active sessions from ISE in the session cache. | Snapshot |
| session_ cache.deleted | Number of deleted sessions from ISE in the session cache. | Cumulative |
| session_ cache.dropped | Number of sessions from ISE dropped because the sessions cache is full. | Cumulative |
| session_cache.new | Number of new sessions from ISE added into the session cache. | Cumulative |
| users_cache.active | Number of active users in the users cache. | Snapshot |
| users_cache.deleted | Number of deleted users in the users cache because they have timed out. | Cumulative |
| users_cache.dropped | Number of users dropped because the users cache is full. | Cumulative |
| users_cache.new | Number of new users in the users cache. | Cumulative |
| reset hour | Flow Collector reset hour. | N/A |
| vertica_stats.query_ duration_sec_min | Maximum query response time. | Cumulative |
| vertica_stats.query_ duration_sec_min | Minimum query response time. | Cumulative |
| vertica_stats.query_ duration_sec_avg | Average query response time. | Cumulative |
| exporters.fc_count | Number of exporters per Flow Collector. | Interval |
FlowCollector StatsD
| Metric Identification | Description | Collection Type |
| ndr- agent.unprocessable_ finding | Number of NDR findings deemed unprocessable. | Cumulative cleared daily |
| ndr-agent.ownership_ registration_failed | Technical detail: Number of certain kind of errors that happened during NDR finding processing. | Cumulative cleared daily |
| ndr-agent.upload_ success | Number of NDR findings successfully processed by the agent. | Cumulative cleared daily |
| ndr-agent.upload_ failure | Number of NDR findings unsuccessfully uploaded by the agent. | Cumulative cleared daily |
| ndr-agent.processing_ failure | Number of failures observed during NDR processing. | Cumulative cleared daily |
| ndr-agent.processing_ success | Number of successfully processed NDR findings. | Cumulative cleared daily |
| ndr-agent.old_file_ delete | Number of files deleted due to being too old. | Cumulative cleared daily |
| ndr-agent.old_ registration_delete | Number of ownership registrations revoked due to being too old. | Cumulative cleared daily |
| netflow | Total NetFlow records from all Netflow exporters. Includes NVM records. | Cumulative cleared daily |
| fs_netflow | Netflow records received from Flow Sensors only. | Cumulative cleared daily |
| netflow_bytes | Total NetFlow bytes received from any NetFlow exporter. Includes NVM records. | Cumulative cleared daily |
| fs_netflow_bytes | NetFlow bytes received from Flow Sensors only. | Cumulative cleared daily |
| sflow | sFlow records received from any sFlow exporter. | Cumulative cleared daily |
| sflow_bytes | sFlow bytes received from any sFlow exporter. | Cumulative cleared daily |
| nvm_endpoint | Unique NVM endpoints seen today (before daily reset). | Cumulative cleared daily |
| nvm_bytes | NVM bytes received (including flow, endpoint, and endpoint_interface records). | Cumulative cleared daily |
| nvm_netflow | NVM bytes received (including flow, endpoint, and endpoint_interface records). | Cumulative cleared daily |
| all_sal_event | All Security Analytics and Logging (OnPrem) events received (including Adaptive Security Appliance and non-Adaptive Security Appliance), counted by number of events received. | Cumulative cleared daily |
| all_sal_bytes | All Security Analytics and Logging (OnPrem) | Cumulative |
| events received (including Adaptive Security Appliance and non-Adaptive Security Appliance, counted by number of bytes received. | cleared daily | |
| ftd_sal_event | Security Analytics and Logging (OnPrem) (non-Adaptive Security Appliance) events received from Firepower Threat Defense/NGIPS devices only. | Cumulative cleared daily |
| ftd_sal_bytes | Security Analytics and Logging (OnPrem) (non-Adaptive Security Appliance) bytes received from Firepower Threat Defense/NGIPS devices only. | Cumulative cleared daily |
| ftd_lina_bytes | Data Plane bytes received from Firepower Threat Defense devices only. | Cumulative cleared daily |
| ftd_lina_event | Data Plane events received from Firepower Threat Defense devices only. | Cumulative cleared daily |
| asa_asa_event | Adaptive Security Appliance events received from Adaptive Security Appliance devices only. | Cumulative cleared daily |
| asa_asa_bytes | ASA bytes received from Adaptive Security Appliance devices only. | Cumulative cleared daily |
Manager
| Metric Identification | Description | Collection Type |
| exporter_cleaner_ cleaning_enabled | Indicates whether the Inactive Interfaces and Exporters Cleaner is enabled. | Snapshot |
| exporter_cleaner_ inactive_threshold | Number of hours an exporter can be inactive before it is removed. | Snapshot |
| exporter_cleaner_ using_legacy_cleaner | Indicates whether the Cleaner should use the legacy cleaning functionality. | Snapshot |
| exporter_cleaner_ hours_after_reset | Number of hours after reset that a domain should be cleaned. | Snapshot |
| exporter_cleaner_ interface_without_ status_presumed_ stale | Indicates whether the Cleaner removes interfaces that were unknown to a Flow Collector at the last reset hour, treating them as inactive. | Snapshot |
| ndrcoordinator.files_ uploaded | Indicates whether Secure Network Analytics deployment works as Data Store. | Snapshot |
| report_complete | Name of the report and the run-time in milliseconds (Manager only). | N/A |
| report_params | Filters used when the Manager queries the Flow Collector databases. Data exported per query: maximum number of rows include-interface-data flag fast-query flag exclude-counts flag flows direction filters order-by column default-columns flag Time window start date and time Time window end date and time Number of device ids criteria Number of interface ids criteria Number of IPs criteria Number of IP ranges criteria Number of hostgroups criteria Number of hosts pairs criteria Whether results are filtered by MAC addresses Whether results are filtered by TCP/UDP ports Number of user names criteria Whether results are filtered by number of bytes/packets Whether results are filtered by total number of bytes/packets Whether results are filtered by URL Whether results are filtered by protocols Whether results are filtered by applications ids Whether results are filtered by process name Whether results are filtered by process hash Whether results are filtered by TLS version Number of ciphers in cipher suite criteria |
Snapshot Frequency: Per Request |
| domain.integration_ ad_count | Number of AD connections. | Cumulative |
| domain.rpe_count | Number of role policies configured. | Cumulative |
| domain.hg_changes_ count | Changes to the Host Group configuration. | Cumulative |
| integration_snmp | SNMP agent usage. | N/A |
| integration_cognitive | Global threat alerts (formerly Cognitive Intelligence) integration enabled. | N/A |
| domain.services | Number of services defined. | Snapshot |
| applications_default_ count | Number of applications defined. | Snapshot |
| smc_users_count | Number of users in the Web App. | Snapshot |
| login_api_count | Number of API log ins. | Cumulative |
| login_ui_count | Number of Web App log ins. | Cumulative |
| report_concurrency | Number of reports running concurrently. | Cumulative |
| apicall_ui_count | Number of Manager API calls using the Web App. | Cumulative |
| apicall_api_count | Number of Manager API calls using the API. | Cumulative |
| ctr.enabled | Cisco SecureX threat response(formerly Cisco Threat Response) integration enabled. | N/A |
| ctr.alarm_sender_ enabled | Secure Network Analytics alarms to SecureX threat response enabled. | N/A |
| ctr.alarm_sender_ minimal_severity | Minimal severity of alarms sent to SecureX threat response. | N/A |
| ctr.enrichment_ enabled | Enrichment request from SecureX threat response enabled. | N/A |
| ctr.enrichment_limit | Number of top Security Events to be returned to SecureX threat response. | Cumulative |
| ctr.enrichment_period | Time period for Security Events to be returned to SecureX threat response. | Cumulative |
| ctr.number_of_ enrichment_requests | Number of enrichment requests received from SecureX threat response. | Cumulative |
| ctr.number_of_refer_ requests | Number of requests for Manager pivot link received from SecureX threat response. | Cumulative |
| ctr.xdr_number_of_ alarms | Daily count of alarms sent to XDR. | Cumulative |
| ctr.xdr_number_of_ alerts | Daily count of alerts sent to XDR. | Cumulative |
| ctr.xdr_sender_ enabled | True/False if sending is enabled. | Snapshot |
| failover_role | Manager primary or secondary failover role in the cluster. | N/A |
| domain.cse_count | Number of custom security events for a domain ID. | Snapshot |
Manager StatsD
| Metric Identification | Description | Collection Type |
| ndrcoordinator.analytics_ enabled | Marks whether Analytics is enabled. 1 if yes, 0 if no. | Snapshot |
| ndrcoordinator.agents_ contacted | Number of NDR agents contacted during the last contact. | Snapshot |
| ndrcoordinator.processing_ errors | Number of errors during NDR finding processing. | Cumulative |
| ndrcoordinator.files_ uploaded | Number of NDR findings uploaded for processing. | Cumulative |
| ndrevents.processing_errors | Number of files failed to process because the system did not deliver the finding or could not parse the request. | Cumulative |
| ndrevents.files_uploaded | Number of files that were sent to NDR events for processing. | Cumulative |
| sna_swing_client_alive | Internal counter of API calls used by SNA Manager Desktop client. | Snapshot |
| swrm_is_in_use | Response Management: Value is 1 if Response Management is used. Value is 0 if it is not used. | Snapshot |
| swrm_rules | Response Management: Number of custom rules. | Snapshot |
| swrm_action_email | Response Management: Number of custom actions of Email type. | Snapshot |
| swrm_action_syslog_ message | Response Management: Number of custom actions of Syslog Message type. | Snapshot |
| swrm_action_snmp_trap | Response Management: Number of custom actions of SNMP Trap type. | Snapshot |
| swrm_action_ise_anc | Response Management: Number of custom actions of ISE ANC Policy type. | Snapshot |
| swrm_action_webhook | Response Management: Number of custom actions of Webhook type. | Snapshot |
| swrm_action_ctr | Response Management: Number of custom actions of threat response Incident type. | Snapshot |
| va_ct | Visibility Assessment: Calculated run- time in milliseconds. | Snapshot |
| va_ce | Visibility Assessment: Number of errors (when calculation crashes). | Snapshot |
| va_hcs | Visibility Assessment: Host count API response size in bytes (detect excessive response size). | Snapshot |
| va_ss | Visibility Assessment: Scanners API response size in bytes (detect excessive response size). | Snapshot |
| va_ses | Visibility Assessment: Security Events API response size in bytes (detect excessive response size). | Snapshot |
| sal_input_size | Number of entries in the pipeline input queue. | Snapshot Frequency: 1 minute |
| sal_completed_size | Number of entries in the completed batch queue. | Snapshot Frequency: 1 minute |
| sal_flush_time | Amount of time in milliseconds since the last pipeline flush. Available with Security Analytics and Logging (OnPrem) Single-node only. |
Snapshot Frequency: 1 minute |
| sal_batches_succeeded | Number of batches successfully written to the file. Available with Security Analytics and Logging (OnPrem) Single-node only. |
Interval Frequency: 1 minute |
| sal_batches_processed | Number of batches that were processed. Available with Security Analytics and Logging (OnPrem) Single-node only. |
Interval Frequency: 1 minute |
| sal_batches_failed | Number of batches that have failed to complete writing to the file. Available with Security Analytics and Logging (OnPrem) Single-node only. |
Interval Frequency: 1 minute |
| sal_files_moved | Number of files moved to the ready directory. Available with Security Analytics and Logging (OnPrem) Single-node only. |
Interval Frequency: 1 minute |
| sal_files_failed | Number of files that have failed to be moved. Available with Security Analytics and Logging (OnPrem) Single-node only. |
Interval Frequency: 1 minute |
| sal_files_discarded | Number of files discarded due to error. Available with Security Analytics and Logging (OnPrem) Single-node only. |
Interval Frequency: 1 minute |
| sal_rows_written | Number of rows written to the referenced file. Available with Security Analytics and Logging (OnPrem) Single-node only. |
Interval Frequency: 1 minute |
| sal_rows_processed | Number of rows that were processed. Available with Security Analytics and Logging (OnPrem) Single-node only. |
Interval Frequency: 1 minute |
| sal_rows_failed | Number of rows that failed to be written. Available with Security Analytics and | Interval Frequency: |
| sal_total_batches_ succeeded | Total number of batches successfully written to the file. Available with Security Analytics and Logging (OnPrem) Single-node only. |
App Start Frequency: 1 minute |
| sal_total_batches_ processed | Total number of batches that were processed. Available with Security Analytics and Logging (OnPrem) Single-node only. |
App Start Frequency: 1 minute |
| sal_total_batches_failed | Total number of files that have failed to complete writing to the file. Available with Security Analytics and Logging (OnPrem) Single-node only. |
App Start Frequency: 1 minute |
| sal_total_files_moved | Total number of files moved to the ready directory. Available with Security Analytics and Logging (OnPrem) Single-node only. |
App Start Frequency: 1 minute |
| sal_total_files_failed | Total number of files that have failed to be moved. Available with Security Analytics and Logging (OnPrem) Single-node only. |
App Start Frequency: 1 minute |
| sal_total_files_discarded | Total number of files discarded due to error. Available with Security Analytics and Logging (OnPrem) Single-node only. |
App Start Frequency: 1 minute |
| sal_total_rows_written | Total number of rows written to the referenced file. Available with Security Analytics and | App Start Frequency: 1 minute |
| Logging (OnPrem) Single-node only. | ||
| sal_total_rows_processed | Total number of rows that were processed. Available with Security Analytics and Logging (OnPrem) Single-node only. |
App Start Frequency: 1 minute |
| sal_total_rows_failed | Total number of rows that failed to be written. Available with Security Analytics and Logging (OnPrem) Single-node only. |
App Start Frequency: 1 minute |
| sal_transformer_<transformer id> | Number of transformation errors in this transformer. Available with Security Analytics and Logging (OnPrem) Single-node only. |
Interval Frequency: 1 minute |
| sal_bytes_per_event | Average number of bytes per event received. | Interval Frequency: 1 minute |
| sal_bytes_received | Number of bytes received from the UDP server. | Interval Frequency: 1 minute |
| sal_events_received | Number of events received from the UDP server. | Interval Frequency: 1 minute |
| sal_total_events_received | Total number of events received by the router. | App Start |
| sal_events_dropped | Number of unparsable events dropped. | Interval Frequency: 1 minute |
| sal_total_events_dropped | Total number of unparsable events dropped. | App Start Frequency: 1 minute |
| sal_events_ignored | Number of ignored/unsupported events. | Interval Frequency: 1 minute |
| sal_total_events_ignored | Total number of ignored/unsupported events. | App Start Frequency: 1 minute |
| sal_receive_queue_size | Number of events in the receive queue. | Snapshot Frequency: 1 minute |
| sal_events_per second | Ingest rate (events per second). | Interval Frequency: 1 minute |
| sal_bytes_per_second | Ingest rate (bytes per second). | Interval Frequency: 1 minute |
| sna_trustsec_report_runs | Number of daily TrustSec report requests. | Cumulative |
UDP Director
| Metric Identification | Description | Collection Type |
| sources_count | Number of sources. | Snapshot |
| rules_count | Number of rules. | Snapshot |
| packets_unmatched | Maximum unmatched packets. | Snapshot |
| packets_dropped | Dropped packets eth0. | Snapshot |
All Appliances
| Metric Identification | Description | Collection Type |
| plat form | Hardware platform (ex: Dell 13G, KVM Virtual Platform). | N/A |
| serial | Serial number of the appliance. | N/A |
| version | Secure Network Analytics version number (ex: 7.1.0). | N/A |
| version_build | Build number (ex: 2018.07.16.2249-0). | N/A |
| version_patch | Patch number. | N/A |
| csm_version | Customer Success Metrics code version (ex: 1.0.24-SNAPSHOT). | N/A |
| power_supply.status | Manager and Flow Collector power supply statistics. | Snapshot |
| productInstanceName | Smart Licensing product identifier. | N/A |
Contacting Support
If you need technical support, please do one of the following:
- Contact your local Cisco Partner
- Contact Cisco Support
- To open a case by web: http://www.cisco.com/c/en/us/support/index.html
- For phone support: 1-800-553-2447 (U.S.)
- For worldwide support numbers: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Change History
| Document Version | Published Date | Description |
| 1_0 | August 18, 2025 | Initial Version. |
Copyright Information
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
© 2025 Cisco Systems, Inc. and/or its affiliates.
All rights reserved.
Documents / Resources
 |
Cisco Secure Network Analytics [pdf] User Guide v7.5.3, Secure Network Analytics, Secure Network Analytics, Network Analytics, Analytics |
 |
CISCO Secure Network Analytics [pdf] User Guide UCS C-Series M5, Manager 2210, Data Node 6200, Flow Collector 4210, Flow Collector 5210, Engine Flow Collector 5210 Database, Flow Sensor 1210, Flow Sensor 3210, Flow Sensor 4210, Flow Sensor 4240, UDP Director 2210, Secure Network Analytics, Network Analytics, Analytics |
 |
CISCO Secure Network Analytics [pdf] User Guide UCS C-Series M6, Manager 2210, Data Node 6200, Flow Collector 4210, Flow Collector 5210, Engine Flow Collector 5210 Database, Flow Sensor 1210, Flow Sensor 3210, Flow Sensor 4210, Flow Sensor 4240, UDP Director 2210, Secure Network Analytics, Network Analytics, Analytics |
 |
cisco Secure Network Analytics [pdf] User Guide Secure Network Analytics, Network Analytics, Analytics |
 |
cisco Secure Network Analytics [pdf] User Guide 7.5.3, DV 1.0, Secure Network Analytics, Network Analytics, Analytics |
 |
cisco Secure Network Analytics [pdf] User Guide v7.5.3, Secure Network Analytics, Network Analytics, Analytics |
 |
CISCO Secure Network Analytics [pdf] User Guide v7.5.3, Secure Network Analytics, Network Analytics, Analytics |