Splunk Enterprise Security

Enterprise Security: Should we use the Cisco StealthWatch Add-On in addition to ES?

danielbb
Motivator

We use ES and wonder whether we should use the Cisco StealthWatch Add-On as well.

Cisco StealthWatch Add-On

says -

-- If you have Cisco StealthWatch and Splunk, then a CIM-compatible add-on would be required to properly parse the data. The Intrusion_Detection data model is used.

ES uses the Intrusion_Detection data model. So I wonder whether these two apps overlap in what they do...

0 Karma

hfernandez_
Path Finder

Hi danielbb,

I'm looking at implementing this Add-on in my environment with ES. Were you able to implement it successfully, since the Add-on is from Dec 2017? Were there any gotchas or lessons learned?

Thanks,
H

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The way I read it, the Stealthwatch add-on parses syslog and creates fields compatible with the Intrusion Detection datamodel. ES uses the DM to find events. No overlap.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...