We use ES and wonder whether we should use the Cisco StealthWatch Add-On as well.
Cisco StealthWatch Add-On
-- If you have Cisco StealthWatch and Splunk, then a CIM-compatible add-on would be required to properly parse the data. The Intrusion_Detection data model is used.
ES uses the Intrusion_Detection data model. So I wonder whether these two apps overlap in what they do...
I'm looking at implementing this Add-on in my environment with ES. Were you able to implement it successfully, since the Add-on is from Dec 2017? Were there any gotchas or lessons learned?
The way I read it, the Stealthwatch add-on parses syslog and creates fields compatible with the Intrusion Detection data model. ES uses the DM to find events. No overlap.
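To make concrete what "CIM-compatible" means for the division of labour described above, here is an added illustration (not configuration from the Cisco StealthWatch add-on or from ES) showing how an add-on normalises a constructed syslog line onto the Intrusion_Detection data model, and how ES then reads those events through the data model rather than the raw index. The sourcetype `swmc:alarm`, the vendor field names and the sample event are all hypothetical.

```ini
# Constructed sample event (hypothetical format, not real StealthWatch output):
#   <134>Mar  1 12:00:00 swmc StealthWatch: alarm="Suspect Data Hoarding" src_ip=10.1.2.3 dst_ip=10.9.8.7 sev=High
#
# ---- props.conf: extract vendor fields and rename them to CIM Intrusion_Detection names ----
# [swmc:alarm] is a hypothetical sourcetype chosen for this example
[swmc:alarm]
EXTRACT-swfields = alarm="(?<alarm>[^"]+)"\s+src_ip=(?<src_ip>\S+)\s+dst_ip=(?<dst_ip>\S+)\s+sev=(?<sev>\S+)
# CIM expects src, dest and signature; keep the vendor names and add aliases
FIELDALIAS-swcim = src_ip AS src dst_ip AS dest alarm AS signature
# CIM severity values are critical|high|medium|low|informational
EVAL-severity = case(sev=="High","high", sev=="Medium","medium", sev=="Low","low", true(),"informational")
# Required Intrusion_Detection fields with no direct vendor equivalent
EVAL-ids_type = "network"
EVAL-category = "alarm"

# ---- eventtypes.conf: select the events that belong to the model ----
[swmc_ids_alarm]
search = sourcetype=swmc:alarm

# ---- tags.conf: the Intrusion_Detection root dataset is constrained by tag=ids tag=attack ----
[eventtype=swmc_ids_alarm]
ids = enabled
attack = enabled

# Once the add-on tags and fields are in place, ES correlation searches (and any ad hoc
# search) reach the events through the data model, independent of vendor field names:
#   | tstats count from datamodel=Intrusion_Detection.IDS_Attacks
#       where nodename=IDS_Attacks.Network_IDS_Attacks
#       by IDS_Attacks.src IDS_Attacks.dest IDS_Attacks.signature IDS_Attacks.severity
```

A quick check that the mapping is complete is to run the `tstats` search above (or open the Intrusion_Detection data model in Pivot) and confirm the constructed event appears with `src`, `dest`, `signature` and `severity` populated; if the add-on does its job, ES needs no knowledge of the StealthWatch format.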