Splunk Enterprise Security

Enterprise Security: Should we use the Cisco StealthWatch Add-On in addition to ES?


We use ES and wonder whether we should use the Cisco StealthWatch Add-On as well.

Cisco StealthWatch Add-On

says -

-- If you have Cisco StealthWatch and Splunk, then a CIM-compatible add-on would be required to properly parse the data. The Intrusion_Detection data model is used.

ES uses the Intrusion_Detection data model. So I wonder whether these two apps overlap in what they do...

0 Karma

Path Finder

Hi danielbb,

I'm looking at implementing this Add-on in my environment with ES. Were you able to implement it successfully, since the Add-on is from Dec 2017? Were there any gotchas or lessons learned?


0 Karma


The way I read it, the Stealthwatch add-on parses syslog and creates fields compatible with the Intrusion Detection datamodel. ES uses the DM to find events. No overlap.

If this reply helps you, an upvote would be appreciated.
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!