Splunk Enterprise Security

Enterprise Security: Should we use the Cisco StealthWatch Add-On in addition to ES?

Motivator

We use ES and wonder whether we should use the Cisco StealthWatch Add-On as well.

Cisco StealthWatch Add-On

says -

-- If you have Cisco StealthWatch and Splunk, then a CIM-compatible add-on would be required to properly parse the data. The Intrusion_Detection data model is used.

ES uses the Intrusion_Detection data model. So I wonder whether these two apps overlap in what they do...

0 Karma

Path Finder

Hi danielbb,

I'm looking at implementing this Add-on in my environment with ES. Were you able to implement it successfully, since the Add-on is from Dec 2017? Were there any gotchas or lessons learned?

Thanks,
H

0 Karma

SplunkTrust
SplunkTrust

The way I read it, the Stealthwatch add-on parses syslog and creates fields compatible with the Intrusion Detection datamodel. ES uses the DM to find events. No overlap.

---
If this reply helps you, an upvote would be appreciated.