Stealthwatch Customer Community - SIEM Integration

philipmein (Beginner)

What is the best method for getting security events and analytics into an external SIEM (Splunk)?

 

Thank you

Philip

1 Reply

Philipp Tannich (Cisco Employee)

Hey @philipmein,

This depends on what kind of data you want to have in your SIEM.

You can decide to just collect your flows with SNA and then forward the raw logs to your SIEM.
Or, you let SNA do all the magic it can do, you fine-tune your use cases, and then forward the security events to your SIEM.

Anyway, the best thing is to do this by syslog and, as you're using Splunk, make sure to also install the Cisco Secure Analytics (maybe it's also called Stealthwatch) App to get some nice visuals in Splunk, too!

You should find how to send it to your SIEM in the documentation. Search for the "System Configuration Guide"; here is a sample for v7.3.1: https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/SW_7_3_2_System_Configuration_Guide_DV_1_1.pdf

Hope this helps, cheers, another Philipp
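As an added illustration of the syslog path recommended above (this is an editor's example, not part of the thread and not taken from Cisco's documentation or the Splunk app), the receiving side in Splunk is an inputs.conf stanza on the indexer or heavy forwarder that the SNA Manager's syslog action points at. The stanza and setting names are standard Splunk inputs.conf options; the port, index, sourcetype, certificate path and the 10.0.0.10 Manager address are assumptions you replace with your own, and the sourcetype in particular should be whatever the Cisco app expects so its dashboards pick the events up.

```ini
# Added example, not from the thread or from Cisco/Splunk documentation.
# Splunk inputs.conf on the indexer or heavy forwarder that receives the
# SNA syslog feed. Port, index, sourcetype, cert path and the Manager IP
# are placeholders (assumptions).

# Weak setting, shown for contrast and left commented out: plain UDP.
# Events can be dropped under load, there is no delivery feedback, and any
# host that can reach the port can inject forged "security events".
# [udp://514]
# sourcetype = cisco:sna:events
# index = sna

# Preferred: TLS over TCP, accepting only the SNA Manager's address.
[tcp-ssl://6514]
sourcetype = cisco:sna:events
index = sna
connection_host = ip
acceptFrom = 10.0.0.10

# Server certificate presented to the SNA Manager for the tcp-ssl input.
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/splunk-syslog.pem
requireClientCert = false
```

Whichever of the two paths from the reply you choose (raw logs or tuned security events), keep them in separate sourcetypes or indexes so that searches and the app's dashboards can tell a high-fidelity alarm from bulk flow data, and restart the Splunk input after editing the file.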
