Stealthwatch Customer Community - SIEM Integration

philipmein
Level 1

What is the best method for getting security events and analytics into an external SIEM (Splunk)?


Thank you

Philip

3 Replies

Philipp Tannich
Cisco Employee

Hey @philipmein,

This depends on what kind of data you want to have in your SIEM.

You can decide to just collect your flows with SNA and then forward the raw logs to your SIEM.
Or you let SNA do all the magic it can, fine-tune your use cases, and then forward the security events to your SIEM.

Anyway, the best thing is to do this by syslog and, as you're using Splunk, make sure to also install the Cisco Secure Analytics (maybe it's also called Stealthwatch) app to get some nice visuals in Splunk, too!

How to send it to your SIEM you should find in the documentation. Search for the "System Configuration Guide"; here is a sample for v7.3.1: https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/SW_7_3_2_System_Configuration_Guide_DV_1_1.pdf

Hope this helps, cheers, another Philipp

Hi @Philipp Tannich 

is there any updated link?

Philipp Tannich
Cisco Employee

Hi @aqulle, there is one for 7.4.2: https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/7_4_2_System_Configuration_Guide_DV_1_2.pdf

BUT, if you want, you can also get the data out with API calls, as you can see here: https://developer.cisco.com/docs/stealthwatch/enterprise/

Hope this helps!
Best, Philipp