This app is archived.
If you have Cisco Stealthwatch and Splunk, a CIM-compatible add-on is required to parse the data properly. This add-on maps the events to the Intrusion_Detection data model.

The add-on expects the following key-value log format setting to be configured on the Stealthwatch SMC:

=======================
Lancope|Stealthwatch|Notification: alarm_desc="{alarm_type_description}" details="{details}" dest={target_ip} src={source_ip} start={start_active_time} end={end_active_time} category={alarm_category_name} Alarm_ID={alarm_id} Source_HG={source_host_group_names} Target_HG={target_host_group_names} Source_HostSnapshot={source_url} Target_HostSnapshot={target_url} dest_port={port} transport={protocol} FC_Name={device_name} FC_IP={device_ip} Domain={domain_id} signature={alarm_type_name} vendor_severity={alarm_severity_name} severity_id={alarm_severity_id} alarm_type={alarm_type_id}
=======================

Set the sourcetype to cisco:stealthwatch:alert
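As an added illustration (not part of this add-on or its Splunk configuration), the parser below reads one notification in the key-value format above and projects it onto the Intrusion_Detection field names the format already carries; the sample syslog line, the alarm names in it, and the severity mapping (vendor_severity lowercased) and vendor_product / ids_type values are assumptions of this example.

```python
import re
from typing import Dict

PREFIX = "Lancope|Stealthwatch|Notification:"

# key=value pairs: the value is either double-quoted (alarm_desc, details may
# contain spaces) or a bare token such as an IP address, port or URL
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Constructed sample event in the SMC format above (syslog header included)
SAMPLE = (
    '<134>Jan 14 10:22:31 smc01 Lancope|Stealthwatch|Notification: '
    'alarm_desc="High Concern Index" details="Host exceeded CI threshold" '
    'dest=10.0.0.5 src=192.0.2.77 start=2024-01-14T10:20:00Z '
    'end=2024-01-14T10:22:00Z category=Concern Alarm_ID=12345 '
    'Source_HG=Outside_Hosts Target_HG=Inside_Hosts '
    'Source_HostSnapshot=https://smc.example/host/192.0.2.77 '
    'Target_HostSnapshot=https://smc.example/host/10.0.0.5 '
    'dest_port=445 transport=tcp FC_Name=fc01 FC_IP=10.0.0.9 Domain=101 '
    'signature=High_Concern_Index vendor_severity=Major severity_id=7 alarm_type=42'
)

# Field names in the SMC format that are already CIM Intrusion_Detection names
CIM_FIELDS = ("src", "dest", "dest_port", "transport", "signature", "category")


def parse_stealthwatch_alert(line: str) -> Dict[str, str]:
    """Split off the syslog header and return the key-value pairs as a dict."""
    parts = line.split(PREFIX, 1)
    if len(parts) != 2:
        raise ValueError("not a Stealthwatch notification line")
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV.findall(parts[1]):
        fields[key] = quoted if quoted else bare
    return fields


def to_cim(fields: Dict[str, str]) -> Dict[str, str]:
    """Project parsed fields onto Intrusion_Detection field names.

    vendor_product, ids_type and the lowercased severity are assumptions of
    this example, not the add-on's actual mapping.
    """
    event = {k: fields[k] for k in CIM_FIELDS if k in fields}
    event["vendor_product"] = "Cisco Stealthwatch"
    event["ids_type"] = "network"
    if "vendor_severity" in fields:
        event["vendor_severity"] = fields["vendor_severity"]
        event["severity"] = fields["vendor_severity"].lower()
    return event


if __name__ == "__main__":
    print(to_cim(parse_stealthwatch_alert(SAMPLE)))
```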