Cisco Stealthwatch

The IBM® QRadar® DSM for Cisco Stealthwatch receives events from a Cisco Stealthwatch device.

The following table identifies the specifications for the Cisco Stealthwatch DSM:
Table 1. Cisco Stealthwatch DSM specifications

| Specification | Value |
|---|---|
| Manufacturer | Cisco |
| DSM name | Cisco Stealthwatch |
| RPM file name | DSM-CiscoStealthwatch-QRadar_version-build_number.noarch.rpm |
| Supported versions | 6.8 |
| Protocol | Syslog |
| Event format | LEEF |
| Recorded event types | Anomaly, Data Hoarding, Exploitation, High Concern Index, High DDoS Source Index, High Target Index, Policy Violation, Recon, High DDoS Target Index, Data Exfiltration, C&C |
| Automatically discovered? | Yes |
| Includes identity? | No |
| Includes Custom properties? | No |
| More information | Cisco Stealthwatch website ( |

To integrate Cisco Stealthwatch with QRadar, complete the following steps:
  1. If automatic updates are not configured, download the most recent version of the following RPMs from the IBM Support Website onto your QRadar Console:
    • DSMCommon RPM
    • Cisco Stealthwatch DSM RPM
  2. Configure your Cisco Stealthwatch device to send syslog events to QRadar.
  3. If QRadar does not automatically detect the log source, add a Cisco Stealthwatch log source on the QRadar Console. The following table describes the parameters that require specific values for Cisco Stealthwatch event collection:
    Table 2. Cisco Stealthwatch Syslog log source parameters

    | Parameter | Value |
    |---|---|
    | Log Source type | Cisco Stealthwatch |
    | Protocol Configuration | Syslog |
    | Log Source | A unique identifier for the log source. |
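
An added example, not part of the IBM documentation: when the log source in step 3 is not detected automatically, this check confirms that the lines arriving over syslog actually carry a well-formed LEEF header. The sample lines, the host name `smc01` and the header values are constructed, and treating the LEEF EventID field as the event type name from Table 1 is an assumption.

```python
import re

# Event types from Table 1 of this page.
RECORDED_TYPES = {
    "Anomaly", "Data Hoarding", "Exploitation", "High Concern Index",
    "High DDoS Source Index", "High Target Index", "Policy Violation",
    "Recon", "High DDoS Target Index", "Data Exfiltration", "C&C",
}

def parse_leef(line):
    """Parse the LEEF 1.0/2.0 header and attributes out of a syslog line."""
    start = line.find("LEEF:")
    parts = line[start:].split("|", 5) if start >= 0 else []
    if len(parts) != 6 or parts[0] not in ("LEEF:1.0", "LEEF:2.0"):
        return None
    _, vendor, product, version, event_id, rest = parts
    delim = "\t"  # LEEF 1.0 attributes are tab-separated
    if parts[0] == "LEEF:2.0":
        # LEEF 2.0 may declare a delimiter: one character, or hex such as x09 / 0x09
        m = re.match(r"(?:(?:0x|x)([0-9A-Fa-f]{1,4})|(.))\|", rest, re.S)
        if m:
            delim = chr(int(m.group(1), 16)) if m.group(1) else m.group(2)
            rest = rest[m.end():]
    attrs = dict(kv.split("=", 1) for kv in rest.split(delim) if "=" in kv)
    return {"vendor": vendor, "product": product, "version": version,
            "event_id": event_id, "attrs": attrs}

def check(line):
    """Classify a received line: not-leef, unlisted-type, or ok."""
    event = parse_leef(line)
    if event is None:
        return "not-leef"
    # Assumption: the EventID header field carries the event type name.
    return "ok" if event["event_id"] in RECORDED_TYPES else "unlisted-type"

# Constructed sample lines (not captured from a real device).
SAMPLES = [
    "<134>Jan 10 12:00:00 smc01 LEEF:1.0|Cisco|Stealthwatch|6.8|Recon|src=10.0.0.5\tdst=10.0.0.9\tsev=5",
    "<134>Jan 10 12:00:01 smc01 LEEF:2.0|Cisco|Stealthwatch|6.8|Data Exfiltration|^|src=10.0.0.5^dst=203.0.113.7",
    "<134>Jan 10 12:00:02 smc01 alarm raised, plain text message",
    "<134>Jan 10 12:00:03 smc01 LEEF:1.0|Cisco|Stealthwatch|6.8|Port Scan|src=10.0.0.5\tdst=10.0.0.9",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check(sample), "<-", sample.replace("\t", "\\t"))
```

A `not-leef` result points at the device-side syslog format from step 2 rather than at the QRadar log source settings.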