Cisco Stealthwatch
The IBM® QRadar® DSM for Cisco Stealthwatch receives events from a Cisco Stealthwatch device.
The following table identifies the specifications for the Cisco Stealthwatch DSM:
Specification | Value |
---|---|
Manufacturer | Cisco |
DSM name | Cisco Stealthwatch |
RPM file name | DSM-CiscoStealthwatch-QRadar_version-build_number.noarch.rpm |
Supported versions | 6.8 |
Protocol | Syslog |
Event format | LEEF |
Recorded event types | Anomaly, Data Hoarding, Exploitation, High Concern Index, High DDoS Source Index, High Target Index, Policy Violation, Recon, High DDoS Target Index, Data Exfiltration, C&C |
Automatically discovered? | Yes |
Includes identity? | No |
Includes Custom properties? | No |
More information | Cisco Stealthwatch website (http://www.cisco.com) |
To integrate Cisco Stealthwatch with QRadar, complete the following steps:
- If automatic updates are not configured, download the most recent version of the following RPMs from the IBM Support Website onto your QRadar Console:
  - DSMCommon RPM
  - Cisco Stealthwatch DSM RPM
- Configure your Cisco Stealthwatch device to send syslog events to QRadar.
- If QRadar does not automatically detect the log source, add a Cisco Stealthwatch log source on the QRadar Console. The following table describes the parameters that require specific values for Cisco Stealthwatch event collection:
Table 2. Cisco Stealthwatch Syslog log source parameters
Parameter | Value |
---|---|
Log Source type | Cisco Stealthwatch |
Protocol Configuration | Syslog |
Log Source Identifier | A unique identifier for the log source. |
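The specification table states that Stealthwatch delivers LEEF-formatted events over syslog and that QRadar auto-discovers the log source. Before adding a log source by hand, it is worth confirming that what arrives on the Console is actually well-formed LEEF with the expected header. The following parser is an added example written for this page; it is not IBM or Cisco code. It assumes RFC 3164-style syslog framing, that the LEEF Vendor and Product header fields read `Cisco` and `Stealthwatch`, and that the LEEF EventID field carries the alarm type; the sample lines and the attribute names in them (`src`, `dst`, `srcBytes`) are constructed for the example, not quoted from a real device.

```python
import re

# Event types the DSM specification table on this page lists as recorded.
RECORDED_EVENT_TYPES = {
    "Anomaly", "Data Hoarding", "Exploitation", "High Concern Index",
    "High DDoS Source Index", "High Target Index", "Policy Violation", "Recon",
    "High DDoS Target Index", "Data Exfiltration", "C&C",
}

# Assumed header values: the page says the device emits LEEF but does not quote
# the Vendor/Product strings it sends, so these are placeholders for this example.
EXPECTED_VENDOR = "Cisco"
EXPECTED_PRODUCT = "Stealthwatch"

# RFC 3164 framing: <PRI>Mon dd hh:mm:ss host payload
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<payload>.*)$"
)


def _decode_delim(field):
    """LEEF 2.0 delimiter field: empty means tab, else a literal char or hex code (x09 / 0x09)."""
    if field == "":
        return "\t"
    if len(field) == 1:
        return field
    m = re.fullmatch(r"0?[xX]([0-9A-Fa-f]{2,4})", field)
    if m:
        return chr(int(m.group(1), 16))
    raise ValueError("bad LEEF 2.0 delimiter field: %r" % field)


def parse_leef(payload):
    """Split a LEEF 1.x or 2.x payload into its header fields and key=value attributes."""
    if not payload.startswith("LEEF:"):
        raise ValueError("payload is not LEEF")
    parts = payload.split("|")
    version = parts[0][len("LEEF:"):]
    if version.startswith("1."):
        if len(parts) < 6:
            raise ValueError("LEEF 1.x header needs five pipe-separated fields")
        vendor, product, prod_version, event_id = parts[1:5]
        delim = "\t"
        attrs_raw = "|".join(parts[5:])   # re-join in case a value contains '|'
    elif version.startswith("2."):
        if len(parts) < 7:
            raise ValueError("LEEF 2.x header needs six pipe-separated fields")
        vendor, product, prod_version, event_id, delim_field = parts[1:6]
        delim = _decode_delim(delim_field)
        attrs_raw = "|".join(parts[6:])
    else:
        raise ValueError("unsupported LEEF version " + version)
    attrs = {}
    for item in attrs_raw.split(delim):
        if "=" in item:
            key, value = item.split("=", 1)
            attrs[key.strip()] = value
    return {"version": version, "vendor": vendor, "product": product,
            "product_version": prod_version, "event_id": event_id, "attrs": attrs}


def check_event(line):
    """Parse one syslog line and report whether it looks like a Stealthwatch LEEF event the DSM records."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"ok": False, "reason": "not an RFC 3164 syslog line"}
    pri = int(m.group("pri"))
    try:
        leef = parse_leef(m.group("payload"))
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}
    problems = []
    if leef["vendor"] != EXPECTED_VENDOR or leef["product"] != EXPECTED_PRODUCT:
        problems.append("header %s/%s is not the expected vendor/product"
                        % (leef["vendor"], leef["product"]))
    if leef["event_id"] not in RECORDED_EVENT_TYPES:
        problems.append("event type %r is not in the DSM's recorded list" % leef["event_id"])
    return {"ok": not problems, "reason": "; ".join(problems), "host": m.group("host"),
            "facility": pri // 8, "severity": pri % 8, "leef": leef}


# Constructed sample lines (not captured from a real Stealthwatch appliance).
SAMPLE_LINES = [
    "<134>Mar  3 12:00:00 smc01 LEEF:2.0|Cisco|Stealthwatch|6.8|High Concern Index|x09|"
    "src=10.0.0.5\tdst=10.0.1.20\tsrcBytes=1048576",
    "<134>Mar  3 12:00:01 smc01 LEEF:1.0|Cisco|Stealthwatch|6.8|Data Exfiltration|"
    "src=10.0.0.5\tdst=198.51.100.7",
    "<134>Mar  3 12:00:02 smc01 LEEF:2.0|Cisco|Stealthwatch|6.8|Unlisted Alarm|x09|src=10.0.0.9",
    "<134>Mar  3 12:00:03 smc01 kernel: eth0 link up",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        result = check_event(line)
        print("OK  " if result["ok"] else "SKIP", result.get("reason") or result["leef"]["event_id"])
```

Run against a capture of what the Console receives (for example, a few lines saved from the syslog listener) rather than the constructed samples; a steady stream of `SKIP` results with a header mismatch is the usual reason auto-discovery never fires and a manual log source per Table 2 becomes necessary.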