Skip to main content



Cisco Defense Orchestrator

Cisco Security Analytics and Logging

Cisco Security Analytics and Logging (SAL) allows you to capture connection, intrusion, file, malware, and Security Intelligence events from all of your Firepower Threat Defense (FTD) devices and all your syslog events and Netflow Secure Event Logging (NSEL) events from your ASA, and view them in one place in Cisco Defense Orchestrator (CDO). The events are stored in the Cisco cloud and viewable from the Event Logging page in CDO, where you can filter and review them to gain a clear understanding of what security rules are triggering in your network.  

With additional licensing, after you capture these events, you can cross-launch from CDO to a Stealthwatch Cloud portal provisioned for you. Stealthwatch Cloud is a software as a service (SaaS) solution that tracks the state of your network by performing a behavioral analysis on events and network flow data. By gathering information about your network traffic from sources including firewall events and network flow data, it creates observations about the traffic and automatically identifies roles for network entities based on their traffic patterns. Using this information combined with other sources of threat intelligence, such as Talos, Stealthwatch Cloud generates alerts, which constitute a warning that there is behavior that may be malicious in nature. Along with the alerts, Stealthwatch Cloud provides network and host visibility, and contextual information it has gathered to provide you with a better basis to research the alert and locate sources of malicious behavior.

Terminology Note: In this documentation, when Cisco Security Analytics and Logging is used with the Stealthwatch Cloud portal (a software as a service product) you will see this integration referred to as Cisco Security Analytics and Logging (SaaS) or SAL (SaaS).

Related Articles