Skip to main content



Cisco Defense Orchestrator

Monitoring Stealthwatch Cloud Alerts Generated from Firewall Events

Viewing Security Alerts from Cisco Defense Orchestrator

Required License: Logging Analytics and Detection or Total Network Analytics and Monitoring

While you can review your firewall events on the Events logging page, you cannot review Stealthwatch Cloud (SWC) alerts from the CDO portal UI. You can cross-launch from CDO to the SWC portal using the Security Analytics menu option, and view alerts generated from firewall event data (and from network flow data if you enabled Total Network Analytics and Monitoring). The Security Analytics menu option displays a badge with the number of SWC alerts in an open workflow status, if 1 or more are open.

If you use a Security Analytics and Logging license to generate SWC alerts, and you provisioned a new SWC portal, log into CDO, then cross-launch to SWC using Cisco Secure Sign-On. You can also directly access your SWC portal through URL.

See for more information on Cisco Secure Sign-On.

Inviting Users to Join Your SWC Portal

The initial user to request the SWC portal provision has administrator privileges in the SWC portal. That user can invite other users by email to join the portal. If these users do not have Cisco Secure Sign-On credentials, they can create them using the link in the invite email. Users can then use Cisco Secure Sign-On credentials to log in during the cross-launch from CDO to SWC.

To invite other users to your SWC portal by email:

  1. Log into your SWC portal as an administrator.
  2. Select Settings > Account Management > User Management.
  3. Enter an Email address.
  4. Click Invite.

Cross-Launching from CDO to SWC

To view security alerts from CDO:

  1. Log into the CDO portal.
  2. Select Monitoring > Security Analytics from the navigation bar.
  3. In the SWC interface, select Monitor > Alerts.