
Hi

Can someone suggest how I can integrate Cisco NDR with Chronicle?

 

Hi - if you are referring to Cisco Stealthwatch, there is a supported Google SecOps parser, recently updated. See: https://cloud.google.com/chronicle/docs/ingestion/parser-list/cisco-stealthwatch-changelog. Suggest you configure a regular Syslog feed into SecOps, use the CEF format, and ensure you are setting the ingestion label to CISCO_STEALTHWATCH and see how you do. If you're talking about the SOAR side of SecOps, there's also support for that: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/stealthwatch


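An added example, not part of the original reply and not Cisco or Google code: a pre-flight check to run over captured syslog lines before pointing them at a feed labelled CISCO_STEALTHWATCH, confirming each one is well-formed CEF (seven pipe-delimited header fields, then key=value extensions). The sample lines and their vendor/product values are constructed placeholders, not real device output.

```python
import re

HEADER = ("version", "vendor", "product", "device_version",
          "event_class_id", "name", "severity")
KEY_RE = re.compile(r"(?:^|\s)(\w+)=")  # start of each key=value pair

def split_header(body):
    """Split on unescaped '|' into the 7 header fields plus the extension."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER):
        if body[i] == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if body[i] == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(body[i])
        i += 1
    return fields, body[i:]

def parse_extension(ext):
    """Parse key=value pairs; values may contain spaces and escaped '='."""
    hits = list(KEY_RE.finditer(ext))
    out = {}
    for m, nxt in zip(hits, hits[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)]
        out[m.group(1)] = re.sub(r"\\([=\\])", r"\1", raw).strip()
    return out

def parse_cef(line):
    """Return (record, None) for well-formed CEF, else (None, reason)."""
    start = line.find("CEF:")  # tolerate a syslog header before the marker
    if start < 0:
        return None, "no CEF: marker"
    fields, ext = split_header(line[start + 4:])
    if len(fields) != len(HEADER):
        return None, f"expected 7 header fields, got {len(fields)}"
    rec = dict(zip(HEADER, fields))
    rec["extension"] = parse_extension(ext)
    return rec, None

# Constructed sample lines; vendor/product values are placeholders.
SAMPLES = [
    r"<134>Jan 01 00:00:00 ndr-host CEF:0|ExampleVendor|ExampleNDR|1.0|100|Constructed \| alert|5|src=192.0.2.10 dst=198.51.100.7 msg=ratio\=high on host",
    "<134>Jan 01 00:00:00 ndr-host flow record src=192.0.2.10",
    "CEF:0|ExampleVendor|ExampleNDR|1.0|100",
]

if __name__ == "__main__":
    for n, line in enumerate(SAMPLES, 1):
        rec, err = parse_cef(line)
        print(n, "OK " + rec["name"] if rec else "REJECT: " + err)
```

Lines rejected here would reach the feed as plain syslog rather than CEF, so check the exporter's output format setting first when ingested events fail to parse.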