https://community.splunk.com/t5/Knowledge-Management/Suricata-Bro-Data-Models/m-p/420019#M3694 <P>So I am getting data ingested from Bro/Zeek and Suricata via the TA's for said applications. I want to build data models for them and wanted to see if anyone has anything built for Bro/Zeek or Suricata. </P> <P>So far I built a "data model" for suricata (called suricata) </P> <P>Then a Root Event (index=suricata source=suricata sourcetype=suricata)<BR /> From there I have Child <BR /> Src_ip (src_ip=192.168.*)<BR /> Then children of that are broken out like this<BR /> --Severity<BR /> ------Severity I (suricata.attack.severity=1)<BR /> ------Severity II (suricata.attack.severity=2)<BR /> ------Severity III(suricata.attack.severity=3)<BR /> --Category</P> <P>Dest_ip</P> <P>Well you get the point.<BR /><BR /> Is there a better way of doing this, or am I on sort of the right track? </P> Wed, 30 Sep 2020 00:12:16 GMT ddecker03 2020-09-30T00:12:16Z https://community.splunk.com/t5/Knowledge-Management/Suricata-Bro-Data-Models/m-p/420019#M3694 <P>So I am getting data ingested from Bro/Zeek and Suricata via the TA's for said applications. I want to build data models for them and wanted to see if anyone has anything built for Bro/Zeek or Suricata. </P> <P>So far I built a "data model" for suricata (called suricata) </P> <P>Then a Root Event (index=suricata source=suricata sourcetype=suricata)<BR /> From there I have Child <BR /> Src_ip (src_ip=192.168.*)<BR /> Then children of that are broken out like this<BR /> --Severity<BR /> ------Severity I (suricata.attack.severity=1)<BR /> ------Severity II (suricata.attack.severity=2)<BR /> ------Severity III(suricata.attack.severity=3)<BR /> --Category</P> <P>Dest_ip</P> <P>Well you get the point.<BR /><BR /> Is there a better way of doing this, or am I on sort of the right track? </P> Wed, 30 Sep 2020 00:12:16 GMT https://community.splunk.com/t5/Knowledge-Management/Suricata-Bro-Data-Models/m-p/420019#M3694 ddecker03 2020-09-30T00:12:16Z