Splunk Enterprise Security

Splunk TA for Suricata and Enterprise Security CIM compliance: Why do I only see events from Suricata tagged with "network"?

mikaelbje
Motivator

Hi,

The documentation for TA-Suricata states that it is CIM 4.2 compliant, but I am only seeing events from Suricata tagged with network and I expected to see communicate as well. I tested the Pivot interface with a few data models, but no events show up because they don't match the tags. I.e.

  • Network Sessions requires tag=network tag=session
  • Network Traffic requires tag=network tag=communicate

I looked through various dashboards in Enterprise Security 3.3 but couldn't see any data from Suricata, even though the raw events are there with all your field extractions in place, so it looks to me as if it's missing a tag for it to work.

Could you describe where the Suricata events should show up in ESS? I expected to see them in one of the following:

  • Advanced Threat -> Protocol Intelligence
  • Security Domains -> Traffic Center

Regards,
Mikael

atellez_splunk
Splunk Employee
Splunk Employee

Hi Mikael,

Thanks for this information, I must have missed it. I only recently added network flows to the Suricata TA in version 2. I will make corrections and add these tags to the TA.
You can view Suricata data on the following dashboards in Enterprise Security:

Security Domains > Network > Intrusion Center
Security Domains > Network > Web Center
Advanced Threat > Protocol Intelligence > DNS Activity
Advanced Threat > Protocol Intelligence > SSL Activity

mikaelbje
Motivator

Thanks for your quick response. I'll have a chance to test an updated TA in about a week. If you make any changes I'd be glad if you could let me know -)

0 Karma

mikaelbje
Motivator

The following is required for flows to show up in Network Traffic:

default/tags.conf

[eventtype=suricata_eve_flow]
network = enabled
communicate = enabled

The action field is not populated. I guess it could be set to "allowed" by default for all flows?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...