Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk TA for Suricata and Enterprise Security CIM compliance: Why do I only see events from Suricata tagged with "network"?

mikaelbje
Motivator
‎09-09-2015 05:21 AM

Hi,

The documentation for TA-Suricata states that it is CIM 4.2 compliant, but I am only seeing events from Suricata tagged with network and I expected to see communicate as well. I tested the Pivot interface with a few data models, but no events show up because they don't match the tags. I.e.

  • Network Sessions requires tag=network tag=session
  • Network Traffic requires tag=network tag=communicate

I looked through various dashboards in Enterprise Security 3.3 but couldn't see any data from Suricata, even though the raw events are there with all your field extractions in place, so it looks to me as if it's missing a tag for it to work.

Could you describe where the Suricata events should show up in ESS? I expected to see them in one of the following:

  • Advanced Threat -> Protocol Intelligence
  • Security Domains -> Traffic Center

Regards,
Mikael

Reply

atellez_splunk
Splunk Employee
Splunk Employee
‎09-09-2015 08:04 AM

Hi Mikael,

Thanks for this information, I must have missed it. I only recently added network flows to the Suricata TA in version 2. I will make corrections and add these tags to the TA.
You can view Suricata data on the following dashboards in Enterprise Security:

Security Domains > Network > Intrusion Center
Security Domains > Network > Web Center
Advanced Threat > Protocol Intelligence > DNS Activity
Advanced Threat > Protocol Intelligence > SSL Activity

Reply

mikaelbje
Motivator
‎09-09-2015 10:47 AM

Thanks for your quick response. I'll have a chance to test an updated TA in about a week. If you make any changes I'd be glad if you could let me know -)

0 Karma
Reply

mikaelbje
Motivator
‎09-18-2015 01:22 AM

The following is required for flows to show up in Network Traffic:

default/tags.conf

[eventtype=suricata_eve_flow]
network = enabled
communicate = enabled

The action field is not populated. I guess it could be set to "allowed" by default for all flows?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...