Splunk Enterprise Security
Highlighted

Splunk TA for Suricata and Enterprise Security CIM compliance: Why do I only see events from Suricata tagged with "network"?

Motivator

Hi,

The documentation for TA-Suricata states that it is CIM 4.2 compliant, but I am only seeing events from Suricata tagged with network and I expected to see communicate as well. I tested the Pivot interface with a few data models, but no events show up because they don't match the tags. I.e.

  • Network Sessions requires tag=network tag=session
  • Network Traffic requires tag=network tag=communicate

I looked through various dashboards in Enterprise Security 3.3 but couldn't see any data from Suricata, even though the raw events are there with all your field extractions in place, so it looks to me as if it's missing a tag for it to work.

Could you describe where the Suricata events should show up in ESS? I expected to see them in one of the following:

  • Advanced Threat -> Protocol Intelligence
  • Security Domains -> Traffic Center

Regards,
Mikael

Highlighted

Re: Splunk TA for Suricata and Enterprise Security CIM compliance: Why do I only see events from Suricata tagged with "network"?

Splunk Employee
Splunk Employee

Hi Mikael,

Thanks for this information, I must have missed it. I only recently added network flows to the Suricata TA in version 2. I will make corrections and add these tags to the TA.
You can view Suricata data on the following dashboards in Enterprise Security:

Security Domains > Network > Intrusion Center
Security Domains > Network > Web Center
Advanced Threat > Protocol Intelligence > DNS Activity
Advanced Threat > Protocol Intelligence > SSL Activity

Highlighted

Re: Splunk TA for Suricata and Enterprise Security CIM compliance: Why do I only see events from Suricata tagged with "network"?

Motivator

Thanks for your quick response. I'll have a chance to test an updated TA in about a week. If you make any changes I'd be glad if you could let me know -)

0 Karma
Highlighted

Re: Splunk TA for Suricata and Enterprise Security CIM compliance: Why do I only see events from Suricata tagged with "network"?

Motivator

The following is required for flows to show up in Network Traffic:

default/tags.conf

[eventtype=suricata_eve_flow]
network = enabled
communicate = enabled

The action field is not populated. I guess it could be set to "allowed" by default for all flows?

0 Karma