
What are the best practices for implementing Suricata Alerts into Splunk Enterprise Security?

Engager

Hi Everyone,

We have Suricata NIDS onboard and plans to integrate with Splunk and in particular with Splunk Enterprise Security.
What are the best practices for implementing Suricata alerts into the Splunk Enterprise Security app structure? Should we configure fast log or JSON for better (default) recognition?
How does it fit? Are there specific correlations and visualizations for this type?


Re: What are the best practices for implementing Suricata Alerts into Splunk Enterprise Security?

Splunk Employee

The Suricata TA currently supports CIM mappings for the eve.json output only. Fast.log does not have nearly all of the key value information needed for Enterprise Security - from what I can recall. The json option is also natively recognized by Splunk, so in the event you need to search against the raw data it will have syntax highlighting.



Re: What are the best practices for implementing Suricata Alerts into Splunk Enterprise Security?

Path Finder

Hi aaraneta - we use Suricata and have done the following:

Install the TA: https://splunkbase.splunk.com/app/2760/

Configure suricata.yaml to log eve.json:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONFormat

Configure a UF on the sensor to read the eve.json file (inputs.conf):

# Monitor stanza added for a complete inputs.conf; the path is Suricata's default eve.json location, adjust it to your sensor
[monitor:///var/log/suricata/eve.json]
index = suricata
sourcetype = suricata
disabled = false

The app is CIM compatible so it should show up in your datamodels. If not, you might need to restrict the DM constraints to the index or sourcetypes you're using.
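As an added illustration of why the thread prefers eve.json over fast.log, here is example code (not from this thread or the Suricata TA) that takes eve.json alert records and produces the CIM Intrusion Detection fields ES expects, with an optional per-signature severity override like the one asked about later in the thread. The numeric-to-CIM severity mapping, the sample records and the vendor_product value are assumptions made for this example.

```python
import json

# Constructed sample eve.json lines (not real sensor output): one alert and one flow record.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2023-01-01T00:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51515,"dest_ip":"192.0.2.10","dest_port":80,'
    '"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,'
    '"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2023-01-01T00:00:01.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"192.0.2.10","proto":"TCP"}',
]

# Assumed mapping of Suricata numeric severity (1 = most severe) to CIM severity strings.
SEVERITY_MAP = {1: "high", 2: "medium", 3: "low", 4: "informational"}


def eve_alert_to_cim(line, overrides=None):
    """Map one eve.json line to CIM Intrusion Detection fields.

    Returns None for non-alert event types (flow, dns, http, ...) so they are
    left out of the IDS data model. `overrides` maps signature_id -> CIM
    severity string for local re-prioritisation of specific rules.
    """
    event = json.loads(line)
    if event.get("event_type") != "alert":
        return None
    alert = event["alert"]
    sid = alert["signature_id"]
    severity = SEVERITY_MAP.get(alert.get("severity"), "unknown")
    if overrides and sid in overrides:
        severity = overrides[sid]  # local policy wins over the rule's own priority
    return {
        "_time": event["timestamp"],
        "src": event["src_ip"], "src_port": event.get("src_port"),
        "dest": event["dest_ip"], "dest_port": event.get("dest_port"),
        "transport": event.get("proto", "").lower(),
        "signature": alert["signature"], "signature_id": sid,
        "category": alert.get("category"), "severity": severity,
        "action": alert.get("action"), "ids_type": "network",
        "vendor_product": "Suricata",  # assumed value for the CIM field
    }


def map_lines(lines, overrides=None):
    """Convert a batch of eve.json lines, dropping everything that is not an alert."""
    return [m for m in (eve_alert_to_cim(l, overrides) for l in lines) if m]
```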


Re: What are the best practices for implementing Suricata Alerts into Splunk Enterprise Security?

Engager

So if I understand correctly, ES contains some scope of correlations and views for the IDS data model, not specifically for Suricata?
Is there any kind of intelligence based on signatures in ES to re-assign or interpret severities (Priority value) of Suricata alerts differently from how they are marked in Suricata (e.g. we consider some alerts should have lower priority), or is it just inheriting the input values?


Re: What are the best practices for implementing Suricata Alerts into Splunk Enterprise Security?

Splunk Employee

I downvoted this post because this TA is not CIM compliant.
