Splunk Enterprise Security

What are the best practices for implementing Suricata Alerts into Splunk Enterprise Security?

enugeelumpfz
Engager

Hi Everyone,

We have Suricata NIDS onboard and plan to integrate it with Splunk, and in particular with Splunk Enterprise Security.
What are the best practices for implementing Suricata Alerts into the Splunk Enterprise Security App structure? Should we configure fastlog or json for better (default) recognition?
How does it fit? Are there specific Correlations and Visualizations for this type?

1 Solution

atellez_splunk
Splunk Employee

The Suricata TA currently supports CIM mappings for the eve.json output only. Fast.log does not have nearly all of the key value information needed for Enterprise Security - from what I can recall. The json option is also natively recognized by Splunk, so in the event you need to search against the raw data it will have syntax highlighting.


niemesrw
Path Finder

Hi aaraneta - we use suricata and have done the following:

Install the TA: https://splunkbase.splunk.com/app/2760/

Configure suricata.yaml to log eve.json:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONFormat

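Configure a UF on the sensor to read the eve.json file:
inputs.conf:
[monitor:///var/log/suricata/eve.json]
# Stanza header added so the settings apply to an input; the path is
# Suricata's default eve.json location (assumed), adjust it to your sensor.
index = suricata
sourcetype = suricata
disabled = false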

The app is CIM compatible so it should show up in your datamodels. If not, you might need to restrict the DM constraints to the index or sourcetypes you're using.
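An added example, not part of the original post and not the TA's own code: a Python check that can be run over a sample of eve.json before onboarding, to confirm that alert events carry the keys an Intrusion Detection data model search relies on. The eve.json-to-CIM mapping, the severity translation and the sample lines are assumptions constructed for illustration.

```python
import json

# eve.json key path for each CIM Intrusion_Detection field (assumed mapping
# for illustration; not taken from the TA's props.conf).
EVE_TO_CIM = {
    "src": ("src_ip",), "src_port": ("src_port",),
    "dest": ("dest_ip",), "dest_port": ("dest_port",),
    "transport": ("proto",), "action": ("alert", "action"),
    "category": ("alert", "category"),
    "signature": ("alert", "signature"),
    "signature_id": ("alert", "signature_id"),
    "severity_id": ("alert", "severity"),
}
# Assumed translation of Suricata's numeric severity (1 = most severe).
SEVERITY = {1: "high", 2: "medium", 3: "low"}


def to_cim(line):
    """Map one eve.json line to CIM fields; None if it is not an alert."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None  # truncated or partially written line
    if not isinstance(event, dict) or event.get("event_type") != "alert":
        return None  # flow, dns, http, stats ... are not IDS alerts
    cim = {"ids_type": "network"}
    for field, path in EVE_TO_CIM.items():
        value = event
        for key in path:
            value = value.get(key) if isinstance(value, dict) else None
        if value is not None:
            cim[field] = value
    cim["severity"] = SEVERITY.get(cim.get("severity_id"), "informational")
    return cim


def missing_fields(cim):
    """CIM fields from the mapping that the event did not supply."""
    return sorted(f for f in EVE_TO_CIM if f not in cim)


# Constructed sample lines (not real traffic): a complete alert, a flow
# record, and an alert whose "category" key is absent.
SAMPLE = [
    '{"timestamp":"2021-10-20T10:00:00.000000+0000","event_type":"alert","src_ip":"192.0.2.10","src_port":49152,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"EXAMPLE constructed rule","category":"Misc activity","severity":3}}',
    '{"timestamp":"2021-10-20T10:00:01.000000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP"}',
    '{"timestamp":"2021-10-20T10:00:02.000000+0000","event_type":"alert","src_ip":"192.0.2.11","src_port":49153,"dest_ip":"198.51.100.5","dest_port":443,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000002,"rev":2,"signature":"EXAMPLE second rule","severity":1}}',
]
```

Any field that missing_fields reports for real alerts from the sensor is one the data model will not be able to populate from that event.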

fwijnholds_splu
Splunk Employee

I downvoted this post because this TA is not CIM compliant.

0 Karma

ChadLangUAB
Path Finder

Is it still the case that the inputs & props included in the "Splunk TA for Suricata" are not CIM-compliant?

https://splunkbase.splunk.com/app/2760/#/details

If not CIM compliant, has anyone indexed these events in an ES CIM-compliant format without reinventing the wheel?

Thanks in advance!

0 Karma

enugeelumpfz
Engager

So if I understand correctly, ES contains some scope of Correlations and views for the IDS Datamodel, not specifically for Suricata?
Is there any kind of intelligence based on signatures in ES to re-assign or interpret severities (Priority value) of Suricata alerts differently from how they are marked in Suricata (e.g. we consider some Alerts should have lower Priority), or is it just inheriting from input values?

0 Karma
