Splunk Enterprise Security

What are the best practices for implementing Suricata Alerts into Splunk Enterprise Security?

Engager

Hi Everyone,

We have Suricata NIDS on board and plan to integrate it with Splunk, and in particular with Splunk Enterprise Security.
What are the best practices for implementing Suricata alerts into the Splunk Enterprise Security app structure? Should we configure fast.log or JSON for better (default) recognition?
How does it fit? Are there specific correlations and visualizations for this type?

1 Solution

Splunk Employee

The Suricata TA currently supports CIM mappings for the eve.json output only. Fast.log does not have nearly all of the key-value information needed for Enterprise Security - from what I can recall. The JSON option is also natively recognized by Splunk, so in the event you need to search against the raw data it will have syntax highlighting.


Path Finder

Hi aaraneta - we use Suricata and have done the following:

install the TA: https://splunkbase.splunk.com/app/2760/

Configure suricata.yaml to log eve.json:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONFormat

Configure a UF on the sensor to read the eve.json file:
inputs.conf:
# monitor stanza added for completeness; the path is Suricata's default eve-log
# location (default-log-dir /var/log/suricata), adjust it to match your suricata.yaml
[monitor:///var/log/suricata/eve.json]
index = suricata
sourcetype = suricata
disabled = false

The app is CIM compatible so it should show up in your datamodels. If not, you might need to restrict the DM constraints to the index or sourcetypes you're using.
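As an added illustration (not code from this thread or from the Splunk TA for Suricata), the Python below maps eve.json alert records onto CIM Intrusion Detection field names and shows where a local per-signature severity override, the kind of re-prioritisation asked about in the thread, would sit. The sample events, the priority-to-severity mapping and the override table are constructed assumptions.

```python
import json
from typing import List, Optional

# Constructed eve.json lines (not from the thread): two alerts and one flow record.
EVE_SAMPLE = """\
{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"LOCAL TEST web scanner user-agent","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.10","proto":"TCP"}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"192.0.2.7","src_port":4444,"dest_ip":"10.0.0.22","dest_port":22,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000002,"rev":3,"signature":"LOCAL TEST ssh brute force","category":"Attempted Administrator Privilege Gain","severity":1}}
"""

# Assumed mapping of Suricata's numeric priority (1 = most severe) onto the CIM
# Intrusion Detection severity vocabulary; anything else becomes "informational".
SURICATA_SEVERITY = {1: "high", 2: "medium", 3: "low"}

# Hypothetical local override table (sid -> severity): the per-signature
# re-prioritisation the thread asks about, kept outside the sensor's rule set.
SEVERITY_OVERRIDE = {9000001: "low"}

def suricata_to_cim(event: dict) -> Optional[dict]:
    """Map one eve.json record onto CIM Intrusion Detection field names.
    Only event_type "alert" carries IDS fields; flow/dns/http records give None."""
    if event.get("event_type") != "alert":
        return None
    alert = event["alert"]
    sid = alert["signature_id"]
    severity = SEVERITY_OVERRIDE.get(
        sid, SURICATA_SEVERITY.get(alert.get("severity"), "informational"))
    return {
        "action": alert.get("action", "allowed"),   # Suricata emits allowed|blocked
        "category": alert.get("category"),
        "signature": alert["signature"],
        "signature_id": sid,
        "severity": severity,
        "src": event.get("src_ip"),
        "src_port": event.get("src_port"),
        "dest": event.get("dest_ip"),
        "dest_port": event.get("dest_port"),
        "transport": event.get("proto", "").lower(),
        "ids_type": "network",
        "vendor_product": "Suricata",
    }

def parse_eve(text: str) -> List[dict]:
    """Parse newline-delimited eve.json and keep only the mapped alert rows."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            mapped = suricata_to_cim(json.loads(line))
            if mapped is not None:
                rows.append(mapped)
    return rows
```

Running `parse_eve(EVE_SAMPLE)` yields two rows: the flow record is dropped, the first alert is downgraded to "low" by the override table, and the second keeps "high" from its Suricata priority.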

Splunk Employee

I downvoted this post because this TA is not CIM compliant.


Path Finder

Is it still the case that the inputs & props included in the "Splunk TA for Suricata" are not CIM-compliant?

https://splunkbase.splunk.com/app/2760/#/details

If not CIM compliant, has anyone indexed these events in an ES CIM-compliant format without reinventing the wheel?


Thanks in advance!


Engager

So, if I understand correctly, ES contains some scope of correlations and views for the IDS data model, not specifically for Suricata?
Is there any kind of intelligence based on signatures in ES to re-assign or interpret the severities (Priority value) of Suricata alerts differently from how they are marked in Suricata (e.g. we consider that some alerts should have a lower Priority), or does it just inherit the input values?

