We have Suricata NIDS onboard and plans to integrate with Splunk and in particular with Splunk Enterprise Security.
What are the best practices of implementing Suricata Alerts into Splunk Enterprise Security App structure, should we configure fastlog or json for better(default) recognition?
How does it fits, is there specific Correlations and Visualizations for this type?
The Suricata TA currently supports CIM mappings for the eve.json output only. Fast.log does not have nearly all of the key value information needed for Enterprise Security - from what I can recall. The json option is also natively recognized by Splunk, so in the event you need to search against the raw data it will have syntax highlighting.
Hi aaraneta - we use suricata and have done the following:
install the TA: https://splunkbase.splunk.com/app/2760/
Configure suricata.yaml to log eve.json:
Configure a UF on the sensor to read the eve.json file:
index = suricata
sourcetype = suricata
disabled = false
The app is CIM compatible so it should show up in your datamodels. If not, you might need to restrict the DM constraints to the index or sourcetypes you're using.
So if I understand correctly ES contains some scope of Correlations and views for IDS Datamodel not specifically for Suricata?
Is there any kind of intelligence based on signatures in ES to re-assign or interpret severities (Priority value) Suricata alerts differently from how it is marked in Suricata (e.g. we consider some Alerts should have lower Priority) or it's just inheriting from input values ?
I downvoted this post because this ta is not cim compliant