Best APIs to Visualize Suricata Logs and Setup Alerts in ELK-Django Stack - Useful Aggregations

Hi,

I'm working on a group project where we use Suricata for network security monitoring and have integrated it with the ELK stack (Elasticsearch, Logstash, Kibana, and Filebeat) and Django to create a real-time security reporting dashboard.

My questions are:

  1. Is it common or advisable to use multiple Elastic APIs together to visualize Suricata log data in a web app? For example, I’m considering using the REST API for querying, Saved Objects API for visualizations, and the Alerting API for setting up real-time alerts. Would this approach be efficient, or is there a more unified API solution that could simplify the process?
  2. Are there any commonly used aggregations specific to network log data, particularly Suricata logs, that would be helpful for security analysis? I've gone through the manual, but I want to make sure I'm focusing on the most useful metrics for threat detection.

Thanks in advance for any advice!

Hello,

Your approach in your first question looks viable to me. Kibana itself, as an example, uses multiple different Elasticsearch APIs for querying, visualizations, alerting, etc.
However, only if your custom dashboard creates too much traffic will you put extra pressure on Elasticsearch.
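As an added example (not from this thread or from Elastic), here is one aggregation that answers the second question in practice: the top Suricata alert signatures in a time window, each with its severity and top source IPs, sent through the Elasticsearch REST `_search` endpoint and flattened into rows a Django view can render. The `suricata-*` index pattern, the native EVE field names and the sample response are assumptions or constructed data.

```python
import json
import urllib.request

# Assumed index pattern and native Suricata EVE field names (event_type, alert.signature,
# alert.severity, src_ip); Filebeat's Suricata module prefixes them with "suricata.eve.".
INDEX = "suricata-*"

def build_alert_query(window="now-15m", top_n=10):
    """Top alert signatures in the window, each with severity and top source IPs."""
    return {
        "size": 0,  # aggregation buckets only, no raw hits
        "query": {"bool": {"filter": [
            {"term": {"event_type": "alert"}},
            {"range": {"@timestamp": {"gte": window}}},
        ]}},
        "aggs": {"signatures": {
            "terms": {"field": "alert.signature", "size": top_n},
            "aggs": {
                "severity": {"min": {"field": "alert.severity"}},  # 1 = highest
                "sources": {"terms": {"field": "src_ip", "size": 5}},
            },
        }},
    }

def summarize(response):
    """Flatten the nested buckets into rows a Django view can render."""
    rows = []
    for b in response["aggregations"]["signatures"]["buckets"]:
        srcs = b["sources"]["buckets"]
        rows.append({"signature": b["key"], "count": b["doc_count"],
                     "severity": int(b["severity"]["value"]),
                     "top_src": srcs[0]["key"] if srcs else None})
    return rows

def query_es(es_url, body):
    """POST the aggregation to the _search REST endpoint and return the parsed JSON."""
    req = urllib.request.Request(f"{es_url}/{INDEX}/_search", data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample response (not captured from a real cluster) so this runs offline.
SAMPLE_RESPONSE = {"aggregations": {"signatures": {"buckets": [
    {"key": "SAMPLE SCAN Suspicious User-Agent", "doc_count": 42, "severity": {"value": 2.0},
     "sources": {"buckets": [{"key": "10.0.0.5", "doc_count": 40}, {"key": "10.0.0.9", "doc_count": 2}]}},
    {"key": "SAMPLE STREAM Bad handshake", "doc_count": 7, "severity": {"value": 3.0},
     "sources": {"buckets": []}},
]}}}
```

Against a live cluster, `summarize(query_es("http://localhost:9200", build_alert_query()))` gives the same row shape; `alert.signature` and `src_ip` must be mapped as `keyword`/`ip` for the `terms` aggregations to work.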