Hi,
I'm working on a group project where we use Suricata for network security monitoring and have integrated it with the ELK stack (Elasticsearch, Logstash, Kibana, and Filebeat) and Django to create a real-time security reporting dashboard.
My questions are:
- Is it common or advisable to use multiple Elastic APIs together to visualize Suricata log data in a web app? For example, I’m considering using the REST API for querying, Saved Objects API for visualizations, and the Alerting API for setting up real-time alerts. Would this approach be efficient, or is there a more unified API solution that could simplify the process?
- Are there any commonly used aggregations specific to network log data, particularly Suricata logs, that would be helpful for security analysis? I've gone through the manual, but I want to make sure I'm focusing on the most useful metrics for threat detection.
Thanks in advance for any advice!
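As an added example (not part of the original post), here is the kind of aggregation request that covers the Suricata-specific metrics asked about above, plus the glue that turns the Elasticsearch response into something a Django view can hand to a dashboard. It assumes raw EVE JSON field names (`event_type`, `timestamp`, `alert.signature`, `alert.severity`, `src_ip`, `dest_ip`) indexed as-is; the Filebeat Suricata module renames these to ECS fields, so the field names would need adjusting there. The response is a constructed sample shaped like a `_search` reply so the code runs offline; `SCAN_THRESHOLD` is an arbitrary illustrative cut-off.

```python
"""Suricata alert aggregations for a security dashboard (added example).

Assumptions: raw EVE fields are indexed as-is (alert.signature as keyword,
src_ip/dest_ip as ip). Suricata severity is 1 = high, 2 = medium, 3 = low,
so a `min` sub-aggregation yields the most severe level seen per signature.
"""
from __future__ import annotations

SCAN_THRESHOLD = 20  # illustrative: distinct destinations per source before we flag it


def build_alert_aggs(since: str = "now-24h", interval: str = "1h", top_n: int = 10) -> dict:
    """Build the _search body: filter to alert events, then aggregate."""
    return {
        "size": 0,  # we only want the aggregations, not the matching documents
        "query": {"bool": {"filter": [
            {"term": {"event_type": "alert"}},
            {"range": {"timestamp": {"gte": since}}},
        ]}},
        "aggs": {
            # Alert volume per time bucket: the usual dashboard timeline.
            "alerts_over_time": {"date_histogram": {"field": "timestamp", "fixed_interval": interval}},
            # Which rules fire most, and how severe each of them gets.
            "top_signatures": {
                "terms": {"field": "alert.signature.keyword", "size": top_n},
                "aggs": {"highest_severity": {"min": {"field": "alert.severity"}}},
            },
            # Noisiest sources, with how many distinct hosts each one touched.
            "top_sources": {
                "terms": {"field": "src_ip", "size": top_n},
                "aggs": {"distinct_targets": {"cardinality": {"field": "dest_ip"}}},
            },
            # Overall severity split for a quick triage gauge.
            "by_severity": {"terms": {"field": "alert.severity"}},
        },
    }


def summarize(response: dict) -> dict:
    """Flatten the aggregation buckets into dashboard-ready structures."""
    aggs = response["aggregations"]
    timeline = [(b["key_as_string"], b["doc_count"]) for b in aggs["alerts_over_time"]["buckets"]]
    signatures = [
        {"signature": b["key"], "count": b["doc_count"], "severity": int(b["highest_severity"]["value"])}
        for b in aggs["top_signatures"]["buckets"]
    ]
    sources = [
        {"src_ip": b["key"], "count": b["doc_count"], "distinct_dests": b["distinct_targets"]["value"]}
        for b in aggs["top_sources"]["buckets"]
    ]
    # A single source touching many distinct destinations is a scan-like pattern worth triaging.
    scanners = [s["src_ip"] for s in sources if s["distinct_dests"] >= SCAN_THRESHOLD]
    return {
        "total_alerts": response["hits"]["total"]["value"],
        "timeline": timeline,
        "peak_bucket": max(timeline, key=lambda t: t[1]) if timeline else None,
        "top_signatures": signatures,
        "top_sources": sources,
        "by_severity": {int(b["key"]): b["doc_count"] for b in aggs["by_severity"]["buckets"]},
        "possible_scanners": scanners,
    }


# Constructed sample reply (not real data); addresses are from documentation ranges.
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": 57, "relation": "eq"}},
    "aggregations": {
        "alerts_over_time": {"buckets": [
            {"key_as_string": "2024-05-01T00:00:00.000Z", "key": 1714521600000, "doc_count": 12},
            {"key_as_string": "2024-05-01T01:00:00.000Z", "key": 1714525200000, "doc_count": 45},
        ]},
        "top_signatures": {"buckets": [
            {"key": "SAMPLE SCAN Inbound port sweep", "doc_count": 40, "highest_severity": {"value": 2.0}},
            {"key": "SAMPLE POLICY Cleartext login", "doc_count": 17, "highest_severity": {"value": 3.0}},
        ]},
        "top_sources": {"buckets": [
            {"key": "203.0.113.7", "doc_count": 40, "distinct_targets": {"value": 38}},
            {"key": "198.51.100.22", "doc_count": 17, "distinct_targets": {"value": 1}},
        ]},
        "by_severity": {"buckets": [{"key": 2, "doc_count": 40}, {"key": 3, "doc_count": 17}]},
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_alert_aggs(), indent=2))
    print(json.dumps(summarize(SAMPLE_RESPONSE), indent=2))
```

In a Django view the body from `build_alert_aggs()` would be sent with the official Python client (`es.search(index="suricata-*", body=...)`), and `summarize()` would run on the reply; keeping the DSL in one function also makes it easy to reuse the same query as the condition for an alerting rule rather than maintaining a second copy.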