Drilling into Suricata data

We're a Suricata shop and I was hoping to use the SIEM to cross-reference things like (external) IP reputation with Suricata events using the SIEM.

Starting out slowly, before jumping into anything like external reputation sources, I'm honestly not sure how I even get into Suricata alarm data in the SIEM? I can see alarms in the Suricata Dashboards and the "Filebeat Suricata" counter on the SIEM Overview page is incrementing, but when I go into the Network view it appears that I can only drag objects from the "Top Talkers" and "Top DNS Domains" tables into Timeline.

Am I missing how I can drag Suricata alarm data into the Timeline?

Hi Sam, thanks for trying the Elastic SIEM beta with Suricata!

The first step towards working with Suricata data in Elastic SIEM is to ingest it via the Suricata Filebeat module, as documented here: Filebeat Reference 7.2 » Modules » Suricata module

If you’re already running an older version of Filebeat, please upgrade it on the host running Suricata to the latest version, currently 7.2.

The Hosts view shown in the screenshot below is filtered with a KQL query, host.name: suricata* , to only show hostnames starting with suricata in the All Hosts widget:

Per the arrow in the screenshot above, drag the host to the timeline to view events collected from that host.

The screenshot below shows a Suricata alert in the timeline:

Anything draggable in the screenshot above (alert signature, network community_id, source / destination IP, etc.) can be dropped into the timeline query builder to narrow results with an AND, or widen the search with an OR.

Hi Andrew - thank you for your reply. First, apologies if I wasn't clear on my environment. Running 7.2.0 Filebeat with Suricata module enabled. No problems getting Suricata data into elastic - I can see everything in the Suricata dashboards.

Switching over to the SIEM, I can follow what you are doing on the Host view, but I'm not sure that helps me - mainly because Suricata events are Network events. Following your example, I can see the host in my environment, and I can drag it into the Timeline, but that gives me all of the Suricata alarms from that "probe" (to use our parlance) - what I need to dig into is the device/IP that generated the event. As an aside, I do not seem to be able to use Suricata filters (e.g. NOT suricata.eve.event_type:"stats") on the Host view, but they do work in the Network view.

It might help if I explain our workflow: A Suricata alarm is generated and we first evaluate the source.ip and destination.ip. We check Packetbeat data for other DNS/HTTP/HTTPS/etc activity from the source.ip to see if anything else suspicious happened. We check the destination.ip for traffic with other internal IPs, compare it against IP reputation lists, threat intel feeds, etc.

What I really need is a Suricata dashboard instead of say "Top Talkers" as the focal point of the Network view. In that view I would be able to see source.ip, destination.ip, source.port, destination.port, and a bunch of the suricata.eve.* fields - very similar to what is in the Suricata Event and Alert dashboards, but with the ability to drag the contents of those fields into the timeline.

Is, or will, there be a way to modify/add the dashboards in the different views? Top Talkers and Top DNS Domains don't really help me much at all. Having Suricata and even Zeek dashboards in the SIEM would be much more helpful for investigating security events.

Hi Sam, thanks for providing feedback about the SIEM app, and thanks for taking the time to explain your use case.

Currently, the host and network views are not meant to replace use-case specific dashboards, such as IDS or network flow dashboards. We agree that being able to drag objects from any dashboard into the timeline would be valuable and is something that we plan to explore in the future.

However, there are a few things you can try now to better interact with your Suricata data.

The Host and Network views are generally aligned with their respective event types, but there is no strict delineation. For example, you can view your Suricata events in the events table at the bottom of the hosts view by filtering the host view on event.module:"suricata". Then, if you choose to, you can drag the source.ip or destination.ip values from the events table into the timeline.

Likewise, you can start by viewing all Suricata events in the Timeline by adding the same filter to the KQL Bar in the timeline: event.module:"suricata". Then you can continue your investigation by dragging items from the Suricata events themselves into the query builder as filters to expand or narrow your search. To include non-Suricata events in your results, you'll need to change the AND/OR Search selector (to the left of the KQL bar in Timeline) to OR search.

Note that in both cases, you can further filter your Suricata events, for example to just the alert eve event_type, by adding AND event.kind:"alert" to your KQL queries.

For one example, dragging both the source.ip and destination.ip values from a Suricata event displayed in Timeline into the query builder as logical AND filters, and changing the search selector to OR Search, you'll be able to see all network activity reported by Packetbeat (or any other ECS source) between those two IPs.

Short of making every dashboard draggable to Timeline, we think there may be value in making the various tables in the host and network views customizable.

If you agree this could help, and you have some specific suggestions, we'd love to have you create an issue in our Kibana GitHub repository. If so, please check out https://github.com/elastic/kibana/issues/new/choose, select "Feature request" then enter your idea. For extra credit, feel free to add an enhancement label 🙂.

Also, our contributing guidelines are here: https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md

Thanks again.
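An offline sketch of the pivot described in the reply above, added here as an example (it is not part of the original thread and not Elastic's code): filter to Suricata alerts, then pull the non-Suricata events between each alert's two IPs. The events are constructed, flattened to dotted keys, and the Packetbeat `agent.type` / `event.dataset` values are assumptions; matching the IP pair in either direction goes beyond a single `source.ip` AND `destination.ip` filter.

```python
from collections import Counter

# Constructed ECS-style events (flattened dotted keys), not real telemetry.
EVENTS = [
    {"event.module": "suricata", "event.kind": "alert", "suricata.eve.event_type": "alert",
     "source.ip": "10.0.0.5", "destination.ip": "203.0.113.10"},
    {"event.module": "suricata", "event.kind": "event", "suricata.eve.event_type": "stats"},
    {"agent.type": "packetbeat", "event.dataset": "dns",
     "source.ip": "10.0.0.5", "destination.ip": "10.0.0.53"},
    {"agent.type": "packetbeat", "event.dataset": "http",
     "source.ip": "10.0.0.5", "destination.ip": "203.0.113.10"},
    {"agent.type": "packetbeat", "event.dataset": "flow",
     "source.ip": "203.0.113.10", "destination.ip": "10.0.0.5"},
    {"agent.type": "packetbeat", "event.dataset": "flow",
     "source.ip": "10.0.0.7", "destination.ip": "203.0.113.10"},
]

def suricata_alerts(events):
    """Equivalent of the KQL filter event.module:"suricata" AND event.kind:"alert"."""
    return [e for e in events
            if e.get("event.module") == "suricata" and e.get("event.kind") == "alert"]

def between(events, ip_a, ip_b):
    """Non-Suricata events whose endpoints are exactly this IP pair, either direction."""
    pair = {ip_a, ip_b}
    return [e for e in events
            if e.get("event.module") != "suricata"
            and {e.get("source.ip"), e.get("destination.ip")} == pair]

def other_peers(events, ip, exclude):
    """Other hosts seen talking to `ip` (who else contacted the alert's destination)."""
    peers = set()
    for e in events:
        ends = {e.get("source.ip"), e.get("destination.ip")}
        if ip in ends and None not in ends:
            peers |= ends - {ip, exclude}
    return sorted(peers)

def triage(events):
    """One summary row per alert: the IP pair, related datasets, and other peers."""
    rows = []
    for a in suricata_alerts(events):
        src, dst = a["source.ip"], a["destination.ip"]
        related = between(events, src, dst)
        rows.append({"source.ip": src, "destination.ip": dst,
                     "related": dict(Counter(e["event.dataset"] for e in related)),
                     "other_peers_of_destination": other_peers(events, dst, src)})
    return rows

if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row)
```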

Very helpful Mike - much appreciated.

Cheers.
