Drilling into Suricata data

Hi Sam, thanks for trying the Elastic SIEM beta with Suricata!

The first step towards working with Suricata data in Elastic SIEM is to ingest it via the Suricata Filebeat module, as documented here: Filebeat Reference 7.2 » Modules » Suricata module

If you’re already running an older version of Filebeat, please upgrade it on the host running Suricata to the latest version, currently 7.2.

The Hosts view shown in the screenshot below is filtered with a KQL query, host.name: suricata*, to only show hostnames starting with suricata in the All Hosts widget:

Per the arrow in the screenshot above, drag the host to the timeline to view events collected from that host.

The screenshot below shows a Suricata alert in the timeline:

Anything draggable in the screenshot above (alert signature, network community_id, source/destination IP, etc.) can be dropped into the timeline query builder to narrow results with an AND, or widen the search with an OR.
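To make the narrow-with-AND / widen-with-OR behaviour concrete, here is an added Python example that is not part of this post and not code from Elastic SIEM or the Filebeat module. It maps a few constructed Suricata EVE JSON lines to the ECS-style field names the Filebeat Suricata module is assumed to write (host.name, source.ip, destination.ip, network.community_id, suricata.eve.alert.signature, suricata.eve.event_type), renders a set of dragged terms as the KQL string the timeline query builder would produce, and applies the same terms with AND or OR semantics so you can see the result set shrink or grow. The EVE lines, hostnames and community_id values are constructed placeholders, not captured traffic.

```python
import fnmatch
import json

# Constructed sample EVE JSON lines (not real traffic). The community_id values
# are placeholders, not real Community ID hashes.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2019-07-10T12:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"192.0.2.10","dest_port":80,'
    '"proto":"TCP","community_id":"1:placeholderA=",'
    '"alert":{"signature":"ET POLICY curl User-Agent Outbound","signature_id":2013028,"severity":2}}',
    '{"timestamp":"2019-07-10T12:00:02.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","src_port":40000,"dest_ip":"10.0.0.1","dest_port":53,'
    '"proto":"UDP","community_id":"1:placeholderB=",'
    '"dns":{"type":"query","rrname":"example.com"}}',
    '{"timestamp":"2019-07-10T12:00:03.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.7","src_port":51300,"dest_ip":"192.0.2.10","dest_port":80,'
    '"proto":"TCP","community_id":"1:placeholderC=",'
    '"alert":{"signature":"ET POLICY curl User-Agent Outbound","signature_id":2013028,"severity":2}}',
]


def eve_to_ecs(line, host_name):
    """Map one raw EVE JSON line to a flat dict keyed by the ECS-style field
    names the Filebeat Suricata module is assumed to produce (assumption:
    field names are illustrative, check your own index mapping)."""
    ev = json.loads(line)
    doc = {
        "host.name": host_name,
        "@timestamp": ev["timestamp"],
        "suricata.eve.event_type": ev["event_type"],
        "source.ip": ev.get("src_ip"),
        "destination.ip": ev.get("dest_ip"),
        "network.community_id": ev.get("community_id"),
    }
    if ev["event_type"] == "alert":
        doc["suricata.eve.alert.signature"] = ev["alert"]["signature"]
        doc["suricata.eve.alert.signature_id"] = ev["alert"]["signature_id"]
    return doc


def kql(terms, op):
    """Render dragged (field, value) terms as a KQL query string.
    op is 'and' (narrow) or 'or' (widen). Wildcard values stay unquoted
    (host.name: suricata*); other strings are quoted so spaces survive."""
    if op not in ("and", "or"):
        raise ValueError("op must be 'and' or 'or'")
    parts = []
    for field, value in terms:
        if isinstance(value, str) and "*" in value:
            rendered = value
        elif isinstance(value, str):
            rendered = '"%s"' % value.replace('"', '\\"')
        else:
            rendered = str(value)
        parts.append("%s: %s" % (field, rendered))
    return (" %s " % op).join(parts)


def term_matches(doc, field, value):
    """One KQL-style term: exact match, or glob match when value has '*'."""
    actual = doc.get(field)
    if actual is None:
        return False
    if isinstance(value, str) and "*" in value:
        return fnmatch.fnmatchcase(str(actual), value)
    return actual == value


def apply_terms(docs, terms, op):
    """Apply the same terms kql() renders: AND keeps docs matching every
    term (narrow), OR keeps docs matching any term (widen)."""
    combine = all if op == "and" else any
    return [d for d in docs if combine(term_matches(d, f, v) for f, v in terms)]


if __name__ == "__main__":
    docs = [eve_to_ecs(line, "suricata-sensor-1") for line in SAMPLE_EVE_LINES]
    host_only = [("host.name", "suricata*")]
    dragged = [("source.ip", "10.0.0.5"),
               ("suricata.eve.alert.signature", "ET POLICY curl User-Agent Outbound")]
    print(kql(host_only, "and"), "->", len(apply_terms(docs, host_only, "and")), "events")
    print(kql(dragged, "and"), "->", len(apply_terms(docs, dragged, "and")), "events")
    print(kql(dragged, "or"), "->", len(apply_terms(docs, dragged, "or")), "events")
```

Dropping the same two fields with AND leaves only the one alert that has both the source IP and the signature; with OR it also pulls in the DNS event from that source and the same signature firing from another host, which is the difference between pivoting on a single session and sweeping for related activity.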