*Current version ELK 6.8.8
I am using ELK + Suricata. I am trying to build a visualization in Kibana to filter the alerts received from index "logstash-alert-*". All alerts are received, but I would like to have a few visualization to show only the data related to "Brute Force attacks", or "Ransomware attacks", or "C&C attacks" for just giving some examples.
I tried adding a filter by field "alert.signature_id". This worked fine for cases when there are just a few rule IDs involved (1-20), but when I have 492 rule IDs related to a type of attack, that's too much to add each rule ID manually to the filter (still I tried and spent some time adding all the 492 rule IDs), plus I got an error saying it was a huge URL and system would not be able to process it.
Then I tried adding a filter by field "alert.signature" to search for keywords like "Botnet", "botnet", "Bot", etc. But the issue here is that not all the alerts related to "Botnet attacks" have some of the words in the field so I can add it, but still are that kind of attack and I need to add it somehow to the filter.
Can this be done in any other way that I am missing?
Can you point a good tutorial, preferable step by step?
Is it possible to hire technical support only services without buying a license?