How to import suricata.rules into SIEM detection rules?

Hello.

I'm using both filebeat suricata module and SIEM suricata agent on kibana.
I realized that the results of detection alerts are different between the filebeat suricata module and SIEM suricata because they use different detection rules.

So, I'm wondering if I can import the filebeat suricata rules file (suricata.rules) into SIEM suricata rules.

This is the filebeat suricata rule file (suricata.rules) that I have.

This is the SIEM alert dashboard page to import rules.

Thank you.

Hello :wave:,

If I am understanding your question correctly, I will try to provide some insight to help you achieve what you are trying to do.

Whether you are using filebeat or the elastic agent, suricata will send events to the stack based on how it is configured. This could include events and suricata "alerts".

Then from Kibana, if rules exist, the detection engine will run against the respective data set. As you can see under the detection-rules repo, there are no prebuilt rules currently written for the suricata module specifically.

However, we have a promotion rule that applies to any integration running under the elastic agent, so long as the event.kind is equal to alert. That means that if any of the events meet that criteria, they will automatically create SIEM alerts.
Hopefully that clarifies how this should work. If you are writing custom rules, you are able to write them on any of the events, whether they are raw events or alerts, just be sure to target the proper index pattern, such as logs-suricata*.

If you have specific ideas in mind, you can always open an issue in the rules repo for collaboration or to merge them, where they will ship with the stack. If you just want to discuss ideas further, you can always reach out in our public slack rules channel.

Justin
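To make the two conditions in the reply above concrete (an `event.kind` of `alert`, and an index pattern such as `logs-suricata*`), here is an added example that is not part of the original thread or of Elastic's own rules: a constructed query-rule body in the shape of the Kibana Detection Engine rules API, plus a local dry-run evaluator over constructed sample documents. The rule values, the sample documents and the minimal `field:value` query check are all assumptions for illustration; real KQL is richer than what `rule_matches` handles.

```python
import fnmatch

# Constructed rule body in the shape accepted by the Kibana Detection Engine rules API
# (POST /api/detection_engine/rules). The field names are real; every value is an
# assumption chosen for this example, not one of Elastic's prebuilt rules.
SURICATA_PROMOTION_RULE = {
    "name": "Suricata EVE alerts promoted to SIEM alerts (example)",
    "description": "Promote every Suricata alert under logs-suricata* to a detection alert.",
    "type": "query",
    "language": "kuery",
    "index": ["logs-suricata*"],      # the index pattern the reply says to target
    "query": "event.kind:alert",      # the promotion criterion from the reply
    "risk_score": 47,
    "severity": "medium",
    "enabled": True,
}

# Constructed sample documents (index name plus _source fields), not real captures.
SAMPLE_DOCS = [
    {"_index": "logs-suricata.eve-default", "event": {"kind": "alert"}, "source": {"ip": "192.0.2.10"}},
    {"_index": "logs-suricata.eve-default", "event": {"kind": "event"}, "network": {"protocol": "dns"}},
    {"_index": "logs-zeek.notice-default", "event": {"kind": "alert"}},
    {"_index": "filebeat-8.0.0", "event": {"kind": "alert"}},  # filebeat module data, outside logs-suricata*
]


def get_field(doc, dotted):
    """Resolve an ECS dotted field name (e.g. event.kind) against a nested document."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def rule_matches(doc, rule):
    """Local dry run of a query rule: the index pattern is checked first, then a
    deliberately minimal 'field:value' query check (enough for event.kind:alert)."""
    if not any(fnmatch.fnmatch(doc["_index"], pattern) for pattern in rule["index"]):
        return False
    field, value = rule["query"].split(":", 1)
    return str(get_field(doc, field)) == value


def promoted(docs, rule):
    """Return the positions of the documents that would become SIEM alerts."""
    return [i for i, doc in enumerate(docs) if rule_matches(doc, rule)]
```

Only the first document is promoted: the second is not an alert, the third is an alert but lives outside the rule's index pattern, and the fourth shows why data shipped by the filebeat module into a `filebeat-*` index is not picked up by a rule scoped to `logs-suricata*`.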