Hello everybody
I'm posting this here because the contributing guidelines on GitHub state that issues should be posted here before opening one on GitHub.
The Suricata Filebeat module is missing a mapping for the field "tenant_id". Could you please add a mapping for this field to the module?
When the multi-tenancy feature of Suricata is enabled (see https://suricata.readthedocs.io/en/suricata-5.0.2/configuration/multi-tenant.html), the tenant ID is emitted in the field suricata.eve.alert.tenant_id.
Example alert (sanitized):
{
"timestamp":"2020-03-31T15:32:43.000579+0200",
"flow_id":255379933845494,
"in_iface":"eno2",
"event_type":"alert",
"vlan":[1900],
"src_ip":"4.3.2.1",
"src_port":54321,
"dest_ip":"192.168.1.2",
"dest_port":80,
"proto":"TCP",
"metadata":{
"flowints":{
"http.anomaly.count":1
}
},
"tx_id":0,
"alert":{
"action":"allowed",
"gid":1,
"signature_id":2221014,
"rev":1,
"signature":"SURICATA HTTP missing Host header",
"category":"Generic Protocol Command Decode",
"severity":3,
"tenant_id":1
},
"http":{
"url":"\/someURL",
"http_user_agent":"agent",
"http_method":"POST",
"protocol":"HTTP\/1.1",
"length":0
},
"app_proto":"http",
"flow":{
"pkts_toserver":5,
"pkts_toclient":3,
"bytes_toserver":691,
"bytes_toclient":321,
"start":"2020-03-31T15:31:41.415734+0200"
},
"packet_info":{
"linktype":12
}
}