Hi,
- Running ELK 6.8.8 on premises
I've defined a number of visualizations in Kibana, which use the signature IDs from Suricata.
Initially I made a series of manual filters by ID and the visualizations look good, showing the information I need.
The problem is that these signature IDs are updated very often in Suricata, so in as little time as hours or a couple of days, the filters I made become obsolete or do not contain the latest rule IDs available in Suricata.
Not incorporating these new IDs into my visualizations is a big problem for me, so I'm looking for a way that I can automate updating these filters from Suricata to Kibana.
Is there a way to achieve this automation process?
- As a note, in my opinion, it would be best if the information I need was already included in the index "logstash-alert-*" in the form of an additional field. This way, I would not have to do any filter in Kibana and would only show this new field, since the alerts would be categorized as they were being indexed. But unfortunately, I don't know how to achieve this either.
Example:
(it already exists)
alert.category: Attempted Denial of Service
alert.signature: ET SCAN Possible SSL Brute Force attack or Site Crawl
alert.signature_id: 2001553
(to add)
alert.type (or alert.group): Brute Force attack
Either having to use my filters with automation or using the index enhancement (if it becomes available), I should be able to move forward, so any help is welcome.
Thank you
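
One way to produce the extra field described in the post, as an added example that is not part of the original post: a script that rebuilds a signature_id to group lookup from the Suricata rule file whenever the rules are updated, so the grouping no longer depends on hand-maintained Kibana filters. The keyword table, every group name other than "Brute Force attack", and the sample rules are constructed assumptions; only the sid/msg pair 2001553 comes from the post.

```python
import re

# Hypothetical keyword -> group table; only "Brute Force attack" is from the post.
GROUP_KEYWORDS = [
    ("brute force", "Brute Force attack"),
    ("sql injection", "SQL Injection"),
]

# Constructed sample rules; only sid 2001553 and its msg text come from the post.
SAMPLE_RULES = r'''alert tcp any any -> $HOME_NET 443 (msg:"ET SCAN Possible SSL Brute Force attack or Site Crawl"; sid:2001553; rev:1;)
# alert tcp any any -> any any (msg:"EXAMPLE disabled Brute Force rule"; sid:9000001; rev:1;)
alert http any any -> any any (msg:"EXAMPLE SQL Injection attempt \"quoted\; part"; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE unrelated traffic"; sid:9000003; rev:1;)
'''

# msg may contain escaped characters such as \" and \; so match escapes explicitly.
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def classify(msg):
    """Return the first group whose keyword appears in the signature text."""
    low = msg.lower()
    for keyword, group in GROUP_KEYWORDS:
        if keyword in low:
            return group
    return None

def build_mapping(rules_text):
    """Map sid (as string) -> group for every enabled rule that matches a keyword."""
    mapping = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and disabled rules
            continue
        msg = MSG_RE.search(line)
        if not msg:
            continue
        # Search for sid outside the msg text so a sid quoted in msg is ignored.
        sid = SID_RE.search(line[:msg.start()] + line[msg.end():])
        group = classify(msg.group(1))
        if sid and group:
            mapping[sid.group(1)] = group
    return mapping

def to_yaml_dictionary(mapping):
    """Render as a quoted key/value YAML file, sorted by numeric sid."""
    items = sorted(mapping.items(), key=lambda kv: int(kv[0]))
    return "".join('"%s": "%s"\n' % (sid, group) for sid, group in items)

if __name__ == "__main__":
    print(to_yaml_dictionary(build_mapping(SAMPLE_RULES)), end="")
```

The generated file could then be read by a Logstash translate filter (`dictionary_path`, with `field` set to `[alert][signature_id]`) to write the group into each alert at index time; that wiring is an assumption about the pipeline, not something stated in the post.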