The Suricata results shown on the [Filebeat dashboard] are different from the results shown in [Security -> Alerts] in Kibana

I am using the Suricata module for the IDS and I am also activating the Suricata integration in the SIEM.

The Filebeat Suricata dashboard was created in Kibana, and the Suricata alert dashboard can also be checked in Kibana (Security -> Alerts).

Both come from the same data source, but when comparing the data, the results are different.

[filebeat suricata data]

[SIEM: Security -> alerts]

Both are filtered by 'Potentially bad traffic' and the same date, but the [filebeat suricata] results are 27 and the SIEM results are 25.

Is there anyone who knows why the results are different even though the data source is the same?

Thank you.

These two views are looking at different data sources.

  • The first is looking at the raw events from Suricata.

  • The second is looking at alerts in .alerts-security.alerts-default. These events would have been put there by a detection rule. There is a generic rule called External Alerts that takes alert events from external systems like Suricata and "promotes" them to be Elastic SIEM alerts.

So the difference might just be related to timing. I think the @timestamp on the data in the .alerts index is when the rule triggered. The time from the original Suricata alert should also be in there, but under a different field.
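To make the timing explanation in the answer above concrete, here is an added example (my own code, not from this thread or from Elastic) that simulates a detection rule promoting raw Suricata events into an alerts index. It assumes a rule that runs every 5 minutes and stamps each alert with the execution time, and it assumes the original event time is preserved in a field named `kibana.alert.original_time`; the thread only says "a different field", so that name is my assumption. The sample events are constructed; two of them fall in the last few minutes of the day, so a range filter on `@timestamp` in the alerts index pushes them into the next day while the raw index still counts them.

```python
"""Simulate how rule-execution time shifts @timestamp on promoted alerts.

Added example, not code from the original thread. It models the answer
above: raw Suricata events keep their own @timestamp, while alerts written
to .alerts-security.alerts-default by a detection rule get @timestamp set
to the rule execution time. The original event time is assumed to be kept
in kibana.alert.original_time (field name is an assumption).
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
CATEGORY = "Potentially Bad Traffic"


def ts(y, mo, d, h, mi, s=0):
    return datetime(y, mo, d, h, mi, s, tzinfo=UTC)


# Constructed sample data: raw Suricata alert events as Filebeat would index them.
RAW_EVENTS = [
    {"@timestamp": ts(2023, 2, 28, 23, 57, 30), "suricata.eve.alert.category": CATEGORY},
    {"@timestamp": ts(2023, 3, 1, 9, 0, 0),     "suricata.eve.alert.category": CATEGORY},
    {"@timestamp": ts(2023, 3, 1, 10, 15, 0),   "suricata.eve.alert.category": CATEGORY},
    {"@timestamp": ts(2023, 3, 1, 12, 3, 0),    "suricata.eve.alert.category": "Attempted Information Leak"},
    {"@timestamp": ts(2023, 3, 1, 12, 3, 0),    "suricata.eve.alert.category": CATEGORY},
    {"@timestamp": ts(2023, 3, 1, 23, 57, 0),   "suricata.eve.alert.category": CATEGORY},
    {"@timestamp": ts(2023, 3, 1, 23, 58, 40),  "suricata.eve.alert.category": CATEGORY},
]

# Assumed rule schedule: every 5 minutes, aligned to this origin.
RULE_INTERVAL = timedelta(minutes=5)
SCHEDULE_ORIGIN = ts(2023, 2, 28, 0, 0)


def next_rule_run(event_time, interval=RULE_INTERVAL, origin=SCHEDULE_ORIGIN):
    """First scheduled rule execution strictly after the event time."""
    elapsed = event_time - origin
    return origin + (elapsed // interval + 1) * interval


def promote(events, interval=RULE_INTERVAL, origin=SCHEDULE_ORIGIN):
    """Emulate the External Alerts rule: copy each event into the alerts index
    with @timestamp = rule execution time and the event's own time preserved
    in kibana.alert.original_time (assumed field name)."""
    alerts = []
    for ev in events:
        alert = dict(ev)
        alert["kibana.alert.original_time"] = ev["@timestamp"]
        alert["@timestamp"] = next_rule_run(ev["@timestamp"], interval, origin)
        alerts.append(alert)
    return alerts


def count_in_window(docs, time_field, start, end, category=CATEGORY):
    """Equivalent of a term filter on the category plus a range on time_field."""
    return sum(
        1 for d in docs
        if d["suricata.eve.alert.category"] == category and start <= d[time_field] < end
    )


def compare(events=RAW_EVENTS):
    """Count the same category for one calendar day three ways:
    raw index on @timestamp, alerts index on @timestamp (rule run time),
    alerts index on the preserved original event time."""
    day_start, day_end = ts(2023, 3, 1, 0, 0), ts(2023, 3, 2, 0, 0)
    alerts = promote(events)
    return {
        "raw": count_in_window(events, "@timestamp", day_start, day_end),
        "alerts_by_timestamp": count_in_window(alerts, "@timestamp", day_start, day_end),
        "alerts_by_original_time": count_in_window(
            alerts, "kibana.alert.original_time", day_start, day_end
        ),
    }


if __name__ == "__main__":
    print(compare())
```

The two counts on `@timestamp` disagree even though every event was promoted: an event from the previous day lands on the first rule run of 1 March, and the events from 23:57 and 23:58 land on the first run of 2 March. Filtering the alerts index on the preserved original time instead of `@timestamp` brings the count back in line with the raw Suricata data, which is the check to run in Kibana before concluding that alerts were dropped.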