Threat hunting with suricata, ElasticSecurity

Good morning.
I have built a suricata, and I am delivering events to elasticsearch with filebeat.

There are various detection rules in elasticsecurity, but among them, detection rules for suricata (ET Rule) do not exist.

I think it can be because the environment is diverse.

I plan to monitor threats to aws network through aws vpc traffic mirroring, and use suricata and elasticsearch for this.

The problem is the correlation rules.
Suricata events occur very often, and it is almost impossible for humans to check them individually.

Therefore, I have to trigger the rules according to the correlation, and I plan to use elasticsearch.

The problem is that there are many examples of rules for host events such as windows event log and syslog, but I could not find examples of correlation rules for NIDS such as suricata and zeek.

Can you tell me an example of creating a correlation rule using suricata and elasticsearch?

When an issue occurs, searching through elasticsearch is very fast and easy. However, it seems very difficult to create correlation rules.

In particular, it seems impossible to create an IP-based correlation, how do I solve it?

In general, when using suricata and Elasticsearch, do you only check that certain rules occur? In this case, the possibility of false positives is high, and there are too many events to be checked.

That is for a specific reason. Suricata rules are its own rules so it is pointless to create detection rules in Elastic Security.

Whenever a Suricata rule is triggered, it uses a specific detection rule in Elastic SIEM named "External Alerts".

Can you provide a better description of the type of correlation rule you want to make?
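An added example of the IP-based correlation asked about above, not code from this thread, from Elastic or from the Suricata project: it reads raw Suricata EVE JSON alert lines (constructed sample events with placeholder signature IDs) and flags any source IP that triggers at least N distinct signatures inside a sliding time window, which is the kind of condition an Elastic threshold rule grouped on the source IP field expresses once Filebeat's suricata module has mapped `src_ip` to `source.ip`.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample EVE lines (not real traffic); signature IDs and names are placeholders.
# Raw Suricata field names are used here (src_ip, alert.signature_id); Filebeat's suricata
# module renames src_ip to the ECS field source.ip when shipping to Elasticsearch.
SAMPLE_EVE = """
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.1.10","alert":{"signature_id":9000001,"signature":"CONSTRUCTED scan signature A","severity":2}}
{"timestamp":"2024-01-01T10:00:30.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.1.11","alert":{"signature_id":9000002,"signature":"CONSTRUCTED scan signature B","severity":2}}
{"timestamp":"2024-01-01T10:01:00.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.1.12"}
{"timestamp":"2024-01-01T10:01:30.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.1.12","alert":{"signature_id":9000003,"signature":"CONSTRUCTED scan signature C","severity":2}}
{"timestamp":"2024-01-01T10:02:00.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"10.0.1.10","alert":{"signature_id":9000001,"signature":"CONSTRUCTED scan signature A","severity":2}}
{"timestamp":"2024-01-01T10:20:00.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"10.0.1.13","alert":{"signature_id":9000002,"signature":"CONSTRUCTED scan signature B","severity":2}}
{"timestamp":"2024-01-01T10:21:00.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"10.0.1.14","alert":{"signature_id":9000003,"signature":"CONSTRUCTED scan signature C","severity":2}}
"""


def correlate_distinct_signatures(eve_lines, threshold=3, window=timedelta(minutes=5)):
    """Return {src_ip: sorted signature ids} for every source IP that triggers at least
    `threshold` distinct signatures within a sliding `window`. Lines are expected in time
    order, as they appear in eve.json; non-alert records (flow, dns, http...) are skipped."""
    recent = defaultdict(deque)  # src_ip -> deque of (timestamp, signature_id) inside the window
    hits = {}
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        src = ev["src_ip"]
        q = recent[src]
        q.append((ts, ev["alert"]["signature_id"]))
        while q and ts - q[0][0] > window:  # drop alerts that fell out of the window
            q.popleft()
        distinct = {sid for _, sid in q}
        if len(distinct) >= threshold and src not in hits:
            hits[src] = sorted(distinct)
    return hits


if __name__ == "__main__":
    # 10.0.0.5 fires three different signatures in 90 seconds; 10.0.0.9 spreads them over
    # 19 minutes, so only the first source exceeds the threshold with the default window.
    for src, sids in correlate_distinct_signatures(SAMPLE_EVE.splitlines()).items():
        print(f"{src}: {len(sids)} distinct signatures {sids}")
```

Widening the window to an hour makes 10.0.0.9 match as well, which is the trade-off a threshold rule's time window sets between catching slow scans and raising false positives.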
