Good morning.
I have built a suricata, and I am delivering events to elasticsearch with filebeat.
There are various detection rules in Elastic Security, but among them, detection rules for Suricata (ET rules) do not exist.
I think it can be because the environment is diverse.
I plan to monitor threats to aws network through aws vpc traffic mirroring, and use suricata and elasticsearch for this.
The problem is the correlation rules.
Suricata events occur very often, and it is almost impossible for humans to check them individually.
Therefore, I have to trigger the rules according to the correlation, and I plan to use Elasticsearch.
The problem is that there are many examples of rules for host events such as windows event log and syslog, but I could not find examples of correlation rules for NIDS such as suricata and zeek.
Can you tell me an example of creating a correlation rule using suricata and elasticsearch?
When an issue occurs, searching through elasticsearch is very fast and easy. However, it seems very difficult to create correlation rules.
In particular, it seems impossible to create an IP-based correlation, how do I solve it?
In general, when using Suricata and Elasticsearch, do you only check that certain rules occur? In this case, the possibility of false positives is high, and there are too many events to be checked.
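As an added example (not part of the original post, and not code from Suricata, Filebeat or Elastic), here is one way to do the IP-based correlation the question asks about. It reads Suricata EVE alert records, keys them by source IP, and raises a finding only when one source triggers several distinct signatures or reaches several distinct destinations inside a short window; a single alert, or the same signature repeating against one host, stays below the threshold. The sample EVE lines are constructed, and the window and threshold values are assumptions to tune for your traffic. The second function returns the body of an Elastic Security threshold rule that expresses the same idea over the ECS fields Filebeat's Suricata module produces (`source.ip`, `destination.ip`, `suricata.eve.alert.signature_id`); the field layout shown is my understanding of the Detection Engine rule format, so check it against your Kibana version before posting it.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Suricata EVE alert records (fields match eve.json; values are invented).
SAMPLE_EVE = """
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.1.5","dest_ip":"10.0.2.10","alert":{"signature_id":2001219,"signature":"ET SCAN Potential SSH Scan"}}
{"timestamp":"2024-01-01T10:00:20.000000+0000","event_type":"alert","src_ip":"10.0.1.5","dest_ip":"10.0.2.11","alert":{"signature_id":2010935,"signature":"ET SCAN Suspicious inbound to MSSQL port 1433"}}
{"timestamp":"2024-01-01T10:01:05.000000+0000","event_type":"alert","src_ip":"10.0.1.5","dest_ip":"10.0.2.12","alert":{"signature_id":2010936,"signature":"ET SCAN Suspicious inbound to Oracle SQL port 1521"}}
{"timestamp":"2024-01-01T10:00:30.000000+0000","event_type":"alert","src_ip":"10.0.1.7","dest_ip":"10.0.2.20","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"timestamp":"2024-01-01T10:00:40.000000+0000","event_type":"alert","src_ip":"10.0.1.7","dest_ip":"10.0.2.20","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"timestamp":"2024-01-01T10:00:50.000000+0000","event_type":"alert","src_ip":"10.0.1.7","dest_ip":"10.0.2.20","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"timestamp":"2024-01-01T10:02:00.000000+0000","event_type":"alert","src_ip":"10.0.1.9","dest_ip":"10.0.2.30","alert":{"signature_id":2001219,"signature":"ET SCAN Potential SSH Scan"}}
{"timestamp":"2024-01-01T10:00:10.000000+0000","event_type":"flow","src_ip":"10.0.1.5","dest_ip":"10.0.2.10"}
"""


def parse_eve(text):
    """Yield (timestamp, src_ip, dest_ip, signature_id) for each EVE alert line."""
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("event_type") != "alert":  # skip flow/dns/http records
            continue
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        yield ts, rec["src_ip"], rec["dest_ip"], rec["alert"]["signature_id"]


def correlate_by_source(events, window=timedelta(minutes=5),
                        min_signatures=3, min_destinations=3):
    """Flag a source IP once when, inside `window`, it trips at least
    `min_signatures` distinct signatures OR reaches `min_destinations`
    distinct destinations. Thresholds are assumed starting values."""
    recent = defaultdict(deque)   # src_ip -> deque of (ts, dest, sid) in window
    flagged = set()
    findings = []
    for ts, src, dst, sid in sorted(events, key=lambda e: e[0]):
        q = recent[src]
        q.append((ts, dst, sid))
        while q and ts - q[0][0] > window:   # drop events that aged out
            q.popleft()
        sids = {e[2] for e in q}
        dsts = {e[1] for e in q}
        if src not in flagged and (len(sids) >= min_signatures
                                   or len(dsts) >= min_destinations):
            flagged.add(src)
            findings.append({"source_ip": src, "signatures": sorted(sids),
                             "destinations": sorted(dsts), "last_seen": ts.isoformat()})
    return findings


def threshold_rule_body(index="filebeat-*", value=1, sig_cardinality=3):
    """Elastic Security threshold rule over Filebeat's Suricata ECS fields.
    Assumed rule shape: group by source.ip and require `sig_cardinality`
    distinct signature ids in the rule's lookback window."""
    return {
        "name": "Suricata: one source tripping many distinct signatures",
        "description": "Correlates Suricata alerts by source.ip instead of per-signature",
        "type": "threshold",
        "index": [index],
        "language": "kuery",
        "query": "event.kind:alert and event.module:suricata",
        "threshold": {
            "field": ["source.ip"],
            "value": value,
            "cardinality": [{"field": "suricata.eve.alert.signature_id",
                             "value": sig_cardinality}],
        },
        "risk_score": 47,
        "severity": "medium",
        "from": "now-6m",
        "interval": "5m",
    }


if __name__ == "__main__":
    for f in correlate_by_source(parse_eve(SAMPLE_EVE)):
        print(json.dumps(f))
    print(json.dumps(threshold_rule_body(), indent=2))
```

Run against the sample, only 10.0.1.5 is reported: three different signatures against three hosts in about a minute. 10.0.1.7 repeats one signature against one host and 10.0.1.9 fires once, so neither crosses a threshold, which is the point of correlating per source instead of alerting on every rule hit.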