Community ID

From https://github.com/corelight/community-id-spec:

When processing flow data from a variety of monitoring applications (such as Zeek and Suricata), it’s often desirable to pivot quickly from one dataset to another. While the required flow tuple information is usually present in the datasets, the details of such “joins” can be tedious, particular in corner cases. This spec describes “Community ID” flow hashing, standardizing the production of a string identifier representing a given network flow, to reduce the pivot to a simple string comparison.

Security Onion enables the built-in Community ID support in both Zeek and Suricata.

We also sponsored the development of Community ID support in osquery.

For logs that don’t naturally include Community ID, we use the Elasticsearch Community ID processor:

More Information

See also

For more information about Community ID, please see: