Alert Data Fields
Elasticsearch receives NIDS alerts from Suricata via Elastic Agent or Logstash and parses them using:
- /opt/so/conf/elasticsearch/ingest/suricata.alert
- /opt/so/conf/elasticsearch/ingest/common.NIDS
- /opt/so/conf/elasticsearch/ingest/common
You can find these online at:
- https://github.com/Security-Onion-Solutions/securityonion/blob/3/main/salt/elasticsearch/files/ingest/suricata.alert
- https://github.com/Security-Onion-Solutions/securityonion/blob/3/main/salt/elasticsearch/files/ingest/common.nids
- https://github.com/Security-Onion-Solutions/securityonion/blob/3/main/salt/elasticsearch/files/ingest-dynamic/common
You can find parsed NIDS alerts in Alerts, Dashboards, Hunt, and Kibana via their predefined queries and dashboards or by manually searching for:
event.module:"Suricata" event.dataset:"alert"
Those alerts should have the following fields:
- source.ip
- source.port
- destination.ip
- destination.port
- network.transport
- rule.gid
- rule.name
- rule.rule
- rule.rev
- rule.severity
- rule.uuid
- rule.version
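The following is an added example, not Security Onion's ingest pipeline and not code from the project. It takes a constructed Suricata eve.json alert record, maps it onto the field names listed above (the mapping is a hand-written approximation of what the pipelines produce, chosen for illustration), checks the result for any of the expected fields that are missing, and applies the same event.module / event.dataset filter used in the manual search. The rule text and ruleset version are filled from a constructed lookup table, since EVE alert records carry the signature but not the rule itself; the sid, addresses and rule text are placeholders.

```python
"""Map a Suricata EVE alert to the alert fields listed on the page and
validate the result. Added example; the field mapping is an assumption
and does not reproduce the real suricata.alert / common.NIDS pipelines."""
import json

# Fields the page says every parsed NIDS alert should carry.
EXPECTED_FIELDS = [
    "source.ip", "source.port", "destination.ip", "destination.port",
    "network.transport", "rule.gid", "rule.name", "rule.rule", "rule.rev",
    "rule.severity", "rule.uuid", "rule.version",
]

# Constructed ruleset lookup: sid -> rule text and ruleset version.
# EVE alert records do not include the rule body, so a real pipeline
# has to enrich from the ruleset; this table stands in for that.
RULESET = {
    9000001: {
        "rule": 'alert tcp any any -> any any (msg:"EXAMPLE constructed rule"; '
                'sid:9000001; rev:3;)',
        "version": "example-ruleset-2024",   # placeholder value
    },
}

# Constructed eve.json alert line (real Suricata key names, sample values).
SAMPLE_EVE = json.dumps({
    "timestamp": "2024-01-01T00:00:00.000000+0000",
    "event_type": "alert",
    "src_ip": "10.0.0.5", "src_port": 49152,
    "dest_ip": "203.0.113.10", "dest_port": 80,
    "proto": "TCP",
    "alert": {"action": "allowed", "gid": 1, "signature_id": 9000001,
              "rev": 3, "signature": "EXAMPLE constructed rule",
              "category": "Example", "severity": 2},
})

# Constructed ICMP alert: Suricata emits no ports for ICMP, which is the
# edge case the completeness check below should surface.
SAMPLE_ICMP = json.dumps({
    "timestamp": "2024-01-01T00:00:01.000000+0000",
    "event_type": "alert",
    "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "proto": "ICMP",
    "alert": {"action": "allowed", "gid": 1, "signature_id": 9000001,
              "rev": 3, "signature": "EXAMPLE constructed rule",
              "category": "Example", "severity": 2},
})


def flatten(doc, prefix=""):
    """Turn a nested document into {"a.b.c": value} so the dotted field
    names used by Elasticsearch can be looked up directly."""
    out = {}
    for key, value in doc.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, dotted))
        else:
            out[dotted] = value
    return out


def to_ecs(eve_line):
    """Map one EVE alert record onto the page's field names (assumed mapping)."""
    ev = json.loads(eve_line)
    if ev.get("event_type") != "alert":
        raise ValueError("not an alert record")
    alert = ev["alert"]
    sid = alert.get("signature_id")
    rs = RULESET.get(sid, {})
    return {
        "event": {"module": "Suricata", "dataset": "alert"},
        "source": {"ip": ev.get("src_ip"), "port": ev.get("src_port")},
        "destination": {"ip": ev.get("dest_ip"), "port": ev.get("dest_port")},
        "network": {"transport": (ev.get("proto") or "").lower() or None},
        "rule": {
            "gid": alert.get("gid"),
            "name": alert.get("signature"),
            "rule": rs.get("rule"),          # enriched from the lookup table
            "rev": alert.get("rev"),
            "severity": alert.get("severity"),
            "uuid": sid,                     # assumption: sid as the rule id
            "version": rs.get("version"),    # enriched from the lookup table
        },
    }


def missing_fields(doc):
    """List the expected alert fields that are absent or null in a document."""
    flat = flatten(doc)
    return [f for f in EXPECTED_FIELDS if flat.get(f) is None]


def matches_alert_query(doc):
    """Equivalent of event.module:"Suricata" event.dataset:"alert"."""
    flat = flatten(doc)
    return flat.get("event.module") == "Suricata" and flat.get("event.dataset") == "alert"


if __name__ == "__main__":
    for line in (SAMPLE_EVE, SAMPLE_ICMP):
        doc = to_ecs(line)
        print(matches_alert_query(doc), missing_fields(doc))
```

Running the block shows the TCP alert carrying every listed field and the ICMP alert lacking source.port and destination.port, which is the kind of gap to expect when a dashboard or hunt query filters on ports.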