DESCRIPTION
The objective is to add Suricata as a Source in PALANTIR. The proposed use cases for Suricata are:
Netflow labeling (Use case 1)
Description
The objective is to use the output produced by Suricata to label NetFlow v9 traffic, so that the labelled flows can be used to continuously train the threat classification algorithms.
Questions
Do we need to create a model for the chosen Suricata output format (probably EVE)?
How do we correlate the NetFlow records with the Suricata events? Are they received close together in time, and will the timestamps match?
Routing based on Suricata (Use case 2)
Description
The objective is to use a field present in the Suricata output to decide which component of the PALANTIR system each event is sent to, by writing it into the corresponding topic.
Questions
What field do we need to select for the routing?
Which specific Suricata messages go to which component?
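A sketch of both use cases, added here as an example and not code from PALANTIR or from Suricata: alerts from EVE JSON are joined to NetFlow v9 records on the 5-tuple (in either direction, since NetFlow records are unidirectional) within a clock-drift tolerance around the flow's active window (use case 1), and the EVE `event_type` field selects a topic (use case 2). The topic names, the collector's NetFlow field names and all sample data are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

PROTO_NUM = {"TCP": 6, "UDP": 17, "ICMP": 1}  # EVE names the protocol; NetFlow v9 carries the IANA number
# Topic names are assumptions for illustration, not PALANTIR's real topic names.
TOPIC_BY_EVENT_TYPE = {"alert": "palantir.suricata.alert", "flow": "palantir.suricata.flow"}

def parse_eve_ts(ts):
    """EVE timestamps look like 2021-03-10T12:00:01.123456+0000 and carry a UTC offset."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def route_topic(event):
    """Use case 2: choose the topic from event_type; unknown types go to a catch-all topic."""
    return TOPIC_BY_EVENT_TYPE.get(event.get("event_type"), "palantir.suricata.other")

def label_flows(flows, eve_lines, tolerance=timedelta(seconds=5)):
    """Use case 1: label each NetFlow record with the category of an EVE alert that shares
    its 5-tuple (in either direction) and falls inside the flow's active window."""
    alerts = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        key = (ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"], PROTO_NUM[ev["proto"]])
        alerts.append((key, parse_eve_ts(ev["timestamp"]), ev["alert"]))
    labelled = []
    for f in flows:
        fwd = (f["IPV4_SRC_ADDR"], f["L4_SRC_PORT"], f["IPV4_DST_ADDR"], f["L4_DST_PORT"], f["PROTOCOL"])
        rev = (fwd[2], fwd[3], fwd[0], fwd[1], fwd[4])  # NetFlow records are unidirectional
        label, sid = "benign", None
        for key, ts, alert in alerts:
            # sensor and exporter clocks may drift, so allow a tolerance around the flow window
            if key in (fwd, rev) and f["FIRST_SWITCHED"] - tolerance <= ts <= f["LAST_SWITCHED"] + tolerance:
                label, sid = alert["category"], alert["signature_id"]
                break
        labelled.append({**f, "label": label, "signature_id": sid})
    return labelled

# Constructed sample input (not real traffic): one EVE alert line and two NetFlow v9 records
# as a collector would decode them; the first flow is the alert's 5-tuple seen in reverse.
EVE_LINES = ['{"timestamp":"2021-03-10T12:00:03.500000+0000","event_type":"alert","src_ip":"10.0.0.5",'
             '"src_port":51234,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"signature_id":2100498,'
             '"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic"}}']
def at(sec): return datetime(2021, 3, 10, 12, 0, sec, tzinfo=timezone.utc)
FLOWS = [
    {"IPV4_SRC_ADDR": "192.0.2.10", "L4_SRC_PORT": 80, "IPV4_DST_ADDR": "10.0.0.5", "L4_DST_PORT": 51234,
     "PROTOCOL": 6, "FIRST_SWITCHED": at(1), "LAST_SWITCHED": at(8)},
    {"IPV4_SRC_ADDR": "10.0.0.7", "L4_SRC_PORT": 40000, "IPV4_DST_ADDR": "192.0.2.20", "L4_DST_PORT": 443,
     "PROTOCOL": 6, "FIRST_SWITCHED": at(0), "LAST_SWITCHED": at(10)},
]
```

Flows with no overlapping alert keep the label `benign`, which is the class the training set needs for the unlabelled majority; the tolerance should be tuned once the real NetFlow and Suricata timestamp offsets are measured.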
NOTES
Antonio Lopez Martinez has provided some examples of the Suricata output formats (Eve.json and fast.log):
Eve.json:
fast.log:
DOCUMENTATION