jasonish / evebox

Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search
https://evebox.org/
MIT License

Consider adding community flow ID so you can easily pivot to other tools. #235

Closed Obsecurus closed 1 year ago

Obsecurus commented 1 year ago

The Suricata community flow ID is a respected industry method for pivoting across tools. It would be really nice if evebox captured this in the ElasticSearch index and UI.

https://github.com/corelight/community-id-spec

https://suricata.readthedocs.io/en/suricata-4.1.2/output/eve/eve-json-output.html#community-flow-id
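As an added example (not part of the issue or of the evebox code base), the following Python reproduces the Community ID v1 derivation from the linked spec so an analyst can confirm that the `community_id` Suricata writes into an EVE record is the same value Zeek or other tools would compute for that flow before relying on it as a pivot key. The EVE lines are constructed here for illustration; only TCP, UDP and SCTP are handled, since ICMP needs the spec's type/code-to-port mapping.

```python
import base64
import hashlib
import ipaddress
import json
import struct

# IANA protocol numbers for the EVE "proto" strings handled here.
PROTO_NUMBERS = {"TCP": 6, "UDP": 17, "SCTP": 132}


def community_id_v1(src_ip, src_port, dst_ip, dst_port, proto, seed=0):
    """Community ID v1: '1:' + base64(sha1(seed || addrs || proto || 0 || ports)).

    The endpoint pair is ordered so that the lexicographically smaller
    (address, port) comes first, which makes both directions of a flow
    hash to the same value. The seed is a 16-bit big-endian integer (default 0).
    """
    saddr = ipaddress.ip_address(src_ip).packed
    daddr = ipaddress.ip_address(dst_ip).packed
    if (daddr, dst_port) < (saddr, src_port):
        saddr, daddr = daddr, saddr
        src_port, dst_port = dst_port, src_port
    data = struct.pack("!H", seed) + saddr + daddr
    data += struct.pack("!BBHH", proto, 0, src_port, dst_port)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def community_id_for_eve(event):
    """Derive the ID from the 5-tuple fields of a parsed EVE record."""
    return community_id_v1(event["src_ip"], event["src_port"],
                           event["dest_ip"], event["dest_port"],
                           PROTO_NUMBERS[event["proto"]])


def check_eve_line(line):
    """Return (computed_id, consistent) for one EVE JSON line.

    'consistent' is False only when the record carries a community_id that
    differs from the recomputed one (e.g. a different seed on the sensor).
    """
    event = json.loads(line)
    computed = community_id_for_eve(event)
    logged = event.get("community_id")
    return computed, logged is None or logged == computed


# Constructed EVE records: the same TCP flow seen from both directions.
SAMPLE_EVE_LINES = [
    '{"event_type":"flow","src_ip":"192.0.2.10","src_port":51234,'
    '"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP"}',
    '{"event_type":"alert","src_ip":"198.51.100.7","src_port":443,'
    '"dest_ip":"192.0.2.10","dest_port":51234,"proto":"TCP"}',
]
```

The community-id-spec repository linked above ships pcaps with expected IDs; running the same tuples through this function against those is the quickest way to confirm the sensor's seed and version match.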

jasonish commented 1 year ago

Do you have any more detail on how you would like to see community ID added? Simply, I could add it to the event view, below the existing "Flow ID", which makes sense.

It's still on the administrator of Suricata to enable it though.

jasonish commented 1 year ago

Added to view and handling pivot by community_id.