opensearch-project / security-analytics

Security Analytics enables users to detect security threats in their security event log data. It also allows them to modify and tailor the pre-packaged solution.
Apache License 2.0

[FEATURE] integration with suricata #13

Open sandervandegeijn opened 2 years ago

sandervandegeijn commented 2 years ago

Is your feature request related to a problem? Suricata is one of the largest open source IDS systems and is often used in combination with the ELK stack. It would be nice to be able to feed this data into opensearch and then analyse it with dashboards and / or intelligent detection rules to detect attacks and anomalies.

What solution would you like? Implement rules / anomaly detection based on the suricata data / alerts. Data is usually fed through logstash.

Example dashboards: https://github.com/StamusNetworks/KTS7

What alternatives have you considered? None - this is one of the most used solutions and we have been using it for years. Large companies and organisations are depending on Suricata.

Do you have any additional context? Add any other context or screenshots about the feature request here.

getsaurabh02 commented 2 years ago

Hi @ict-one-nl, thank you for sharing the idea.

Are we recommending here to feed the OpenSearch Security Analytics plugin with the new threat detection rules, which can be imported/sourced from Suricata via some integration points? In that case the threat detection (rule-matching) itself is performed on the OpenSearch platform and then analyzed. Or are we suggesting to feed the findings data from Suricata, once the rules have already been executed, and leverage the OpenSearch dashboard to provide deeper analysis on the findings?

sandervandegeijn commented 2 years ago

Usually both are fed into the cluster, but Suricata is doing its own detection as you correctly described. In terms of threat detection, both could be beneficial; the alerts could be useful in the SIEM threat analytics.

Suricata is quite intelligent in itself, but it's only basing its decisions on the network data. With the data that is present in the SIEM it could also correlate with other sources like IDP/EDR/etc. logs that are fed to the SIEM.

From an architectural standpoint, are you basing the threat detection logic around something like ECS to standardize the models in the SIEM and should the data from sources be mapped to such a schema before ingesting it?

veda-vyas commented 1 year ago

Good Day!

I was looking at feeding the findings (alerts) from Suricata into OpenSearch and leveraging Security Analytics to perform deeper analysis.

Because these alerts require correlation, working them at SIEM level using Detectors & Rules makes sense.

The challenge that I observed when using the Security Analytics plugin with these alerts is,

It would be of great help if there's any suggested way of integration.
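As an added example (not code from the OpenSearch project or from anyone in this thread), the two points raised above in Python: mapping Suricata's EVE JSON alert records onto ECS-style field names before ingestion, and then correlating those alerts with another SIEM source such as EDR telemetry. The EVE and ECS field names are the real ones; the log lines, signature ids and EDR events are constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed Suricata EVE JSON lines (real EVE field names, made-up values).
EVE_LINES = [
    '{"timestamp":"2024-03-01T10:00:05.000000+0000","event_type":"alert","src_ip":"203.0.113.7",'
    '"dest_ip":"10.0.0.12","proto":"TCP","alert":{"signature_id":9000001,'
    '"signature":"EXAMPLE Possible web shell response","severity":1}}',
    '{"timestamp":"2024-03-01T10:00:06.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.12","proto":"TCP"}',
    '{"timestamp":"2024-03-01T10:30:00.000000+0000","event_type":"alert","src_ip":"198.51.100.9",'
    '"dest_ip":"10.0.0.20","proto":"UDP","alert":{"signature_id":9000002,'
    '"signature":"EXAMPLE Inbound scan to database port","severity":2}}',
]

# Constructed EDR events, already normalised to ECS-style dotted fields.
EDR_EVENTS = [
    {"@timestamp": "2024-03-01T10:00:20+00:00", "host.ip": "10.0.0.12",
     "process.name": "bash", "process.parent.name": "nginx"},
    {"@timestamp": "2024-03-01T12:00:00+00:00", "host.ip": "10.0.0.20",
     "process.name": "mysqld", "process.parent.name": "systemd"},
]

def to_ecs(line):
    """Map one EVE record to ECS field names; non-alert event types yield None."""
    ev = json.loads(line)
    if ev.get("event_type") != "alert":
        return None
    return {
        "@timestamp": ev["timestamp"],
        "event.kind": "alert", "event.category": "intrusion_detection",
        "source.ip": ev["src_ip"], "destination.ip": ev["dest_ip"],
        "network.transport": ev["proto"].lower(),
        "rule.id": str(ev["alert"]["signature_id"]),
        "rule.name": ev["alert"]["signature"],
        "event.severity": ev["alert"]["severity"],
    }

def _ts(s):
    # EVE writes "+0000"; fromisoformat wants "+00:00".
    return datetime.fromisoformat(s.replace("+0000", "+00:00"))

def correlate(alerts, edr_events, window=timedelta(minutes=5)):
    """Pair each IDS alert with EDR activity on the targeted host within `window` after it."""
    hits = []
    for a in alerts:
        for e in edr_events:
            delta = _ts(e["@timestamp"]) - _ts(a["@timestamp"])
            if e["host.ip"] == a["destination.ip"] and timedelta(0) <= delta <= window:
                hits.append((a["rule.id"], e["process.name"]))
    return hits

ALERTS = [r for r in map(to_ecs, EVE_LINES) if r]
```

Only the first alert lines up with host activity inside the window, so `correlate(ALERTS, EDR_EVENTS)` returns a single pair; the flow record is dropped by `to_ecs` before it ever reaches the detector.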