rocknsm / rock-dashboards

Dashboards and loader for ROCK NSM dashboards
http://rocknsm.io
Apache License 2.0

Populate Elastic SIEM #56

Closed peasead closed 4 years ago

peasead commented 4 years ago

Added a Logstash Suricata alert configuration to populate the Elastic SIEM.

Updated the Suricata dashboards to work with the new Suricata Logstash configuration.

Tested with

[Main]
Product=RockNSM
Version=2.5.0-2004
BugURL=https://github.com/rocknsm/rock/issues/
IsFinal=True
UUID=201711080000.x86_64
Build=20200405-0803
[Compose]
Lorax=19.6.78-1


peasead commented 4 years ago

Process to test:

  1. Copy the logstash-601-filter-suricata-alert.conf file to /etc/logstash/conf.d/, restart Logstash
  2. Run the import-saved-objects.sh shell script in the ecs-configuration/Kibana directory on a sensor
  3. Refresh the ecs-* and ecs-Suricata-* indices
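The following script is an added example, not code from this PR or from the ROCK NSM project. It carries out step 1 of the test procedure (place the Suricata alert filter in conf.d and restart Logstash) with the pre-flight checks an operator wants before restarting a pipeline that other filters share: the file must contain only filter sections, the merged pipeline is syntax-checked before the service is bounced, and the service is verified to come back. Steps 2 and 3 are left to the PR's own import script and index refresh. Assumed, because the PR does not state it: Logstash installed from the RPM, with the binary under /usr/share/logstash, settings under /etc/logstash, and a systemd unit named logstash; the conf.d paths and file names used in the test are constructed.

```shell
#!/bin/sh
# Added example (not part of the rock-dashboards PR): deploy one Logstash filter
# file into conf.d with checks, then restart and verify the service.
# Assumptions (not stated in the PR): RPM layout for Logstash, systemd unit "logstash".
set -eu

LOGSTASH_BIN="${LOGSTASH_BIN:-/usr/share/logstash/bin/logstash}"
LOGSTASH_SETTINGS="${LOGSTASH_SETTINGS:-/etc/logstash}"
CONF_D="${CONF_D:-$LOGSTASH_SETTINGS/conf.d}"

# Logstash merges every *.conf in conf.d into ONE pipeline. A file meant to be a
# filter must not carry its own input{} or output{} block: a stray output{} here
# would ship every event in the pipeline a second time.
# Returns 0 when FILE declares filter{} sections and nothing else at top level.
check_filter_only() {
  file=$1
  if grep -Eq '^[[:space:]]*(input|output)[[:space:]]*\{' "$file"; then
    echo "refusing $file: it declares an input or output section" >&2
    return 1
  fi
  grep -Eq '^[[:space:]]*filter[[:space:]]*\{' "$file"
}

# Filter sections run in the lexical order of their files, which is what the
# 601 prefix in the PR's file name controls. Prints the filter-bearing files in
# DIR in that order so the operator can see where the new one lands.
filter_order() {
  dir=$1
  for f in "$dir"/*.conf; do
    [ -e "$f" ] || continue
    grep -Eq '^[[:space:]]*filter[[:space:]]*\{' "$f" && basename "$f"
  done | LC_ALL=C sort
}

# Syntax-check the whole merged pipeline (all of conf.d, not just the new file)
# before restarting: one broken file takes the entire pipeline down.
check_pipeline_syntax() {
  if [ ! -x "$LOGSTASH_BIN" ]; then
    echo "warning: $LOGSTASH_BIN not found, skipping syntax check" >&2
    return 0
  fi
  "$LOGSTASH_BIN" --path.settings "$LOGSTASH_SETTINGS" \
                  --path.config "$CONF_D" --config.test_and_exit
}

# Step 1 of the PR's procedure, with the checks above around it.
deploy_filter() {
  src=$1
  check_filter_only "$src"
  install -m 0644 "$src" "$CONF_D/$(basename "$src")"
  echo "filter files will run in this order:" >&2
  filter_order "$CONF_D" >&2
  check_pipeline_syntax
  systemctl restart logstash
  systemctl is-active --quiet logstash || {
    echo "logstash did not come back after restart" >&2
    return 1
  }
}

# Usage: deploy-filter.sh /path/to/logstash-601-filter-suricata-alert.conf
if [ $# -eq 1 ]; then
  deploy_filter "$1"
fi
```

The ordering listing is the part worth reading before the restart: because all files are concatenated, the numeric prefix is the only thing that decides whether this alert filter runs before or after the other Suricata filters already in conf.d.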