Closed ZoccoCss closed 2 months ago
Hey @ZoccoCss it sounds like you are looking to configure alerting for your suricata logs. I understand that you are ingesting suricata logs via the wazuh agent but have dedicated pipeline and index for your suricata events. Dedicating a separate pipeline and index for suricata logs is a great approach and is what I would have also recommended.
You are correct when configuring a Source Configuration of the Incident Management to select a `suricata-_0` index. CoPilot is then going to collect the Source automatically by reading the `syslog_type` field. This is further explained in our recent video at the 13:09 timestamp: https://youtu.be/3p6qiH9UF8U?si=fJ57kFRbGKFW7tDr&t=789.
Since you are ingesting suricata events via the wazuh agent, it is likely that the `syslog_type` field is set to `wazuh`. What you need to do is to change the `syslog_type` to `suricata`. This can most easily be done by adding the below pipeline rule to your Suricata pipeline:
```
rule "SYSLOG TYPE SURICATA"
when
  $message.rule_group1 == "suricata"
then
  set_field("syslog_type", "suricata");
end
```
Then Rotate active write index for your Suricata index, and select the new index name within CoPilot. Likely `suricata-_1`, which will then contain the `syslog_type` of `suricata`.
Hope that helps!
Thank you,
That solved the source issue. I also needed to change the alert_severity for the Alerts to work.
```
rule "SURICATA"
when
  $message.rule_group1 == "suricata"
then
  // adapt the fields
  set_field("syslog_type", "suricata");
  set_field("alert_severity", $message.data_alert_severity);
end
```
Now I'm facing the following two other issues.
1 - the alerts grouping seems to group alerts that are different. In the following screenshot you can see the two alerts grouped together.
2 - the alerts don't appear in the Incident Management Alerts. I believe it's because these alerts don't have an `agent_labels_customer` since OPNsense is FreeBSD and this OS doesn't have a Wazuh group created in the provisioning.
So, I'm left with one of three choices.
1 - Hardcode an `agent_labels_customer` code in the Suricata pipeline
2 - Use the Linux Wazuh group for the FreeBSD OPNsense agent
3 - Create a new Wazuh group for FreeBSD similar to the Linux group.
Please let me know which one is the most appropriate or if it's a different one.
Hey @ZoccoCss, I recommend hardcoding the `agent_labels_customer` code within the Suricata Pipeline... make sure that this customer code reflects the one that exists for that Customer within CoPilot.
Thank you.
Hardcoding agent_labels_customer did the trick since I only have one customer with the OPNsense router. If there were more I guess I would just need to make rules to separate them.
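For the multi-customer case mentioned above, here is an added example (not code from the thread or from the CoPilot project) of how the single hardcoded rule can be split into one pipeline rule per customer, keyed on the reporting agent. It assumes the Wazuh events carry an `agent_name` field; the agent names `opnsense-fw-a` / `opnsense-fw-b` and the customer codes `CUSTOMER_A` / `CUSTOMER_B` are placeholders to be replaced with the codes defined for those customers in CoPilot.

```text
// Added example, not from the thread. One rule per customer so that each
// OPNsense agent's Suricata events are tagged with the right customer code.
// Assumed field: agent_name (set by the Wazuh agent).
// Placeholders: opnsense-fw-a, opnsense-fw-b, CUSTOMER_A, CUSTOMER_B.

rule "SURICATA CUSTOMER A"
when
  $message.rule_group1 == "suricata" && $message.agent_name == "opnsense-fw-a"
then
  // make CoPilot read the event as a Suricata source
  set_field("syslog_type", "suricata");
  // expose the Suricata severity under the field CoPilot alerts on
  set_field("alert_severity", $message.data_alert_severity);
  // customer code must match the one configured in CoPilot for this customer
  set_field("agent_labels_customer", "CUSTOMER_A");
end

rule "SURICATA CUSTOMER B"
when
  $message.rule_group1 == "suricata" && $message.agent_name == "opnsense-fw-b"
then
  set_field("syslog_type", "suricata");
  set_field("alert_severity", $message.data_alert_severity);
  set_field("agent_labels_customer", "CUSTOMER_B");
end
```

Both rules can sit in the same stage of the Suricata pipeline, since their `when` conditions are mutually exclusive; an event from an agent that matches neither rule keeps its original fields, so a missing `agent_labels_customer` on new alerts is the signal that another customer's agent still needs its own rule. As in the earlier fix, rotate the active write index after adding the rules so that the new index contains only events with the corrected fields.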
**Describe the bug**
I'm trying to use Copilot to process the Suricata logs from an OPNsense firewall. The logs are being sent through the Wazuh agent and I use a stream and a Pipeline to separate the logs and be picked up by Copilot's SURICATA ALERT SEVERITY 1.
The alerts appear in the Alert section of Copilot, however, when I try to create a source for Incident Management for the Suricata index, I get a message that "A configuration for "wazuh" already exists. Please select a different Index name to proceed. ".
I've already created a source as described in your Case Management video and it uses the Wazuh as a source.
**To Reproduce**
**Expected behavior**
I expected the creation of a new source to process the cases generated from Suricata Alerts
**Screenshots**
**Side Question**
I noticed that when selecting the source in the Source Configuration of the Incident Management, you have to select a specific index and you're not given the option of using a wildcard.
Therefore, do we need to constantly update the sources as Wazuh creates new indices?