alert-data-fields.rst

File metadata and controls

37 lines (27 loc) · 1.22 KB

Alert Data Fields
=================

:ref:`elasticsearch` receives :ref:`nids` alerts from :ref:`suricata` via :ref:`elastic-agent` or :ref:`logstash` and parses them using::

    /opt/so/conf/elasticsearch/ingest/suricata.alert
    /opt/so/conf/elasticsearch/ingest/common.nids
    /opt/so/conf/elasticsearch/ingest/common

You can find these online at:

https://github.com/Security-Onion-Solutions/securityonion/blob/2.4/main/salt/elasticsearch/files/ingest/suricata.alert

https://github.com/Security-Onion-Solutions/securityonion/blob/2.4/main/salt/elasticsearch/files/ingest/common.nids

https://github.com/Security-Onion-Solutions/securityonion/blob/2.4/main/salt/elasticsearch/files/ingest-dynamic/common

You can find parsed :ref:`nids` alerts in :ref:`alerts`, :ref:`dashboards`, :ref:`hunt`, and :ref:`kibana` via their predefined queries and dashboards or by manually searching for::

    event.module:"suricata"
    event.dataset:"alert"

Those alerts should have the following fields::

    source.ip
    source.port
    destination.ip
    destination.port
    network.transport
    rule.gid
    rule.name
    rule.rule
    rule.rev
    rule.severity
    rule.uuid
    rule.version
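The following is an added example, not part of the Security Onion documentation or its ingest pipelines: it maps a constructed Suricata EVE alert record onto the field names listed above and reports which documented fields a parsed alert fails to populate, which is a quick way to check a sensor's output against this page. The EVE-to-field mapping in ``eve_to_ecs`` is an assumption that only approximates what the ``suricata.alert`` and ``common.nids`` pipelines do; the pipeline definitions linked above are authoritative.

```python
import json

# Field names this page says every parsed Suricata alert should carry.
DOCUMENTED_FIELDS = [
    "source.ip", "source.port", "destination.ip", "destination.port",
    "network.transport", "rule.gid", "rule.name", "rule.rule", "rule.rev",
    "rule.severity", "rule.uuid", "rule.version",
]

# Constructed EVE alert line for illustration; not a real capture.
SAMPLE_EVE_ALERT = json.dumps({
    "event_type": "alert",
    "src_ip": "10.0.0.5", "src_port": 51515,
    "dest_ip": "192.0.2.10", "dest_port": 80, "proto": "TCP",
    "alert": {"gid": 1, "signature_id": 2100498, "rev": 7, "severity": 2,
              "signature": "EXAMPLE constructed test signature"},
})


def eve_to_ecs(line: str) -> dict:
    """Map one EVE alert record onto the documented field names.

    Assumed mapping (approximates, does not reproduce, the ingest pipelines):
    src/dest -> source/destination, proto -> network.transport,
    alert.signature_id -> rule.uuid, alert.signature -> rule.name.
    """
    eve = json.loads(line)
    if eve.get("event_type") != "alert":
        raise ValueError("not an EVE alert record")
    a = eve["alert"]
    return {
        "event.module": "suricata", "event.dataset": "alert",
        "source.ip": eve["src_ip"], "source.port": eve["src_port"],
        "destination.ip": eve["dest_ip"], "destination.port": eve["dest_port"],
        "network.transport": eve["proto"].lower(),
        "rule.gid": a["gid"], "rule.name": a["signature"], "rule.rev": a["rev"],
        "rule.severity": a["severity"], "rule.uuid": a["signature_id"],
        # Not present in the constructed record; left None so the check reports them.
        "rule.rule": a.get("rule"), "rule.version": a.get("version"),
    }


def missing_fields(doc: dict) -> list:
    """Return the documented fields that are absent or None in a parsed alert."""
    return [f for f in DOCUMENTED_FIELDS if doc.get(f) is None]


def matches_alert_query(doc: dict) -> bool:
    """Same condition as the manual search event.module:"suricata" event.dataset:"alert"."""
    return doc.get("event.module") == "suricata" and doc.get("event.dataset") == "alert"
```

Running ``missing_fields(eve_to_ecs(line))`` over a sensor's EVE output lists which of the documented fields that sensor's records do not supply.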