Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
Bricata NDR logs | ✅ | ✅ | bricata_ndr_logs | NDJSON | S3 |
Overview
Bricata NDR, now OpenText NDR, is a Network Threat Detection and Response platform.
Bricata NDR's Network Detection and Response (NDR) product is a cybersecurity solution that combines machine learning, full-spectrum threat detection, and automated response capabilities to identify, analyze, and counter network-based threats in real time.
Supported data types
Bricata NDR logs
Table name: bricata_ndr_logs
The logs detail network traffic, alerts, and events. These logs help in identifying, investigating, and responding to potential security threats on the network, providing insights into malicious activities, policy violations, and other security-relevant events.
Send data to Hunters
Hunters supports the ingestion of these logs via an intermediary AWS S3 bucket.
To connect Bricata NDR logs:
Export your logs from Bricata NDR to an AWS S3 bucket.
Once the export is complete and the logs have landed in S3, follow the steps in this section.
Expected format
The logs are expected in NDJSON (newline-delimited JSON) format, one event per line, as exported by Bricata NDR.
Example of a log of an alert:
{"alert":{"action":"allowed","category":"Bricata defined","gid":1,"metadata":{"attack_target":["Client_Endpoint"],"confidence":["High"],"created_at":["2023_04_07"],"deployment":["Perimeter"],"former_category":["MALWARE"],"malware_family":["STRRAT"],"performance_impact":["Low"],"signature_severity":["Major"],"updated_at":["2023_04_07"]},"rev":1,"severity":3,"signature":"MALWARE Hash","signature_id":2044912},"app_proto":"tls","bricata":{"dest_location":{"country":"US","location":{"lat":37.750999,"lon":-97.822000}},"event_format":"eve","event_source":"suricata","event_uuid":"fffffffffff-xxxxxx","flow_uuid":"ffffffff-xxxx","sensor_fqdn":"GGGGGGG","sensor_hostname":"GGGGGG","sensor_ipv4":"10.11.22.33","sensor_uuid":"fffff-xxxx","src_location":{"city_name":"AWS NALA - Ashburn CNF","country":"US","location":{"lat":39.014912,"lon":-77.458461},"state":"PG Cloud Internal AWS"}},"clisrv_id":"1:SSSSSSS","community_id":"1:YHHHHHHH","dest_ip":"2.1.3.4","dest_port":443,"event_type":"alert","flow":{"bytes_toclient":0,"bytes_toserver":43788,"last":"2023-06-05T10:25:09.304845+0000","pkts_toclient":0,"pkts_toserver":574,"start":"2023-06-05T10:24:25.659976+0000"},"flow_id":361549136466440,"in_iface":"eth2","in_ring":"suri44444","packet":"6GVJABAFIXXXXXXXX","packet_info":{"linktype":1},"payload":"Fgxxxxxx","proto":"TCP","src_ip":"137.182.3.165","src_port":60334,"stream":1,"timestamp":"2023-06-05T10:25:09.304845+0000","tls":{"ja3":{"hash":"d2935c58fe676744fecc8614ee5356c7","string":"771,49188-49192,0"},"ja3s":{},"sni":"wd5-impl-services","version":"UNDETERMINED"},"tx_id":0}
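As an added sanity check, not code from Hunters or Bricata, the Python below parses an NDJSON export in this format before it is uploaded to S3: it flags lines that are not valid JSON objects or that lack the event_type and timestamp keys, counts events by type, and flattens the alert fields an analyst triages first (signature, JA3 hash, malware family). The three sample lines are constructed, trimmed from the alert event above, and the required-key list is an assumption.

```python
import json
# Constructed sample (not from the page): a trimmed copy of the alert event shown above, a non-alert "flow" event, and a truncated line such as an interrupted export might leave.
SAMPLE_NDJSON = (
    '{"alert":{"action":"allowed","metadata":{"malware_family":["STRRAT"]},"severity":3,'
    '"signature":"MALWARE Hash","signature_id":2044912},"bricata":{"sensor_hostname":"GGGGGG"},'
    '"dest_ip":"2.1.3.4","dest_port":443,"event_type":"alert","proto":"TCP","src_ip":"137.182.3.165",'
    '"src_port":60334,"timestamp":"2023-06-05T10:25:09.304845+0000",'
    '"tls":{"ja3":{"hash":"d2935c58fe676744fecc8614ee5356c7"}}}\n'
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"UDP",'
    '"timestamp":"2023-06-05T10:26:00.000000+0000","flow":{"bytes_toserver":120,"bytes_toclient":0}}\n'
    '{"event_type":"alert","src_ip":"10.0.0.5","timestamp":"2023-06-05T10:27\n'
)
REQUIRED = ("event_type", "timestamp")  # assumed minimum every EVE-style record must carry

def parse_ndjson(text):
    """Yield (line_no, record); record is None when the line is not a JSON object."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines are harmless in NDJSON, skip them
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            record = None
        yield line_no, (record if isinstance(record, dict) else None)

def summarize_alert(record):
    """Flatten the fields an analyst triages first; returns None for non-alert events."""
    if record.get("event_type") != "alert":
        return None
    alert = record.get("alert") or {}
    meta = alert.get("metadata") or {}
    return {
        "timestamp": record.get("timestamp"),
        "signature": alert.get("signature"),
        "signature_id": alert.get("signature_id"),
        "malware_family": (meta.get("malware_family") or [None])[0],
        "src": f"{record.get('src_ip')}:{record.get('src_port')}",
        "dest": f"{record.get('dest_ip')}:{record.get('dest_port')}",
        "ja3": ((record.get("tls") or {}).get("ja3") or {}).get("hash"),
    }

def validate_export(text):
    """Pre-ingestion check of one export file: (alert summaries, per-type counts, bad line numbers)."""
    alerts, counts, bad = [], {}, []
    for line_no, record in parse_ndjson(text):
        if record is None or any(key not in record for key in REQUIRED):
            bad.append(line_no)  # would be rejected or mis-parsed downstream; fix before upload
            continue
        counts[record["event_type"]] = counts.get(record["event_type"], 0) + 1
        if summary := summarize_alert(record):
            alerts.append(summary)
    return alerts, counts, bad
```

Run validate_export over each file of the export; a non-empty bad-line list means the file should be regenerated rather than uploaded.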