Bricata NDR

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types

3rd party detection

Hunters detection

IOC search

Search

Table name

Log format

Collection method

Bricata NDR logs

✅

✅

bricata_ndr_logs

NDJSON

S3


Overview

Bricata NDR, now OpenText NDR, is a Network Threat Detection and Response platform.

Bricata NDR's Network Detection and Response (NDR) product is a cybersecurity solution that combines machine learning, full-spectrum threat detection, and automated response capabilities to identify, analyze, and counter network-based threats in real time.

Supported data types

Bricata NDR logs

Table name: bricata_ndr_logs

The logs detail network traffic, alerts, and events. These logs help in identifying, investigating, and responding to potential security threats on the network, providing insights into malicious activities, policy violations, and other security-relevant events.

Send data to Hunters

Hunters supports the ingestion of these logs via an intermediary AWS S3 bucket.

To connect Bricata NDR logs:

  1. Export your logs from Bricata NDR to an AWS S3 bucket.

  2. Once the export is completed and the logs are collected in S3, follow the steps in this section.

Expected format

The expected log format is NDJSON (newline-delimited JSON, one record per line), as exported by Bricata NDR.

Example of an alert log record (shown pretty-printed here for readability; in the export each record occupies a single line):

{
  "alert": {
    "action": "allowed",
    "category": "Bricata defined",
    "gid": 1,
    "metadata": {
      "attack_target": ["Client_Endpoint"],
      "confidence": ["High"],
      "created_at": ["2023_04_07"],
      "deployment": ["Perimeter"],
      "former_category": ["MALWARE"],
      "malware_family": ["STRRAT"],
      "performance_impact": ["Low"],
      "signature_severity": ["Major"],
      "updated_at": ["2023_04_07"]
    },
    "rev": 1,
    "severity": 3,
    "signature": "MALWARE Hash",
    "signature_id": 2044912
  },
  "app_proto": "tls",
  "bricata": {
    "dest_location": {"country": "US", "location": {"lat": 37.750999, "lon": -97.822000}},
    "event_format": "eve",
    "event_source": "suricata",
    "event_uuid": "fffffffffff-xxxxxx",
    "flow_uuid": "ffffffff-xxxx",
    "sensor_fqdn": "GGGGGGG",
    "sensor_hostname": "GGGGGG",
    "sensor_ipv4": "10.11.22.33",
    "sensor_uuid": "fffff-xxxx",
    "src_location": {
      "city_name": "AWS NALA - Ashburn CNF",
      "country": "US",
      "location": {"lat": 39.014912, "lon": -77.458461},
      "state": "PG Cloud Internal AWS"
    }
  },
  "clisrv_id": "1:SSSSSSS",
  "community_id": "1:YHHHHHHH",
  "dest_ip": "2.1.3.4",
  "dest_port": 443,
  "event_type": "alert",
  "flow": {
    "bytes_toclient": 0,
    "bytes_toserver": 43788,
    "last": "2023-06-05T10:25:09.304845+0000",
    "pkts_toclient": 0,
    "pkts_toserver": 574,
    "start": "2023-06-05T10:24:25.659976+0000"
  },
  "flow_id": 361549136466440,
  "in_iface": "eth2",
  "in_ring": "suri44444",
  "packet": "6GVJABAFIXXXXXXXX",
  "packet_info": {"linktype": 1},
  "payload": "Fgxxxxxx",
  "proto": "TCP",
  "src_ip": "137.182.3.165",
  "src_port": 60334,
  "stream": 1,
  "timestamp": "2023-06-05T10:25:09.304845+0000",
  "tls": {
    "ja3": {"hash": "d2935c58fe676744fecc8614ee5356c7", "string": "771,49188-49192,0"},
    "ja3s": {},
    "sni": "wd5-impl-services",
    "version": "UNDETERMINED"
  },
  "tx_id": 0
}
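The following is an added example, not code from Hunters or Bricata, showing a pre-ingestion sanity check on an NDJSON export of the layout described above: each line is parsed as one JSON object, records missing the fields that the alert example shows (timestamp, event_type, and for alerts the alert object with signature, signature_id and severity) are rejected with a line number, and the valid alerts are flattened into the fields an analyst pivots on (sensor, signature, source and destination, JA3 hash, SNI, malware family). The required-field list and the sample export are assumptions constructed for the example; the first sample line is a trimmed copy of the alert record on this page.

```python
"""Validate a Bricata NDR NDJSON export and summarize its alert records.

Added example (not Hunters' or Bricata's code). Assumes the Suricata
EVE-style layout shown on this page: one JSON object per line with an
"event_type" field; alert records carry an "alert" object and a "bricata"
enrichment object. Field requirements below are an assumption.
"""
import json
from collections import Counter

# Constructed sample export (NDJSON: one object per line). Line 1 is a trimmed
# copy of the alert shown on this page; lines 2-5 are made up to exercise the checks
# (a second alert, a non-alert flow record, an alert missing its alert object,
# and a line that is not JSON at all).
SAMPLE_NDJSON = "\n".join([
    '{"timestamp":"2023-06-05T10:25:09.304845+0000","event_type":"alert",'
    '"alert":{"action":"allowed","category":"Bricata defined","severity":3,'
    '"signature":"MALWARE Hash","signature_id":2044912,'
    '"metadata":{"malware_family":["STRRAT"]}},'
    '"bricata":{"sensor_hostname":"GGGGGG","event_source":"suricata"},'
    '"src_ip":"137.182.3.165","src_port":60334,"dest_ip":"2.1.3.4","dest_port":443,'
    '"proto":"TCP","app_proto":"tls",'
    '"tls":{"ja3":{"hash":"d2935c58fe676744fecc8614ee5356c7"},"sni":"wd5-impl-services"}}',
    '{"timestamp":"2023-06-05T10:26:00.000000+0000","event_type":"alert",'
    '"alert":{"action":"allowed","category":"Bricata defined","severity":1,'
    '"signature":"CONSTRUCTED TEST signature","signature_id":9000001,"metadata":{}},'
    '"bricata":{"sensor_hostname":"sensor-b"},'
    '"src_ip":"137.182.3.165","src_port":60400,"dest_ip":"10.0.0.5","dest_port":80,'
    '"proto":"TCP","app_proto":"http"}',
    '{"timestamp":"2023-06-05T10:26:05.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.7","dest_ip":"10.0.0.5","dest_port":80,"proto":"TCP"}',
    '{"timestamp":"2023-06-05T10:26:06.000000+0000","event_type":"alert","src_ip":"10.0.0.8"}',
    'this line is not JSON',
])

# Assumed minimum field set; extend to whatever your detections depend on.
REQUIRED_TOP_LEVEL = ("timestamp", "event_type")
REQUIRED_ALERT = ("signature", "signature_id", "severity")


def validate_record(rec):
    """Return None if the record matches the expected layout, else a reason string."""
    if not isinstance(rec, dict):
        return "record is not a JSON object"
    for key in REQUIRED_TOP_LEVEL:
        if not isinstance(rec.get(key), str):
            return f"missing or non-string field: {key}"
    if rec["event_type"] == "alert":
        alert = rec.get("alert")
        if not isinstance(alert, dict):
            return "alert event without alert object"
        for key in REQUIRED_ALERT:
            if key not in alert:
                return f"alert object missing field: {key}"
    return None


def parse_ndjson(text):
    """Parse NDJSON text into (valid_records, errors).

    errors is a list of (1-based line number, reason); blank lines are skipped.
    """
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append((lineno, f"invalid JSON: {exc.msg}"))
            continue
        reason = validate_record(rec)
        if reason:
            errors.append((lineno, reason))
        else:
            records.append(rec)
    return records, errors


def alert_to_row(rec):
    """Flatten one alert record into the fields an analyst triages on."""
    alert = rec["alert"]
    tls = rec.get("tls") or {}
    return {
        "timestamp": rec["timestamp"],
        "sensor": (rec.get("bricata") or {}).get("sensor_hostname"),
        "signature": alert["signature"],
        "signature_id": alert["signature_id"],
        "severity": alert["severity"],  # Suricata convention: 1 is the highest priority
        "category": alert.get("category"),
        "action": alert.get("action"),
        "malware_family": (alert.get("metadata") or {}).get("malware_family", []),
        "src": f'{rec.get("src_ip")}:{rec.get("src_port")}',
        "dest": f'{rec.get("dest_ip")}:{rec.get("dest_port")}',
        "app_proto": rec.get("app_proto"),
        "ja3": (tls.get("ja3") or {}).get("hash"),
        "sni": tls.get("sni"),
    }


def summarize_alerts(records):
    """Aggregate alert records by severity, signature and source IP, and collect
    the distinct JA3 hashes seen (a natural pivot for IOC search)."""
    rows = [alert_to_row(r) for r in records if r.get("event_type") == "alert"]
    return {
        "alerts": len(rows),
        "by_severity": dict(Counter(r["severity"] for r in rows)),
        "by_signature": dict(Counter(r["signature"] for r in rows)),
        "by_src_ip": dict(Counter(r["src"].split(":")[0] for r in rows)),
        "ja3_hashes": sorted({r["ja3"] for r in rows if r["ja3"]}),
    }


if __name__ == "__main__":
    recs, errs = parse_ndjson(SAMPLE_NDJSON)
    for lineno, reason in errs:
        print(f"line {lineno}: rejected ({reason})")
    print(json.dumps(summarize_alerts(recs), indent=2))
```

Run it against an exported file by replacing SAMPLE_NDJSON with the file contents; rejected line numbers point straight at the records that would fail to map into the bricata_ndr_logs table, and the summary gives a quick view of which sensors and signatures dominate the export before it is collected from S3.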