Corelight Suricata Alerts

Overview

This article explains how to ingest your Corelight Suricata alerts into Hunters. Corelight Suricata alerts are a different data type from regular open-source Suricata alerts (described here): they pass through the Zeek processing engine and are output in Zeek format, as explained here.


Hunters' Ingestion

For Hunters to integrate with your Corelight Suricata logs, the logs should be collected into a Storage Service (e.g. an S3 bucket or Azure Blob Storage) that is shared with Hunters.

Expected Logs Format

The expected log format is JSON, which is configurable as part of the Corelight Suricata solution.

Here is an example of a currently supported log line:

{"_path":"suricata_corelight","_system_name":"sys-01","_write_ts":"2021-10-01T00:00:00.853803Z","ts":"2021-10-01T00:00:00.851519Z","uid":"C1XbRDwee226Prvv3","id.orig_h":"192.168.1.1","id.orig_p":50001,"id.resp_h":"192.168.1.2","id.resp_p":443,"suri_id":"Sffb3g9Js33","flow_id":123425,"tx_id":0,"pcap_cnt":0,"alert.action":"allowed","alert.gid":1,"alert.signature_id":2003068,"alert.rev":7,"alert.signature":"ET SCAN Potential SSH Scan OUTBOUND","alert.category":"Attempted Information Leak","alert.severity":2,"alert.metadata":["updated_at:2010_07_30","created_at:2010_07_30"],"community_id":"1:15125"}
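As an added example (not code from Hunters or Corelight), the following Python parser reads a line in this format, expands the Zeek-style dotted keys (`id.orig_h`, `alert.signature_id`) into nested fields, turns `alert.metadata` into a dictionary, and produces a normalised record that ingestion or detection logic can consume; it rejects lines whose `_path` is not `suricata_corelight`. The sample line is the one shown above, embedded as constructed input.

```python
import json
from datetime import datetime

# Constructed sample input: the log line shown above, embedded so the example runs offline.
SAMPLE_LINE = ('{"_path":"suricata_corelight","_system_name":"sys-01","_write_ts":"2021-10-01T00:00:00.853803Z",'
               '"ts":"2021-10-01T00:00:00.851519Z","uid":"C1XbRDwee226Prvv3","id.orig_h":"192.168.1.1",'
               '"id.orig_p":50001,"id.resp_h":"192.168.1.2","id.resp_p":443,"suri_id":"Sffb3g9Js33",'
               '"flow_id":123425,"tx_id":0,"pcap_cnt":0,"alert.action":"allowed","alert.gid":1,'
               '"alert.signature_id":2003068,"alert.rev":7,"alert.signature":"ET SCAN Potential SSH Scan OUTBOUND",'
               '"alert.category":"Attempted Information Leak","alert.severity":2,'
               '"alert.metadata":["updated_at:2010_07_30","created_at:2010_07_30"],"community_id":"1:15125"}')


def unflatten(record: dict) -> dict:
    """Expand Zeek-style dotted keys ("alert.severity") into nested dicts."""
    nested: dict = {}
    for key, value in record.items():
        parts = key.split(".")
        node = nested
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return nested


def parse_metadata(items: list) -> dict:
    """Turn ["updated_at:2010_07_30", ...] into a dict; entries without ':' map to None."""
    return {k: (v if sep else None) for k, sep, v in (item.partition(":") for item in items)}


def parse_alert(line: str) -> dict:
    """Parse one Corelight Suricata line into a normalised alert record."""
    raw = json.loads(line)
    if raw.get("_path") != "suricata_corelight":      # other Zeek streams share the same shape
        raise ValueError(f"not a Corelight Suricata alert: _path={raw.get('_path')!r}")
    rec = unflatten(raw)
    alert = rec["alert"]
    return {
        # Zeek timestamps end in "Z"; normalise so fromisoformat yields an aware datetime on Python < 3.11.
        "ts": datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
        "sensor": rec["_system_name"],
        "conn_uid": rec["uid"],                        # joins to the Zeek conn.log for this flow
        "src": (rec["id"]["orig_h"], rec["id"]["orig_p"]),
        "dst": (rec["id"]["resp_h"], rec["id"]["resp_p"]),
        "sid": f"{alert['gid']}:{alert['signature_id']}:{alert['rev']}",  # Suricata gid:sid:rev triple
        "signature": alert["signature"],
        "category": alert["category"],
        "severity": alert["severity"],
        "action": alert["action"],
        "metadata": parse_metadata(alert.get("metadata", [])),
        "community_id": rec.get("community_id"),
    }
```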