Overview

This article explains how to ingest Corelight Suricata alerts into Hunters. Corelight Suricata alerts are a different data type from regular open-source Suricata alerts (described here): they pass through the Zeek processing engine and are written out in Zeek format, as explained here.

For Hunters to integrate with your Corelight Suricata logs, the logs must be collected into a Storage Service (e.g. an S3 bucket or Azure Blob Storage) that is shared with Hunters.

Expected Log Format

The expected log format is JSON; the output format is configurable as part of the Corelight Suricata solution.

Below is an example of a currently supported log line:

{"_path":"suricata_corelight","_system_name":"sys-01","_write_ts":"2021-10-01T00:00:00.853803Z","ts":"2021-10-01T00:00:00.
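The sample above shows the distinguishing mark of a Corelight Suricata line: it is Zeek-format JSON carrying `_path`, `_system_name`, `_write_ts` and `ts`, rather than the `event_type`/`timestamp` layout of open-source Suricata EVE JSON. The following is an added example (not code from the Hunters article or from Corelight) of a small reader that tells the two apart before ingestion, skips other Zeek logs that may share the same bucket, and normalises both alert shapes into one record. Only `_path`, `_system_name`, `_write_ts` and `ts` are taken from the sample; the remaining Corelight field names (`uid`, `id.orig_h`, `alert.signature`, and so on) are assumptions about the `suricata_corelight` schema, and all log lines are constructed.

```python
"""Added example: classify and normalise Corelight Suricata vs. open-source Suricata EVE alerts."""
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (not from the article). Field names other than
# _path/_system_name/_write_ts/ts are assumptions about the Corelight schema.
CORELIGHT_LINE = (
    '{"_path":"suricata_corelight","_system_name":"sys-01",'
    '"_write_ts":"2021-10-01T00:00:00.853803Z","ts":"2021-10-01T00:00:00.712001Z",'
    '"uid":"CAbc123","id.orig_h":"10.0.0.5","id.orig_p":51234,'
    '"id.resp_h":"203.0.113.7","id.resp_p":80,'
    '"alert.signature":"ET POLICY curl User-Agent Outbound","alert.signature_id":2013028,'
    '"alert.category":"Attempted Information Leak","alert.severity":2}'
)
EVE_LINE = (
    '{"timestamp":"2021-10-01T00:00:00.712001+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.7","dest_port":80,'
    '"alert":{"signature":"ET POLICY curl User-Agent Outbound","signature_id":2013028,'
    '"category":"Attempted Information Leak","severity":2}}'
)
# A Zeek conn log line: same bucket, same sensor, but not an alert.
NOISE_LINE = '{"_path":"conn","_system_name":"sys-01","ts":"2021-10-01T00:00:01Z","uid":"CAbc124"}'


def _parse_ts(value: str) -> str:
    """Normalise a Zeek-style ('...Z') or EVE-style ('...+0000') timestamp to ISO 8601 UTC."""
    s = value.strip()
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    s = re.sub(r"([+-]\d{2})(\d{2})$", r"\1:\2", s)  # "+0000" -> "+00:00"
    dt = datetime.fromisoformat(s)
    if dt.tzinfo is None:  # treat naive timestamps as UTC rather than local time
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).isoformat()


def classify(line: str) -> str:
    """Return 'corelight_suricata', 'suricata_eve', 'other' or 'malformed' for one raw line."""
    try:
        obj = json.loads(line)
    except ValueError:
        return "malformed"
    if not isinstance(obj, dict):
        return "malformed"
    if obj.get("_path") == "suricata_corelight":  # Zeek-format Corelight alert
        return "corelight_suricata"
    if obj.get("event_type") == "alert":  # open-source Suricata EVE alert
        return "suricata_eve"
    return "other"


def normalize(line: str) -> Optional[Dict[str, object]]:
    """Map either alert layout onto one flat record; None for anything that is not an alert."""
    kind = classify(line)
    if kind not in ("corelight_suricata", "suricata_eve"):
        return None
    obj = json.loads(line)
    if kind == "corelight_suricata":
        ts = obj.get("ts")  # event time; _write_ts is when the sensor wrote the line
        if not ts:
            return None
        # Corelight keys are flat and dotted ("id.orig_h", "alert.signature").
        return {
            "source": kind, "ts": _parse_ts(ts), "sensor": obj.get("_system_name"),
            "uid": obj.get("uid"),
            "src_ip": obj.get("id.orig_h"), "src_port": obj.get("id.orig_p"),
            "dest_ip": obj.get("id.resp_h"), "dest_port": obj.get("id.resp_p"),
            "signature": obj.get("alert.signature"), "signature_id": obj.get("alert.signature_id"),
            "category": obj.get("alert.category"), "severity": obj.get("alert.severity"),
        }
    ts = obj.get("timestamp")
    if not ts:
        return None
    alert = obj.get("alert") or {}  # EVE nests the alert fields under "alert"
    return {
        "source": kind, "ts": _parse_ts(ts), "sensor": obj.get("host"),
        "uid": None,
        "src_ip": obj.get("src_ip"), "src_port": obj.get("src_port"),
        "dest_ip": obj.get("dest_ip"), "dest_port": obj.get("dest_port"),
        "signature": alert.get("signature"), "signature_id": alert.get("signature_id"),
        "category": alert.get("category"), "severity": alert.get("severity"),
    }


def ingest_batch(lines: List[str]) -> Tuple[List[Dict[str, object]], Dict[str, int]]:
    """Process one file's worth of lines; blank lines are skipped, bad ones counted, not raised."""
    counts = {"corelight_suricata": 0, "suricata_eve": 0, "other": 0, "malformed": 0}
    records: List[Dict[str, object]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        counts[classify(line)] += 1
        rec = normalize(line)
        if rec is not None:
            records.append(rec)
    return records, counts


if __name__ == "__main__":
    recs, stats = ingest_batch([CORELIGHT_LINE, EVE_LINE, NOISE_LINE, "", "{broken"])
    print(stats)
    for r in recs:
        print(r["source"], r["ts"], r["src_ip"], "->", r["dest_ip"], r["signature_id"])
```

The two alert lines describe the same event and normalise to the same timestamp and tuple, which is the check to run when validating a new sensor's output: the `ts` field, not `_write_ts`, is the event time, and a `_path` other than `suricata_corelight` (such as `conn`) must be left for its own ingestion path.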