Monday, March 7, 2016

Splunk - SIEM - CIM (Common Information Model) Mapping

The Splunk Enterprise Security app ships with a set of data models, tags and field names that the log sources must be mapped to before Enterprise Security can do its job: alerting, correlation, dashboards and so on.
I am currently working on a large engagement where I had to use these CIM fields for normalisation and mapping. Although the "Overview of the Splunk Common Information Model" documentation on the Splunk web site is a very good source, I could not find a single page to use as a reference, so I made one for myself; it may assist other SIEM designers and engineers as well.



CIM - Data Model - Tags (Quick Reference)

Each entry lists the data model, its data model objects (dm_object), the tags that route events into those objects, and the CIM field names the model expects.

Alerts
  Objects: Alerts
  Tags: alert
  CIM fields: app, body, dest, dest_bunit, dest_category, dest_priority, id, severity, severity_id, src, src_bunit, src_category, src_priority, subject, type

Application State
  Objects: All_Application_State, ports, process, services
  Tags: (listening, port) OR (process, report) OR (service, report)
  CIM fields: dest, dest_bunit, dest_category, dest_priority, dest_requires_av, dest_should_timesync, dest_should_update, process, process_id, tag, user, user_bunit, user_category, user_priority, dest_port, transport, transport_dest_port, cpu_load_mhz, cpu_load_percent, cpu_time, mem_used, service, service_id, start_mode, status

Authentication
  Objects: Authentication, Default_Authentication, Insecure_Authentication, Privileged_Authentication
  Tags: authentication (root object); default, insecure (or cleartext), privileged for the three sub-objects
  CIM fields: action, app, dest, dest_bunit, dest_category, dest_nt_domain, dest_priority, duration, response_time, src, src_bunit, src_category, src_nt_domain, src_priority, src_user, src_user_bunit, src_user_category, src_user_priority, tag, user, user_bunit, user_category, user_priority

Certificates
  Objects: All_Certificates, SSL
  Tags: certificate; ssl, tls
  CIM fields: dest, dest_bunit, dest_category, dest_port, dest_priority, duration, response_time, src, src_bunit, src_category, src_priority, tag, transport, ssl_end_time, ssl_engine, ssl_hash, ssl_is_valid, ssl_issuer, ssl_issuer_common_name, ssl_issuer_email, ssl_issuer_locality, ssl_issuer_organization, ssl_issuer_state, ssl_issuer_street, ssl_issuer_unit, ssl_name, ssl_policies, ssl_publickey, ssl_publickey_algorithm, ssl_serial, ssl_session_id, ssl_signature_algorithm, ssl_start_time, ssl_subject, ssl_subject_common_name, ssl_subject_email, ssl_subject_locality, ssl_subject_state, ssl_subject_street, ssl_subject_unit, ssl_validity_window, ssl_version

Change Analysis
  Objects: All_Changes, Auditing_Changes, Endpoint_Changes, Network_Changes, Account_Management
  Tags: change; audit; endpoint; network; account
  CIM fields: action, change_type, command, dest, dest_bunit, dest_category, dest_priority, dvc, object, object_attrs, object_category, object_id, object_path, result, result_id, src, src_bunit, src_category, src_priority, status, tag, user, vendor_product, dest_nt_domain, src_nt_domain, src_user, src_user_bunit, src_user_category, src_user_priority, file_access_time, file_acl, file_create_time, file_hash, file_modify_time, file_name, file_path, file_size

Databases
  Objects: All_Databases, Database_Instance, Instance_Stats, Session_Info, Lock_Info, Database_Query, Tablespace, Query_Stats
  Tags: database; instance; stats; session; lock; query; tablespace; query, stats
  CIM fields: dest, dest_bunit, dest_category, dest_priority, duration, object, response_time, src, src_bunit, src_category, src_priority, tag, user, user_bunit, user_category, user_priority, vendor_product, instance_name, instance_version, process_limit, session_limit, availability, avg_executions, dump_area_used, instance_reads, instance_writes, number_of_users, processes, sessions, sga_buffer_cache_size, sga_buffer_hit_limit, sga_data_dict_hit_ratio, sga_fixed_area_size, sga_free_memory, sga_library_cache_size, sga_redo_log_buffer, sga_shared_pool, sga_sql_area_size, start_time, tablespace_used, buffer_cache_hit_ratio, commits, cpu_used, cursor, elapsed_time, logical_reads, machine, memory_sorts, physical_reads, seconds_in_wait, session_id, session_status, table_scans, wait_state, wait_time, last_call_minute, lock_mode, lock_session_id, logon_time, obj_name, os_pid, serial_num, query, query_id, query_time, records_affected, free_bytes, tablespace_name, tablespace_reads, tablespace_status, tablespace_writes, indexes_hit, query_plan_hit, stored_procedures_called, tables_hit

Email
  Objects: All_Email, Delivery, Content, Filtering
  Tags: email; delivery; content; filter
  CIM fields: action, delay, dest, dest_bunit, dest_category, dest_priority, duration, file_hash, file_name, file_size, internal_message_id, message_id, message_info, orig_dest, orig_recipient, orig_src, process, process_id, protocol, recipient, recipient_count, recipient_status, response_time, retries, return_addr, size, src, src_bunit, src_category, src_priority, src_user, src_user_bunit, src_user_category, src_user_priority, status_code, subject, tag, url, user, user_bunit, user_category, user_priority, vendor_product, xdelay, xref, filter_action, filter_score, signature, signature_extra, signature_id

Interprocess Messaging
  Objects: All_Interprocess_Messaging
  Tags: messaging
  CIM fields: dest, dest_bunit, dest_category, dest_priority, duration, endpoint, endpoint_version, message, message_consumed_time, message_correlation_id, message_delivered_time, message_delivery_mode, message_expiration_time, message_id, message_priority, message_properties, message_received_time, message_redelivered, message_reply_dest, message_type, parameters, payload, payload_type, request_payload, request_payload_type, request_sent_time, response_code, response_payload_type, response_received_time, response_time, return_message, rpc_protocol, status, tag

Intrusion Detection
  Objects: IDS_Attacks
  Tags: ids, attack
  CIM fields: action, category, dest, dest_bunit, dest_category, dest_priority, dvc, dvc_bunit, dvc_category, dvc_priority, ids_type, severity, signature, src, src_bunit, src_category, src_priority, tag, user, user_bunit, user_category, user_priority, vendor_product

Inventory
  Objects: All_Inventory, CPU, Memory, Network, Storage, OS, User, Default_Accounts, Virtual_OS, Snapshot, Tools
  Tags: Inventory, CPU, Memory, Network, Storage, OS, User, Default_Accounts, Virtual_OS, Snapshot, Tools
  CIM fields: description, dest, dest_bunit, dest_category, dest_priority, enabled, family, hypervisor_id, serial, status, tag, vendor_product, version, cpu_cores, cpu_count, cpu_mhz, mem, dest_ip, dns, inline_nat, interface, ip, lb_method, mac, name, node, node_port, src_ip, vip_port, os, array, blocksize, cluster, fd_max, latency, mount, parent, read_blocks, read_latency, read_ops, storage, write_blocks, write_latency, write_ops, interactive, password, shell, user, user_bunit, user_category, user_id, user_priority, hypervisor, size, snapshot, time

Java Virtual Machine
  Objects: JVM, Threading, Runtime, OS, Compilation, Classloading, Memory
  Tags: JVM, Threading, Runtime, OS, Compilation, Classloading, Memory
  CIM fields: jvm_description, tag, cm_enabled, cm_supported, cpu_time_enabled, cpu_time_supported, current_cpu_time, current_user_time, daemon_thread_count, omu_supported, peak_thread_count, synch_supported, thread_count, threads_started, process_name, start_time, uptime, vendor_product, version, committed_memory, cpu_time, free_physical_memory, free_swap, max_file_descriptors, open_file_descriptors, os, os_architecture, os_version, physical_memory, swap_space, system_load, total_processors, compilation_time, current_loaded, total_loaded, total_unloaded, heap_committed, heap_initial, heap_max, heap_used, non_heap_committed, non_heap_initial, non_heap_max, non_heap_used, objects_pending

Malware
  Objects: Malware_Attacks, Malware_Operations
  Tags: malware, attack; malware, operations
  CIM fields (shared fields listed once): action, category, date, dest, dest_bunit, dest_category, dest_nt_domain, dest_priority, dest_requires_av, file_hash, file_name, file_path, signature, src, src_bunit, src_category, src_priority, tag, user, user_bunit, user_category, user_priority, vendor_product, product_version, signature_version

Network Resolution
  Objects: DNS
  Tags: network, resolution, dns
  CIM fields: additional_answer_count, answer, answer_count, authority_answer_count, dest, dest_category, dest_port, dest_priority, duration, message_type, query, query_count, query_type, reply_code, reply_code_id, response_time, src, src_bunit, src_category, src_port, src_priority, tag, transaction_id, transport, ttl, vendor_product

Network Sessions
  Objects: All_Sessions, Session_Start, Session_End, DHCP, VPN
  Tags: network, session; start; end; dhcp; vpn
  CIM fields: action, dest_bunit, dest_category, dest_ip, dest_mac, dest_nt_host, dest_priority, duration, response_time, signature, src_bunit, src_category, src_dns, src_ip, src_mac, src_nt_host, src_priority, tag, user, user_bunit, user_category, user_priority, vendor_product, lease_duration, lease_scope

Network Traffic
  Objects: All_Traffic
  Tags: network, communicate
  CIM fields: action, app, bytes, bytes_in, bytes_out, channel, dest, dest_bunit, dest_category, dest_interface, dest_ip, dest_mac, dest_port, dest_priority, dest_translated_ip, dest_translated_port, direction, duration, dvc, dvc_bunit, dvc_category, dvc_ip, dvc_mac, dvc_priority, flow_id, icmp_code, icmp_type, packets, packets_in, packets_out, protocol, protocol_version, response_time, rule, session_id, src, src_category, src_interface, src_ip, src_mac, src_port, src_priority, src_translated_ip, src_translated_port, ssid, tag, tcp_flag, transport, tos, ttl, user, user_bunit, user_category, user_priority, vendor_product, vlan, wifi

Performance
  Objects: All_Performance, CPU, Facilities, Memory, Storage, Network, OS, Uptime, Time
  Tags: performance; cpu; facilities; memory; storage; network; os; uptime; time, synchronize
  CIM fields: dest, dest_bunit, dest_category, dest_priority, dest_should_timesync, dest_should_update, hypervisor_id, resource_type, tag, cpu_load_mhz, cpu_load_percent, cpu_time, cpu_user_percent, fan_speed, power, temperature, mem, mem_committed, mem_free, mem_used, swap, swap_free, swap_used, array, blocksize, cluster, fd_max, fd_used, latency, mount, parent, read_blocks, read_latency, read_ops, storage, storage_free, storage_free_percent, storage_used, storage_used_percent, write_blocks, write_latency, write_ops, thruput, thruput_max, signature, action, uptime

Splunk Audit Logs
  Objects: View_Activity, Datamodel_Acceleration, Search_Activity, Scheduler_Activity, Web_Service_Errors
  Tags: none (this model is constrained by Splunk's internal sourcetypes rather than by tags)
  CIM fields (shared fields listed once): app, user, view, access_count, access_time, buckets, buckets_size, complete, cron, datamodel, digest, earliest, is_inprogress, last_error, last_sid, latest, mod_time, retention, size, summary_id, host, info, search, search_type, source, sourcetype, user_bunit, user_category, user_priority, savedsearch_name, sid, splunk_server, status, event_id

Ticket Management
  Objects: All_Ticket_Management, Change, Incident, Problem
  Tags: ticketing; change; incident; problem
  CIM fields: affect_dest, comments, description, dest, dest_bunit, dest_category, dest_priority, priority, severity, src_user, src_user_bunit, src_user_category, status, tag, ticket_id, time_submitted, user, user_bunit, user_category, user_priority, change, incident, problem

Updates
  Objects: Updates, Update_Errors
  Tags: update, status; update, error
  CIM fields: dest, dest_bunit, dest_category, dest_priority, dest_should_update, dvc, file_hash, file_name, severity, signature, signature_id, status, tag, vendor_product

Vulnerabilities
  Objects: Vulnerabilities
  Tags: report, vulnerability
  CIM fields: bugtraq, category, cert, cve, cvss, dest, dest_bunit, dest_category, dest_priority, dvc, dvc_bunit, dvc_category, dvc_priority, msft, mskb, severity, signature, tag, user, user_bunit, user_category, user_priority, vendor_product, xref

Web
  Objects: Web, Proxy
  Tags: web; proxy
  CIM fields: action, app, bytes, bytes_in, bytes_out, cached, category, cookie, dest, dest_bunit, dest_category, dest_priority, duration, http_content_type, http_method, http_referrer, http_user_agent, http_user_agent_length, response_time, site, src, src_bunit, src_category, src_priority, status, tag, uri_path, uri_query, url, url_length, user, user_bunit, user_category, user_priority, vendor_product
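As an added example (not from the original post and not from any Splunk add-on), the three configuration fragments below show what the normalisation looks like in practice for an OpenSSH sshd log mapped to the Authentication data model above. The sourcetype name sshd, the eventtype name, the knowledge-object class names and the two sample log lines are my own assumptions, chosen only to illustrate the mapping.

```ini
# props.conf - search-time knowledge objects for the (assumed) sourcetype "sshd"
[sshd]
# Extract the raw pieces from lines such as these constructed samples:
#   Mar  7 10:15:02 jumphost sshd[4131]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
#   Mar  7 10:15:40 jumphost sshd[4140]: Accepted publickey for deploy from 198.51.100.7 port 50210 ssh2
EXTRACT-sshd_auth = sshd\[\d+\]:\s+(?<result>Accepted|Failed)\s+(?<auth_method>\S+)\s+for\s+(?:invalid user\s+)?(?<user>\S+)\s+from\s+(?<src_ip>\S+)\s+port\s+(?<src_port>\d+)

# CIM field names expected by the Authentication data model.
# Order matters at search time: EXTRACT runs first, then FIELDALIAS, then EVAL,
# so an EVAL may use an aliased field but an alias cannot point at an EVAL result.
FIELDALIAS-sshd_cim = src_ip AS src host AS dest
EVAL-action = if(result=="Accepted", "success", "failure")
EVAL-app = "sshd"

# eventtypes.conf - which sshd events count as authentication events
[sshd_authentication]
search = sourcetype=sshd (result=Accepted OR result=Failed)

# tags.conf - the tag that routes the eventtype into the Authentication model
[eventtype=sshd_authentication]
authentication = enabled
```

Once the three files are on the search head, `| datamodel Authentication Authentication search | search sourcetype=sshd | table _time action app src dest user` should return normalised rows. An empty result usually means the tag or one of the required fields (action, src, dest, user, app) is missing rather than that the regex is wrong, so check `sourcetype=sshd | stats count by tag, action` first. A second eventtype restricted to user=root and tagged `privileged` in the same way would populate the Privileged_Authentication object.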

Sunday, March 6, 2016

Rest API calls in Splunk (Frequently used)


I used to work in an access-segregated environment where, as a power user, I needed some means to find things that are typically available only to admins or take multiple clicks in the GUI. Splunk's REST API calls come in handy.

Below is my collection of frequently used REST API calls in Splunk, with their use cases.


Each entry below gives the objective followed by the Splunk REST search.

Indexer Status
| rest /services/server/introspection/indexer | table title splunk_server status updated
List of Lookup Files
| rest /services/data/transforms/lookups | table eai:acl.app eai:appName filename title fields_list updated id
List of Commands
| rest /services/data/commands | table title type filename updated
List of Inputs
| rest /services/data/inputs/all | convert ctime(starttime) AS "Start Time"  | convert ctime(endtime) AS "End Time" | table index interval source sourcetype title updated starttime endtime "Start Time" "End Time"
List of Field Extractions
| rest /services/data/props/extractions | table title type value attribute
| rest /services/data/transforms/extractions | table title eai:appName REGEX FORMAT updated
List of Field Aliases
| rest /services/data/props/fieldaliases | table title type value attribute eai:acl.app stanza updated
List of Saved event Types
| rest /services/saved/eventtypes | table eai:acl.app title tags search
List of Saved Searches
| rest /services/saved/searches | table eai:acl.app title search updated
List of jobs
| rest /services/search/jobs | table  author label title
List of Dashboards
| rest /servicesNS/-/-/data/ui/views | search eai:acl.app="$app_name$" | table id label title
List of Fired Alerts
| rest /services/alerts/fired_alerts splunk_server=local| table eai:acl.owner eai:acl.app id title triggered_alert_count
List of Enabled Scheduled Saved Searches
| rest /servicesNS/-/-/saved/searches splunk_server=local | eval state=if(disabled=0,"Enabled","Disabled") | eval is_scheduled=if(is_scheduled=1,"Yes","No") | rename title AS savedsearch_name | fields cron_schedule state  is_scheduled savedsearch_name search dispatch.earliest_time dispatch.latest_time | search state=Enabled is_scheduled=Yes | table savedsearch_name, search

| rest /services/saved/searches | table title search eai:acl.app

List of searches run by users (excluding the system user)
| rest /services/search/jobs |rename custom.search as customSearch|search NOT author="splunk-system-user" | eval SearchString=if(isnotnull(customSearch),customSearch,eventSearch)| addtotals fieldname=duration *duration_secs| table author,SearchString , earliestTime,latestTime,request.earliest_time, request.latest_time, eventCount,duration

| rest /services/search/jobs |rename custom.search as customSearch|search NOT author="splunk-system-user" | eval SearchString=if(isnotnull(customSearch),customSearch,eventSearch)| addtotals fieldname=duration *duration_secs  | eval search_time=tostring(duration, "duration")| table author,SearchString , earliestTime,latestTime,request.earliest_time, request.latest_time, eventCount, search_time | sort -search_time

| rest /services/search/jobs |rename custom.search as customSearch|search NOT author="splunk-system-user" | eval SearchString=if(isnotnull(customSearch),customSearch,eventSearch)| addtotals fieldname=duration *duration_secs  | eval search_time=tostring(duration, "duration") | stats sum(eventCount) AS Count dc(author) | fieldformat Count=tostring(Count, "commas")
Splunk Server Lookup
| rest splunk_server=* /services/server/info | mvexpand server_roles | search server_roles!=search_peer | rename server_roles AS role splunk_server AS host | table host guid role version

Currently logged-in users
| rest /services/authentication/current-context | search NOT username="splunk-system-user" | table username roles updated

One or more of your indexers is reporting an abnormal state.
| rest splunk_server=local /services/search/distributed/peers/
| where status!="Up"
| fields peerName, status
| rename peerName as Instance, status as Status

| rest /services/server/introspection/indexer | search NOT splunk_server="*SearchHead*" | fields splunk_server, title, average_KBps, status, reason
| eval average_KBps = round(average_KBps, 0)
| eval status= if(status=="normal", status, status." - ".reason)
| fields - reason
| rename splunk_server as Instance, average_KBps as "Average KB/s (last 30s)", status as Status

| rest splunk_server=local /services/search/distributed/peers/ | table peerName host title numberOfCores os_build os_name os_version physicalMemoryMB status version updated

Critical System Physical Memory Usage
One or more instances has exceeded 90% memory usage
| rest splunk_server_group=* /services/server/status/resource-usage/hostwide
| eval percentage=round(mem_used/mem,3)*100
| where percentage > 90
| fields splunk_server, percentage, mem_used, mem
| rename splunk_server AS Instance, mem AS "Physical memory installed (MB)", percentage AS "Memory used (%)", mem_used AS "Memory used (MB)"

Near Critical Disk Usage
You have used 80% of your disk capacity
| rest splunk_server_group=* /services/server/status/partitions-space
| eval free = if(isnotnull(available), available, free)
| eval usage = capacity - free
| eval pct_usage = floor(usage / capacity * 100)
| where pct_usage > 80
| stats first(fs_type) as fs_type first(capacity) AS capacity first(usage) AS usage first(pct_usage) AS pct_usage by splunk_server, mount_point
| eval usage = round(usage / 1024, 2)
| eval capacity = round(capacity / 1024, 2)
| rename splunk_server AS Instance mount_point as "Mount Point", fs_type as "File System Type", usage as "Usage (GB)", capacity as "Capacity (GB)", pct_usage as "Usage (%)"

Saturated Event-Processing Queues
One or more of your indexer queues is reporting a fill percentage, averaged over the last 15 minutes, of 90% or more.
| rest splunk_server_group=*    /services/server/introspection/queues
| search title=tcpin_queue OR title=parsingQueue OR title=aggQueue OR title=typingQueue OR title=indexQueue
| eval 15min_fill_perc = round(value_cntr3_size_bytes_lookback / max_size_bytes * 100,2)
| fields title 15min_fill_perc splunk_server
| where '15min_fill_perc' > 90
| rename splunk_server as Instance, title AS "Queue name", 15min_fill_perc AS "Average queue fill percentage (last 15min)"

Total License Usage Near Daily Quota - You have used 90% of your total daily license quota
| rest splunk_server_group=* /services/licenser/pools
| join type=outer stack_id splunk_server [rest splunk_server_group=* /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields splunk_server stack_id is_active]
| search is_active=1
| fields splunk_server, stack_id, used_bytes
| join type=outer stack_id splunk_server [rest splunk_server_group=* /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields splunk_server stack_id stack_quota]
| stats sum(used_bytes) as used_bytes max(stack_quota) as stack_quota by splunk_server
| eval usedGB=round(used_bytes/1024/1024/1024,3)
| eval totalGB=round(stack_quota/1024/1024/1024,3)
| eval percentage=round(usedGB / totalGB, 3)*100
| fields splunk_server, percentage, usedGB, totalGB
| where percentage > 90
| rename splunk_server AS Instance, percentage AS "License quota used (%)", usedGB AS "License quota used (GB)", totalGB as "Total license quota (GB)"

Memory Usage
| rest  /services/server/status/resource-usage/hostwide | eval cpu_count = if(isnull(cpu_count), "N/A", cpu_count) | eval cpu_usage = cpu_system_pct + cpu_user_pct | eval mem_used_pct = round(mem_used / mem * 100 , 2) | eval mem_used = round(mem_used, 0) | eval mem = round(mem, 0) | fields splunk_server, cpu_count, cpu_usage, mem, mem_used, mem_used_pct | sort - cpu_usage, -mem_used | rename splunk_server AS Instance, cpu_count AS "CPU Cores", cpu_usage AS "CPU Usage (%)", mem AS "Physical Memory Capacity (MB)", mem_used AS "Physical Memory Usage (MB)", mem_used_pct AS "Physical Memory Usage (%)"

User search quota usage
| rest  /services/search/jobs | eval diskUsageMB=diskUsage/1024/1024 | rename eai:acl.owner as UserName | stats sum(diskUsageMB) as totalDiskUsage_mb by UserName

Other REST API Calls
| rest /services/authentication/users
| rest splunk_server=local /services/alerts/reviewstatuses/
| rest splunk_server=local count=0 /services/alerts/correlationsearches
| rest splunk_server=local count=0 /services/saved/searches | table author title search updated dispatch.earliest_time dispatch.latest_time
| rest /services/saved/searches | table title search
| rest /services/server/info
| rest /services/server/status/resource-usage/splunk-processes | table process fd_used mem_used read_mb written_mb normalized_pct_cpu page_faults pct_cpu pct_memory pid ppid search_props.app search_props.type search_props.user splunk_server
| rest /services/server/status/resource-usage/hostwide | table splunk_server forks  mem mem_used cpu_count cpu_idle_pct cpu_idle_pct cpu_user_pct normalized_load_avg_1min
| rest /services/server/status/partitions-space | table splunk_server fs_type title capacity available free mount_point updated
| rest /services/server/status/dispatch-artifacts | search splunk_server="SearchHead*" | transpose
| rest /services/server/settings | table splunk_server host httpport kvStorePort mgmtHostPort minFreeSpace sessionTimeout updated
| rest /services/server/logger | table splunk_server title level updated
| rest /services/data/ui/views  | table eai:appName label title eai:data
| rest /services/search/distributed/peers | table title splunk_server numberOfCores replicationStatus searchable_indexes server_roles cpu_arch status is_https physicalMemoryMB updated
| rest /services/search/jobs  | dedup label | table author label keywords normalizedSearch
| rest /services/properties/| dedup title  | table title
| rest /services/datamodel/model | table eai:acl.app title  displayName
| rest /services/data/inputs/tcp/ssl | table host sslVersions cipherSuite rootCA serverCert
| rest /services/apps/local | table title label description eai:acl.perms.write
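One thing the list above does not cover is turning these endpoints into a permission audit: who ends up with dangerous capabilities, directly or through an inherited role. The search below is an added example, not part of the original collection. It assumes a Splunk 6.x search head where the searching role is allowed to read /services/authentication/users and /services/authorization/roles, and the set of capabilities it flags (admin_all_objects, edit_user, edit_roles, change_authentication, rest_properties_set, restart_splunkd, run_debug_commands) is my own choice of high-value ones, not a Splunk-defined list.

```spl
| rest splunk_server=local /services/authentication/users
| rename title AS user
| fields user roles type
| mvexpand roles
| join type=left roles
    [| rest splunk_server=local /services/authorization/roles
     | rename title AS roles
     | eval all_capabilities=mvappend(capabilities, imported_capabilities)
     | fields roles all_capabilities imported_roles srchIndexesAllowed]
| mvexpand all_capabilities
| search all_capabilities="admin_all_objects" OR all_capabilities="edit_user" OR all_capabilities="edit_roles" OR all_capabilities="change_authentication" OR all_capabilities="rest_properties_set" OR all_capabilities="restart_splunkd" OR all_capabilities="run_debug_commands"
| stats values(all_capabilities) AS sensitive_capabilities values(imported_roles) AS inherits_from values(srchIndexesAllowed) AS indexes_allowed by user roles type
| sort user roles
```

Two things apply to every `| rest` search here: without splunk_server=local the command fans out to every search peer, so per-instance objects such as users and roles come back once per indexer; and each endpoint is gated by the searching user's capabilities, so a power user simply gets no rows for endpoints the role is not allowed to read. The mvappend of capabilities and imported_capabilities matters because the roles endpoint lists only directly assigned capabilities in the first field; a role that merely inherits admin would otherwise be missed.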



Saturday, March 5, 2016

Suricata Analysis in Splunk

This post assumes a fully working Suricata setup whose suricata.yaml is configured to write separate alert, dns, http, ssh and tls output files (see the outputs block below).

If that is not yet in place, use the reference links below.

Configuring and setting up Suricata
https://web.nsrc.org/workshops/2015/pacnog17-ws/raw-attachment/wiki/Track2Agenda/ex-suricata-config-test.htm

Suricata configuration file:-
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
https://github.com/inliniac/suricata/blob/master/suricata.yaml.in

The objective of this post is to use Splunk to analyse the Suricata output, with a walk-through of the Splunk SPL and dashboard XML.

Starting in 2.0, Suricata can output alerts, HTTP events, DNS events, TLS events and file info as JSON:
outputs:
  - alert-json-log:
      enabled: yes
      filename: alert-json.log
  - dns-json-log:
      enabled: yes
      filename: dns-json.log
  - drop-json-log:
      enabled: yes
      filename: drop-json.log
  - http-json-log:
      enabled: yes
      filename: http-json.log
  - ssh-json-log:
      enabled: yes
      filename: ssh-json.log
  - tls-json-log:
      enabled: yes
      filename: tls-json.log


In my setup, Splunk monitors (with an inputs.conf monitor stanza) the folder where Suricata drops its output files, which are named with the signature name as prefix and the date as suffix.

Below is a set of informative dashboard panels that help in understanding a Suricata alert and the corresponding HTTP, DNS, TLS and file events.

In these panels, source is a variable controlled by an input form (the $source$ token). The full code will be published on my GitHub page.

Timeline of Events

index="network" sourcetype="pcap_json" source="*$source$*" alert.signature!="*suricata*" | timechart count by $split$ limit=10 useother=0 usenull=0

High Level Detail of Suricata Alerts

index="network" sourcetype="pcap_json" source="*$source$*" alert.signature!="*suricata*" | stats values(alert.category) values(src_ip) values(dest_ip) count by alert.signature

Suricata IDS Alerts

index="network" sourcetype="pcap_json" source="*$source$*" event_type=alert alert.signature!="*suricata*" | iplocation src_ip | table timestamp pcap_cnt alert.signature alert.category src_ip City dest_ip dest_port

HTTP Traffic 


 index="network" sourcetype="pcap_json" source="*$source$*" event_type=http | iplocation src_ip | table timestamp pcap_cnt src_ip Country dest_ip dest_port http.http_content_type proto http.hostname http.url http.http_user_agent http.http_refer

DNS Traffic


index="network" sourcetype="pcap_json" source="*$source$*"  event_type=dns| iplocation dns.rdata  | table  timestamp src_ip dest_ip dest_port dns.rdata Country dns.rrname dns.rrtype dns.type

TLS Traffic 


index="network" sourcetype="pcap_json" source="*$source$*" event_type=tls| table timestamp pcap_cnt event_type src_ip dest_ip dest_port tls.issuerdn tls.subject

Files Downloaded


index="network" sourcetype="pcap_json" source="*$source$*" event_type=fileinfo | iplocation src_ip | table timestamp pcap_cnt event_type src_ip Country dest_ip dest_port  fileinfo.filename fileinfo.filesize http.hostname http.url http.http_refer http.http_user_agent | sort timestamp
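The panels above look at each event type on its own; when triaging an alert the next question is usually what the HTTP request, TLS certificate or downloaded file on that same connection looked like. The search below is an added example (not part of the original dashboard) that pivots from an alert to the other events of the same flow. It assumes the same index, sourcetype and $source$ token as the panels, and that the Suricata build in use writes a flow_id into every EVE record (recent 3.x releases do).

```spl
index="network" sourcetype="pcap_json" source="*$source$*"
    (event_type=alert OR event_type=http OR event_type=tls OR event_type=fileinfo)
    NOT alert.signature="*suricata*"
| stats min(_time) AS first_seen
        count(eval(event_type="alert")) AS alert_count
        values(alert.signature) AS signature
        values(alert.category) AS category
        values(http.hostname) AS http_host
        values(http.url) AS http_url
        values(http.http_user_agent) AS user_agent
        values(tls.subject) AS tls_subject
        values(fileinfo.filename) AS file_name
        values(fileinfo.filesize) AS file_size
    by flow_id src_ip dest_ip dest_port
| where alert_count > 0
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| iplocation dest_ip
| table first_seen src_ip dest_ip dest_port Country alert_count signature category http_host http_url user_agent tls_subject file_name file_size
| sort -alert_count
```

Grouping with stats rather than join keeps the search within Splunk's subsearch limits on a busy sensor. If flow_id is not present in your events, replace it in the by clause with nothing and keep src_ip dest_ip dest_port; that coarser key merges separate connections from the same client to the same service, so treat the http and file columns as candidates rather than as the exact request that fired the rule.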