Elastic ECS? #1941
Just curious how compliant Suricata events (and Zeek for that matter) are with ECS? I've updated some tooling to work against Suricata events when added to Elastic using the Filebeat Suricata module which does the ECS conversion, but the same queries are not working against SO. Taking a look via Kibana, I see ECS style source and destination, but not "suricata.eve" to get access to some stuff that doesn't break out to ECS. Thanks.
Replies: 2 comments
Hi Jason,

We are continually working towards ECS, and definitely appreciate the feedback. I'll take a look at this and see what we can do to be further aligned. I'm assuming you are referring to the fields described here?
https://www.elastic.co/guide/en/beats/filebeat/master/exported-fields-suricata.html
Yes, those are the fields. I use Suricata events added to Elasticsearch with the Filebeat Suricata plugin as my reference as I add support for ECS to EveBox. Was hoping it would work against SO as well (as is).
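The mismatch the thread describes, as an added example written for this page (it is not code from the discussion, from Security Onion, or from Elastic's Filebeat module): a minimal EVE-to-ECS mapping that optionally keeps the original record under the `suricata.eve` namespace, plus a dotted-path lookup that resolves field names the way a Kibana query would. The ECS and `suricata.eve.*` field names follow the Filebeat exported-fields page linked above; the mapping logic, the `keep_eve` switch, and the sample alert record are this example's own constructions. Running it shows that a query on `source.ip` matches both document shapes, while a query on `suricata.eve.alert.signature_id` finds nothing on the document that only carries top-level ECS fields.

```python
"""
Added example: Suricata EVE -> ECS mapping with an optional `suricata.eve`
namespace, and a dotted-path lookup mirroring how queries name fields.
Not the Filebeat module's implementation; a simplified stand-in for it.
"""
import json

# Constructed sample EVE alert line (placeholder sid and signature text,
# documentation-range IPs; not a real capture).
SAMPLE_EVE = json.dumps({
    "timestamp": "2021-01-01T12:00:00.000000+0000",
    "flow_id": 1234567890,
    "event_type": "alert",
    "src_ip": "10.0.0.5",
    "src_port": 50412,
    "dest_ip": "203.0.113.10",
    "dest_port": 80,
    "proto": "TCP",
    "alert": {
        "action": "allowed",
        "signature_id": 1000001,          # placeholder local-rule sid
        "signature": "EXAMPLE test signature",
        "category": "Example Category",
        "severity": 2,
    },
})


def eve_to_ecs(raw_line: str, keep_eve: bool = True) -> dict:
    """Map one EVE JSON line to an ECS-shaped document.

    With keep_eve=True the untouched EVE record is also stored under
    `suricata.eve`, which is where fields that have no ECS equivalent
    (flow_id, alert.action, ...) remain reachable.
    """
    eve = json.loads(raw_line)
    doc = {
        "@timestamp": eve.get("timestamp"),
        "event": {
            "kind": "alert" if eve.get("event_type") == "alert" else "event",
            "category": ["network"],
            "dataset": "suricata.eve",
        },
        "source": {"ip": eve.get("src_ip"), "port": eve.get("src_port")},
        "destination": {"ip": eve.get("dest_ip"), "port": eve.get("dest_port")},
        "network": {"transport": (eve.get("proto") or "").lower()},
    }
    alert = eve.get("alert")
    if isinstance(alert, dict):
        # ECS rule.* fields carry the signature details; severity goes to event.
        doc["rule"] = {
            "id": str(alert.get("signature_id")),
            "name": alert.get("signature"),
            "category": alert.get("category"),
        }
        doc["event"]["severity"] = alert.get("severity")
    if keep_eve:
        doc["suricata"] = {"eve": eve}
    return doc


def get_field(doc: dict, path: str):
    """Resolve a dotted field path (e.g. 'suricata.eve.alert.signature_id').

    Returns None when any segment is missing, which is what a query on that
    field effectively sees: no match.
    """
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def compare_shapes(raw_line: str, field: str) -> tuple:
    """Evaluate one field against a document with and without `suricata.eve`."""
    with_eve = eve_to_ecs(raw_line, keep_eve=True)
    ecs_only = eve_to_ecs(raw_line, keep_eve=False)
    return get_field(with_eve, field), get_field(ecs_only, field)


if __name__ == "__main__":
    for f in ("source.ip", "rule.name", "suricata.eve.alert.signature_id"):
        print(f, "->", compare_shapes(SAMPLE_EVE, f))
```

The lookup in `get_field` is deliberately strict about the namespace: a document that breaks `src_ip` out to `source.ip` but never stores the raw record under `suricata.eve` returns `None` for every `suricata.eve.*` path, which is why tooling written against Filebeat's output behaves differently on a pipeline that does not keep that namespace.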