Correlation of Alerts and connections #8928
Replies: 1 comment
You should be able to correlate Suricata NIDS alerts to the corresponding Zeek metadata (and other network logs if available) using Community ID. If you go to SOC Alerts and drill into an alert, you should then be able to use the Correlate action to find related logs. You can also do the same in Dashboards and Hunt.
Basically, I am trying to find commonality between the alerts generated and the connections for a specific time period and do a join operation, or consolidate them into one table. Will it be possible?
To attain this, I am trying to find a common unique ID in both tables, but I could get nowhere.
For the same community ID:
GET so-ids-2022.09.27/_search
{
  "query": {
    "match": {
      "network.community_id": "1:rScwTEI5t4OMGhrXnOSd3r6EOaA="
    }
  },
  "_source": true
}
GET so-zeek-2022.09.27/_search
{
  "query": {
    "match": {
      "network.community_id": "1:rScwTEI5t4OMGhrXnOSd3r6EOaA="
    }
  },
  "_source": true
}
For the same community ID, the _id and uid are different.
On the other hand, with
GET so-ids-2022.09.27/_search
GET so-zeek-2022.09.27/_search
when I search connections and alerts I see
    "_id": "ng6nhIMBluuL_wyp8shL"  (Zeek, GET so-zeek-2022.09.27/_search)
    "_id": "4w42gIMBluuL_wypSo3K"  (ids, GET so-ids-2022.09.27/_search)
    "_score": 1,
In a way, I am not able to correlate connections and alerts for the same time period. Any clues much appreciated.
Thank you for your time.
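As an added example that is not part of this discussion or of Security Onion itself: a small Python join of alert documents and Zeek conn documents on network.community_id, restricted to a time window around each alert, which is the relationship the Correlate action above relies on. The sample documents are constructed, and the field names other than network.community_id (rule.name, log.id.uid) are assumptions about the index layout.

```python
from datetime import datetime, timedelta, timezone
from collections import defaultdict

# Constructed sample documents (not real Security Onion data): two Suricata
# alerts as stored in so-ids-* and two Zeek conn records as stored in so-zeek-*,
# each carrying the Community ID in network.community_id. The other field
# names are assumptions for the sake of the example.
ALERTS = [
    {"_id": "alert-1", "@timestamp": "2022-09-27T10:00:05Z",
     "network.community_id": "1:EXAMPLEcommunityIdA=", "rule.name": "EXAMPLE RULE A"},
    {"_id": "alert-2", "@timestamp": "2022-09-27T10:30:00Z",
     "network.community_id": "1:EXAMPLEcommunityIdB=", "rule.name": "EXAMPLE RULE B"},
]
CONNS = [
    {"_id": "conn-1", "@timestamp": "2022-09-27T10:00:01Z",
     "network.community_id": "1:EXAMPLEcommunityIdA=", "log.id.uid": "CuidA1"},
    {"_id": "conn-2", "@timestamp": "2022-09-27T09:00:00Z",
     "network.community_id": "1:EXAMPLEcommunityIdA=", "log.id.uid": "CuidA0"},
]


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample documents."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(alerts, conns, window=timedelta(minutes=5)):
    """Join each alert to the conn records that share its Community ID and
    whose timestamp lies within `window` of the alert. Returns one flat row per
    (alert, conn) pair; an alert with no match still yields a row, with the
    Zeek columns set to None, so nothing is silently dropped from the table."""
    by_cid = defaultdict(list)
    for conn in conns:
        by_cid[conn["network.community_id"]].append(conn)
    rows = []
    for alert in alerts:
        when = _ts(alert["@timestamp"])
        matches = [c for c in by_cid.get(alert["network.community_id"], [])
                   if abs(_ts(c["@timestamp"]) - when) <= window]
        for conn in matches or [None]:
            rows.append({"alert_id": alert["_id"], "rule": alert["rule.name"],
                         "community_id": alert["network.community_id"],
                         "zeek_id": conn["_id"] if conn else None,
                         "zeek_uid": conn["log.id.uid"] if conn else None})
    return rows
```

The Elasticsearch _id values differ between the two indices by design; the join key that is shared is network.community_id, with the time window keeping long-lived or reused 5-tuples from matching unrelated alerts.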