[Suricata] Update fields and paths (#8550)
This updates the suricata module:

- Added fields from eve.json
- Copy fields of interest into their ECS equivalents
- Updated dashboards
adriansr authored Oct 16, 2018
1 parent 0211eda commit 4d60173
Showing 8 changed files with 1,060 additions and 74 deletions.
85 changes: 85 additions & 0 deletions filebeat/_meta/fields.common.yml
Expand Up @@ -100,3 +100,88 @@
description: >
Content length of the HTTP response body.
- name: source_ecs
type: group
fields:
- name: ip
type: ip
description: >
IP address of the source.
- name: port
type: long
description: >
Port of the source.
- name: geo
type: group
description:
Geolocation for source.
fields:
- name: continent_name
type: keyword
description: >
Name of the continent.
- name: country_iso_code
type: keyword
description: >
Country ISO code.
- name: location
type: geo_point
description: >
Longitude and latitude.
- name: region_name
type: keyword
description: >
Region name.
- name: city_name
type: keyword
description: >
City name.
- name: region_iso_code
type: keyword
description: >
Region ISO code.
- name: destination
type: group
fields:
- name: geo
type: group
description:
Geolocation for destination.
fields:
- name: continent_name
type: keyword
description: >
Name of the continent.
- name: country_iso_code
type: keyword
description: >
Country ISO code.
- name: location
type: geo_point
description: >
Longitude and latitude.
- name: region_name
type: keyword
description: >
Region name.
- name: city_name
type: keyword
description: >
City name.
- name: region_iso_code
type: keyword
description: >
Region ISO code.
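Review bot: The new top-level group is named `source_ecs` while its counterpart is plain `destination`, and nothing in the hunk explains the asymmetry — presumably `source` already exists as a Filebeat field for the log file path, but that is inferred, not visible here. A short comment above the group, e.g. `# Named source_ecs instead of source because <reason> (see <reference>)`, would stop the next maintainer from "fixing" the name to `source`. Note also that `destination` defines only `geo` here whereas `source_ecs` defines `ip` and `port` too; if `destination.ip`/`destination.port` are declared elsewhere, a pointer to that location in the comment would help. Separately, the two `geo` groups use `description:` without the `>` folded indicator (`Geolocation for source.` / `Geolocation for destination.`) while every other entry in the hunk is written `description: >`; both parse to the same string, but `description: >` keeps the file's convention uniform.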
154 changes: 154 additions & 0 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -4718,6 +4718,160 @@ type: long
Content length of the HTTP response body.
--
*`source_ecs.ip`*::
+
--
type: ip
IP address of the source.
--
*`source_ecs.port`*::
+
--
type: long
Port of the source.
--
[float]
== geo fields
Geolocation for source.
*`source_ecs.geo.continent_name`*::
+
--
type: keyword
Name of the continent.
--
*`source_ecs.geo.country_iso_code`*::
+
--
type: keyword
Country ISO code.
--
*`source_ecs.geo.location`*::
+
--
type: geo_point
Longitude and latitude.
--
*`source_ecs.geo.region_name`*::
+
--
type: keyword
Region name.
--
*`source_ecs.geo.city_name`*::
+
--
type: keyword
City name.
--
*`source_ecs.geo.region_iso_code`*::
+
--
type: keyword
Region ISO code.
--
[float]
== geo fields
Geolocation for destination.
*`destination.geo.continent_name`*::
+
--
type: keyword
Name of the continent.
--
*`destination.geo.country_iso_code`*::
+
--
type: keyword
Country ISO code.
--
*`destination.geo.location`*::
+
--
type: geo_point
Longitude and latitude.
--
*`destination.geo.region_name`*::
+
--
type: keyword
Region name.
--
*`destination.geo.city_name`*::
+
--
type: keyword
City name.
--
*`destination.geo.region_iso_code`*::
+
--
type: keyword
Region ISO code.
--
[[exported-fields-logstash]]
2 changes: 1 addition & 1 deletion filebeat/include/fields.go

Large diffs are not rendered by default.

Expand Up @@ -226,12 +226,12 @@
"columns": [
"host.name",
"suricata.eve.flow_id",
"suricata.eve.src_ip",
"suricata.eve.src_port",
"suricata.eve.dest_ip",
"suricata.eve.dest_port",
"ecs.source.geo.country_iso_code",
"ecs.destination.geo.country_iso_code"
"source_ecs.ip",
"source_ecs.port",
"destination.ip",
"destination.port",
"source_ecs.geo.country_iso_code",
"destination.geo.country_iso_code"
],
"description": "",
"hits": 0,
Expand All @@ -246,7 +246,7 @@
"alias": null,
"disabled": false,
"index": "filebeat-*",
"key": "ecs.event.type",
"key": "event.type",
"negate": false,
"params": {
"query": "alert",
Expand All @@ -257,7 +257,7 @@
},
"query": {
"match": {
"ecs.event.type": {
"event.type": {
"query": "alert",
"type": "phrase"
}
Expand Down Expand Up @@ -342,7 +342,7 @@
"id": "2",
"params": {
"autoPrecision": true,
"field": "suricata.eve.src_geo.location",
"field": "source_ecs.geo.location",
"isFilteredByCollar": true,
"precision": 2,
"useGeocentroid": true
Expand Down Expand Up @@ -428,7 +428,7 @@
"id": "2",
"params": {
"autoPrecision": true,
"field": "suricata.eve.dest_geo.location",
"field": "destination.geo.location",
"isFilteredByCollar": true,
"precision": 2,
"useGeocentroid": true
Expand Down Expand Up @@ -523,7 +523,7 @@
"id": "2",
"params": {
"customLabel": "Source Country",
"field": "suricata.eve.dest_geo.country_iso_code",
"field": "destination.geo.country_iso_code",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
Expand Down Expand Up @@ -595,7 +595,7 @@
"id": "2",
"params": {
"customLabel": "Source Country",
"field": "suricata.eve.src_geo.country_iso_code",
"field": "source_ecs.geo.country_iso_code",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
Expand Down Expand Up @@ -771,4 +771,4 @@
}
],
"version": "6.3.0"
}
}
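Review bot: In the hunk at `@@ -523,7 +523,7 @@` the aggregation is switched to `"field": "destination.geo.country_iso_code"` but the unchanged line just above it still reads `"customLabel": "Source Country"`, so that visualization will caption destination countries as source countries; the label should become `"customLabel": "Destination Country"` (the `@@ -595` hunk, which aggregates on `source_ecs.geo.country_iso_code`, is labelled correctly). The file header for this section is not shown on the page, so it is inferred to be the module's Kibana dashboard/visualization export. The saved-search columns in the first hunk mix `source_ecs.*` with `destination.*`; that follows the new field definitions, but any consumer expecting a symmetric `source.`/`destination.` prefix will not find the source fields, which is worth stating in the module documentation.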