So I am getting data ingested from Bro/Zeek and Suricata via the TA's for said applications. I want to build data models for them and wanted to see if anyone has anything built for Bro/Zeek or Suricata.
So far I built a "data model" for suricata (called suricata)
Then a Root Event (index=suricata source=suricata sourcetype=suricata)
From there I have Child
Src_ip (src_ip=192.168.*)
Then children of that are broken out like this
--Severity
------Severity I (suricata.attack.severity=1)
------Severity II (suricata.attack.severity=2)
------Severity III(suricata.attack.severity=3)
--Category
Dest_ip
Well you get the point.
Is there a better way of doing this, or am I on sort of the right track?
↧