Suricata Logs

Connecting Suricata logs to your Panther Console

Overview

Panther supports ingesting Suricata logs via common Data Transport options: Amazon Web Services (AWS) S3, SQS, and CloudWatch.

How to onboard Suricata logs to Panther

To connect these logs into Panther:

1. Set up your Data Transport in the Panther Console.
2. Configure Suricata to push logs to the Data Transport source.
   - See Suricata's documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

Required fields in all tables are in bold.

Suricata.Alert

Suricata parser for the Alert event type in the EVE JSON output.
Reference: Suricata.Alert
```yaml
parser:
  native:
    name: Suricata.Alert
fields:
  - name: files
    description: files
    type: array
    element:
      type: object
      fields:
        - name: filename
          required: true
          description: filename
          type: string
        - name: gaps
          required: true
          description: gaps
          type: boolean
        - name: size
          required: true
          description: size
          type: bigint
        - name: state
          required: true
          description: state
          type: string
        - name: stored
          required: true
          description: stored
          type: boolean
        - name: tx_id
          required: true
          description: tx_id
          type: bigint
  - name: tx_id
    description: tx_id
    type: bigint
  - name: http
    description: http
    type: object
    fields:
      - name: http_content_type
        description: http_content_type
        type: string
      - name: hostname
        description: hostname
        type: string
      - name: http_method
        description: http_method
        type: string
      - name: http_user_agent
        description: http_user_agent
        type: string
      - name: length
        description: length
        type: bigint
      - name: protocol
        description: protocol
        type: string
      - name: status
        description: status
        type: bigint
      - name: url
        description: url
        type: string
  - name: ssh
    description: ssh
    type: object
    fields:
      - name: server
        description: server
        type: object
        fields:
          - name: proto_version
            required: true
            description: proto_version
            type: float
          - name: software_version
            required: true
            description: software_version
            type: string
  - name: app_proto_tc
    description: app_proto_tc
    type: string
  - name: tls
    description: tls
    type: object
    fields:
      - name: sni
        description: sni
        type: string
        indicators:
          - ip
      - name: ja3
        required: true
        description: ja3
        type: object
        fields:
          - name: hash
            required: true
            description: hash
            type: string
          - name: string
            required: true
            description: string
            type: string
          - name: version
            required: true
            description: version
            type: string
  - name: app_proto
    description: app_proto
    type: string
  - name: metadata
    description: metadata
    type: object
    fields:
      - name: flowbits
        description: flowbits
        type: array
        element:
          type: string
      - name: flowints
        description: flowints
        type: object
        fields:
          - name: applayer.anomaly.count
            description: applayer.anomaly.count
            type: bigint
  - name: alert
    required: true
    description: alert
    type: object
    fields:
      - name: metadata
        description: metadata
        type: object
        fields:
          - name: former_category
            description: former_category
            type: array
            element:
              type: string
          - name: affected_product
            description: affected_product
            type: array
            element:
              type: string
          - name: attack_target
            description: attack_target
            type: array
            element:
              type: string
          - name: deployment
            description: deployment
            type: array
            element:
              type: string
          - name: signature_severity
            description: signature_severity
            type: array
            element:
              type: string
          - name: tag
            description: tag
            type: array
            element:
              type: string
          - name: created_at
            required: true
            description: created_at
            type: array
            element:
              type: float
          - name: updated_at
            required: true
            description: updated_at
            type: array
            element:
              type: float
      - name: action
        required: true
        description: action
        type: string
      - name: category
        required: true
        description: category
        type: string
      - name: gid
        required: true
        description: gid
        type: bigint
      - name: rev
        required: true
        description: rev
        type: bigint
      - name: severity
        required: true
        description: severity
        type: bigint
      - name: signature
        required: true
        description: signature
        type: string
      - name: signature_id
        required: true
        description: signature_id
        type: bigint
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: dest_port
    required: true
    description: dest_port
    type: bigint
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: flow
    required: true
    description: flow
    type: object
    fields:
      - name: bytes_toclient
        required: true
        description: bytes_toclient
        type: bigint
      - name: bytes_toserver
        required: true
        description: bytes_toserver
        type: bigint
      - name: pkts_toclient
        required: true
        description: pkts_toclient
        type: bigint
      - name: pkts_toserver
        required: true
        description: pkts_toserver
        type: bigint
      - name: start
        required: true
        description: start
        type: string
  - name: flow_id
    required: true
    description: flow_id
    type: bigint
  - name: in_iface
    required: true
    description: in_iface
    type: string
  - name: proto
    required: true
    description: proto
    type: string
  - name: src_ip
    required: true
    description: src_ip
    type: string
    indicators:
      - ip
  - name: src_port
    required: true
    description: src_port
    type: bigint
  - name: timestamp
    required: true
    description: Suricata DNS Timestamp
    type: timestamp
    timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
    isEventTime: true
```
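As an added example (editor's code, not Panther's or Suricata's): a small check that a constructed EVE alert line carries every field the Suricata.Alert schema above marks `required: true`, parses its `timestamp` with the schema's strftime format, and collects the fields tagged `indicators: - ip`, which is how Panther derives `p_any_ip_addresses`. The names `REQUIRED`, `IP_INDICATORS`, `lookup` and `validate_alert` are chosen here and exist nowhere in Panther.

```python
import json
from datetime import datetime

# Required fields of the Suricata.Alert schema above, as dotted paths
# (only the alert and flow sub-objects are expanded; they are required themselves).
REQUIRED = [
    "timestamp", "event_type", "flow_id", "in_iface", "proto",
    "src_ip", "src_port", "dest_ip", "dest_port",
    "alert", "alert.action", "alert.category", "alert.gid", "alert.rev",
    "alert.severity", "alert.signature", "alert.signature_id",
    "flow", "flow.bytes_toclient", "flow.bytes_toserver",
    "flow.pkts_toclient", "flow.pkts_toserver", "flow.start",
]
# Fields the schema tags with "indicators: - ip"; Panther folds them into p_any_ip_addresses.
IP_INDICATORS = ["src_ip", "dest_ip", "tls.sni"]
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # the schema's timeFormat without the strftime= prefix

def lookup(event, path):
    """Walk a dotted path through nested dicts; None if any step is missing."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def validate_alert(line):
    """Return (missing required paths, parsed event time, ip indicators) for one EVE line."""
    event = json.loads(line)
    if event.get("event_type") != "alert":
        raise ValueError("not a Suricata alert event")
    missing = [p for p in REQUIRED if lookup(event, p) is None]
    ts = event.get("timestamp")
    event_time = datetime.strptime(ts, TIME_FORMAT) if ts else None
    ips = sorted({lookup(event, p) for p in IP_INDICATORS} - {None})
    return missing, event_time, ips

# Constructed sample EVE alert line (not real traffic). flow.start is left out
# on purpose so the check reports a missing required field.
SAMPLE = json.dumps({
    "timestamp": "2024-01-15T08:30:00.123456+0000", "flow_id": 1234567890123456,
    "in_iface": "eth0", "event_type": "alert", "proto": "TCP",
    "src_ip": "10.0.0.5", "src_port": 51234, "dest_ip": "203.0.113.7", "dest_port": 80,
    "alert": {"action": "allowed", "gid": 1, "signature_id": 9000001, "rev": 1,
              "signature": "CONSTRUCTED test signature", "category": "Test", "severity": 3},
    "flow": {"pkts_toserver": 4, "pkts_toclient": 3, "bytes_toserver": 340, "bytes_toclient": 1280},
})

if __name__ == "__main__":
    print(validate_alert(SAMPLE))
```

Feed it real `eve.json` lines before onboarding to spot events the parser would reject for missing required fields.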

Suricata.Anomaly

Suricata parser for the Anomaly event type in the EVE JSON output.
| Column | Type | Description |
|---|---|---|
| anomaly | { "code":bigint, "event":string, "layer":string, "type":string } | Suricata Anomaly Anomaly |
| app_proto | string | Suricata Anomaly AppProto |
| community_id | string | Suricata Anomaly CommunityID |
| dest_ip | string | Suricata Anomaly DestIP |
| dest_port | int | Suricata Anomaly DestPort |
| event_type | string | Suricata Anomaly EventType |
| flow_id | bigint | Suricata Anomaly FlowID |
| icmp_code | bigint | Suricata Anomaly IcmpCode |
| icmp_type | bigint | Suricata Anomaly IcmpType |
| metadata | { "flowbits":[string], "flowints":{ "applayer_anomaly_count":bigint, "http_anomaly_count":bigint, "tcp_retransmission_count":bigint, "tls_anomaly_count":bigint } } | Suricata Anomaly Metadata |
| packet | string | Suricata Anomaly Packet |
| packet_info | { "linktype":bigint } | Suricata Anomaly PacketInfo |
| pcap_cnt | bigint | Suricata Anomaly PcapCnt |
| pcap_filename | string | Suricata Anomaly PcapFilename |
| proto | bigint | Suricata Anomaly Proto |
| src_ip | string | Suricata Anomaly SrcIP |
| src_port | int | Suricata Anomaly SrcPort |
| timestamp | timestamp | Suricata Anomaly Timestamp |
| tx_id | bigint | Suricata Anomaly TxID |
| vlan | [bigint] | Suricata Anomaly Vlan |
| p_log_type | string | Panther added field with type of log |
| p_row_id | string | Panther added field with unique id (within table) |
| p_event_time | timestamp | Panther added standardized event time (UTC) |
| p_parse_time | timestamp | Panther added standardized log parse time (UTC) |
| p_source_id | string | Panther added field with the source id |
| p_source_label | string | Panther added field with the source label |
| p_any_ip_addresses | [string] | Panther added field with collection of ip addresses associated with the row |
| p_any_domain_names | [string] | Panther added field with collection of domain names associated with the row |
| p_any_sha1_hashes | [string] | Panther added field with collection of SHA1 hashes associated with the row |
| p_any_md5_hashes | [string] | Panther added field with collection of MD5 hashes associated with the row |
| p_any_sha256_hashes | [string] | Panther added field with collection of SHA256 hashes of any algorithm associated with the row |

Suricata.DHCP

Suricata parser for the DHCP event type in the EVE JSON output.
Reference: Suricata.DHCP
```yaml
parser:
  native:
    name: Suricata.DHCP
description: Suricata parser for the DHCP event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-5.0.2/output/eve/eve-json-output.html
fields:
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: dest_port
    required: true
    description: dest_port
    type: bigint
  - name: dhcp
    required: true
    description: dhcp
    type: object
    fields:
      - name: assigned_ip
        required: true
        description: assigned_ip
        type: string
        indicators:
          - ip
      - name: client_mac
        required: true
        description: client_mac
        type: string
      - name: dhcp_type
        required: true
        description: dhcp_type
        type: string
      - name: hostname
        required: true
        description: hostname
        type: string
      - name: id
        required: true
        description: id
        type: string
        indicators:
          - trace_id
      - name: type
        required: true
        description: type
        type: string
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: flow_id
    required: true
    description: flow_id
    type: bigint
  - name: in_iface
    required: true
    description: in_iface
    type: string
  - name: proto
    required: true
    description: proto
    type: string
  - name: src_ip
    required: true
    description: src_ip
    type: string
    indicators:
      - ip
  - name: src_port
    required: true
    description: src_port
    type: bigint
  - name: timestamp
    required: true
    description: Suricata DNS Timestamp
    type: timestamp
    timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
    isEventTime: true
```

Suricata.DNS

Suricata parser for the DNS event type in the EVE JSON output.
| Column | Type | Description |
|---|---|---|
| community_id | string | Suricata DNS CommunityID |
| dns | { "aa":boolean, "answers":[{ "rdata":string, "rrname":string, "rrtype":string, "ttl":bigint }], "authorities":[{ "rrname":string, "rrtype":string, "ttl":bigint }], "flags":string, "grouped":{ "A":[string], "AAAA":[string], "CNAME":[string], "MX":[string], "PTR":[string], "TXT":[string] }, "id":bigint, "qr":boolean, "ra":boolean, "rcode":string, "rd":boolean, "rrname":string, "rdata":string, "rrtype":string, "ttl":bigint, "tx_id":bigint, "type":string, "version":bigint } | Suricata DNS DNS |
| dest_ip | string | Suricata DNS DestIP |
| dest_port | int | Suricata DNS DestPort |
| event_type | string | Suricata DNS EventType |
| flow_id | bigint | Suricata DNS FlowID |
| pcap_cnt | bigint | Suricata DNS PcapCnt |
| pcap_filename | string | Suricata DNS PcapFilename |
| proto | bigint | Suricata DNS Proto |
| src_ip | string | Suricata DNS SrcIP |
| src_port | int | Suricata DNS SrcPort |
| timestamp | timestamp | Suricata DNS Timestamp |
| vlan | [bigint] | Suricata DNS Vlan |
| p_log_type | string | Panther added field with type of log |
| p_row_id | string | Panther added field with unique id (within table) |
| p_event_time | timestamp | Panther added standardized event time (UTC) |
| p_parse_time | timestamp | Panther added standardized log parse time (UTC) |
| p_source_id | string | Panther added field with the source id |
| p_source_label | string | Panther added field with the source label |
| p_any_ip_addresses | [string] | Panther added field with collection of ip addresses associated with the row |
| p_any_domain_names | [string] | Panther added field with collection of domain names associated with the row |
| p_any_sha1_hashes | [string] | Panther added field with collection of SHA1 hashes associated with the row |
| p_any_md5_hashes | [string] | Panther added field with collection of MD5 hashes associated with the row |
| p_any_sha256_hashes | [string] | Panther added field with collection of SHA256 hashes of any algorithm associated with the row |

Suricata.FileInfo

Suricata parser for the FileInfo event type in the EVE JSON output.
```yaml
schema: Suricata.FileInfo
parser:
  native:
    name: Suricata.FileInfo
description: Suricata parser for the FileInfo event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-6.0.0/file-extraction/file-extraction.html#file-store-and-eve-fileinfo
fields:
  - name: app_proto
    required: true
    description: app_proto
    type: string
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: dest_port
    required: true
    description: dest_port
    type: bigint
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: fileinfo
    required: true
    description: fileinfo
    type: object
    fields:
      - name: filename
        required: true
        description: filename
        type: string
      - name: gaps
        required: true
        description: gaps
        type: boolean
      - name: size
        required: true
        description: size
        type: bigint
      - name: state
        required: true
        description: state
        type: string
      - name: stored
        required: true
        description: stored
        type: boolean
      - name: tx_id
        required: true
        description: tx_id
        type: bigint
  - name: flow_id
    required: true
    description: flow_id
    type: bigint
  - name: http
    required: true
    description: http
    type: object
    fields:
      - name: http_user_agent
        description: http_user_agent
        type: string
      - name: http_content_type
        description: http_content_type
        type: string
      - name: hostname
        required: true
        description: hostname
        type: string
      - name: http_method
        required: true
        description: http_method
        type: string
      - name: length
        required: true
        description: length
        type: bigint
      - name: protocol
        required: true
        description: protocol
        type: string
      - name: status
        required: true
        description: status
        type: bigint
      - name: url
        required: true
        description: url
        type: string
  - name: in_iface
    required: true
    description: in_iface
    type: string
  - name: proto
    required: true
    description: proto
    type: string
  - name: src_ip
    required: true
    description: src_ip
    type: string
    indicators:
      - ip
  - name: src_port
    required: true
    description: src_port
    type: bigint
  - name: timestamp
    required: true
    description: Suricata DNS Timestamp
    type: timestamp
    timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
    isEventTime: true
```

Suricata.Flow

Suricata parser for the Flow event type in the EVE JSON output.
Reference: Flow event type.
```yaml
schema: Suricata.Flow
parser:
  native:
    name: Suricata.Flow
description: Suricata parser for the Flow event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-6.0.0/output/eve/eve-json-format.html#event-type-flow
fields:
  - name: app_proto_tc
    description: app_proto_tc
    type: string
  - name: icmp_code
    description: icmp_code
    type: bigint
  - name: icmp_type
    description: icmp_type
    type: bigint
  - name: metadata
    description: metadata
    type: object
    fields:
      - name: flowbits
        description: flowbits
        type: array
        element:
          type: string
      - name: flowints
        description: flowints
        type: object
        fields:
          - name: applayer.anomaly.count
            description: applayer.anomaly.count
            type: bigint
  - name: app_proto
    description: app_proto
    type: string
  - name: tcp
    description: tcp
    type: object
    fields:
      - name: psh
        description: psh
        type: boolean
      - name: cwr
        description: cwr
        type: boolean
      - name: ecn
        description: ecn
        type: boolean
      - name: fin
        description: fin
        type: boolean
      - name: rst
        description: rst
        type: boolean
      - name: ack
        description: ack
        type: boolean
      - name: state
        description: state
        type: string
      - name: syn
        description: syn
        type: boolean
      - name: tcp_flags
        required: true
        description: tcp_flags
        type: string
      - name: tcp_flags_tc
        required: true
        description: tcp_flags_tc
        type: string
      - name: tcp_flags_ts
        required: true
        description: tcp_flags_ts
        type: string
  - name: dest_port
    description: dest_port
    type: bigint
  - name: src_port
    description: src_port
    type: bigint
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: flow
    required: true
    description: flow
    type: object
    fields:
      - name: age
        required: true
        description: age
        type: bigint
      - name: alerted
        required: true
        description: alerted
        type: boolean
      - name: bytes_toclient
        required: true
        description: bytes_toclient
        type: bigint
      - name: bytes_toserver
        required: true
        description: bytes_toserver
        type: bigint
      - name: end
        required: true
        description: end
        type: string
      - name: pkts_toclient
        required: true
        description: pkts_toclient
        type: bigint
      - name: pkts_toserver
        required: true
        description: pkts_toserver
        type: bigint
      - name: reason
        required: true
        description: reason
        type: string
      - name: start
        required: true
        description: start
        type: string
      - name: state
        required: true
        description: state
        type: string
  - name: flow_id
```