Suricata Logs
Connecting Suricata logs to your Panther Console
Panther supports ingesting Suricata logs via common Data Transport options: Amazon Web Services (AWS) S3, SQS, and CloudWatch.
To connect these logs into Panther:
- 1.In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
- 2.Click Create New.
- 3.Search for the log type you want to onboard, then click its tile.
- 4.Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
- 5.Configure Suricata to push logs to the Data Transport source.
- See Suricata's documentation for instructions on pushing logs to your selected Data Transport source.
Required fields in all tables are in bold.
Suricata parser for the Alert event type in the EVE JSON output.
For more information, see the Suricata documentation on
parser:
native:
name: Suricata.Alert
fields:
- name: files
description: files
type: array
element:
type: object
fields:
- name: filename
required: true
description: filename
type: string
- name: gaps
required: true
description: gaps
type: boolean
- name: size
required: true
description: size
type: bigint
- name: state
required: true
description: state
type: string
- name: stored
required: true
description: stored
type: boolean
- name: tx_id
required: true
description: tx_id
type: bigint
- name: tx_id
description: tx_id
type: bigint
- name: http
description: http
type: object
fields:
- name: http_content_type
description: http_content_type
type: string
- name: hostname
description: hostname
type: string
- name: http_method
description: http_method
type: string
- name: http_user_agent
description: http_user_agent
type: string
- name: length
description: length
type: bigint
- name: protocol
description: protocol
type: string
- name: status
description: status
type: bigint
- name: url
description: url
type: string
- name: ssh
description: ssh
type: object
fields:
- name: server
description: server
type: object
fields:
- name: proto_version
required: true
description: proto_version
type: float
- name: software_version
required: true
description: software_version
type: string
- name: app_proto_tc
description: app_proto_tc
type: string
- name: tls
description: tls
type: object
fields:
- name: sni
description: sni
type: string
indicators:
- ip
- name: ja3
required: true
description: ja3
type: object
fields:
- name: hash
required: true
description: hash
type: string
- name: string
required: true
description: string
type: string
- name: version
required: true
description: version
type: string
- name: app_proto
description: app_proto
type: string
- name: metadata
description: metadata
type: object
fields:
- name: flowbits
description: flowbits
type: array
element:
type: string
- name: flowints
description: flowints
type: object
fields:
- name: applayer.anomaly.count
description: applayer.anomaly.count
type: bigint
- name: alert
required: true
description: alert
type: object
fields:
- name: metadata
description: metadata
type: object
fields:
- name: former_category
description: former_category
type: array
element:
type: string
- name: affected_product
description: affected_product
type: array
element:
type: string
- name: attack_target
description: attack_target
type: array
element:
type: string
- name: deployment
description: deployment
type: array
element:
type: string
- name: signature_severity
description: signature_severity
type: array
element:
type: string
- name: tag
description: tag
type: array
element:
type: string
- name: created_at
required: true
description: created_at
type: array
element:
type: float
- name: updated_at
required: true
description: updated_at
type: array
element:
type: float
- name: action
required: true
description: action
type: string
- name: category
required: true
description: category
type: string
- name: gid
required: true
description: gid
type: bigint
- name: rev
required: true
description: rev
type: bigint
- name: severity
required: true
description: severity
type: bigint
- name: signature
required: true
description: signature
type: string
- name: signature_id
required: true
description: signature_id
type: bigint
- name: dest_ip
required: true
description: dest_ip
type: string
indicators:
- ip
- name: dest_port
required: true
description: dest_port
type: bigint
- name: event_type
required: true
description: event_type
type: string
- name: flow
required: true
description: flow
type: object
fields:
- name: bytes_toclient
required: true
description: bytes_toclient
type: bigint
- name: bytes_toserver
required: true
description: bytes_toserver
type: bigint
- name: pkts_toclient
required: true
description: pkts_toclient
type: bigint
- name: pkts_toserver
required: true
description: pkts_toserver
type: bigint
- name: start
required: true
description: start
type: string
- name: flow_id
required: true
description: flow_id
type: bigint
- name: in_iface
required: true
description: in_iface
type: string
- name: proto
required: true
description: proto
type: string
- name: src_ip
required: true
description: src_ip
type: string
indicators:
- ip
- name: src_port
required: true
description: src_port
type: bigint
- name: timestamp
required: true
description: Suricata DNS Timestamp
type: timestamp
timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
isEventTime: true
Suricata parser for the Anomaly event type in the EVE JSON output.
Column | Type | Description |
anomaly | { "code":bigint, "event":string, "layer":string, "type":string } | Suricata Anomaly Anomaly |
app_proto | string | Suricata Anomaly AppProto |
community_id | string | Suricata Anomaly CommunityID |
dest_ip | string | Suricata Anomaly DestIP |
dest_port | int | Suricata Anomaly DestPort |
event_type | string | Suricata Anomaly EventType |
flow_id | bigint | Suricata Anomaly FlowID |
icmp_code | bigint | Suricata Anomaly IcmpCode |
icmp_type | bigint | Suricata Anomaly IcmpType |
metadata | { "flowbits":[string], "flowints":{ "applayer_anomaly_count":bigint, "http_anomaly_count":bigint, "tcp_retransmission_count":bigint, "tls_anomaly_count":bigint } } | Suricata Anomaly Metadata |
packet | string | Suricata Anomaly Packet |
packet_info | { "linktype":bigint } | Suricata Anomaly PacketInfo |
pcap_cnt | bigint | Suricata Anomaly PcapCnt |
pcap_filename | string | Suricata Anomaly PcapFilename |
proto | bigint | Suricata Anomaly Proto |
src_ip | string | Suricata Anomaly SrcIP |
src_port | int | Suricata Anomaly SrcPort |
timestamp | timestamp | Suricata Anomaly Timestamp |
tx_id | bigint | Suricata Anomaly TxID |
vlan | [bigint] | Suricata Anomaly Vlan |
p_log_type | string | Panther added field with type of log |
p_row_id | string | Panther added field with unique id (within table) |
p_event_time | timestamp | Panther added standardize event time (UTC) |
p_parse_time | timestamp | Panther added standardize log parse time (UTC) |
p_source_id | string | Panther added field with the source id |
p_source_label | string | Panther added field with the source label |
p_any_ip_addresses | [string] | Panther added field with collection of ip addresses associated with the row |
p_any_domain_names | [string] | Panther added field with collection of domain names associated with the row |
p_any_sha1_hashes | [string] | Panther added field with collection of SHA1 hashes associated with the row |
p_any_md5_hashes | [string] | Panther added field with collection of MD5 hashes associated with the row |
p_any_sha256_hashes | [string] | Panther added field with collection of SHA256 hashes of any algorithm associated with the row |
Suricata parser for the DHCP event type in the EVE JSON output.
parser:
native:
name: Suricata.DHCP
description: Suricata parser for the DHCP event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-5.0.2/output/eve/eve-json-output.html
fields:
- name: dest_ip
required: true
description: dest_ip
type: string
indicators:
- ip
- name: dest_port
required: true
description: dest_port
type: bigint
- name: dhcp
required: true
description: dhcp
type: object
fields:
- name: assigned_ip
required: true
description: assigned_ip
type: string
indicators:
- ip
- name: client_mac
required: true
description: client_mac
type: string
- name: dhcp_type
required: true
description: dhcp_type
type: string
- name: hostname
required: true
description: hostname
type: string
- name: id
required: true
description: id
type: string
indicators:
- trace_id
- name: type
required: true
description: type
type: string
- name: event_type
required: true
description: event_type
type: string
- name: flow_id
required: true
description: flow_id
type: bigint
- name: in_iface
required: true
description: in_iface
type: string
- name: proto
required: true
description: proto
type: string
- name: src_ip
required: true
description: src_ip
type: string
indicators:
- ip
- name: src_port
required: true
description: src_port
type: bigint
- name: timestamp
required: true
description: Suricata DNS Timestamp
type: timestamp
timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
isEventTime: true
Suricata parser for the DNS event type in the EVE JSON output.
schema: Suricata.DNS
description: Suricata parser for the DNS event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-5.0.2/output/eve/eve-json-output.html#dns
fields:
- name: community_id
description: Suricata DNS CommunityID
type: string
- name: dns
required: true
description: Suricata DNS DNS
type: object
fields:
- name: aa
description: Suricata DNSDetails Aa
type: boolean
- name: answers
description: Suricata DNSDetails Answers
type: array
element:
type: object
fields:
- name: rdata
required: true
description: Suricata DNSDetailsAnswers Rdata
type: string
indicators:
- hostname
- name: rrname
required: true
description: Suricata DNSDetailsAnswers Rrname
type: string
indicators:
- domain
- name: rrtype
required: true
description: Suricata DNSDetailsAnswers Rrtype
type: string
- name: ttl
required: true
description: Suricata DNSDetailsAnswers TTL
type: bigint
- name: authorities
description: Suricata DNSDetails Authorities
type: array
element:
type: object
fields:
- name: rrname
required: true
description: Suricata DNSDetailsAuthorities Rrname
type: string
- name: rrtype
required: true
description: Suricata DNSDetailsAuthorities Rrtype
type: string
- name: soa
required: true
type: object
fields:
- name: expire
required: true
type: bigint
- name: minimum
required: true
type: bigint
- name: mname
required: true
type: string
- name: refresh
required: true
type: bigint
- name: retry
required: true
type: bigint
- name: rname
required: true
type: string
- name: serial
required: true
type: bigint
- name: ttl
required: true
description: Suricata DNSDetailsAuthorities TTL
type: bigint
- name: flags
description: Suricata DNSDetails Flags
type: string
- name: grouped
description: Suricata DNSDetails Grouped
type: object
fields:
- name: A
description: Suricata DNSDetailsGrouped A
type: array
element:
type: string
indicators:
- ip
- name: AAAA
description: Suricata DNSDetailsGrouped Aaaa
type: array
element:
type: string
indicators:
- ip
- name: CNAME
description: Suricata DNSDetailsGrouped Cname
type: array
element:
type: string
indicators:
- domain
- name: MX
description: Suricata DNSDetailsGrouped Mx
type: array
element:
type: string
indicators:
- domain
- name: PTR
description: Suricata DNSDetailsGrouped Ptr
type: array
element:
type: string
- name: TXT
description: Suricata DNSDetailsGrouped Txt
type: array
element:
type: string
- name: id
required: true
description: Suricata DNSDetails ID
type: bigint
- name: qr
description: Suricata DNSDetails Qr
type: boolean
- name: ra
description: Suricata DNSDetails Ra
type: boolean
- name: rcode
description: Suricata DNSDetails Rcode
type: string
- name: rd
description: Suricata DNSDetails Rd
type: boolean
- name: rrname
description: Suricata DNSDetails Rrname
type: string
indicators:
- domain
- name: rdata
description: Suricata DNSDetails RData
type: string
indicators:
- ip
- name: rrtype
description: Suricata DNSDetails Rrtype
type: string
- name: ttl
description: Suricata DNSDetails TTL
type: bigint
- name: tx_id
description: Suricata DNSDetails TxID
type: bigint
- name: type
description: Suricata DNSDetails Type
type: string
- name: version
description: Suricata DNSDetails Version
type: bigint
- name: dest_ip
required: true
description: Suricata DNS DestIP
type: string
indicators:
- ip
- name: dest_port
description: Suricata DNS DestPort
type: int
- name: event_type
required: true
description: Suricata DNS EventType
type: string
- name: flow_id
required: true
description: Suricata DNS FlowID
type: bigint
indicators:
- trace_id
- name: pcap_cnt
description: Suricata DNS PcapCnt
type: bigint
- name: pcap_filename
description: Suricata DNS PcapFilename
type: string
- name: proto
required: true
description: Suricata DNS Proto
type: string
- name: in_iface
type: string
- name: src_ip
required: true
description: Suricata DNS SrcIP
type: string
indicators:
- ip
- name: src_port
description: Suricata DNS SrcPort
type: int
- name: timestamp
required: true
description: Suricata DNS Timestamp
type: timestamp
timeFormats:
- '%Y-%m-%dT%H:%M:%S.%f%z'
isEventTime: true
- name: vlan
description: Suricata DNS Vlan
type: array
element:
type: bigint
Suricata parser for the FileInfo event type in the EVE JSON output.
schema: Suricata.FileInfo
parser:
native:
name: Suricata.FileInfo
description: Suricata parser for the FileInfo event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-6.0.0/file-extraction/file-extraction.html#file-store-and-eve-fileinfo
fields:
- name: app_proto
required: true
description: app_proto
type: string
- name: dest_ip
required: true
description: dest_ip
type: string
indicators:
- ip
- name: dest_port
required: true
description: dest_port
type: bigint
- name: event_type
required: true
description: event_type
type: string
- name: fileinfo
required: true
description: fileinfo
type: object
fields:
- name: filename
required: true
description: filename
type: string
- name: gaps
required: true
description: gaps
type: boolean
- name: size
required: true
description: size
type: bigint
- name: state
required: true
description: state
type: string
- name: stored
required: true
description: stored
type: boolean
- name: tx_id
required: true
description: tx_id
type: bigint
- name: flow_id
required: true
description: flow_id
type: bigint
- name: http
required: true
description: http
type: object
fields:
- name: http_user_agent
description: http_user_agent
type: string
- name: http_content_type
description: http_content_type
type: string
- name: hostname
required: true
description: hostname
type: string
- name: http_method
required: true
description: http_method
type: string
- name: length
required: true
description: length
type: bigint
- name: protocol
required: true
description: protocol
type: string
- name: status
required: true
description: status
type: bigint
- name: url
required: true
description: url
type: string
- name: in_iface
required: true
description: in_iface
type: string
- name: proto
required: true
description: proto
type: string
- name: src_ip
required: true
description: src_ip
type: string
indicators:
- ip
- name: src_port
required: true
description: src_port
type: bigint
- name: timestamp
required: true
description: Suricata DNS Timestamp
type: timestamp
timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
isEventTime: true
Suricata parser for the Flow event type in the EVE JSON output.
schema: Suricata.Flow
parser:
native:
name: Suricata.Flow
description: Suricata parser for the Flow event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-6.0.0/output/eve/eve-json-format.html#event-type-flow
fields:
- name: app_proto_tc
description: app_proto_tc
type: string
- name: icmp_code
description: icmp_code
type: bigint
- name: icmp_type
description: icmp_type
type