Suricata Logs
Connecting Suricata logs to your Panther Console
Overview
Panther supports ingesting Suricata logs via common Data Transport options: Amazon Web Services (AWS) S3, SQS, and CloudWatch.
How to onboard Suricata logs to Panther
To connect these logs into Panther:
1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
2. Click Create New.
3. Search for the log type you want to onboard, then click its tile.
4. Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method.
5. Configure Suricata to push logs to the Data Transport source. See Suricata's documentation for instructions on pushing logs to your selected Data Transport source.
Supported log types
Required fields in all tables are in bold.
Suricata.Alert
Suricata parser for the Alert event type in the EVE JSON output.
For more information, see the Suricata documentation on
Reference: Suricata.Alert
parser:
  native:
    name: Suricata.Alert
fields:
  - name: files
    description: files
    type: array
    element:
      type: object
      fields:
        - name: filename
          required: true
          description: filename
          type: string
        - name: gaps
          required: true
          description: gaps
          type: boolean
        - name: size
          required: true
          description: size
          type: bigint
        - name: state
          required: true
          description: state
          type: string
        - name: stored
          required: true
          description: stored
          type: boolean
        - name: tx_id
          required: true
          description: tx_id
          type: bigint
  - name: tx_id
    description: tx_id
    type: bigint
  - name: http
    description: http
    type: object
    fields:
      - name: http_content_type
        description: http_content_type
        type: string
      - name: hostname
        description: hostname
        type: string
      - name: http_method
        description: http_method
        type: string
      - name: http_user_agent
        description: http_user_agent
        type: string
      - name: length
        description: length
        type: bigint
      - name: protocol
        description: protocol
        type: string
      - name: status
        description: status
        type: bigint
      - name: url
        description: url
        type: string
  - name: ssh
    description: ssh
    type: object
    fields:
      - name: server
        description: server
        type: object
        fields:
          - name: proto_version
            required: true
            description: proto_version
            type: float
          - name: software_version
            required: true
            description: software_version
            type: string
  - name: app_proto_tc
    description: app_proto_tc
    type: string
  - name: tls
    description: tls
    type: object
    fields:
      - name: sni
        description: sni
        type: string
        indicators:
          - ip
      - name: ja3
        required: true
        description: ja3
        type: object
        fields:
          - name: hash
            required: true
            description: hash
            type: string
          - name: string
            required: true
            description: string
            type: string
      - name: version
        required: true
        description: version
        type: string
  - name: app_proto
    description: app_proto
    type: string
  - name: metadata
    description: metadata
    type: object
    fields:
      - name: flowbits
        description: flowbits
        type: array
        element:
          type: string
      - name: flowints
        description: flowints
        type: object
        fields:
          - name: applayer.anomaly.count
            description: applayer.anomaly.count
            type: bigint
  - name: alert
    required: true
    description: alert
    type: object
    fields:
      - name: metadata
        description: metadata
        type: object
        fields:
          - name: former_category
            description: former_category
            type: array
            element:
              type: string
          - name: affected_product
            description: affected_product
            type: array
            element:
              type: string
          - name: attack_target
            description: attack_target
            type: array
            element:
              type: string
          - name: deployment
            description: deployment
            type: array
            element:
              type: string
          - name: signature_severity
            description: signature_severity
            type: array
            element:
              type: string
          - name: tag
            description: tag
            type: array
            element:
              type: string
          - name: created_at
            required: true
            description: created_at
            type: array
            element:
              type: float
          - name: updated_at
            required: true
            description: updated_at
            type: array
            element:
              type: float
      - name: action
        required: true
        description: action
        type: string
      - name: category
        required: true
        description: category
        type: string
      - name: gid
        required: true
        description: gid
        type: bigint
      - name: rev
        required: true
        description: rev
        type: bigint
      - name: severity
        required: true
        description: severity
        type: bigint
      - name: signature
        required: true
        description: signature
        type: string
      - name: signature_id
        required: true
        description: signature_id
        type: bigint
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: dest_port
    required: true
    description: dest_port
    type: bigint
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: flow
    required: true
    description: flow
    type: object
    fields:
      - name: bytes_toclient
        required: true
        description: bytes_toclient
        type: bigint
      - name: bytes_toserver
        required: true
        description: bytes_toserver
        type: bigint
      - name: pkts_toclient
        required: true
        description: pkts_toclient
        type: bigint
      - name: pkts_toserver
        required: true
        description: pkts_toserver
        type: bigint
      - name: start
        required: true
        description: start
        type: string
  - name: flow_id
    required: true
    description: flow_id
    type: bigint
  - name: in_iface
    required: true
    description: in_iface
    type: string
  - name: proto
    required: true
    description: proto
    type: string
  - name: src_ip
    required: true
    description: src_ip
    type: string
    indicators:
      - ip
  - name: src_port
    required: true
    description: src_port
    type: bigint
  - name: timestamp
    required: true
    description: Suricata DNS Timestamp
    type: timestamp
    timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
    isEventTime: true
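As an added example (not Panther's or Suricata's own code), the following Python detection is written in the rule()/title()/severity() shape that Panther Python rules use and runs over a constructed Suricata.Alert event whose field names come from the schema above. The sample event (including its placeholder JA3 hash), the deep_get helper and the Suricata-to-Panther severity mapping are assumptions made for this illustration.

```python
import json

# Constructed sample Suricata.Alert event (not a real capture); field names follow
# the Suricata.Alert schema above. The JA3 hash is a placeholder, not a real value.
SAMPLE_ALERT = json.loads("""{
  "timestamp": "2023-05-01T12:34:56.789012+0000",
  "event_type": "alert",
  "flow_id": 1234567890,
  "in_iface": "eth0",
  "src_ip": "10.0.0.5", "src_port": 51234,
  "dest_ip": "203.0.113.9", "dest_port": 443,
  "proto": "TCP", "app_proto": "tls",
  "alert": {"action": "allowed", "gid": 1, "signature_id": 9000001, "rev": 2,
            "signature": "EXAMPLE Suspicious TLS handshake", "category": "Example Category",
            "severity": 1,
            "metadata": {"signature_severity": ["Major"], "tag": ["TLS"]}},
  "tls": {"sni": "example.com", "version": "TLS 1.2",
          "ja3": {"hash": "placeholder-ja3-hash", "string": "771,4865-4866"}},
  "flow": {"pkts_toserver": 4, "pkts_toclient": 3, "bytes_toserver": 600,
           "bytes_toclient": 4100, "start": "2023-05-01T12:34:56.000000+0000"}
}""")

# Assumed mapping from Suricata's numeric severity (1 = highest) to Panther-style levels.
SEVERITY_MAP = {1: "HIGH", 2: "MEDIUM", 3: "LOW"}


def deep_get(obj, *keys, default=None):
    """Walk nested dicts; return default if any key on the path is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def rule(event):
    """Fire on severity-1 alerts that Suricata did not already drop inline."""
    if event.get("event_type") != "alert":
        return False
    sev = deep_get(event, "alert", "severity", default=99)
    action = deep_get(event, "alert", "action", default="")
    return sev == 1 and action != "drop"


def severity(event):
    """Map Suricata severity to a Panther-style level; unknown values become INFO."""
    return SEVERITY_MAP.get(deep_get(event, "alert", "severity"), "INFO")


def title(event):
    """Human-readable title built from the 5-tuple, the signature and the TLS SNI."""
    sig = deep_get(event, "alert", "signature", default="unknown signature")
    sni = deep_get(event, "tls", "sni")
    where = f" (SNI {sni})" if sni else ""
    return (f"Suricata [{sig}] {event.get('src_ip')}:{event.get('src_port')} -> "
            f"{event.get('dest_ip')}:{event.get('dest_port')}{where}")


def dedup(event):
    """Collapse repeated hits of the same signature on the same flow into one alert."""
    return f"{deep_get(event, 'alert', 'signature_id')}:{event.get('flow_id')}"


def alert_context(event):
    """Fields an analyst wants up front: rule identity, TLS client fingerprint, flow size."""
    return {
        "signature_id": deep_get(event, "alert", "signature_id"),
        "category": deep_get(event, "alert", "category"),
        "action": deep_get(event, "alert", "action"),
        "tls_sni": deep_get(event, "tls", "sni"),
        "ja3_hash": deep_get(event, "tls", "ja3", "hash"),
        "bytes_toserver": deep_get(event, "flow", "bytes_toserver"),
        "bytes_toclient": deep_get(event, "flow", "bytes_toclient"),
    }
```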
Suricata.Anomaly
Suricata parser for the Anomaly event type in the EVE JSON output.
Reference: Suricata Documentation on EVE JSON Output Anomalies.
| Column | Type | Description |
| --- | --- | --- |
| anomaly | { "code":bigint, "event":string, "layer":string, "type":string } | Suricata Anomaly Anomaly |
| app_proto | string | Suricata Anomaly AppProto |
| community_id | string | Suricata Anomaly CommunityID |
| dest_ip | string | Suricata Anomaly DestIP |
| dest_port | int | Suricata Anomaly DestPort |
| event_type | string | Suricata Anomaly EventType |
| flow_id | bigint | Suricata Anomaly FlowID |
| icmp_code | bigint | Suricata Anomaly IcmpCode |
| icmp_type | bigint | Suricata Anomaly IcmpType |
| metadata | { "flowbits":[string], "flowints":{ "applayer_anomaly_count":bigint, "http_anomaly_count":bigint, "tcp_retransmission_count":bigint, "tls_anomaly_count":bigint } } | Suricata Anomaly Metadata |
| packet | string | Suricata Anomaly Packet |
| packet_info | { "linktype":bigint } | Suricata Anomaly PacketInfo |
| pcap_cnt | bigint | Suricata Anomaly PcapCnt |
| pcap_filename | string | Suricata Anomaly PcapFilename |
| proto | bigint | Suricata Anomaly Proto |
| src_ip | string | Suricata Anomaly SrcIP |
| src_port | int | Suricata Anomaly SrcPort |
| timestamp | timestamp | Suricata Anomaly Timestamp |
| tx_id | bigint | Suricata Anomaly TxID |
| vlan | [bigint] | Suricata Anomaly Vlan |
| p_log_type | string | Panther added field with type of log |
| p_row_id | string | Panther added field with unique id (within table) |
| p_event_time | timestamp | Panther added standardized event time (UTC) |
| p_parse_time | timestamp | Panther added standardized log parse time (UTC) |
| p_source_id | string | Panther added field with the source id |
| p_source_label | string | Panther added field with the source label |
| p_any_ip_addresses | [string] | Panther added field with collection of ip addresses associated with the row |
| p_any_domain_names | [string] | Panther added field with collection of domain names associated with the row |
| p_any_sha1_hashes | [string] | Panther added field with collection of SHA1 hashes associated with the row |
| p_any_md5_hashes | [string] | Panther added field with collection of MD5 hashes associated with the row |
| p_any_sha256_hashes | [string] | Panther added field with collection of SHA256 hashes of any algorithm associated with the row |
Suricata.DHCP
Suricata parser for the DHCP event type in the EVE JSON output.
Reference: Suricata.DHCP
parser:
  native:
    name: Suricata.DHCP
description: Suricata parser for the DHCP event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-5.0.2/output/eve/eve-json-output.html
fields:
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: dest_port
    required: true
    description: dest_port
    type: bigint
  - name: dhcp
    required: true
    description: dhcp
    type: object
    fields:
      - name: assigned_ip
        required: true
        description: assigned_ip
        type: string
        indicators:
          - ip
      - name: client_mac
        required: true
        description: client_mac
        type: string
      - name: dhcp_type
        required: true
        description: dhcp_type
        type: string
      - name: hostname
        required: true
        description: hostname
        type: string
      - name: id
        required: true
        description: id
        type: string
        indicators:
          - trace_id
      - name: type
        required: true
        description: type
        type: string
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: flow_id
    required: true
    description: flow_id
    type: bigint
  - name: in_iface
    required: true
    description: in_iface
    type: string
  - name: proto
    required: true
    description: proto
    type: string
  - name: src_ip
    required: true
    description: src_ip
    type: string
    indicators:
      - ip
  - name: src_port
    required: true
    description: src_port
    type: bigint
  - name: timestamp
    required: true
    description: Suricata DNS Timestamp
    type: timestamp
    timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
    isEventTime: true
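As an added example (not Panther's or Suricata's own code), the following Python checks constructed EVE JSON DHCP lines against a hand-transcribed copy of the Suricata.DHCP schema above: every path marked required: true must be present, fields marked with the ip indicator feed p_any_ip_addresses, and the field marked isEventTime becomes p_event_time in UTC. The DHCP_SCHEMA dict, classify_line() and the sample lines are assumptions made for this illustration, not Panther's parser.

```python
import json
from datetime import datetime, timezone

# Hand-transcribed, compact form of the Suricata.DHCP schema above:
# dotted field path -> (required, indicator). Nested objects are listed with their children.
DHCP_SCHEMA = {
    "dest_ip": (True, "ip"),
    "dest_port": (True, None),
    "dhcp": (True, None),
    "dhcp.assigned_ip": (True, "ip"),
    "dhcp.client_mac": (True, None),
    "dhcp.dhcp_type": (True, None),
    "dhcp.hostname": (True, None),
    "dhcp.id": (True, "trace_id"),
    "dhcp.type": (True, None),
    "event_type": (True, None),
    "flow_id": (True, None),
    "in_iface": (True, None),
    "proto": (True, None),
    "src_ip": (True, "ip"),
    "src_port": (True, None),
    "timestamp": (True, None),
}
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # the schema's timeFormat without the strftime= prefix

# Constructed EVE JSON lines (not a real capture). The second one omits dhcp.hostname.
SAMPLE_LINES = [
    '{"timestamp":"2023-05-01T12:00:00.123456+0000","event_type":"dhcp","flow_id":1,'
    '"in_iface":"eth0","src_ip":"0.0.0.0","src_port":68,"dest_ip":"255.255.255.255",'
    '"dest_port":67,"proto":"UDP","dhcp":{"type":"reply","id":"305419896",'
    '"client_mac":"00:11:22:33:44:55","assigned_ip":"192.0.2.10","dhcp_type":"ack",'
    '"hostname":"laptop-01"}}',
    '{"timestamp":"2023-05-01T12:00:01.000000+0000","event_type":"dhcp","flow_id":2,'
    '"in_iface":"eth0","src_ip":"0.0.0.0","src_port":68,"dest_ip":"255.255.255.255",'
    '"dest_port":67,"proto":"UDP","dhcp":{"type":"request","id":"305419897",'
    '"client_mac":"00:11:22:33:44:66","assigned_ip":"0.0.0.0","dhcp_type":"discover"}}',
]


def lookup(event, dotted_path):
    """Resolve a dotted path against nested dicts; None if any step is missing."""
    node = event
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def classify_line(line, log_type="Suricata.DHCP"):
    """Parse one EVE JSON line against DHCP_SCHEMA.

    Returns (event, missing). When every required path is present, event carries the
    Panther-style p_* fields this page lists; otherwise event is None and missing names
    the absent required paths (a line that does not fit the schema fails classification).
    """
    event = json.loads(line)
    missing = []
    ip_indicators = set()
    for path, (required, indicator) in DHCP_SCHEMA.items():
        value = lookup(event, path)
        if value is None:  # absent key, or JSON null, both count as missing
            if required:
                missing.append(path)
            continue
        if indicator == "ip":
            ip_indicators.add(value)
    if missing:
        return None, missing
    # isEventTime: true -> the timestamp field becomes p_event_time, normalised to UTC.
    event_time = datetime.strptime(event["timestamp"], TIME_FORMAT).astimezone(timezone.utc)
    event["p_log_type"] = log_type
    event["p_event_time"] = event_time.isoformat()
    event["p_any_ip_addresses"] = sorted(ip_indicators)
    return event, missing
```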
Suricata.DNS
Suricata parser for the DNS event type in the EVE JSON output.
Reference: Suricata Documentation on EVE JSON Output DNS.
schema: Suricata.DNS
description: Suricata parser for the DNS event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-5.0.2/output/eve/eve-json-output.html#dns
fields:
  - name: community_id
    description: Suricata DNS CommunityID
    type: string
  - name: dns
    required: true
    description: Suricata DNS DNS
    type: object
    fields:
      - name: aa
        description: Suricata DNSDetails Aa
        type: boolean
      - name: answers
        description: Suricata DNSDetails Answers
        type: array
        element:
          type: object
          fields:
            - name: rdata
              required: true
              description: Suricata DNSDetailsAnswers Rdata
              type: string
              indicators:
                - hostname
            - name: rrname
              required: true
              description: Suricata DNSDetailsAnswers Rrname
              type: string
              indicators:
                - domain
            - name: rrtype
              required: true
              description: Suricata DNSDetailsAnswers Rrtype
              type: string
            - name: ttl
              required: true
              description: Suricata DNSDetailsAnswers TTL
              type: bigint
      - name: authorities
        description: Suricata DNSDetails Authorities
        type: array
        element:
          type: object
          fields:
            - name: rrname
              required: true
              description: Suricata DNSDetailsAuthorities Rrname
              type: string
            - name: rrtype
              required: true
              description: Suricata DNSDetailsAuthorities Rrtype
              type: string
            - name: soa
              required: true
              type: object
              fields:
                - name: expire
                  required: true
                  type: bigint
                - name: minimum
                  required: true
                  type: bigint
                - name: mname
                  required: true
                  type: string
                - name: refresh
                  required: true
                  type: bigint
                - name: retry
                  required: true
                  type: bigint
                - name: rname
                  required: true
                  type: string
                - name: serial
                  required: true
                  type: bigint
            - name: ttl
              required: true
              description: Suricata DNSDetailsAuthorities TTL
              type: bigint
      - name: flags
        description: Suricata DNSDetails Flags
        type: string
      - name: grouped
        description: Suricata DNSDetails Grouped
        type: object
        fields:
          - name: A
            description: Suricata DNSDetailsGrouped A
            type: array
            element:
              type: string
              indicators:
                - ip
          - name: AAAA
            description: Suricata DNSDetailsGrouped Aaaa
            type: array
            element:
              type: string
              indicators:
                - ip
          - name: CNAME
            description: Suricata DNSDetailsGrouped Cname
            type: array
            element:
              type: string
              indicators:
                - domain
          - name: MX
            description: Suricata DNSDetailsGrouped Mx
            type: array
            element:
              type: string
              indicators:
                - domain
          - name: PTR
            description: Suricata DNSDetailsGrouped Ptr
            type: array
            element:
              type: string
          - name: TXT
            description: Suricata DNSDetailsGrouped Txt
            type: array
            element:
              type: string
      - name: id
        required: true
        description: Suricata DNSDetails ID
        type: bigint
      - name: qr
        description: Suricata DNSDetails Qr
        type: boolean
      - name: ra
        description: Suricata DNSDetails Ra
        type: boolean
      - name: rcode
        description: Suricata DNSDetails Rcode
        type: string
      - name: rd
        description: Suricata DNSDetails Rd
        type: boolean
      - name: rrname
        description: Suricata DNSDetails Rrname
        type: string
        indicators:
          - domain
      - name: rdata
        description: Suricata DNSDetails RData
        type: string
        indicators:
          - ip
      - name: rrtype
        description: Suricata DNSDetails Rrtype
        type: string
      - name: ttl
        description: Suricata DNSDetails TTL
        type: bigint
      - name: tx_id
        description: Suricata DNSDetails TxID
        type: bigint
      - name: type
        description: Suricata DNSDetails Type
        type: string
      - name: version
        description: Suricata DNSDetails Version
        type: bigint
  - name: dest_ip
    required: true
    description: Suricata DNS DestIP
    type: string
    indicators:
      - ip
  - name: dest_port
    description: Suricata DNS DestPort
    type: int
  - name: event_type
    required: true
    description: Suricata DNS EventType
    type: string
  - name: flow_id
    required: true
    description: Suricata DNS FlowID
    type: bigint
    indicators:
      - trace_id
  - name: pcap_cnt
    description: Suricata DNS PcapCnt
    type: bigint
  - name: pcap_filename
    description: Suricata DNS PcapFilename
    type: string
  - name: proto
    required: true
    description: Suricata DNS Proto
    type: string
  - name: in_iface
    type: string
  - name: src_ip
    required: true
    description: Suricata DNS SrcIP
    type: string
    indicators:
      - ip
  - name: src_port
    description: Suricata DNS SrcPort
    type: int
  - name: timestamp
    required: true
    description: Suricata DNS Timestamp
    type: timestamp
    timeFormats:
      - '%Y-%m-%dT%H:%M:%S.%f%z'
    isEventTime: true
  - name: vlan
    description: Suricata DNS Vlan
    type: array
    element:
      type: bigint
Suricata.FileInfo
Suricata parser for the FileInfo event type in the EVE JSON output.
Reference: File and store EVE file info.
schema: Suricata.FileInfo
parser:
  native:
    name: Suricata.FileInfo
description: Suricata parser for the FileInfo event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-6.0.0/file-extraction/file-extraction.html#file-store-and-eve-fileinfo
fields:
  - name: app_proto
    required: true
    description: app_proto
    type: string
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: dest_port
    required: true
    description: dest_port
    type: bigint
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: fileinfo
    required: true
    description: fileinfo
    type: object
    fields:
      - name: filename
        required: true
        description: filename
        type: string
      - name: gaps
        required: true
        description: gaps
        type: boolean
      - name: size
        required: true
        description: size
        type: bigint
      - name: state
        required: true
        description: state
        type: string
      - name: stored
        required: true
        description: stored
        type: boolean
      - name: tx_id
        required: true
        description: tx_id
        type: bigint
  - name: flow_id
    required: true
    description: flow_id
    type: bigint
  - name: http
    required: true
    description: http
    type: object
    fields:
      - name: http_user_agent
        description: http_user_agent
        type: string
      - name: http_content_type
        description: http_content_type
        type: string
      - name: hostname
        required: true
        description: hostname
        type: string
      - name: http_method
        required: true
        description: http_method
        type: string
      - name: length
        required: true
        description: length
        type: bigint
      - name: protocol
        required: true
        description: protocol
        type: string
      - name: status
        required: true
        description: status
        type: bigint
      - name: url
        required: true
        description: url
        type: string
  - name: in_iface
    required: true
    description: in_iface
    type: string
  - name: proto
    required: true
    description: proto
    type: string
  - name: src_ip
    required: true
    description: src_ip
    type: string
    indicators:
      - ip
  - name: src_port
    required: true
    description: src_port
    type: bigint
  - name: timestamp
    required: true
    description: Suricata DNS Timestamp
    type: timestamp
    timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
    isEventTime: true
Suricata.Flow
Suricata parser for the Flow event type in the EVE JSON output.
Reference: Flow event type.
schema: Suricata.Flow
parser:
  native:
    name: Suricata.Flow
description: Suricata parser for the Flow event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-6.0.0/output/eve/eve-json-format.html#event-type-flow
fields:
  - name: app_proto_tc
    description: app_proto_tc
    type: string
  - name: icmp_code
    description: icmp_code
    type: bigint
  - name: icmp_type
    description: icmp_type
    type: bigint
  - name: metadata
    description: metadata
    type: object
    fields:
      - name: flowbits
        description: flowbits
        type: array
        element:
          type: string
      - name: flowints
        description: flowints
        type: object
        fields:
          - name: applayer.anomaly.count
            description: applayer.anomaly.count
            type: bigint
  - name: app_proto
    description: app_proto
    type: string
  - name: tcp
    description: tcp
    type: object
    fields:
      - name: psh
        description: psh
        type: boolean
      - name: cwr
        description: cwr
        type: boolean
      - name: ecn
        description: ecn
        type: boolean
      - name: fin
        description: fin
        type: boolean
      - name: rst
        description: rst
        type: boolean
      - name: ack
        description: ack
        type: boolean
      - name: state
        description: state
        type: string
      - name: syn
        description: syn
        type: boolean
      - name: tcp_flags
        required: true
        description: tcp_flags
        type: string
      - name: tcp_flags_tc
        required: true
        description: tcp_flags_tc
        type: string
      - name: tcp_flags_ts
        required: true
        description: tcp_flags_ts
        type: string
  - name: dest_port
    description: dest_port
    type: bigint
  - name: src_port
    description: src_port
    type: bigint
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: flow
    required: true
    description: flow
    type: object
    fields:
      - name: age
        required: true
        description: age
        type: bigint
      - name: alerted
        required: true
        description: alerted
        type: boolean
      - name: bytes_toclient
        required: true
        description: bytes_toclient
        type: bigint
      - name: bytes_toserver
        required: true
        description: bytes_toserver
        type: bigint
      - name: end
        required: true
        description: end
        type: string
      - name: pkts_toclient
        required: true
        description: pkts_toclient
        type: bigint
      - name: pkts_toserver
        required: true
        description: pkts_toserver
        type: bigint
      - name: reason
        required: true
        description: reason
        type: string
      - name: start
        required: true
        description: start
        type: string
      - name: state
        required: true
        description: state
        type: string
  - name: flow_id
    required: true
    description: flow_id
    type: bigint
  - name: in_iface
    required: true
    description: in_iface
    type: string
  - name: proto
    required: true
    description: proto
    type: string
  - name: src_ip
    required: true
    description: src_ip
    type: string
    indicators:
      - ip
  - name: timestamp
    required: true
    description: Suricata DNS Timestamp
    type: timestamp
    timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
    isEventTime: true
Suricata.HTTP
Suricata parser for the HTTP event type in the EVE JSON output.
Reference: HTTP event type.
schema: Suricata.HTTP
parser:
  native:
    name: Suricata.HTTP
description: Suricata parser for the HTTP event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-6.0.0/output/eve/eve-json-output.html#http
fields:
  - name: metadata
    description: metadata
    type: object
    fields:
      - name: flowbits
        description: flowbits
        type: array
        element:
          type: string
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: dest_port
    required: true
    description: dest_port
    type: bigint
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: flow_id
    required: true
    description: flow_id
    type: bigint
  - name: http
    required: true
    description: http
    type: object
    fields:
      - name: http_user_agent
        description: http_user_agent
        type: string
      - name: http_content_type
        description: http_content_type
        type: string
      - name: hostname
        description: hostname
        type: string
      - name: http_method
        description: http_method
        type: string
      - name: length
        description: length
        type: bigint
      - name: protocol
        description: protocol
        type: string
      - name: status
        description: status
        type: bigint
      - name: url
        description: url
        type: string
  - name: in_iface
    required: true
    description: in_iface
    type: string
  - name: proto
    required: true
    description: proto
    type: string
  - name: src_ip
    required: true
    description: src_ip
    type: string
    indicators:
      - ip
  - name: src_port
    required: true
    description: src_port
    type: bigint
  - name: timestamp
    required: true
    description: Suricata DNS Timestamp
    type: timestamp
    timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
    isEventTime: true
  - name: tx_id
    required: true
    description: tx_id
    type: bigint
Suricata.SSH
Suricata parser for the SSH event type in the EVE JSON output.
Reference: SSH event type.
schema: Suricata.SSH
parser:
  native:
    name: Suricata.SSH
description: Suricata parser for the SSH event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-6.0.0/output/eve/eve-json-format.html#event-type-ssh
fields:
  - name: metadata
    description: metadata
    type: object
    fields:
      - name: flowbits
        description: flowbits
        type: array
        element:
          type: string
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: dest_port
    required: true
    description: dest_port
    type: bigint
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: flow_id
    required: true
    description: flow_id
    type: bigint
  - name: in_iface
    required: true
    description: in_iface
    type: string
  - name: proto
    required: true
    description: proto
    type: string
  - name: src_ip
    required: true
    description: src_ip
    type: string
    indicators:
      - ip
  - name: src_port
    required: true
    description: src_port
    type: bigint
  - name: ssh
    required: true
    description: ssh
    type: object
    fields:
      - name: client
        description: client
        type: object
        fields:
          - name: proto_version
            required: true
            description: proto_version
            type: float
          - name: software_version
            required: true
            description: software_version
            type: string
      - name: server
        description: server
        type: object
        fields:
          - name: proto_version
            required: true
            description: proto_version
            type: float
          - name: software_version
            required: true
            description: software_version
            type: string
  - name: timestamp
    required: true
    description: Suricata DNS Timestamp
    type: timestamp
    timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
    isEventTime: true
  - name: tx_id
    required: true
    description: tx_id
    type: bigint
Suricata.TLS
Suricata parser for the TLS event type in the EVE JSON output.
Reference: TLS event type.
schema: Suricata.TLS
parser:
  native:
    name: Suricata.TLS
description: Suricata parser for the TLS event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-6.0.0/output/eve/eve-json-format.html#event-type-tls
fields:
  - name: metadata
    description: metadata
    type: object
    fields:
      - name: flowints
        description: flowints
        type: object
        fields:
          - name: applayer.anomaly.count
            description: applayer.anomaly.count
            type: bigint
      - name: flowbits
        description: flowbits
        type: array
        element:
          type: string
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: dest_port
    required: true
    description: dest_port
    type: bigint
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: flow_id
    required: true
    description: flow_id
    type: bigint
  - name: in_iface
    required: true
    description: in_iface
    type: string
  - name: proto
    required: true
    description: proto
    type: string
  - name: src_ip
    required: true
    description: src_ip
    type: string
    indicators:
      - ip
  - name: src_port
    required: true
    description: src_port
    type: bigint
  - name: timestamp
    required: true
    description: Suricata DNS Timestamp
    type: timestamp
    timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
    isEventTime: true
  - name: tls
    required: true
    description: tls
    type: object
    fields:
      - name: fingerprint
        description: fingerprint
        type: string
      - name: issuerdn
        description: issuerdn
        type: string
      - name: notafter
        description: notafter
        type: string
      - name: notbefore
        description: notbefore
        type: string
      - name: serial
        description: serial
        type: string
      - name: subject
        description: subject
        type: string
      - name: ja3
        required: true
        description: ja3
        type: object
        fields:
          - name: hash
            description: hash
            type: string
          - name: string
            description: string
            type: string
      - name: ja3s
        required: true
        description: ja3s
        type: object
        fields:
          - name: hash
            description: hash
            type: string
          - name: string
            description: string
            type: string
      - name: sni
        description: sni
        type: string
      - name: version
        required: true
        description: version
        type: string