SuricataAE - Suricata Alerting in Elastic
It's always a special day when we get to share! Introducing SuricataAE, a Watcher for Elasticsearch that sends e-mail alerts based on Suricata findings.
"Where's my e-mail alert?"
If you do any deployment of Suricata in any organization and if you could have a penny for every time you heard those magic words, you'd be set for life!
Whether we like it or not, e-mail is not going anywhere and neither are the alarms that should end up in a case management system, ideally one built specifically for security operations.
Calm down, I'm not saying that each alert should be a case or that all events should be an alert, OK? Let's get back on track here.
Until the day where organizations reach a position that can better leverage detection, the best we can do is develop tools that equip them to do the best possible job with what they have.
SuricataAE is an alarm configuration for Elasticsearch. More specially, it's an Elasticsearch Watcher.
The purpose of this Watcher is to look at data that is coming in from Suricata and, based on workflows or conditions we established, send e-mail notifications/alerts to the appropriate teams.
SuricataAE was developed to address some of the problems I mentioned above and eventually it reached a stage where we felt that releasing it could benefit other organizations that are looking into automating some of their interactions with Suricata.
The release of SuricataAE follows an ideology that is absolutely critical to us: responsible use of open source and a commitment to the projects that are so important to us. We're motivated and inspired by the people that are genuinely working towards a better, safer and more responsible information security eco-system and we try our best to be a part of that!
We hope that with this release we can help others in their deployments of Suricata and we're looking forward to comments or feature requests!
Also, a big welcome to the new mascot of the 3CORESec family! 😍