Suricata anomaly detected from source IP address

This rule is part of a beta feature. To learn more, contact Support.
suricata

Classification:

anomaly

Set up the suricata integration.

Goal

Detect when Suricata raises an anomaly based detection.

Strategy

The rule monitors Suricata logs of the anomaly event type and triggers when an anomaly is detected from a source IP address.
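The detection logic described above, as an added example that is not Datadog's rule implementation or Suricata code: it parses EVE JSON lines, keeps only records whose event_type is anomaly, and groups them by source IP with their anomaly.type and anomaly.event values, the same fields the triage step uses. The sample lines, addresses and event names are constructed for illustration, not real Suricata output.

```python
import json
from collections import defaultdict

# Constructed sample EVE JSON lines (not real Suricata output). Anomaly records
# carry event_type "anomaly" and an "anomaly" object with "type" and "event".
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"anomaly","src_ip":"10.0.0.5","src_port":44321,"dest_ip":"10.0.0.20","dest_port":80,"proto":"TCP","anomaly":{"type":"applayer","event":"INVALID_REQUEST_LINE","app_proto":"http","layer":"proto_parser"}}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.20","proto":"TCP","alert":{"signature":"constructed alert"}}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"anomaly","src_ip":"10.0.0.5","src_port":44322,"dest_ip":"10.0.0.20","dest_port":80,"proto":"TCP","anomaly":{"type":"stream","event":"stream.pkt_broken_ack"}}',
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"anomaly","src_ip":"10.0.0.9","dest_ip":"10.0.0.20","proto":"UDP","anomaly":{"type":"decode","event":"ipv4.opt_pad_required"}}',
    "not json at all",  # a malformed line the parser must tolerate
]


def parse_anomalies(lines):
    """Yield (src_ip, anomaly_type, anomaly_event, timestamp) for each anomaly record.

    Non-JSON lines and records of other event types (alert, flow, ...) are skipped,
    as a log pipeline feeding this rule would do.
    """
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "anomaly":
            continue
        anomaly = rec.get("anomaly", {})
        yield rec.get("src_ip"), anomaly.get("type"), anomaly.get("event"), rec.get("timestamp")


def anomalies_by_source(lines):
    """Group anomaly records by source IP: {src_ip: [{"type", "event", "timestamp"}, ...]}."""
    grouped = defaultdict(list)
    for src_ip, a_type, a_event, ts in parse_anomalies(lines):
        grouped[src_ip].append({"type": a_type, "event": a_event, "timestamp": ts})
    return dict(grouped)


def triage_summary(lines):
    """One line per source IP with the record count and distinct type:event pairs,
    which is the information the triage step asks an analyst to start from."""
    out = []
    for src_ip, items in sorted(anomalies_by_source(lines).items()):
        kinds = sorted({f"{i['type']}:{i['event']}" for i in items})
        out.append(f"{src_ip}: {len(items)} anomaly record(s); {', '.join(kinds)}")
    return out


if __name__ == "__main__":
    for line in triage_summary(SAMPLE_EVE_LINES):
        print(line)
```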

Triage and response

  1. Investigate the anomaly generated from {{@network.client.ip}} by anomaly type ({{@anomaly.type}}) and anomaly event name ({{@anomaly.event}}).
  2. Examine the reassembled traffic to understand the nature of the anomaly and determine if the anomaly is due to benign network issues or malicious activity.
  3. If the anomalies are deemed malicious, take steps to block the offending traffic and strengthen network defences.