VYPR
advisoryPublished Jul 15, 2026· 1 source

DShield SIEM Enhanced with ELK Stack 8.19.15, Adds TTY and Suricata Log Analysis

The DShield SIEM has been updated to ELK stack version 8.19.15, introducing enhanced dashboards and new log collection capabilities for TTY and Suricata logs to improve threat analysis.

The DShield Security Information and Event Management (SIEM) system has received a significant update, moving to ELK stack version 8.19.15. This latest iteration brings forth not only minor tweaks but also substantial enhancements in its dashboarding and log collection functionalities, aiming to provide deeper insights into the activities occurring on DShield sensors.

The core of this update lies in the integration of two new log sources: TTY logs and Suricata logs. TTY logs, which record command execution on sensors, are now directly collected and parsed. Before being sent to the SIEM, these logs are base64 encoded to ensure secure transmission. Upon arrival, Kibana decodes them, allowing security analysts to review the exact commands executed by actors who have gained access to a sensor. This provides a granular view of post-exploitation activities.

These TTY logs are processed and uploaded daily at 23:58Z. Analysts can access this data within the DShield SIEM's Traffic Analysis tab, correlating the TTY log hashes with other security events. The system also now integrates Suricata logs, a popular open-source intrusion detection system (IDS). This integration further enriches the threat analysis capabilities, allowing for a more comprehensive understanding of network traffic and potential threats detected by Suricata.

The update also includes revamped dashboards designed to better visualize the collected data. A key feature of the new dashboards is their enhanced interactivity. For instance, selecting an IP address in one sub-dashboard will now automatically replicate that filter across all related sub-dashboards, streamlining the investigation process. This interconnectedness allows for a more fluid and efficient analysis of security incidents.

Furthermore, the updated dashboards incorporate a Threat Map, offering a visual representation of log traffic activity. This map allows users to observe the 'movement' of threats across networks, providing a high-level overview that can quickly highlight areas of concern or unusual activity. The ability to share queries across sub-dashboards and visualize traffic patterns on a map significantly improves the usability and effectiveness of the SIEM.

To enable the collection of TTY logs, users need to install and configure a specific BASH script, with detailed instructions available on the project's GitHub page. Similarly, instructions for configuring Suricata integration are also provided. These additions are part of an ongoing effort to enhance the DShield SIEM's capabilities and provide a more robust platform for monitoring and analyzing security events.

The DShield SIEM, maintained by the SANS Internet Storm Center, plays a crucial role in collecting and analyzing data from a global network of sensors. By continuously updating its capabilities, the project aims to provide valuable threat intelligence to the cybersecurity community, helping defenders stay ahead of emerging threats. This latest update, incorporating TTY and Suricata logs, represents a significant step forward in its ability to offer detailed and actionable security insights.

Synthesized by Vypr AI