Overview#
A critical infrastructure operator running power grid management systems deployed Suricata sensors at the boundary between its corporate network and operational technology (OT) segment. Within 48 hours of ingesting EVE JSON logs into Argus, analysts identified a pattern of low-frequency DNS queries to an algorithmically generated (DGA-style) domain originating from an OT historian server. Cross-correlation with MISP indicators from a sector-specific ISAC confirmed that the traffic matched a known ICS-targeting threat actor's C2 profile. Without the automated correlation between Suricata and the threat intelligence layer, the analyst would have needed to pivot through four separate tools manually.
Argus integrates with Suricata, the high-performance open-source Intrusion Detection and Prevention System maintained by the Open Information Security Foundation (OISF). EVE JSON alert logs produced by Suricata sensors are ingested directly into Argus, normalised into structured alert records, and made available for cross-correlation with threat intelligence, MISP indicators, and Sigma rule matches. This closes the loop between network-level detection and the broader operational intelligence picture, transforming network telemetry into actionable security events.
Diagram
flowchart LR
A[Perimeter Suricata Sensors] --> E[Argus EVE Ingestion Pipeline]
B[OT/ICS Boundary Sensors] --> E
C[Cloud Egress Sensors] --> E
D[Suricata REST API Poll] --> E
E --> F[Alert Normalisation]
E --> G[Deduplication Engine]
E --> H[Classification Tagging]
F --> I[MISP IOC Cross-Correlation]
G --> J[Analyst Alert Queue]
H --> K[Sigma Rule Match Overlay]
Key Features#
EVE JSON Batch Ingestion#
The ingestEveBatch operation accepts raw EVE JSON log lines (one JSON object per batch element, exactly as Suricata writes them to eve.json) and processes them as a pipeline: parse, normalise, persist, audit. The parse_eve_json_batch adapter handles Suricata's EVE format including the alert, dns, http, tls, and fileinfo event types. Each alert is normalised into a structured Argus record capturing signature ID, rule name, severity, source and destination IP and port, protocol, and alert category (Suricata severity is a priority value in which 1 is the most severe). Rule-name-based deduplication on the analyst-queue path collapses repeated hits of a single signature so that an active attack phase cannot flood the queue. Because the key is the rule name rather than the endpoint pair, one collapsed entry can cover several source hosts; analysts should check the hit count and the endpoints behind a deduplicated entry before treating it as a single event.
API Polling#
For deployments where a REST endpoint is available in front of the sensor, the SuricataClient polls it on a configured interval to retrieve new alerts. Suricata itself exposes a Unix command socket (the interface used by suricatasc) rather than an HTTP API, so in practice the REST endpoint is provided by a sensor management layer or log-shipping agent that reads eve.json. Pull-based collection also needs a high-water mark (last seen timestamp or file offset) carried between polls so that overlapping intervals neither drop nor duplicate alerts. Together with log file ingestion this supports both push-based (log file ingestion) and pull-based (API polling) deployment patterns, from centralised log aggregators to edge-deployed sensors at remote sites. A genuinely air-gapped sensor cannot be polled at all; its telemetry reaches Argus only as EVE batches carried across the gap and ingested from file.
Alert Inventory and Cross-Correlation#
Query alert inventory filtered by signature ID, severity, source IP, or time range. Suricata alerts can be cross-referenced against MISP indicators and Sigma rules to identify where network-level IDS signals confirm or extend threat intelligence feeds. This correlation capability is especially valuable during threat hunting operations, where accumulated alert history provides the raw material for identifying low-and-slow attack patterns that real-time alerting misses.
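The ingestion pipeline and the inventory query described above, as an added Python example that is not Argus code and not the project's own adapter: it parses constructed EVE lines (one JSON object per element, a corrupt line included), normalises alert events into the record fields listed under EVE JSON Batch Ingestion, deduplicates the queue by rule name while keeping the hit count and endpoints, filters the inventory by signature ID, severity ceiling, source IP and time range, and cross-references destination IPs and DNS query names against a constructed MISP-style attribute list. All function names, the sample lines, the signature IDs (9000000 range), the RFC 5737 addresses and the .example domain are assumptions made for illustration.

```python
# Added example, not Argus code. Sample EVE lines and IOCs below are constructed.
import json
from datetime import datetime

KNOWN_EVENT_TYPES = {"alert", "dns", "http", "tls", "fileinfo"}

# Constructed EVE lines: made-up signature IDs, RFC 5737 addresses, .example domain.
SAMPLE_EVE = [
    '{"timestamp":"2026-03-10T08:00:01.000000+0000","flow_id":11,"event_type":"alert",'
    '"src_ip":"10.20.30.40","src_port":51234,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":2,"signature":"EXAMPLE MALWARE '
    'Beacon to known C2","category":"A Network Trojan was detected","severity":1}}',
    '{"timestamp":"2026-03-10T08:05:01.000000+0000","flow_id":12,"event_type":"alert",'
    '"src_ip":"10.20.30.41","src_port":51300,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":2,"signature":"EXAMPLE MALWARE '
    'Beacon to known C2","category":"A Network Trojan was detected","severity":1}}',
    '{"timestamp":"2026-03-10T08:06:00.000000+0000","flow_id":13,"event_type":"alert",'
    '"src_ip":"10.20.30.40","src_port":51400,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"EXAMPLE POLICY '
    'Cleartext HTTP basic auth","category":"Potential Corporate Privacy Violation","severity":3}}',
    '{"timestamp":"2026-03-10T08:07:00.000000+0000","flow_id":14,"event_type":"dns",'
    '"src_ip":"10.20.30.40","src_port":40000,"dest_ip":"10.20.0.2","dest_port":53,"proto":"UDP",'
    '"dns":{"type":"query","id":4711,"rrname":"xk3jq9.example","rrtype":"A"}}',
    "this line is not json",  # a corrupt line must be counted, not abort the batch
]
# Constructed MISP-style attributes (type, value); not a real feed.
SAMPLE_IOCS = [("ip-dst", "203.0.113.10"), ("domain", "xk3jq9.example")]


def parse_ts(ts):
    """EVE timestamps look like 2026-03-10T08:00:01.000000+0000 (numeric offset)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def normalise_alert(ev):
    """Flatten one EVE alert event into the structured record fields listed above."""
    a = ev["alert"]
    return {"timestamp": parse_ts(ev["timestamp"]), "flow_id": ev.get("flow_id"),
            "signature_id": a["signature_id"], "rule_name": a["signature"],
            "severity": a["severity"],  # Suricata priority: 1 is the most severe
            "category": a.get("category", ""), "proto": ev.get("proto", ""),
            "src_ip": ev["src_ip"], "src_port": ev.get("src_port"),
            "dest_ip": ev["dest_ip"], "dest_port": ev.get("dest_port")}


def parse_eve_batch(lines):
    """Return (normalised alerts, other known events, rejected line count).
    A malformed or field-incomplete line is counted and skipped, never raised."""
    alerts, others, rejected = [], [], 0
    for line in lines:
        try:
            ev = json.loads(line)
            etype = ev["event_type"]
            if etype == "alert":
                alerts.append(normalise_alert(ev))
            elif etype in KNOWN_EVENT_TYPES:
                others.append(ev)
        except (ValueError, KeyError, TypeError):
            rejected += 1
    return alerts, others, rejected


def deduplicate(alerts):
    """Collapse repeated hits of one rule into a single queue entry keyed on rule
    name. That key alone hides which hosts fired the rule, so the entry keeps
    hit count, distinct endpoints and first/last seen for the analyst."""
    merged = {}
    for a in alerts:
        e = merged.get(a["rule_name"])
        if e is None:
            e = merged[a["rule_name"]] = dict(a, hit_count=0, src_ips=set(), dest_ips=set(),
                                              first_seen=a["timestamp"], last_seen=a["timestamp"])
        e["hit_count"] += 1
        e["src_ips"].add(a["src_ip"])
        e["dest_ips"].add(a["dest_ip"])
        e["first_seen"] = min(e["first_seen"], a["timestamp"])
        e["last_seen"] = max(e["last_seen"], a["timestamp"])
    return list(merged.values())


def query_alerts(alerts, signature_id=None, max_severity=None, src_ip=None, start=None, end=None):
    """Inventory filter; severity is a ceiling because 1 is the highest priority."""
    return [a for a in alerts
            if (signature_id is None or a["signature_id"] == signature_id)
            and (max_severity is None or a["severity"] <= max_severity)
            and (src_ip is None or a["src_ip"] == src_ip)
            and (start is None or a["timestamp"] >= start)
            and (end is None or a["timestamp"] < end)]


def correlate_with_iocs(alerts, events, iocs):
    """Cross-reference alerts (by destination IP) and DNS queries (by query name)
    against MISP-style attributes. Returns (record, matched ioc) pairs."""
    ips = {v for t, v in iocs if t in ("ip-dst", "ip-src")}
    domains = {v.lower().rstrip(".") for t, v in iocs if t in ("domain", "hostname")}
    hits = [(a, ("ip-dst", a["dest_ip"])) for a in alerts if a["dest_ip"] in ips]
    for ev in events:
        if ev.get("event_type") == "dns" and ev["dns"].get("type") == "query":
            name = ev["dns"].get("rrname", "").lower().rstrip(".")
            if name in domains:
                hits.append((ev, ("domain", name)))
    return hits


if __name__ == "__main__":
    alerts, others, rejected = parse_eve_batch(SAMPLE_EVE)
    print(f"{len(alerts)} alerts, {rejected} rejected, {len(deduplicate(alerts))} queue entries")
    for rec, ioc in correlate_with_iocs(alerts, others, SAMPLE_IOCS):
        print("IOC hit", ioc, "from", rec["src_ip"])
```

On the constructed input the two beacon alerts collapse into one queue entry with a hit count of 2 and two distinct source hosts, which is exactly the context a rule-name key discards if the entry stores only the first hit. Severity is filtered as a ceiling because Suricata's scale runs from 1 (highest) upward, so a filter written as "severity >= 1" would return everything. DNS names are case-folded and stripped of the trailing dot before lookup, since MISP attributes and EVE rrname values do not always agree on either.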
Clearance-Aware Alert Access#
Alert records carry secrecy_level tags enabling multi-classification network monitoring. Traffic from classified network segments can be ingested with higher classification labels, restricting visibility to cleared analysts. This directly supports NATO network monitoring scenarios where sensor telemetry from SECRET-level segments must remain isolated from UNCLASSIFIED analyst views, satisfying EDF data sovereignty requirements for coalition deployments.
EDF Audit Trail#
Every EVE batch ingestion generates an interop ingest audit record. This satisfies EDF Golden Rule 15 requirements for logging all data inflows into the platform, including network sensor telemetry originating from operational environments.
Use Cases#
- DMZ Monitoring: Ingest Suricata alerts from perimeter sensors and correlate hits against MISP threat actor IOCs to identify targeted intrusion attempts in near-real-time, providing the SOC with immediate context that transforms a raw signature hit into an attributed threat event.
- Threat Hunting: Query accumulated Suricata alert history to hunt for low-and-slow lateral movement patterns that signature-based alerting missed in real time. Historical alert data becomes a structured dataset analysts can interrogate with precision.
- Malware C2 Detection: Load Emerging Threats rulesets (ET Open or ET Pro) covering known C2 communication patterns onto the Suricata sensors and surface confirmed C2 activity directly in the Argus incident timeline, accelerating containment decisions.
- NATO Sensor Grid: Aggregate alerts from multiple Suricata sensors deployed at different network trust levels and enforce classification-based access control across the combined dataset, supporting multi-domain coalition operations without co-mingling intelligence across classification boundaries.
Integration#
Available via GraphQL with queries for alert listing and statistics, and mutations for EVE batch ingestion and API polling. All operations require authentication and organisation scoping.
Compatible with Suricata 6.x and 7.x EVE JSON format. Works alongside Sigma (detection rule management), MISP (IOC cross-referencing), and the SIEM Connector domain (forwarding alerts to downstream SIEM platforms).
Last Reviewed: 2026-03-18 Last Updated: 2026-04-14