Looking for some general help, or somewhere to look, on tuning eve.json ingest into Splunk. Trying to lower our ingest amount.
Currently using Suricata 4.1 (need to verify the version, but I do not think it's 5.0) with Security Onion. In 10 minutes we were getting 11 GB of ingested traffic.
- eve.json is enabled
- community-id is enabled
- Added a separate include file for variables.
- Using the basic ET rules (with some basic tuning)
Should we be focusing on the enabled/disabled rule sets, or is there something we should be doing in the YAML file?
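Before choosing between rule tuning and the YAML, it helps to measure what is actually filling eve.json. The script below is an added example, not code from the poster, Security Onion or Suricata: it reads an eve.json file line by line, counts events and raw bytes per `event_type`, and counts alerts per `signature_id`. The embedded sample lines are constructed for the example (their addresses, flow ids and rule metadata are illustrative), and the last sample line is deliberately truncated to show that a partially written line is skipped rather than crashing the run.

```python
"""Profile an eve.json file to see what is driving ingest volume.

Added example for the question above, not Security Onion or Suricata code.
It counts events and raw bytes per event_type and alerts per signature_id,
so you can tell whether rule tuning (alert volume) or the eve-log `types`
list in suricata.yaml (flow/dns/http/... metadata) is the bigger lever.
Input is one JSON object per line, as Suricata's EVE output writes it.
"""
import json
import sys
from collections import Counter, defaultdict
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample lines, not captured traffic. Field layout follows Suricata's
# EVE JSON output; addresses, flow ids, counters and rule metadata are illustrative.
# The last line is deliberately truncated, as a line still being written would be.
SAMPLE_EVE = """\
{"timestamp":"2019-11-05T10:00:00.000000+0000","flow_id":1,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":400,"bytes_toclient":300}}
{"timestamp":"2019-11-05T10:00:00.000000+0000","flow_id":2,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.8","proto":"TCP","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":612,"bytes_toclient":980}}
{"timestamp":"2019-11-05T10:00:00.000000+0000","flow_id":3,"event_type":"flow","src_ip":"10.0.0.6","dest_ip":"10.0.0.9","proto":"UDP","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":78,"bytes_toclient":110}}
{"timestamp":"2019-11-05T10:00:00.000000+0000","flow_id":4,"event_type":"flow","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"TCP","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":1400,"bytes_toclient":520}}
{"timestamp":"2019-11-05T10:00:00.000000+0000","flow_id":5,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.3","proto":"TCP","flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":120,"bytes_toclient":160}}
{"timestamp":"2019-11-05T10:00:00.000000+0000","flow_id":6,"event_type":"flow","src_ip":"10.0.0.8","dest_ip":"10.0.0.9","proto":"TCP","flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":500,"bytes_toclient":340}}
{"timestamp":"2019-11-05T10:00:00.000000+0000","flow_id":7,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","id":1234,"rrname":"example.com","rrtype":"A"}}
{"timestamp":"2019-11-05T10:00:00.000000+0000","flow_id":8,"event_type":"dns","src_ip":"10.0.0.6","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","id":4321,"rrname":"example.org","rrtype":"A"}}
{"timestamp":"2019-11-05T10:00:00.000000+0000","flow_id":9,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2019-11-05T10:00:00.000000+0000","flow_id":10,"event_type":"alert","src_ip":"10.0.0.6","dest_ip":"198.51.100.7","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2019-11-05T10:00:00.000000+0000","flow_id":11,"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"203.0.113.20","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2013028,"rev":4,"signature":"ET POLICY curl User-Agent Outbound","category":"Attempted Information Leak","severity":3}}
{"timestamp":"2019-11-05T10:00:00.000000+0000","flow_id":12,"event_type":"alert","src_ip":"10.0.0.5"
"""


def summarize(text: str) -> Dict:
    """Count events and raw bytes per event_type, and alerts per signature_id."""
    by_type: Dict[str, Dict[str, int]] = defaultdict(lambda: {"count": 0, "bytes": 0})
    by_sid: Counter = Counter()
    sig_names: Dict[int, str] = {}
    malformed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        size = len(line.encode("utf-8")) + 1  # +1 for the newline on disk
        try:
            event = json.loads(line)
            etype = event["event_type"]
        except (json.JSONDecodeError, KeyError, TypeError):
            malformed += 1  # partial or corrupt line; never crash on a live file
            continue
        by_type[etype]["count"] += 1
        by_type[etype]["bytes"] += size
        if etype == "alert":
            alert = event.get("alert", {})
            sid = alert.get("signature_id")
            by_sid[sid] += 1
            sig_names[sid] = alert.get("signature", "")
    return {"by_type": dict(by_type), "by_sid": by_sid,
            "sig_names": sig_names, "malformed": malformed}


def top_types(summary: Dict, n: int = 5) -> List[Tuple[str, int, int]]:
    """(event_type, count, bytes) rows, largest byte consumers first."""
    rows = [(t, v["count"], v["bytes"]) for t, v in summary["by_type"].items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)[:n]


def alert_share(summary: Dict) -> float:
    """Fraction of well-formed bytes that are alert records (0.0 if empty)."""
    total = sum(v["bytes"] for v in summary["by_type"].values())
    alerts = summary["by_type"].get("alert", {"bytes": 0})["bytes"]
    return alerts / total if total else 0.0


def noisiest_sids(summary: Dict, n: int = 5) -> List[Tuple[int, int]]:
    """(signature_id, alert count) pairs, noisiest first."""
    return summary["by_sid"].most_common(n)


if __name__ == "__main__":
    # Usage: python eve_profile.py [/path/to/eve.json]; with no path it profiles the sample.
    text = Path(sys.argv[1]).read_text(encoding="utf-8") if len(sys.argv) > 1 else SAMPLE_EVE
    s = summarize(text)
    print(f"{'event_type':<12}{'count':>8}{'bytes':>10}")
    for etype, count, size in top_types(s):
        print(f"{etype:<12}{count:>8}{size:>10}")
    print(f"malformed lines: {s['malformed']}")
    print(f"alert share of bytes: {alert_share(s):.0%}")
    for sid, count in noisiest_sids(s):
        print(f"sid {sid}: {count} alerts  {s['sig_names'][sid]}")
```

Read the output in two halves. If `alert` is a small share of the bytes, the volume is protocol and flow metadata, and the lever is the `types:` list under `outputs:` / `- eve-log:` in suricata.yaml (for example dropping `flow` and `stats`, or narrowing `http` and `dns`), which no amount of rule tuning will change. If alerts dominate, the noisiest signature ids are the ones to disable or rate-limit with `threshold`/`suppress` entries in threshold.config (Security Onion manages these through PulledPork's disablesid.conf and threshold.conf). Running the script against ten minutes of the real eve.json gives a direct answer to which of the two the poster should work on first.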