https://burnett.sh/tags/community-id/Recent content in Community-Id on Joshua's NotebookHugoenTue, 16 Jun 2026 09:00:00 -0500https://burnett.sh/posts/honeypi-enrich-mac/Tue, 16 Jun 2026 09:00:00 -0500https://burnett.sh/posts/honeypi-enrich-mac/<p>In the <a href="https://burnett.sh/posts/honeypi-enrich-pi/">previous post</a> I got two of the three streams live on the Pi: Cowrie and Suricata, both shipping to Loki through Alloy with a shared <code>src_ip</code> key. This post covers the Mac side, which is where the third stream comes in and where the whole correlation idea stops being a diagram and starts being something you can actually query. By the end of it, one attacker IP lights up across all three tools at once, and any single network flow can be matched between Suricata and Zeek deterministically rather than by eyeballing timestamps.</p>