Corelight For Splunk
Overview
Details
Welcome to Corelight for Splunk Apps documentation!
Overview
About Corelight For Splunk
| Author | Aplura, LLC. Corelight, Inc. |
| App Version | 1.0.3 |
| App Build | 156 |
| Vendor Products | Corelight Sensor |
| Has index-time operations | false |
| Creates an index | false |
| Implements summarization | Currently, the app does not generate summaries |
About Corelight For Splunk
Corelight For Splunk allows a Splunk Enterprise administrator to extract information and knowledge from Bro data via the Corelight Sensor appliance or open-source Bro
Scripts and binaries
This App provides the following scripts:
- None
Release notes
Version 1.0.3
- Bug
- [CL-51] - HTTP Search needs updated
- Improvement
- [CL-52] - Add _red sourcetypes
- [CL-53] - Rework HTTP Page
- [CL-54] - RED DNS field update
Version 1.0.2
-
Bug
- [CL-47] - Update DNS Dashboard
-
Improvement
- [CL-50] - Update CIM for new data types
Version 1.0.1
-
Bug
- [CL-42] - Conn data does not always display service
-
Improvement
- [CL-43] - Panel Rename
- [CL-44] - Update sparkline
- [CL-45] - Dashboard Search Optimizations
Version 1.0.0
-
New Feature
- [CL-3] - Custom Icons
- [CL-5] - Build Eventgen
- [CL-6] - Overview Dashboard
- [CL-11] - CIM Mapping
- [CL-17] - Workflow Action
- [CL-18] - HTTP Dashboard
- [CL-19] - DNS Dashboard
-
Improvement
- [CL-10] - Documentation
- [CL-21] - Improve HTTP Dashboard
- [CL-22] - Overview Updates
- [CL-23] - Overview Dashboard
- [CL-24] - Connections Page - Revise
- [CL-25] - DNS Dashboard - Revise
- [CL-26] - Files Dashboard - Revise
- [CL-27] - SSL Dashboard
- [CL-28] - Software Dashboard
- [CL-29] - Connections Revision
- [CL-30] - DNS Revisions
- [CL-31] - Files Revisions
- [CL-32] - HTTP Revisions
- [CL-33] - Software Revisions
- [CL-34] - Dashboard Improvements
- [CL-35] - Dashboards
- [CL-36] - Minor Edits and Updates
- [CL-38] - Documentation
- [CL-40] - Tags
- [CL-41] - Additional Dashboard Changes
-
Sub-task
- [CL-14] - Corelight Connection
- [CL-15] - Corelight SSL
- [CL-16] - Corelight File
About this release
Version 1.0.3 of Corelight For Splunk is compatible with:
| Splunk Enterprise versions | 6.6, 7.0 |
| Platforms | Splunk Enterprise |
Compatability
Known Issues
Version 1.0.3 of Corelight For Splunk has the following known issues:
- None
Support and resources
Questions and answers
Access questions and answers specific to Corelight For Splunk at https://answers.splunk.com . Be sure to tag your question with the App.
Support
- Support Email: appsupport@corelight.com
- Support Website: https://www.corelight.com/support
- Support Offered: Email, Web
Support is available via email at appsupport@corelight.com. Responses vary on working days between working hours. Find the latest information about the App and integration on the support website.
Installation and Configuration
Software requirements
Splunk Enterprise system requirements
Because this App runs on Splunk Enterprise, all of the Splunk Enterprise system requirements at https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements apply.
Download
Download Corelight For Splunk at https://splunkbase.splunk.com/.
Installation steps
NOTE: Where referenced, TA-CorelightForSplunk is located on Splunkbase.
Deploy to single server instance
Follow these steps to install the app in a single server instance of Splunk Enterprise:
- Deploy as you would any App, and restart Splunk. Do NOT install the TA.
Deploy to Splunk Cloud
- Have your Splunk Cloud Support handle this installation.
Deploy to a Distributed Environment
- For each Search Head in the environment, deploy the App. DO NOT SEND TA to a Search Head Cluster (SHC).
- For each indexer in the environment, deploy a copy of the |ta_name| Add-On that is located as mentioned above.
User Guide
Key concepts for Corelight For Splunk
Configure TA-CorelightForSplunk for use with Corelight.
- TA-CorelightForSplunk should be placed upon the servers that will get the forwarded data from the Corelight Sensor.
- Questions should be asked at https://www.corelight.com/support
Indexes
Getting Data In
By default all events will be written to the main index. Please see Corelight documentation on how to change the destination index from the appliance.
Searching for Data
By default, all corelight information is searched for using the corelight_idx event type. To change the location for the app to search for Corelight data, edit the corelight_idx event type to point to your Corelight index.
Troubleshoot Corelight For Splunk
- Check the Monitoring Console (>=v6.5) for errors
Lookups
Corelight For Splunk contains several lookup files.
- port_descriptions - Gives port descriptions to ports.
- corelight_systems - Auto-generated from sensor data
- corelight_services - Auto-generated from services data
- corelight_dns_ports - Auto-generated from DNS data
- corelight_dns_record_types - Auto-generated from NDS data
- corelight_files_mime_types - Auto-generated from files data
- corelight_software_types - Auto-generated from software data
- corelight_dns_reply_code - Provided to lookup reply code types
Event Generator
Corelight For Splunk does make use of an event generator. This allows the product to display data, when there are no inputs configured.
The stanzas are:
- conn.json.sample
- conn_red.json.sample
- metrics_disk.json.sample
- files.json.sample
- files_red.json.sample
- metrics_memory.json.sample
- metrics_system.json.sample
- metrics_iface.json.sample
- metrics_bro.json.sample
- http.json.sample
- http_red.json.sample
- dns.json.sample
- dns_red.json.sample
Acceleration
- Summary Indexing: No
- Data Model Acceleration: No
- Report Acceleration: No
Release Notes
Version 1.0.3
Fixes the HTTP Panel, much faster.
Adds support for Corelight Reduced logging.
Version 1.0.2
Bug Fixes, increase performance of dashboards.
Version 1.0.1
Search optimizations and bug fixes