Author | Corelight, Inc. |
App Version | 2.2.0 |
Vendor Products | Corelight Sensor |
Has index-time operations | false |
Creates an index | false |
Implements summarization | Currently, the app does not generate summaries |
About Corelight App For Splunk
Corelight App For Splunk allows a Splunk Enterprise administrator to extract information and knowledge from Bro data via the Corelight Sensor appliance or open-source Bro.
This App provides the following scripts:
Corelight data natively enables Splunk Enterprise Security correlation search functionality for more than 30 correlation searches within the Certificates, Network Resolution, Network Sessions, Network Traffic, and Web data models. Corelight provides data for many Splunk Enterprise Security dashboards out of the box.
• Added parsing and dashboard visibility for Corelight Suricata logs.
• Tagged Suricata for Intrusion Detection data model functionality.
• Improved x509 log tagging for Certificate data model functionality.
• Improved conn log tagging for Network Traffic and Network Session data model functionality.
• Improved dns log tagging for Network Resolution data model functionality.
• Added DNS Hunting dashboard.
• Corrected parsing and extraction issues for corelight_x509_red log.
• Corrected issues with Home and Notices dashboards
Compatibility
The app and TA extract information and knowledge from Zeek (formerly known as Bro) via Corelight Sensors or open-source Zeek, resulting in powerful security insights through key traffic dashboards such as:
Version 2.0.0 of Corelight App For Splunk has the following known issues:
Access questions and answers specific to Corelight App For Splunk at https://answers.splunk.com. Be sure to tag your question with the App.
Support is available via email at appsupport@corelight.com. Responses are sent on working days during working hours, and response times vary. Find the latest information about the App and integration on the support website.
Because this App runs on Splunk Enterprise, all of the Splunk Enterprise system requirements at https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements apply.
Download Corelight App For Splunk at https://splunkbase.splunk.com/.
NOTE: Where referenced, TA-CorelightForSplunk is located on Splunkbase.
Follow these steps to install the app in a single server instance of Splunk Enterprise:
By default, all events are written to the main index. Please see the Corelight documentation on how to change the destination index from the appliance.
By default, all Corelight information is searched for using the corelight_idx event type. To change the location where the app searches for Corelight data, edit the corelight_idx event type to point to your Corelight index.
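As an added illustration (not a file shipped with the app), this is the override a Splunk administrator would place in the app's local directory so that the corelight_idx event type is scoped to a dedicated index. The file path, the search string and the index name `corelight` are assumptions, since the page does not show the app's default definition:

```ini
# local/eventtypes.conf inside the Corelight App For Splunk app directory
# (assumed path). Settings in local/ take precedence over default/ and are
# preserved across app upgrades, so never edit default/eventtypes.conf.
# The index name "corelight" is an assumption; use the index that your
# sensors are actually configured to write to.
[corelight_idx]
search = index=corelight
```

Two checks are worth doing after the change. First, the eventtype only narrows where the dashboards look, so the sensor must already be routing events to that index (the preceding step); a search such as `eventtype=corelight_idx | stats count by index, sourcetype` should return rows only for the intended index. Second, because the app's searches run with the permissions of the user viewing them, the role that uses the dashboards needs that index in its allowed indexes, otherwise the panels will simply be empty rather than report an error.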
Corelight App For Splunk contains several lookup files.
Corelight App For Splunk makes use of an event generator. This allows the product to display data when there are no inputs configured.
The stanzas are:
New Feature
- Added Suricata Dashboard
Improvement
- Improved DNS Hunting dashboard functionality
- Improved support for Open Source Zeek data
Bug
- Corrected issues with drill-down from the SSH Inferences dashboard
New SSH dashboard, bug fixes, major ingest and dashboard performance improvements. Community ID can now be generated at search time for non-Corelight data.
Updated Dashboards for speed and optimization
Fixes the HTTP panel and makes it much faster.
Adds support for Corelight Reduced logging.