Bright Ideas Blog


New Corelight app for Splunk: Making network-based threat hunting easier

November 19, 2019 by Ed Smith

By Ed Smith, Senior Product Marketing Manager, Corelight

Want to use Zeek (formerly Bro) network data in Splunk ES, but don’t know how to start or where to look?

Need to quickly narrow down Zeek logs from a mountain, to a hill, to a handful?

Want to avoid hours of work mapping Corelight key-value pairs for ingest?

Our recently updated Corelight App for Splunk may be just what you're looking for. It accelerates SOC work with guided hunting workflows: dashboards and filters that let analysts quickly narrow down and pivot across Zeek logs. It is also a good demonstration of how Zeek data sent into the Splunk platform can be used to find malicious encrypted traffic, DNS exfiltration, hidden malware and other network risks.

In addition, we've released an updated technology add-on (TA) that automatically normalizes Corelight security data for easier ingest into the Splunk platform. The TA can be used standalone or together with the new app, and is worth checking out if you're a Corelight + Splunk shop.

The Corelight App for Splunk works with Corelight Sensors as well as open-source Zeek. The app requires the above-mentioned TA for Corelight data, or the Splunk add-on for open-source Zeek data. You can download the app and either TA for free on Splunkbase.

To learn more about Corelight’s integration with Splunk software and how it helps incident responders and threat hunters work faster and more effectively, please read our joint solution data sheet, watch our webinar on Threat Hunting in Splunk with Zeek or check out the screenshots of the app below:

Detections dashboard

Find and respond to off-port protocol usage, IOC matches, and other potentially interesting events.

Intel workflow

Find IOCs from external sources matched in network traffic.

Notices workflow

See situations flagged by the Notice policy for further investigation.

Log hunting workflow

Accelerate your hunt by narrowing down many logs to only the logs that matter.

DNS dashboard

Detect DNS exfiltration by spotting queries to non-existent domains (NXDOMAIN responses) and hosts with unusually high query counts.

Corelight egress monitor

Find risky North/South (internal-to-external) user connections that negotiate weak SSL/TLS versions.
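The hunts the Detections, DNS and egress dashboards describe, written out as an added example in Python over constructed Zeek JSON log lines. This is not code from the Corelight app or TA; the field names are standard Zeek dns.log, ssl.log and conn.log fields, while the thresholds, the internal address ranges, the set of versions treated as weak, the usual-port table and the sample records are all assumptions made for the example.

```python
import ipaddress
import json
from collections import Counter, defaultdict

# Constructed Zeek JSON-lines samples (made up for this example; not a real capture).
# Zeek's JSON writer omits unset fields, so lookups below use .get() where a field may be absent.
def _jsonl(records):
    return "\n".join(json.dumps(r) for r in records)

SAMPLE_DNS = _jsonl(
    [{"id.orig_h": "10.1.1.20", "query": "%04xaa.c2.example" % i, "rcode_name": "NXDOMAIN"}
     for i in range(12)]                                     # burst of NXDOMAINs under one parent domain
    + [{"id.orig_h": "10.1.1.21", "query": "www.example.com", "rcode_name": "NOERROR"},
       {"id.orig_h": "10.1.1.21", "query": "mail.example.com", "rcode_name": "NOERROR"},
       {"id.orig_h": "10.1.1.21", "query": "typo.exampel.com", "rcode_name": "NXDOMAIN"}]
)
SAMPLE_SSL = _jsonl([
    {"id.orig_h": "10.1.1.30", "id.resp_h": "203.0.113.10", "id.resp_p": 443, "version": "TLSv10",
     "server_name": "legacy.example.net"},                   # weak version, internal -> external
    {"id.orig_h": "10.1.1.30", "id.resp_h": "203.0.113.11", "id.resp_p": 443, "version": "TLSv12",
     "server_name": "www.example.com"},
    {"id.orig_h": "10.1.1.31", "id.resp_h": "10.1.5.5", "id.resp_p": 443, "version": "SSLv3",
     "server_name": "old-printer.corp"},                     # weak, but east/west: not egress
])
SAMPLE_CONN = _jsonl([
    {"id.orig_h": "10.1.1.40", "id.resp_h": "198.51.100.9", "id.resp_p": 443, "service": "ssh"},    # SSH on 443
    {"id.orig_h": "10.1.1.41", "id.resp_h": "198.51.100.10", "id.resp_p": 22, "service": "ssh"},
    {"id.orig_h": "10.1.1.42", "id.resp_h": "198.51.100.11", "id.resp_p": 4444, "service": "http"},  # HTTP on 4444
    {"id.orig_h": "10.1.1.43", "id.resp_h": "198.51.100.12", "id.resp_p": 443},                     # no service identified
])

# Assumptions for the example: your internal ranges, what counts as "weak", and usual ports per service.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEAK_TLS_VERSIONS = {"SSLv2", "SSLv3", "TLSv10", "TLSv11"}   # Zeek ssl.log 'version' strings
STANDARD_PORTS = {"ssh": {22}, "http": {80, 8000, 8080}, "ssl": {443, 8443, 465, 993, 995},
                  "dns": {53}, "ftp": {21}, "smtp": {25, 587}}


def parse_zeek_json(text):
    """Parse Zeek/Corelight JSON-lines output (one record per line) into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_internal(ip):
    # Explicit RFC 1918 check: ipaddress's is_private would also match the TEST-NET ranges used above.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def dns_exfil_candidates(dns_records, nx_threshold=10, query_threshold=100):
    """DNS dashboard logic: per source host, count NXDOMAIN answers and total queries, flag hosts
    over either threshold, and report the parent domain they hit most as the pivot to chase."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "domains": Counter()})
    for r in dns_records:
        src, q = r.get("id.orig_h"), r.get("query")
        if not src or not q:
            continue
        s = stats[src]
        s["queries"] += 1
        s["nxdomain"] += int(r.get("rcode_name") == "NXDOMAIN")
        # Last two labels as the "parent domain"; a public-suffix lookup would be needed for co.uk etc.
        s["domains"][".".join(q.rstrip(".").split(".")[-2:])] += 1
    flagged = {}
    for src, s in stats.items():
        if s["nxdomain"] >= nx_threshold or s["queries"] >= query_threshold:
            dom, n = s["domains"].most_common(1)[0]
            flagged[src] = {"queries": s["queries"], "nxdomain": s["nxdomain"],
                            "top_domain": dom, "top_domain_queries": n}
    return flagged


def weak_ssl_egress(ssl_records):
    """Egress monitor logic: North/South (internal -> external) sessions on a weak SSL/TLS version."""
    return [(r["id.orig_h"], r["id.resp_h"], r.get("id.resp_p"), r["version"], r.get("server_name"))
            for r in ssl_records
            if all(k in r for k in ("id.orig_h", "id.resp_h", "version"))
            and is_internal(r["id.orig_h"]) and not is_internal(r["id.resp_h"])
            and r["version"] in WEAK_TLS_VERSIONS]


def off_port_services(conn_records):
    """Detections dashboard logic: a protocol Zeek identified by content, seen on a port that is not
    one of its usual ports. conn.log 'service' may list several protocols separated by commas."""
    hits = []
    for r in conn_records:
        port = r.get("id.resp_p")
        for proto in (r.get("service") or "").split(","):
            usual = STANDARD_PORTS.get(proto)
            if usual is not None and port not in usual:
                hits.append((r.get("id.orig_h"), r.get("id.resp_h"), port, proto))
    return hits


def run_hunts():
    return {"dns_exfil": dns_exfil_candidates(parse_zeek_json(SAMPLE_DNS)),
            "weak_ssl_egress": weak_ssl_egress(parse_zeek_json(SAMPLE_SSL)),
            "off_port": off_port_services(parse_zeek_json(SAMPLE_CONN))}


if __name__ == "__main__":
    print(json.dumps(run_hunts(), indent=2))
```

In the app these are SPL searches over the TA-indexed data rather than Python, but the logic is the same: group, count, compare against a threshold or allow-list, then pivot on the field that matters (the parent domain, the server name, the destination port). Two caveats carry over to either form: a burst of NXDOMAINs also comes from misconfigured software and expired domains, so the DNS hit is a starting point, not a verdict; and the SSLv3 session to 10.1.5.5 above is deliberately not reported by the egress monitor logic because it is east/west, which is why weak-version hunting should be run once without the North/South filter as well.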

Filed Under: Industry, Network Security Monitoring, Partnership, SIEM Tagged With: DNS, IOC, network security, Network Security Monitoring, network traffic analysis, network visibility, SIEM, SOC, Splunk, Splunkbase, technology add-on, threat hunting, workflow, Zeek
