Bright Ideas Blog


Corelight ECS mapping: Unified Zeek data for more efficient analytics

January 28, 2020 by Ed Smith

By Ed Smith, Senior Product Marketing Manager, Corelight

In addition to other great news we’ve recently shared, I’m pleased to announce that Corelight sensors now support the Elastic Common Schema (ECS) via our Corelight ECS Mapping.

If you’re not familiar with ECS, Elastic provides a nice summary in their intro blog post:

“ECS facilitates the unified analysis of data from diverse sources so that content such as dashboards and machine learning jobs can be applied more broadly, searches can be crafted more efficiently, and field names can be recalled by analysts more easily.”

Zeek (formerly Bro) is a good example of one of those diverse sources, and its data becomes considerably more useful once it is mapped to ECS, because the benefits above then apply to Zeek logs alongside everything else in the cluster. As an illustration, consider how ECS helps you craft searches more efficiently.

Imagine you are investigating a particular IP address and want to see all traffic originating from that host. Your Elastic Stack is ingesting, storing, analyzing, and visualizing data from your firewalls, endpoints, network sensors, IDS and other sources, but there is a small, persistent obstacle: there is no field-name consistency across those sources.

Your firewall labels the source IP address "src", while your proxy calls it "client_ip". Zeek labels it "id.orig_h" (the originator host in the connection 4-tuple), while Suricata calls it "src_ip". To cover your bases, you craft a search that looks something like this:

src:10.42.42.42 OR client_ip:10.42.42.42 OR id.orig_h:10.42.42.42 OR src_ip:10.42.42.42

With ECS there is a better way. Your query simply becomes:

source.ip:10.42.42.42

(ECS field names are lowercase, and Elasticsearch field names are case-sensitive, so the query must use "source.ip" exactly.) Much easier, right? Not only is there less typing, there is also less to remember, since there is one set of standardized fields instead of a variation per data source.
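The following is an added example, not code from the original post and not Corelight's published ECS mapping. It shows the mechanism behind the single-field query above: each producer's raw field names are renamed into ECS fields at ingest time, unmapped fields are retained under a producer-named object so nothing is lost, and IP values are validated before they land in an ip-typed ECS field. The per-producer field maps, the firewall and proxy log shapes, and the sample log lines are all constructed for illustration.

```python
"""Normalize source-IP fields from several log producers into ECS names.

Constructed example. The field maps below are illustrative and are NOT
Corelight's ECS mapping; the firewall and proxy log shapes are hypothetical.
"""
import ipaddress
import json
from typing import Any, Dict, Iterable, List, Tuple

# Raw field name -> ECS field name, per producer. Zeek's JSON writer emits
# flattened dotted keys ("id.orig_h"), so those are matched as literal strings.
FIELD_MAPS: Dict[str, Dict[str, str]] = {
    "zeek": {
        "ts": "@timestamp", "uid": "event.id",
        "id.orig_h": "source.ip", "id.orig_p": "source.port",
        "id.resp_h": "destination.ip", "id.resp_p": "destination.port",
        "proto": "network.transport",
    },
    "suricata": {
        "timestamp": "@timestamp",
        "src_ip": "source.ip", "src_port": "source.port",
        "dest_ip": "destination.ip", "dest_port": "destination.port",
        "proto": "network.transport",
    },
    "firewall": {"time": "@timestamp", "src": "source.ip",
                 "dst": "destination.ip", "action": "event.action"},
    "proxy": {"time": "@timestamp", "client_ip": "source.ip",
              "url": "url.original"},
}


def set_path(doc: Dict[str, Any], dotted: str, value: Any) -> None:
    """Write value at a dotted path, creating the nested objects ECS uses."""
    parts = dotted.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def get_path(doc: Dict[str, Any], dotted: str) -> Any:
    """Read a dotted path; None if any segment is missing."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def to_ecs(producer: str, raw: Dict[str, Any]) -> Dict[str, Any]:
    """Map one raw event to an ECS document.

    Mapped keys are renamed; unmapped keys (and any value that fails IP
    validation) are kept verbatim under a producer-named object so that
    nothing is dropped but junk never reaches an ip-typed ECS field.
    """
    fmap = FIELD_MAPS[producer]
    ecs: Dict[str, Any] = {"event": {"module": producer}}
    leftovers: Dict[str, Any] = {}
    for key, value in raw.items():
        target = fmap.get(key)
        if target is None:
            leftovers[key] = value
            continue
        if target.endswith(".ip"):
            try:
                value = str(ipaddress.ip_address(value))
            except ValueError:
                leftovers[key] = value
                continue
        if target == "network.transport" and isinstance(value, str):
            value = value.lower()  # ECS expects lowercase protocol names
        set_path(ecs, target, value)
    if leftovers:
        ecs[producer] = leftovers
    return ecs


def search_source_ip(docs: Iterable[Dict[str, Any]], ip: str) -> List[Dict[str, Any]]:
    """The equivalent of the ECS query `source.ip:<ip>`: one field, every producer."""
    return [d for d in docs if get_path(d, "source.ip") == ip]


# Constructed sample log lines, one JSON object per producer.
SAMPLE_LOGS: List[Tuple[str, str]] = [
    ("zeek", '{"ts": 1580169600.0, "uid": "CAbc12", "id.orig_h": "10.42.42.42", '
             '"id.orig_p": 51234, "id.resp_h": "93.184.216.34", "id.resp_p": 443, '
             '"proto": "tcp", "conn_state": "SF"}'),
    ("suricata", '{"timestamp": "2020-01-28T00:00:01Z", "src_ip": "10.42.42.42", '
                 '"src_port": 51235, "dest_ip": "93.184.216.34", "dest_port": 80, "proto": "TCP"}'),
    ("firewall", '{"time": "2020-01-28T00:00:02Z", "src": "10.42.42.42", '
                 '"dst": "93.184.216.34", "action": "allow"}'),
    ("proxy", '{"time": "2020-01-28T00:00:03Z", "client_ip": "10.42.42.42", "url": "http://example.com/"}'),
    ("zeek", '{"ts": 1580169604.0, "uid": "CDef34", "id.orig_h": "10.0.0.7", "id.resp_h": "10.42.42.42"}'),
    ("suricata", '{"timestamp": "2020-01-28T00:00:05Z", "src_ip": "not-an-ip", "dest_ip": "10.42.42.42"}'),
]


def normalize_all(lines: List[Tuple[str, str]] = SAMPLE_LOGS) -> List[Dict[str, Any]]:
    return [to_ecs(producer, json.loads(line)) for producer, line in lines]


if __name__ == "__main__":
    docs = normalize_all()
    hits = search_source_ip(docs, "10.42.42.42")
    print(f"{len(hits)} of {len(docs)} events match source.ip:10.42.42.42")
    for doc in hits:
        print(json.dumps(doc, sort_keys=True))
```

Two design choices are worth noting. Keeping unmapped fields under a producer-named object (here "zeek", "suricata", and so on) follows the ECS convention of preserving vendor-specific detail next to the common fields, so analysts lose nothing by normalizing. Validating IP values before writing "source.ip" matters because an ip-typed field in Elasticsearch rejects malformed values, and a single bad document can fail an entire bulk request if the pipeline does not catch it first.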

This simplification applies to visualizations, dashboards, alerts, and machine learning jobs as well. A visualization is built on a specific field, so when the same kind of data, such as a source IP address, arrives under a different field name from each producer, you end up building one visualization per field name. With ECS, the field is the same regardless of source, and one visualization covers them all.

ECS also enables better sharing within the community. When you create a visualization or dashboard against ECS fields, you can share it with other ECS users even if they do not have the same data sources; as long as their data is in ECS format, it just works.

The Corelight ECS mapping supports Corelight data as well as open-source Zeek and is available on GitHub. We will continue to follow ECS and update this mapping as the schema evolves. To learn more about Corelight's integration with Elastic, please read our joint solution data sheet.

Filed Under: Industry, Partnership, Zeek Tagged With: Corelight vs. Open-Source, data visualization, ECS, Elastic, Elastic Common Schema, GitHub, IP address, network security, Network Security Monitoring, network traffic analysis, network visibility, Zeek

Copyright © 2021 · Corelight, Inc. · All rights reserved. · Privacy Policy · Terms of Use