By Ed Smith, Senior Product Marketing Manager, Corelight
In addition to other great news we’ve recently shared, I’m pleased to announce that Corelight sensors now support the Elastic Common Schema (ECS) via our Corelight ECS Mapping.
If you’re not familiar with ECS, Elastic provides a nice summary in their intro blog post:
“ECS facilitates the unified analysis of data from diverse sources so that content such as dashboards and machine learning jobs can be applied more broadly, searches can be crafted more efficiently, and field names can be recalled by analysts more easily.”
Zeek (formerly Bro) is a great example of one of those diverse sources of data, and it becomes much more powerful and valuable when mapped to ECS by enabling customers to realize those benefits. For example, let’s examine how ECS can help craft searches more efficiently…
Imagine you’re investigating a particular IP address and you want to see information about traffic originating from that host. Your Elastic Stack is doing a fantastic job ingesting, storing, analyzing, and visualizing data from your firewalls, endpoints, networks, IDS and other sources but there’s a small but annoying obstacle you frequently encounter: there’s no field name consistency across all those sources.
Your firewall labels the source IP address “src”, while your proxy calls it “client_ip”. Zeek labels it as “id.org_h”, while Suricata calls it “src_ip”. To cover your bases, you craft a search that looks something like this:
src:10.42.42.42 OR client_ip:10.42.42.42 OR id.org_h:10.42.42.42 OR src_ip:10.42.42.42
With ECS there is a better way! Your query simply becomes:
Source.ip:10.42.42.42
Much easier, right? Not only is there less typing, but there’s less to remember since there’s only one set of standardized fields instead of multiple variations.
This simplification applies to visualizations, dashboards, alerts, and machine learning jobs as well. For example, when you create a visualization you are creating it based on a defined field type. If there is a disparity for the same type of data, such as IP addresses, but different field naming convention, you’ll have to create a visualization for each separate field name. With ECS, you no longer have to create variations for each unique data source.
ECS also enables better sharing within the community because when you create things like visualizations or dashboards, you can share them with others using ECS who may not have the exact same data sources. When those data sources are in ECS format, it just works.
The Corelight ECS mapping supports Corelight data as well as open-source Zeek and is available on Github. We will continue to follow and update these mapping as ECS evolves. To learn more about Corelight’s integration with Elastic, please read our joint solution data sheet.