The Corelight App for Splunk enables incident responders and threat hunters who use Splunk® and Splunk Enterprise Security to work faster and more effectively.
| Property | Value |
| --- | --- |
| App Version | 2.5.6 |
| App Build | 185 |
| Splunk Enterprise Versions | 10.X, 9.X |
| Platforms | Splunk Enterprise, Splunk Cloud |
| Splunkbase Url | https://splunkbase.splunk.com/app/3884 |
| Author | Aplura, LLC. and Corelight, Inc. |
| Creates an index | False |
| Implements summarization | No |
| Summary Indexing | False |
| Report Acceleration | False |
| Release Date | 06/16/2025 |
IMPORTANT
When upgrading from Corelight App For Splunk version 2.4.4 or earlier, remove the previous app before installing the latest Corelight App For Splunk release. Additionally, check the local/data/ui/views folder for conflicting dashboards.
Corrupt CSV
In Corelight App For Splunk versions 2.5.3 and earlier, one lookup CSV is semi-corrupt. The lookup still works as intended, but it generates an increased volume of internal logging warnings. These additional logs do not increase license usage, because they are written to the _internal index. The following search can be run within the Corelight App For Splunk to rewrite the CSV cleanly:
| inputlookup corelight_base64conversion | outputlookup corelight_base64conversion
The Corelight App For Splunk transforms complex network data into actionable security intelligence, enabling faster threat detection and incident response. By seamlessly integrating with Corelight Sensors and Zeek data, the app provides security teams with comprehensive visibility through specialized dashboards covering alert aggregation, protocol analysis, threat intelligence matching, and network behavior analytics. Built for security analysts, incident responders, and threat hunters, the app streamlines investigation workflows and enhances threat hunting capabilities with features like MITRE ATT&CK framework integration, automated alert correlation, and detailed traffic analysis.
Alert Aggregations: Consolidates and prioritizes security alerts with MITRE ATT&CK mapping for streamlined threat response
Intel: Monitors IOC matches from external threat intelligence sources in network traffic
IP Interrogation: Analyzes specific IP addresses for connection patterns, protocol usage, and network interactions
Log Hunting: Enables detailed investigation of network events with customizable filters and search criteria
Notices: Tracks system-generated security notices and intelligence alerts with severity classification
Security Posture: Provides comprehensive overview of network security status including alerts, encryption, and DNS health
RDP Inferences: Monitors Remote Desktop Protocol connections, authentication patterns, and security protocols
SSH Inferences: Analyzes SSH connection patterns, authentication methods, and potential security issues
Suricata IDS Alert Overview: Displays intrusion detection alerts with temporal patterns and severity levels
VPN Insights: Tracks VPN usage patterns, connections, and user activity across the network
Connections: Visualizes top services, ports, dataflows, and network connection patterns
DNS: Monitors DNS query patterns and potential exfiltration attempts through domain analysis
Files: Identifies suspicious files, executables, and compressed file transfers
HTTP: Analyzes HTTP transactions for suspicious patterns in headers, user agents, and requests
Software: Tracks software versions and usage patterns across monitored network traffic
SSL and x509: Monitors SSL/TLS certificates and validation status for encrypted traffic
Secure Channel Insights: Analyzes encrypted and non-encrypted SSL, SSH, TLS, and x509 traffic
Name Resolution Insights: Provides deep analysis of DNS traffic patterns and potential threats
Remote Activity Insights: Monitors remote access patterns and authentication attempts
Configuration: Manages app settings, indexes, and logging configuration
Lookup Generation: Creates and manages lookup files for dashboard filtering
Sensor Overview: Provides operational status of Corelight sensors
About: Displays app version information and documentation
cid is a custom command provided to turn a tuple of src_ip, src_port, dest_ip, and dest_port into a Community ID string.
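As an added illustration (not the app's own cid.py), the following Python computes the Community ID v1 hash that such a command produces from a flow tuple, and shows the direction-independent ordering that makes both halves of a conversation share one ID. It assumes TCP/UDP/SCTP flows and the default seed of 0; the ICMP type/code mapping of the spec is not handled here.

```python
import base64
import hashlib
import socket
import struct

# IANA protocol numbers for the transports handled here (ICMP/ICMPv6 omitted).
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id(src_ip, src_port, dest_ip, dest_port, proto="tcp", seed=0):
    """Community ID v1 for a flow tuple, returned as a '1:<base64 sha1>' string."""
    proto_num = PROTO_NUMBERS[proto.lower()]
    family = socket.AF_INET6 if ":" in src_ip else socket.AF_INET
    saddr = socket.inet_pton(family, src_ip)
    daddr = socket.inet_pton(family, dest_ip)
    sport, dport = int(src_port), int(dest_port)
    # Canonical ordering: the byte-wise smaller address (then port) goes first,
    # so a flow and its reply direction hash to the same ID.
    if saddr > daddr or (saddr == daddr and sport > dport):
        saddr, daddr = daddr, saddr
        sport, dport = dport, sport
    digest = hashlib.sha1()
    digest.update(struct.pack("!H", seed))  # 16-bit seed, big-endian
    digest.update(saddr)                    # 4 bytes (IPv4) or 16 bytes (IPv6)
    digest.update(daddr)
    digest.update(struct.pack("!BBHH", proto_num, 0, sport, dport))  # proto, pad, ports
    return "1:" + base64.b64encode(digest.digest()).decode("ascii")


def community_id_from_zeek(record, seed=0):
    """Derive the ID from a Zeek/Corelight conn-style record using its id.* fields."""
    return community_id(record["id.orig_h"], record["id.orig_p"],
                        record["id.resp_h"], record["id.resp_p"],
                        record.get("proto", "tcp"), seed)


if __name__ == "__main__":
    # Constructed conn record; the tuple is the published Community ID spec example.
    sample = {"id.orig_h": "128.232.110.120", "id.orig_p": 34855,
              "id.resp_h": "66.35.250.204", "id.resp_p": 80, "proto": "tcp"}
    print(community_id_from_zeek(sample))  # 1:LQU9qZlK+B5F3KDmev6m5PMibrg=
```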
Corelight App For Splunk contains several lookup files.
<div class="note"> It is a best practice and recommendation to **not** use the direct CSV name, as these will change between versions. Use the `transforms` name as listed in the table. </div>

| Transforms | Filename | Description |
| --- | --- | --- |
| port_descriptions | port_desc_2.5.6.csv | Gives port descriptions to ports. |
| corelight_systems | corelight_systems_2.5.6.csv | Auto-generated from sensor data |
| corelight_services | corelight_services_2.5.6.csv | Auto-generated from services data |
| corelight_dns_ports | corelight_dns_ports_2.5.6.csv | Auto-generated from DNS data |
| corelight_dns_record_types | corelight_dns_record_type_2.5.6.csv | Auto-generated from DNS data |
| corelight_files_mime_types | corelight_files_mime_types_2.5.6.csv | Auto-generated from files data |
| corelight_software_types | corelight_software_types_2.5.6.csv | Auto-generated from software data |
| corelight_dns_reply_code | corelight_dns_reply_code_2.5.6.csv | Provided to look up reply code types |
| corelight_conn_state_description | corelight_conn_state_description_2.5.6.csv | Describes connection states |
| corelight_status_action | corelight_status_action_2.5.6.csv | Describes Corelight action and status |
| ssh_inference | ssh_inference_lookup_2.5.6.csv | Describes inferences |
| corelight_inferences_description | corelight_inferences_description_2.5.6.csv | Describes inferences |
| corelight_severity | corelight_severities_2.5.6.csv | Maps severity ids and severity text |
| corelight_error_messages | corelight_error_messages_2.5.6.csv | Contains information on Corelight error messages. |
| corelight_alert_aggregations | corelight_alert_aggregations_enrichment.csv | Provides enrichments for Suricata alerts. |
This App provides the following scripts:
cid.py: Script for use with the cid command.
Diag.py: Custom diag generation.
Utilities.py: Splunk utilities for Python scripts.
version.py: The Splunk app version, for logging purposes.
app_properties.py: The Splunk extension properties.
Corelight App For Splunk does not make use of an event generator.
Summary Indexing: No
Data Model Acceleration: No
Report Acceleration: No
Review the Splunk Enterprise system requirements at https://docs.splunk.com.
The Corelight App For Splunk and the TA for Corelight add-on are available on Splunkbase.
Important: The TA for Corelight add-on is required on indexers, or index clusters. If your Corelight sensors send data directly to a heavy forwarder or a Splunk Cloud Platform receiver that is a heavy forwarder, the TA for Corelight is also required on those instances. The add-on is not required on search heads, or single-instance Splunk Enterprise environments.
Your Splunk Enterprise infrastructure will determine where the Corelight App for Splunk is installed.
Contact your Splunk Administrator before installing Splunk apps in your Splunk Cloud Platform environment. The Corelight App for Splunk supports self-service installation. Cloud app installation guidance is available in Install apps on your Splunk Cloud Platform deployment at https://docs.splunk.com
When working with an on-premises Splunk Enterprise infrastructure, contact your Splunk Administrator to determine what locations and options are available for installing and distributing Splunk Apps. Installing Splunk apps typically requires administrative credentials.
To deploy to a single-server instance of Splunk Enterprise:
Log in to Splunk Web as an administrator.
Browse to Apps > Find More Apps.
Use the search box to find Corelight.
Click the Install button for the Corelight App for Splunk.
(Optional) If a restart is required, click Restart Splunk to restart Splunk services.
Review the Corelight App for Splunk documentation at https://docs.corelight.com
Configuring the Corelight App For Splunk requires the ``admin_all_objects`` capability, which is typically reserved for administrative users. Once the configuration changes are saved, the admin user is no longer required.
Log in to Splunk Web on the search head as an administrator.
Browse to Apps > Corelight App for Splunk.
Select the Corelight drop-down, and click Configuration.
Review the Indexes field, and add all indexes that contain Corelight sensor log data.
Review the Products field, and verify that Corelight is selected.
If the Corelight option is selected, the dashboard searches will use log data source types beginning with the name ``corelight_``.
If the Zeek option is selected, the dashboard searches will use log data source types beginning with the name ``bro_``. If those source types do not exist in the indexes configured, the dashboard panels will display a warning about missing eventtypes. For example, ``Eventtype bro_x509 does not exist or is disabled.`` If your sensor log sources don’t use source type names starting with ``bro_``, you can disable the Zeek option.
Review the Local Network Block(s) field, and define your local networks in CIDR format. The networks defined in the app should match the Local Network Blocks defined on the Corelight sensor, or in the Fleet Manager sensor policy. For more information on sensor local networks, see Configure network infrastructure at https://docs.corelight.com.
(Optional) In the Aggregation Saved Searches field, enable the Corelight Suricata Detections search option. The search runs on a 10-minute interval by default, and generates data for the corelight_suri_aggregations sourcetype.
Under Application Control, click the Application Configured switch.
The Corelight App for Splunk includes lookup searches used to populate filters on the Corelight App dashboards.
Log in to Splunk Web on the search head as an administrator.
Browse to Apps > Corelight App for Splunk.
Select the Corelight drop-down, and click Configuration.
In the Lookup Generators section, verify the lookup generating searches are enabled.
The lookup searches run on a 60-minute interval by default.
The lookup generating searches run on a schedule by default. You can generate the lookup files immediately by running the lookup searches manually.
Use app dashboards such as the Data Explorer dashboards to verify the sensor data is available in Splunk Enterprise, and the Corelight App For Splunk is configured.
Check the Monitoring Console for errors.
Validate that the Index(es), Product(s) and Local Network Block(s) are configured (Corelight > Configuration).
Ensure the lookup tables were fully updated by running the searches in the Lookup Generation dashboard (Corelight > Lookup Generation).
Support Email: None
Support Website: https://www.corelight.com/support
Support Offered: Web
App support is available through the Corelight Support site at https://corelight.com.
You can find the latest documentation on the Corelight documentation site at https://docs.corelight.com.
POTENTIAL BREAKING Change
Due to enforcement of the Splunk AppInspect check check_props_conf_has_no_prohibited_characters_in_sourcetypes, the "wildcard" property in props.conf has been REMOVED. The settings are included below for reference if needed.
NOTE: This will not be available in Splunk Cloud.
[(?::){0}corelight*]
TRUNCATE = 9999999
SHOULD_LINEMERGE = FALSE
TIME_PREFIX = _write_ts(?:"\s*:\s*")?
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6QZ
MAX_TIMESTAMP_LOOKAHEAD = 40
KV_MODE = JSON
FIELDALIAS-dest = id.resp_h ASNEW dest id.resp_h ASNEW id_resp_h
FIELDALIAS-dest_ip = id.resp_h ASNEW dest_ip
FIELDALIAS-dest_port = id.resp_p ASNEW dest_port id.resp_p ASNEW id_resp_p
FIELDALIAS-src = id.orig_h ASNEW src id.orig_h ASNEW id_orig_h
FIELDALIAS-src_ip = id.orig_h ASNEW src_ip
FIELDALIAS-src_port = id.orig_p ASNEW src_port id.orig_p ASNEW id_orig_p
EVAL-direction = case(isnotnull(direction),direction,local_orig="true" AND local_resp="true", "internal", local_orig="true" and local_resp="false", "outbound", local_orig="false" and local_resp="false", "external", local_orig="false" and local_resp="true", "inbound", 1=1, "unknown")
EVAL-is_broadcast = if(src in("0.0.0.0", "255.255.255.255") OR dest in("255.255.255.255", "0.0.0.0"),"true","false")
EVAL-is_src_internal_ip = if(cidrmatch("10.0.0.0/8",src) OR cidrmatch("172.16.0.0/12",src) OR cidrmatch("192.168.0.0/16", src), "true", "false")
EVAL-is_dest_internal_ip = if(cidrmatch("10.0.0.0/8",dest) OR cidrmatch("172.16.0.0/12",dest) OR cidrmatch("192.168.0.0/16", dest), "true", "false")
EVAL-vendor_product = "Corelight"
EVAL-vendor = "Corelight"
EVAL-sensor_name = coalesce(system_name, host, "unknown")
=== Version 2.5.4
- system by default. Please see the latest Splunk documentation to enable system-wide export of knowledge objects. This change is to allow Splunk Administrators the ability to review all configurations prior to making the configurations globally available.
- corelight_investigator_alerts: _time caused subsearch failure in ITSI-specific searches.
- src_ip and dest_ip have incorrect mvfilters.
- corelight_investigator_alerts: splunk-sdk to 2.1.0.
- corelight_ssh to the CIM framework with accurate tagging and mapping to their respective Splunk Data Models.
- corelight_http, corelight_http_red, and corelight_http2 stanzas in props.conf to correctly handle field aliases for bytes_in and bytes_out.
- splunk-sdk to 2.0.2.
- Welcome dashboard
- Security Posture
- Secure Channel Insights
- Name Resolution Insights
- Remote Activity Insights
- Largest Transfers Between Host Pairs Over VPN
- msg or note fields.
- Corelight Suricata IDS Alerts dashboard.
- id.* fields.
- corelight_ntp sourcetype: correct an if statement.
- KV_MODE on corelight_tsv as invalid against INDEXED_EXTRACTIONS.

=== Version 2.4.6
- cid search command relating to icmp6 with IPv6 src_ips.
- inferences props for better extractions.
- cid custom command to a v2 Search Command.
- splunklib to current version.