The Corelight App for Splunk enables incident responders and threat hunters who use Splunk® and Splunk Enterprise Security to work faster and more effectively.
| Attribute | Value |
| --- | --- |
| App Version | 2.5.1 |
| App Build | 161 |
| Splunk Enterprise Versions | 9.X, 8.2, 8.1 (Dashboard Studio: 9.X only) |
| Platforms | Splunk Enterprise, Splunk Cloud |
| Splunkbase URL | https://splunkbase.splunk.com/app/3884 |
| Author | Aplura, LLC. and Corelight, Inc. |
| Creates an index | False |
| Implements summarization | No |
| Summary Indexing | False |
| Report Acceleration | False |
| Release Date | 11/25/2024 |
When upgrading from Corelight App For Splunk version 2.4.4 or earlier, remove the previous app before installing the latest Corelight App For Splunk app release. Additionally, check in the `local/data/ui/views` folder for conflicting dashboards.
The Corelight App For Splunk transforms complex network data into actionable security intelligence, enabling faster threat detection and incident response. By seamlessly integrating with Corelight Sensors and Zeek data, the app provides security teams with comprehensive visibility through specialized dashboards covering alert aggregation, protocol analysis, threat intelligence matching, and network behavior analytics. Built for security analysts, incident responders, and threat hunters, the app streamlines investigation workflows and enhances threat hunting capabilities with features like MITRE ATT&CK framework integration, automated alert correlation, and detailed traffic analysis.
- **Alert Aggregations**: Consolidates and prioritizes security alerts with MITRE ATT&CK mapping for streamlined threat response
- **Intel**: Monitors IOC matches from external threat intelligence sources in network traffic
- **IP Interrogation**: Analyzes specific IP addresses for connection patterns, protocol usage, and network interactions
- **Log Hunting**: Enables detailed investigation of network events with customizable filters and search criteria
- **Notices**: Tracks system-generated security notices and intelligence alerts with severity classification
- **Security Posture**: Provides a comprehensive overview of network security status, including alerts, encryption, and DNS health
- **RDP Inferences**: Monitors Remote Desktop Protocol connections, authentication patterns, and security protocols
- **SSH Inferences**: Analyzes SSH connection patterns, authentication methods, and potential security issues
- **Suricata IDS Alert Overview**: Displays intrusion detection alerts with temporal patterns and severity levels
- **VPN Insights**: Tracks VPN usage patterns, connections, and user activity across the network
- **Connections**: Visualizes top services, ports, dataflows, and network connection patterns
- **DNS**: Monitors DNS query patterns and potential exfiltration attempts through domain analysis
- **Files**: Identifies suspicious files, executables, and compressed file transfers
- **HTTP**: Analyzes HTTP transactions for suspicious patterns in headers, user agents, and requests
- **Software**: Tracks software versions and usage patterns across monitored network traffic
- **SSL and x509**: Monitors SSL/TLS certificates and validation status for encrypted traffic
- **Secure Channel Insights**: Analyzes encrypted and non-encrypted SSL, SSH, TLS, and x509 traffic
- **Name Resolution Insights**: Provides deep analysis of DNS traffic patterns and potential threats
- **Remote Activity Insights**: Monitors remote access patterns and authentication attempts
- **Configuration**: Manages app settings, indexes, and logging configuration
- **Lookup Generation**: Creates and manages lookup files for dashboard filtering
- **Sensor Overview**: Provides operational status of Corelight sensors
- **About**: Displays app version information and documentation
`cid` is a custom command provided to turn a tuple of `src_ip`, `src_port`, `dest_ip`, and `dest_port` into a community string.
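As an added illustration (not the app's own command code), the following Python computes a Community ID v1 flow hash for such a tuple. It assumes that the "community string" `cid` produces is Corelight's open Community ID; the function names, the `proto` parameter and the sample tuples are this example's own. It shows the property that makes the hash useful for correlation: both directions of a flow yield the same ID, so a Zeek `conn` record and a Suricata alert seen from the other side can be joined on it.

```python
"""Community ID v1 flow hash (added example; assumes the page's "community
string" is Corelight's Community ID, and is not the app's own code)."""
import base64
import hashlib
import ipaddress
import struct

# IANA protocol numbers for the transports whose Community ID includes ports
PORT_PROTOS = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id_v1(src_ip: str, src_port: int, dest_ip: str, dest_port: int,
                    proto: str = "tcp", seed: int = 0) -> str:
    """Return the Community ID v1 string for a flow 4-tuple plus transport.

    Endpoints are sorted before hashing (lower address first; on equal
    addresses, lower port first), so A->B and B->A hash identically.
    IPv4 and IPv6 are both handled through their packed byte form.
    """
    proto = proto.lower()
    if proto not in PORT_PROTOS:
        # ICMP/ICMPv6 use a type/code mapping in the spec; not implemented here.
        raise ValueError(f"unsupported protocol for this example: {proto}")
    if not (0 <= src_port <= 65535 and 0 <= dest_port <= 65535):
        raise ValueError("ports must be in 0..65535")

    saddr = ipaddress.ip_address(src_ip).packed
    daddr = ipaddress.ip_address(dest_ip).packed
    if len(saddr) != len(daddr):
        raise ValueError("source and destination must share an address family")

    # Canonical ordering so that both directions of a flow produce one ID
    if saddr > daddr or (saddr == daddr and src_port > dest_port):
        saddr, daddr = daddr, saddr
        src_port, dest_port = dest_port, src_port

    data = (struct.pack("!H", seed)                       # 2-byte seed, big-endian
            + saddr + daddr                               # ordered endpoint addresses
            + struct.pack("!BB", PORT_PROTOS[proto], 0)   # protocol number, 1 pad byte
            + struct.pack("!HH", src_port, dest_port))    # ordered ports
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


def same_flow(a, b) -> bool:
    """True when two (src_ip, src_port, dest_ip, dest_port, proto) tuples
    describe the same bidirectional flow."""
    return community_id_v1(*a) == community_id_v1(*b)


if __name__ == "__main__":
    # Constructed sample tuples, not taken from the page
    fwd = ("10.0.0.5", 51234, "192.0.2.10", 443, "tcp")
    rev = ("192.0.2.10", 443, "10.0.0.5", 51234, "tcp")
    print(community_id_v1(*fwd))
    print("same flow:", same_flow(fwd, rev))
```

The seed defaults to 0; a sensor fleet that uses a non-zero seed must use the same value everywhere, or IDs from different sources will not match.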
Corelight App For Splunk contains several lookup files.
It is a best practice and recommendation to **not** use the direct CSV name, as these will change between versions. Use the `transforms` name as listed in the table.
| Transforms | Filename | Description |
| --- | --- | --- |
| port_descriptions | port_desc_2.5.1.csv | Gives port descriptions to ports. |
| corelight_systems | corelight_systems_2.5.1.csv | Auto-generated from sensor data |
| corelight_services | corelight_services_2.5.1.csv | Auto-generated from services data |
| corelight_dns_ports | corelight_dns_ports_2.5.1.csv | Auto-generated from DNS data |
| corelight_dns_record_types | corelight_dns_record_type_2.5.1.csv | Auto-generated from DNS data |
| corelight_files_mime_types | corelight_files_mime_types_2.5.1.csv | Auto-generated from files data |
| corelight_software_types | corelight_software_types_2.5.1.csv | Auto-generated from software data |
| corelight_dns_reply_code | corelight_dns_reply_code_2.5.1.csv | Provided to look up reply code types |
| corelight_conn_state_description | corelight_conn_state_description_2.5.1.csv | Describes connection states |
| corelight_status_action | corelight_status_action_2.5.1.csv | Describes Corelight action and status |
| ssh_inference | ssh_inference_lookup_2.5.1.csv | Describes inferences |
| corelight_inferences_description | corelight_inferences_description_2.5.1.csv | Describes inferences |
| corelight_severity | corelight_severities_2.5.1.csv | Maps severity ids and severity text |
| corelight_error_messages | corelight_error_messages_2.5.1.csv | Contains information on Corelight error messages. |
| corelight_alert_aggregations | corelight_alert_aggregations_enrichment.csv | Provides enrichments for Suricata alerts. |
This App provides the following scripts: the `cid` command. Corelight App For Splunk does not make use of an event generator.

Version 2.5.1

- `corelight_ssh` to the CIM framework with accurate tagging and mapping to their respective Splunk Data Models.
- `corelight_http`, `corelight_http_red`, and `corelight_http2` stanzas in `props.conf` to correctly handle field aliases for `bytes_in` and `bytes_out`.
- `splunk-sdk` to 2.0.2.
- Welcome dashboard
- Security Posture
- Secure Channel Insights
- Name Resolution Insights
- Remote Activity Insights
- Largest Transfers Between Host Pairs Over VPN
- `msg` or `note` fields.
- Corelight Suricata IDS Alerts dashboard.
- `id.*` fields.
- `corelight_ntp` sourcetype: correct an if statement
- `KV_MODE` on `corelight_tsv` as invalid against `INDEXED_EXTRACTIONS`

Version 2.4.6

- `cid` search command relating to icmp6 with IPv6 src_ips.
- `inferences` props for better extractions.
- `cid` custom command to a v2 Search Command.
- `splunklib` to current version.