
New Corelight app for Splunk: Making network-based threat hunting easier


Want to use Zeek (formerly Bro) network data in Splunk ES, but don’t know how to start or where to look?

Need to quickly narrow down Zeek logs from a mountain, to a hill, to a handful?

Want to avoid hours of work mapping Corelight key-value pairs for ingest?

Our recently updated Corelight App for Splunk may be just what you’re looking for. It accelerates SOC workflows by providing guided threat hunting workflows using dashboards and filters that enable analysts to quickly narrow down and pivot across Zeek logs. It’s also a great demonstration of how Zeek data sent into the Splunk platform can be leveraged to find encrypted malicious traffic, DNS exfiltration, hidden malware and other network risks.

In addition we’ve released an updated technology add-on (TA) that automatically normalizes Corelight security data for easier ingest into the Splunk platform. The TA can be used standalone or in conjunction with the new app — a tool worth checking out if you’re a Corelight + Splunk shop.

The Corelight App for Splunk works with Corelight sensors as well as Zeek. The app requires the above-mentioned TA for Corelight data, or the Splunk Add-on for Zeek data. You can download the app and either TA for free on Splunkbase.

To learn more about Corelight’s integration with Splunk software and how it helps incident responders and threat hunters work faster and more effectively, please read our joint solution data sheet, watch our webinar on Threat Hunting in Splunk with Zeek or check out the screenshots of the app below:

Detections dashboard


Find and respond to off-port protocol usage, IOC matches, and other potentially interesting events.

Intel workflow


Find IOCs from external sources matched in network traffic.

Notices workflow


See situations flagged by the Notice policy for further investigation.

Log hunting workflow


Accelerate your hunt by narrowing down many logs to only the logs that matter.

DNS dashboard


Detect DNS exfiltration by spotting queries to non-existent domains and high connection counts.
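The DNS dashboard's heuristic applied outside Splunk, as an added example that is not code from Corelight or from the app: a small Python script that reads Zeek dns.log records (JSON lines, as a Corelight sensor exports them) and flags clients with a high query count whose replies are mostly NXDOMAIN. The field names are Zeek's; the sample records and the thresholds are constructed for this example.

```python
import json
from collections import defaultdict

# Constructed Zeek/Corelight dns.log records (JSON per line), not real traffic.
# 10.0.0.5 is the noisy client: many distinct names, all answered NXDOMAIN.
SAMPLE_DNS_LOG = "\n".join(json.dumps(r) for r in
    [{"ts": 1.0 + i, "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.2",
      "query": f"{i:08x}.data.example.net", "qtype_name": "TXT", "rcode_name": "NXDOMAIN"}
     for i in range(40)] +
    [{"ts": 50.0, "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.2",
      "query": "www.example.com", "qtype_name": "A", "rcode_name": "NOERROR"},
     {"ts": 51.0, "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.2",
      "query": "typo.exmaple.com", "qtype_name": "A", "rcode_name": "NXDOMAIN"}])


def summarize_dns(log_text):
    """Per-client counters from dns.log lines: total queries, NXDOMAIN replies, distinct names."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "names": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        s = stats[rec["id.orig_h"]]
        s["total"] += 1
        s["names"].add(rec.get("query", "").lower())
        if rec.get("rcode_name") == "NXDOMAIN":
            s["nxdomain"] += 1
    return stats


def find_dns_exfil_candidates(log_text, min_total=20, min_nxdomain_ratio=0.5):
    """Flag clients that both query a lot and mostly get NXDOMAIN back.
    The thresholds are assumptions for this example; tune them per environment."""
    hits = []
    for host, s in summarize_dns(log_text).items():
        ratio = s["nxdomain"] / s["total"]
        if s["total"] >= min_total and ratio >= min_nxdomain_ratio:
            hits.append({"src": host, "queries": s["total"], "nxdomain": s["nxdomain"],
                         "distinct_names": len(s["names"]), "nx_ratio": round(ratio, 2)})
    return sorted(hits, key=lambda h: h["nxdomain"], reverse=True)


if __name__ == "__main__":
    for hit in find_dns_exfil_candidates(SAMPLE_DNS_LOG):
        print(hit)
```

The same grouping (count of queries and of NXDOMAIN replies per `id.orig_h`) is what the dashboard's filters let you pivot on in Splunk; the low-volume client with a single typo is deliberately left unflagged.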

Corelight egress monitor


Find risky North/South user connections to weak SSL versions.


Ed Smith - Senior Product Marketing Manager, Corelight
