CONTACT US
forrester wave report 2023

Forrester rates Corelight a strong performer

GET THE REPORT

ad-nav-crowdstrike

Corelight now powers CrowdStrike solutions and services

READ MORE

ad-images-nav_0013_IDS

Alerts, meet evidence.

LEARN MORE ABOUT OUR IDS SOLUTION

ad-images-nav_white-paper

5 Ways Corelight Data Helps Investigators Win

READ WHITE PAPER

glossary-icon

10 Considerations for Implementing an XDR Strategy

READ NOW

ad-images-nav_0006_Blog

Don't trust. Verify with evidence

READ BLOG

ad-nav-NDR-for-dummies

NDR for Dummies

GET THE WHITE PAPER

video

The Power of Open-Source Tools for Network Detection and Response

WATCH THE WEBCAST

ad-nav-ESG

The Evolving Role of NDR

DOWNLOAD THE REPORT

ad-images-nav_0006_Blog

Detecting 5 Current APTs without heavy lifting

READ BLOG

g2-medal-best-support-ndr-winter-2024

Network Detection and Response

SUPPORT OVERVIEW

 

Enhance your search experience within Splunk by using the Corelight App

The Corelight App for Splunk provides the foundation for organizations to boost SOC effectiveness and productivity by using Corelight data in Splunk. In this blog, I’ll walk through how the Corelight App leverages Splunk’s Common Information Model (CIM) to enhance users' search experience when they are using Corelight data.

About Splunk’s CIM and the Corelight App for Splunk

The Corelight App for Splunk optimizes the data streamed to Splunk using the Common Information Model. A quick aside—almost every vendor has, or supports one data model, but Corelight supports many natively. The Splunk CIM is implemented as an add-on Splunk app that contains a collection of data models, documentation, and tools that support the consistent, normalized treatment of data for maximum efficiency at search time. For those unfamiliar there are twenty four data models, and Corelight support these seven:

Data Model Corelight
Certificates ig-site-icon-green-check

 

Email ig-site-icon-green-check

 

Intrusion Detection ig-site-icon-green-check

 

Network Resolution (DNS) ig-site-icon-green-check

 

Network Sessions ig-site-icon-green-check

 

Network Traffic ig-site-icon-green-check

 

Web ig-site-icon-green-check

 

 

This means that once you install the Corelight App for Splunk and configure Splunk’s CIM app, all of the data, field names, and values that are already correlated within Corelight’s context-rich alerts are normalized, validated and available within several Splunk data models. With this seamless process, Splunk users can accelerate their SOC workflows by being able to immediately access and action the data they need for investigations and long-term threat hunting. Ultimately, Corelight wants all security teams, regardless of the technology that they’re using, to have the opportunity to enhance their search experience and improve their overall effectiveness.

How to Configure the Corelight App for Splunk

Configuring the CIM is as easy as clicking the “Apps” drop-down menu and then selecting “Manage Apps”.

 

how to configure the corelight app for splunk image

 

Next, select “Setup” from the Splunk Common Information Model app under the action column. You will be presented with a UI for each of the data models. In this example we have configured acceleration and an index whitelist.

 

data-models-screen

 

Download the Corelight for Splunk and Splunk CIM apps and see for yourself how easy it is to get Corelight data into Splunk and quickly begin using accelerated data models within Splunk.

Stay tuned to our blog for updates! For guidance on threat hunting with Splunk and other security solutions, I also recommend visiting the Corelight YouTube channel.

For more about Corelight and Splunk’s strategic partnership, check out this page.

Recent Posts