
Corelight ECS mapping: Unified Zeek data for more efficient analytics

In addition to other great news we’ve recently shared, I’m pleased to announce that Corelight sensors now support the Elastic Common Schema (ECS) via our Corelight ECS Mapping.

If you’re not familiar with ECS, Elastic provides a nice summary in their intro blog post:

“ECS facilitates the unified analysis of data from diverse sources so that content such as dashboards and machine learning jobs can be applied more broadly, searches can be crafted more efficiently, and field names can be recalled by analysts more easily.”

Zeek (formerly Bro) is a great example of one of those diverse sources of data, and it becomes much more powerful and valuable when mapped to ECS by enabling customers to realize those benefits. For example, let’s examine how ECS can help craft searches more efficiently…

Imagine you’re investigating a particular IP address and you want to see information about traffic originating from that host. Your Elastic Stack is doing a fantastic job ingesting, storing, analyzing, and visualizing data from your firewalls, endpoints, networks, IDS and other sources but there’s a small but annoying obstacle you frequently encounter: there’s no field name consistency across all those sources. 

Your firewall labels the source IP address “src”, while your proxy calls it “client_ip”. Zeek labels it “id.orig_h” (the originating host of the connection), while Suricata calls it “src_ip”. To cover your bases, you craft a search that looks something like this:

src:10.42.42.42 OR client_ip:10.42.42.42 OR id.orig_h:10.42.42.42 OR src_ip:10.42.42.42

With ECS there is a better way! Your query simply becomes:

source.ip:10.42.42.42

Much easier, right? Not only is there less typing, but there’s less to remember since there’s only one set of standardized fields instead of multiple variations. 
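To make the search example concrete, here is a small normaliser, written for this post as an added illustration rather than taken from Corelight's ECS mapping or from Elastic. The per-source field maps, the sample events and the helper names are assumptions; the target names (source.ip, destination.ip, source.port, destination.port, network.transport, event.module, error.message) are standard ECS fields. It runs the four-field “native” query and the single-field ECS query over the same constructed events, and it enforces the ECS type of source.ip (an IP) at mapping time so a malformed value is flagged instead of quietly breaking the unified search.

```python
"""Normalise events from several sources to ECS field names (added example).

The field maps, sample events and helper names are assumptions for
illustration; this is not Corelight's ECS mapping nor Elastic's code.
"""
from __future__ import annotations

import ipaddress
from typing import Any

# Native field name -> ECS dotted field name, per source. Assumed mappings:
# the native names mirror those quoted in the post, the targets are ECS.
FIELD_MAPS: dict[str, dict[str, str]] = {
    "firewall": {"src": "source.ip", "dst": "destination.ip"},
    "proxy": {"client_ip": "source.ip", "url": "url.original"},
    "zeek": {
        "id.orig_h": "source.ip", "id.orig_p": "source.port",
        "id.resp_h": "destination.ip", "id.resp_p": "destination.port",
        "proto": "network.transport",
    },
    "suricata": {
        "src_ip": "source.ip", "src_port": "source.port",
        "dest_ip": "destination.ip", "dest_port": "destination.port",
    },
}

# ECS declares these as type "ip": validate at mapping time so a bad value
# is flagged rather than indexed into the field every query relies on.
IP_FIELDS = {"source.ip", "destination.ip"}


def set_dotted(doc: dict, path: str, value: Any) -> None:
    """Write value at a dotted path, creating nested objects ("source": {"ip": ...})."""
    parts = path.split(".")
    for part in parts[:-1]:
        doc = doc.setdefault(part, {})
    doc[parts[-1]] = value


def get_dotted(doc: dict, path: str) -> Any:
    """Read a dotted path; returns None when any segment is missing."""
    for part in path.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc


def to_ecs(event: dict) -> dict:
    """Return an ECS-shaped copy of a native event.

    Mapped fields move under their ECS object; unmapped fields are kept
    verbatim so nothing is lost. An unparseable IP stays under its native
    name and is recorded in error.message instead of becoming source.ip.
    """
    source_type = event["source_type"]
    field_map = FIELD_MAPS[source_type]
    ecs: dict = {"event": {"module": source_type}}
    for name, value in event.items():
        ecs_name = field_map.get(name)
        if ecs_name is None:
            ecs[name] = value
            continue
        if ecs_name in IP_FIELDS:
            try:
                value = str(ipaddress.ip_address(value))
            except ValueError:
                ecs[name] = value
                set_dotted(ecs, "error.message", f"{name}: not an IP address")
                continue
        set_dotted(ecs, ecs_name, value)
    return ecs


def search_native(events: list[dict], ip: str) -> list[dict]:
    """The pre-ECS query: src OR client_ip OR id.orig_h OR src_ip."""
    names = ("src", "client_ip", "id.orig_h", "src_ip")
    return [e for e in events if any(e.get(n) == ip for n in names)]


def search_ecs(docs: list[dict], ip: str) -> list[dict]:
    """The ECS query: source.ip only, whatever the event's origin."""
    return [d for d in docs if get_dotted(d, "source.ip") == ip]


# Constructed sample events (not real logs): four from 10.42.42.42, one from
# another host, and one firewall record with a malformed address.
SAMPLE_EVENTS = [
    {"source_type": "firewall", "src": "10.42.42.42", "dst": "198.51.100.7", "action": "allow"},
    {"source_type": "proxy", "client_ip": "10.42.42.42", "url": "http://example.test/"},
    {"source_type": "zeek", "id.orig_h": "10.42.42.42", "id.orig_p": 51234,
     "id.resp_h": "198.51.100.7", "id.resp_p": 443, "proto": "tcp"},
    {"source_type": "suricata", "src_ip": "10.42.42.42", "src_port": 51234,
     "dest_ip": "198.51.100.7", "dest_port": 443},
    {"source_type": "zeek", "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7", "proto": "udp"},
    {"source_type": "firewall", "src": "not-an-ip", "dst": "198.51.100.7"},
]

ECS_DOCS = [to_ecs(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    print(len(search_native(SAMPLE_EVENTS, "10.42.42.42")), "hits via four field names")
    print(len(search_ecs(ECS_DOCS, "10.42.42.42")), "hits via source.ip")
```

Both queries return the same four events; the difference is that search_ecs needs to know one field name, and any new source you onboard only needs a row in FIELD_MAPS, not a change to every saved search. Note that Elasticsearch field names are case-sensitive, so a query on Source.ip would not match documents indexed with the ECS name source.ip.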

This simplification applies to visualizations, dashboards, alerts, and machine learning jobs as well. A visualization is built on a specific field, so when the same kind of data, such as an IP address, arrives under a different field name from each source, you have to build a separate visualization for each name. With ECS, every source carries the data in the same field, and one visualization covers them all.

ECS also enables better sharing within the community because when you create things like visualizations or dashboards, you can share them with others using ECS who may not have the exact same data sources. When those data sources are in ECS format, it just works.

The Corelight ECS mapping supports Corelight data as well as Zeek and is available on GitHub. We will continue to follow and update these mappings as ECS evolves. To learn more about Corelight’s integration with Elastic, please read our joint solution data sheet.
