New Corelight app for Splunk: Making network-based threat hunting easier

November 18, 2019 by Ed Smith

Want to use Zeek (formerly Bro) network data in Splunk ES, but don’t know how to start or where to look?

Need to quickly narrow down Zeek logs from a mountain, to a hill, to a handful?

Want to avoid hours of work mapping Corelight key-value pairs for ingest?

Our recently updated Corelight App for Splunk may be just what you’re looking for. It accelerates SOC workflows by providing guided threat hunting workflows using dashboards and filters that enable analysts to quickly narrow down and pivot across Zeek logs. It’s also a great demonstration of how Zeek data sent into the Splunk platform can be leveraged to find encrypted malicious traffic, DNS exfiltration, hidden malware and other network risks.

In addition we’ve released an updated technology add-on (TA) that automatically normalizes Corelight security data for easier ingest into the Splunk platform. The TA can be used standalone or in conjunction with the new app — a tool worth checking out if you’re a Corelight + Splunk shop.

The Corelight App for Splunk works with Corelight sensors as well as Zeek. The app requires the above mentioned TA for Corelight data, or the Splunk Add-on for Zeek data. You can download the app and either TA for free on Splunkbase.

To learn more about Corelight’s integration with Splunk software and how it helps incident responders and threat hunters work faster and more effectively, please read our joint solution data sheet, watch our webinar on Threat Hunting in Splunk with Zeek or check out the screenshots of the app below:

Detections dashboard