
ids.corelight

Introduction

The tags beginning with ids.corelight identify events generated by Corelight.

Valid tags and data tables

The full tag must have at least 2 levels. The first two are fixed as ids.corelight. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service

Tags

Data tables

Corelight

  • ids.corelight

  • ids.corelight.broker

  • ids.corelight.capture_loss

  • ids.corelight.cluster

  • ids.corelight.config

  • ids.corelight.conn

  • ids.corelight.conn_long

  • ids.corelight.connlong

  • ids.corelight.connmod

  • ids.corelight.conn_red

  • ids.corelight.connred

  • ids.corelight.corelight_metrics_suricata

  • ids.corelight.corelight_metrics_zeek_doctor

  • ids.corelight.corelight_service_status

  • ids.corelight.data_red

  • ids.corelight.datared

  • ids.corelight.dce_rpc

  • ids.corelight.dcerpc

  • ids.corelight.dhcp

  • ids.corelight.dnp3

  • ids.corelight.dns

  • ids.corelight.dns_red

  • ids.corelight.dnsred

  • ids.corelight.dpd

  • ids.corelight.encrypted_dns

  • ids.corelight.etc_viz

  • ids.corelight.files

  • ids.corelight.files_red

  • ids.corelight.filesred

  • ids.corelight.ftp

  • ids.corelight.generic_dns_tunnels

  • ids.corelight.generic_icmp_tunnels

  • ids.corelight.http

  • ids.corelight.http2

  • ids.corelight.http_red

  • ids.corelight.httpred

  • ids.corelight.intel

  • ids.corelight.ipsec

  • ids.corelight.irc

  • ids.corelight.kerberos

  • ids.corelight.known_certs

  • ids.corelight.known_devices

  • ids.corelight.known_domains

  • ids.corelight.known_hosts

  • ids.corelight.known_names

  • ids.corelight.known_remotes

  • ids.corelight.known_services

  • ids.corelight.known_users

  • ids.corelight.ldap

  • ids.corelight.ldap_search

  • ids.corelight.log4shell

  • ids.corelight.metrics_bro

  • ids.corelight.metrics_cpu

  • ids.corelight.metrics_disk

  • ids.corelight.metrics_docker

  • ids.corelight.metrics_iface

  • ids.corelight.metrics_memory

  • ids.corelight.metrics_s3

  • ids.corelight.metrics_sftp

  • ids.corelight.metrics_system

  • ids.corelight.metrics_utilization

  • ids.corelight.modbus

  • ids.corelight.mqtt_connect

  • ids.corelight.mqttconnect

  • ids.corelight.mqtt_subscribe

  • ids.corelight.mysql

  • ids.corelight.notice

  • ids.corelight.ntlm

  • ids.corelight.ntp

  • ids.corelight.overall_capture_loss

  • ids.corelight.pcr

  • ids.corelight.pe

  • ids.corelight.radius

  • ids.corelight.rdp

  • ids.corelight.reporter

  • ids.corelight.rfb

  • ids.corelight.sip

  • ids.corelight.smb_files

  • ids.corelight.smb_mapping

  • ids.corelight.smtp

  • ids.corelight.smtp_links

  • ids.corelight.smtplinks

  • ids.corelight.snmp

  • ids.corelight.socks

  • ids.corelight.software

  • ids.corelight.ssh

  • ids.corelight.ssl

  • ids.corelight.ssl_red

  • ids.corelight.sslred

  • ids.corelight.stats

  • ids.corelight.stepping

  • ids.corelight.stun

  • ids.corelight.stun_nat

  • ids.corelight.suricata_corelight

  • ids.corelight.suricata_enhanced

  • ids.corelight.suricata_stats

  • ids.corelight.syslog

  • ids.corelight.traceroute

  • ids.corelight.tunnel

  • ids.corelight.weird

  • ids.corelight.weird_red

  • ids.corelight.weird_stats

  • ids.corelight.weirdmod

  • ids.corelight.x509

  • ids.corelight.x509_red

  • ids.corelight.x509red

  • ids.corelight.zeek_doctor

Data tables

  • ids.corelight

  • ids.corelight.broker

  • ids.corelight.capture_loss

  • ids.corelight.cluster

  • ids.corelight.config

  • ids.corelight.conn

  • ids.corelight.connlong

  • ids.corelight.connmod

  • ids.corelight.connred

  • ids.corelight.corelight_metrics_suricata

  • ids.corelight.corelight_metrics_zeek_doctor

  • ids.corelight.corelight_service_status

  • ids.corelight.datared

  • ids.corelight.dcerpc

  • ids.corelight.dhcp

  • ids.corelight.dnp3

  • ids.corelight.dns

  • ids.corelight.dnsred

  • ids.corelight.dpd

  • ids.corelight.encrypted_dns

  • ids.corelight.etc_viz

  • ids.corelight.files

  • ids.corelight.filesred

  • ids.corelight.ftp

  • ids.corelight.generic_dns_tunnels

  • ids.corelight.generic_icmp_tunnels

  • ids.corelight.http

  • ids.corelight.http2

  • ids.corelight.httpred

  • ids.corelight.intel

  • ids.corelight.ipsec

  • ids.corelight.irc

  • ids.corelight.kerberos

  • ids.corelight.known_certs

  • ids.corelight.known_devices

  • ids.corelight.known_domains

  • ids.corelight.known_hosts

  • ids.corelight.known_names

  • ids.corelight.known_remotes

  • ids.corelight.known_services

  • ids.corelight.known_users

  • ids.corelight.ldap

  • ids.corelight.ldap_search

  • ids.corelight.log4shell

  • ids.corelight.metrics_bro

  • ids.corelight.metrics_cpu

  • ids.corelight.metrics_disk

  • ids.corelight.metrics_docker

  • ids.corelight.metrics_iface

  • ids.corelight.metrics_memory

  • ids.corelight.metrics_s3

  • ids.corelight.metrics_sftp

  • ids.corelight.metrics_system

  • ids.corelight.metrics_utilization

  • ids.corelight.modbus

  • ids.corelight.mqttconnect

  • ids.corelight.mqtt_subscribe

  • ids.corelight.mysql

  • ids.corelight.notice

  • ids.corelight.ntlm

  • ids.corelight.ntp

  • ids.corelight.overall_capture_loss

  • ids.corelight.pcr

  • ids.corelight.pe

  • ids.corelight.radius

  • ids.corelight.rdp

  • ids.corelight.reporter

  • ids.corelight.rfb

  • ids.corelight.sip

  • ids.corelight.smb_files

  • ids.corelight.smb_mapping

  • ids.corelight.smtp

  • ids.corelight.smtplinks

  • ids.corelight.snmp

  • ids.corelight.socks

  • ids.corelight.software

  • ids.corelight.ssh

  • ids.corelight.ssl

  • ids.corelight.sslred

  • ids.corelight.stats

  • ids.corelight.stepping

  • ids.corelight.stun

  • ids.corelight.stun_nat

  • ids.corelight.suricata_corelight

  • ids.corelight.suricata_enhanced

  • ids.corelight.suricata_stats

  • ids.corelight.syslog

  • ids.corelight.traceroute

  • ids.corelight.tunnel

  • ids.corelight.weird

  • ids.corelight.weird_red

  • ids.corelight.weird_stats

  • ids.corelight.weirdmod

  • ids.corelight.x509

  • ids.corelight.x509red

  • ids.corelight.zeek_doctor
