ids.corelight

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 How is the data sent to Devo? ]

Introduction

The tags beginning with ids.corelight identify events generated by Corelight.

Valid tags and data tables

The full tag must have at least 2 levels. The first two are fixed as ids.corelight. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
Corelight	`ids.corelight`	`ids.corelight`
	`ids.corelight.analyzer`	`ids.corelight.analyzer`
	`ids.corelight.broker`	`ids.corelight.broker`
	`ids.corelight.capture_loss`	`ids.corelight.capture_loss`
	`ids.corelight.cluster`	`ids.corelight.cluster`
	`ids.corelight.config`	`ids.corelight.config`
	`ids.corelight.conn`	`ids.corelight.conn`
	`ids.corelight.conn_long`	`ids.corelight.conn_long`
	`ids.corelight.conn_red`	`ids.corelight.conn_red`
	`ds.corelight.connlong`	`ds.corelight.connlong`
	`ids.corelight.connmod`	`ids.corelight.connmod`
	`ids.corelight.connred`	`ids.corelight.connred`
	`ids.corelight.corelight_metrics_suricata`	`ids.corelight.corelight_metrics_suricata`
	`ids.corelight.corelight_metrics_zeek_doctor`	`ids.corelight.corelight_metrics_zeek_doctor`
	`ids.corelight.corelight_service_status`	`ids.corelight.corelight_service_status`
	`ids.corelight.data_red`	`ids.corelight.data_red`
	`ids.corelight.datared`	`ids.corelight.datared`
	`ids.corelight.dce_rpc`	`ids.corelight.dce_rpc`
	`ids.corelight.dcerpc`	`ids.corelight.dcerpc`
	`ids.corelight.dga`	`ids.corelight.dga`
	`ids.corelight.dhcp`	`ids.corelight.dhcp`
	`ids.corelight.dnp3`	`ids.corelight.dnp3`
	`ids.corelight.dns`	`ids.corelight.dns`
	`ids.corelight.dns_red`	`ids.corelight.dns_red`
	`ids.corelight.dnsred`	`ids.corelight.dnsred`
	`ids.corelight.dpd`	`ids.corelight.dpd`
	`ids.corelight.encrypted_dns`	`ids.corelight.encrypted_dns`
	`ids.corelight.etc_viz`	`ids.corelight.etc_viz`
	`ids.corelight.files`	`ids.corelight.files`
	`ids.corelight.files_red`	`ids.corelight.files_red`
	`ids.corelight.filesred`	`ids.corelight.filesred`
	`ids.corelight.ftp`	`ids.corelight.ftp`
	`ids.corelight.generic_dns_tunnels`	`ids.corelight.generic_dns_tunnels`
	`ids.corelight.generic_icmp_tunnels`	`ids.corelight.generic_icmp_tunnels`
	`ids.corelight.http`	`ids.corelight.http`
	`ids.corelight.http2`	`ids.corelight.http2`
	`ids.corelight.http_red`	`ids.corelight.http_red`
	`ids.corelight.httpred`	`ids.corelight.httpred`
	`ids.corelight.intel`	`ids.corelight.intel`
	`ids.corelight.ipsec`	`ids.corelight.ipsec`
	`ids.corelight.irc`	`ids.corelight.irc`
	`ids.corelight.kerberos`	`ids.corelight.kerberos`
	`ids.corelight.known_certs`	`ids.corelight.known_certs`
	`ids.corelight.known_devices`	`ids.corelight.known_devices`
	`ids.corelight.known_domains`	`ids.corelight.known_domains`
	`ids.corelight.known_hosts`	`ids.corelight.known_hosts`
	`ids.corelight.known_names`	`ids.corelight.known_names`
	`ids.corelight.known_remotes`	`ids.corelight.known_remotes`
	`ids.corelight.known_services`	`ids.corelight.known_services`
	`ids.corelight.known_users`	`ids.corelight.known_users`
	`ids.corelight.ldap`	`ids.corelight.ldap`
	`ids.corelight.ldap_search`	`ids.corelight.ldap_search`
	`ids.corelight.log4shell`	`ids.corelight.log4shell`
	`ids.corelight.metrics_bro`	`ids.corelight.metrics_bro`
	`ids.corelight.metrics_cpu`	`ids.corelight.metrics_cpu`
	`ids.corelight.metrics_disk`	`ids.corelight.metrics_disk`
	`ids.corelight.metrics_docker`	`ids.corelight.metrics_docker`
	`ids.corelight.metrics_iface`	`ids.corelight.metrics_iface`
	`ids.corelight.metrics_memory`	`ids.corelight.metrics_memory`
	`ids.corelight.metrics_smartpcap`	`ids.corelight.metrics_smartpcap`
	`ids.corelight.metrics_suricata`	`ids.corelight.metrics_suricata`
	`ids.corelight.metrics_s3`	`ids.corelight.metrics_s3`
	`ids.corelight.metrics_sftp`	`ids.corelight.metrics_sftp`
	`ids.corelight.metrics_system`	`ids.corelight.metrics_system`
`ids.corelight.metrics_utilization`	`ids.corelight.metrics_utilization`
`ids.corelight.metrics_zeek_doctor`	`ids.corelight.metrics_zeek_doctor`
`ids.corelight.modbus`	`ids.corelight.modbus`
`ids.corelight.mqtt_connect`	`ids.corelight.mqtt_connect`
`ids.corelight.mqtt_publish`	`ids.corelight.mqtt_publish`
`ids.corelight.mqtt_subscribe`	`ids.corelight.mqtt_subscribe`
`ids.corelight.mysql`	`ids.corelight.mysql`
`ids.corelight.new_license_capacity`	`ids.corelight.new_license_capacity`
`ids.corelight.notice`	`ids.corelight.notice`
`ids.corelight.ntlm`	`ids.corelight.ntlm`
`ids.corelight.ntp`	`ids.corelight.ntp`
`ids.corelight.ocsp`	`ids.corelight.ocsp`
`ids.corelight.overall_capture_loss`	`ids.corelight.overall_capture_loss`
`ids.corelight.pcr`	`ids.corelight.pcr`
`ids.corelight.pe`	`ids.corelight.pe`
`ids.corelight.pipeline_test`	`ids.corelight.pipeline_test`
`ids.corelight.radius`	`ids.corelight.radius`
`ids.corelight.rdp`	`ids.corelight.rdp`
`ids.corelight.reporter`	`ids.corelight.reporter`
`ids.corelight.rfb`	`ids.corelight.rfb`
`ids.corelight.service_status`	`ids.corelight.service_status`
`ids.corelight.sip`	`ids.corelight.sip`
`ids.corelight.smb_files`	`ids.corelight.smb_files`
`ids.corelight.smb_mapping`	`ids.corelight.smb_mapping`
`ids.corelight.smtp`	`ids.corelight.smtp`
`ids.corelight.smtplinks`	`ids.corelight.smtplinks`
`ids.corelight.snmp`	`ids.corelight.snmp`
`ids.corelight.socks`	`ids.corelight.socks`
`ids.corelight.software`	`ids.corelight.software`
`ids.corelight.ssdp`	`ids.corelight.ssdp`
`ids.corelight.ssh`	`ids.corelight.ssh`
`ids.corelight.ssl`	`ids.corelight.ssl`
`ids.corelight.ssl_red`	`ids.corelight.ssl_red`
`ids.corelight.sslred`	`ids.corelight.sslred`
`ids.corelight.stats`	`ids.corelight.stats`
`ids.corelight.stepping`	`ids.corelight.stepping`
`ids.corelight.stun`	`ids.corelight.stun`
`ids.corelight.stun_nat`	`ids.corelight.stun_nat`
`ids.corelight.suricata_corelight`	`ids.corelight.suricata_corelight`
`ids.corelight.suricata_enhanced`	`ids.corelight.suricata_enhanced`
`ids.corelight.suricata_stats`	`ids.corelight.suricata_stats`
`ids.corelight.syslog`	`ids.corelight.syslog`
`ids.corelight.traceroute`	`ids.corelight.traceroute`
`ids.corelight.tunnel`	`ids.corelight.tunnel`
`ids.corelight.vpn`	`ids.corelight.vpn`
`ids.corelight.weird`	`ids.corelight.weird`
`ids.corelight.weird_red`	`ids.corelight.weird_red`
`ids.corelight.weird_stats`	`ids.corelight.weird_stats`
`ids.corelight.weirdmod`	`ids.corelight.weirdmod`
`ids.corelight.wireguard`	`ids.corelight.wireguard`
`ids.corelight.x509`	`ids.corelight.x509`
`ids.corelight.x509_red`	`ids.corelight.x509_red`
`ids.corelight.x509red`	`ids.corelight.x509red`
`ids.corelight.zeek_doctor`	`ids.corelight.zeek_doctor`

How is the data sent to Devo?

Below are the guidelines for the rules you need to define on the relay. These rules will apply to events received on the specified port and, based on a string found in an event's content, apply the correct Devo tag.

In the example below, we use port 13011 but you can use any free port you want.

You should create the following rules and it is very important to prioritize following the order we indicate for each rule:

Rule 1: IDS Corelight corelight_types

Source port → 13011
Source data → \"path\":\"corelight_([a-zA-Z_]+)\"
Target tag → ids.corelight.\\d1
Check the Stop processing and Sent without syslog tag checkboxes.

Rule 2: IDS Corelight types

Source port → 13011
Source data → \"path\":\"([a-zA-Z_]+)\"
Target tag → ids.corelight.\\d1
Check the Stop processing and Sent without syslog tag checkboxes.

This is a sample event for these events:

2024-09-03 02:30:00.711 localhost=127.0.0.1 ids.corelight.dga: {"_path":"dga","_system_name":"MFCHK08SZSEN01","_write_ts":"2024-09-03T02:29:48.611205Z","ts":"2024-09-03T02:29:48.611205Z","id.orig_h":"10.252.126.194","id.orig_p":52015,"id.resp_h":"10.216.2.16","id.resp_p":53,"id.vlan":3133,"id.vlan_inner":null,"id.orig_ep_status":null,"id.orig_ep_uid":null,"id.orig_ep_cid":null,"id.orig_ep_source":null,"id.resp_ep_status":null,"id.resp_ep_uid":null,"id.resp_ep_cid":null,"id.resp_ep_source":null,"query":"sfc.hk","family":"qsnatch:a","qtype_name":"A","rcode":0,"is_collision_heavy":true,"ruse":false}