
Corelight

Overview

Corelight turns high-volume network traffic into high-fidelity data for incident response, intrusion detection, and forensics. This integration imports the rich Zeek logs produced by a Corelight Sensor directly into Devo, where they support SecOps use cases such as threat hunting and incident response.

Pre-requisites

You must have a Corelight Sensor and a Devo cloud domain to integrate your data. For deployment and installation instructions, please refer to the Corelight documentation and Devo Product Documentation.

Version compatibility

This integration applies to:

  • Corelight v18+ (Sensor Appliances: AP 200, AP 1000, AP 1001, AP 3001; Cloud Sensors: AWS, Azure; Virtual Sensors: VMware ESXi 6.0 or later with a compatible vCenter, Hyper-V on Windows Server).

  • Devo Platform.

Deployment architecture

The Corelight Sensor is deployed out of band and receives a copy of the network traffic from a mirroring source such as a packet broker, SPAN port, or TAP. The sensor analyzes that traffic and exports Corelight logs and security insights to the Devo Data Analytics Platform. Corelight can also carve files out of the network stream and hand them to a file analysis tool for investigation; Devo Security Operations can consume the results through integrations.

Devo Configuration

Here you will find the needed configuration for the Devo Platform.

Devo Cloud domain configuration

To sign up or create a new Devo Cloud domain, contact your Devo sales representative to obtain the domain.

Devo Relay configuration

Devo Relay is a software application that receives inbound events, applies processing rules to them, and forwards them to Devo Cloud over a channel encrypted with SSL/TLS.

Refer to Installing Devo Relay section if you want to know how to install it.

Once you have installed it and confirmed that it is activated in the Devo Platform, add a relay rule. Copy the three values below into the relay rule configuration. Learn how to define relay rules in this article.

  • Source data - (\{.*\"_path\":\"(?:corelight_)?(\w+)\".*\})

  • Target tag - ids.corelight.\\D2

  • Target message - \\D1

The Source data regex captures two groups: \\D1 is the complete JSON log record, and \\D2 is the Zeek log name taken from its _path field with any corelight_ prefix removed. Each record is therefore forwarded unchanged as the message and lands in a table named after its log type (for example, ids.corelight.conn or ids.corelight.dns). Lines that carry no _path field do not match the rule and are not tagged by it.
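To check that your sensor's output is actually routed the way the rule intends, the following script emulates the relay rule over a few constructed Corelight/Zeek JSON lines. This is an added example, not Devo or Corelight code; the sample lines are made up, and it assumes that Devo applies the Source data regex with search semantics and substitutes \\D1 and \\D2 with the first and second capture groups.

```python
"""Emulate the Devo relay rule from this page over constructed Corelight lines.

Added example, not Devo or Corelight code. Assumption: the relay applies the
Source data regex with search (not full-match) semantics and replaces \\D1 and
\\D2 in the target fields with capture groups 1 and 2.
"""
import json
import re

# The three rule fields exactly as written on the page (raw strings).
SOURCE_DATA = re.compile(r'(\{.*\"_path\":\"(?:corelight_)?(\w+)\".*\})')
TARGET_TAG = r"ids.corelight.\\D2"
TARGET_MESSAGE = r"\\D1"


def apply_rule(line: str):
    """Return (tag, message) for a line the rule matches, or None otherwise."""
    m = SOURCE_DATA.search(line)
    if m is None:
        return None
    tag = TARGET_TAG.replace(r"\\D2", m.group(2))
    message = TARGET_MESSAGE.replace(r"\\D1", m.group(1))
    return tag, message


def check_line(line: str) -> bool:
    """Cross-check the regex against a real JSON parse: the forwarded message
    must be valid JSON whose _path (minus an optional corelight_ prefix) equals
    the tag suffix. Returns False for lines the rule does not match."""
    routed = apply_rule(line)
    if routed is None:
        return False
    tag, message = routed
    record = json.loads(message)  # raises ValueError if the captured span is not JSON
    path = record["_path"]
    if path.startswith("corelight_"):
        path = path[len("corelight_"):]
    return tag == f"ids.corelight.{path}"


# Constructed sample lines; not captured from a real sensor.
SAMPLE_LINES = [
    # Plain JSON record: whole line is forwarded, tag derived from _path
    '{"_path":"conn","ts":1700000000.123,"id.orig_h":"10.0.0.5",'
    '"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp"}',
    # _path carrying the corelight_ prefix, which the rule strips from the tag
    '{"_path":"corelight_smtp_links","ts":1700000001.5,"link":"http://example.com/x"}',
    # Same kind of record behind a syslog header; only the JSON object is forwarded
    '<13>Nov  1 12:00:00 sensor01 {"_path":"dns","ts":1700000002.0,'
    '"query":"example.com","qtype_name":"A"}',
    # No _path field: the rule does not match and the line gets no tag
    '{"ts":1700000003.0,"note":"Scan::Port_Scan"}',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(apply_rule(line), check_line(line))
```

Feed the script a few lines captured from your own sensor (for example from a packet capture of the syslog export) in place of SAMPLE_LINES; any line for which check_line returns False will not reach the ids.corelight.* tables under this rule.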

Corelight configuration

Configuring Corelight Sensor

The Corelight Sensor analyzes raw packets from the network and transforms them into powerful logs and custom security insights, which are then exported to the Devo Platform.

How to set up the integration

The Home Dashboard of the Corelight Sensor displays overall information.

To export to Devo, you need to enable the Corelight Syslog Exporter and configure it to export to the Devo Relay.

Verify the Exporter status

You can verify the status of the Exporter on the Home page. A green checkmark next to Syslog Export in the Exporter section on the right side indicates that the integration is working normally; any error is shown as a red X.

Verification of Data export

Verify the data is being exported correctly into your Devo Platform: