The Corelight App for Splunk enables incident responders and threat hunters who use Splunk® and Splunk Enterprise Security to work faster and more effectively. The app and its required TA extract information and knowledge from Zeek (formerly known as Bro) via Corelight Sensors or open-source Zeek, resulting in powerful security insights through key traffic dashboards such as:
Intel: Find IOCs from external sources matched in network traffic.
Notices: See situations flagged by the Notice policy for further investigation.
IP Interrogation: Identify anomalies by reviewing top protocol usage, internal vs. external connections, top connections by bytes transferred and more.
Log Hunting: Accelerate your hunt by narrowing down many logs to only the logs that matter.
Detections: Find and respond to off-port protocol usage, IOC matches, and other potentially interesting events.
Connections: Gain situational awareness using lists of top services, ports, dataflows, originators, and responders.
HTTP: Find suspicious HTTP transactions by reviewing a list of top host headers, originators, rare user agents and rare host headers.
DNS: Detect DNS exfiltration by spotting queries to non-existent domains and high connection counts.
Files: Find executables hidden in benign extensions and compressed files.
Corelight Egress Monitor: Find risky North/South user connections to weak SSL versions.
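As an added illustration of the detection idea behind the DNS dashboard (this is not code from the Corelight app or the TA), the Python below flags internal hosts whose DNS queries are mostly NXDOMAIN responses, the pattern that tunnelling and exfiltration over DNS tends to leave. It reads constructed Zeek dns.log records in JSON-lines format; the field names are the standard Zeek ones, while the sample records and the thresholds are assumptions.

```python
import json
from collections import defaultdict

# Constructed Zeek dns.log records (JSON output format). Not real traffic.
# 10.0.0.5: normal browsing. 10.0.0.7: a burst of random-looking labels that
# all fail to resolve. 10.0.0.9: two typos, too few queries to judge.
SAMPLE_DNS_LOG = """
{"ts":1.0,"id.orig_h":"10.0.0.5","query":"www.example.com","rcode_name":"NOERROR"}
{"ts":2.0,"id.orig_h":"10.0.0.5","query":"cdn.example.com","rcode_name":"NOERROR"}
{"ts":3.0,"id.orig_h":"10.0.0.5","query":"mail.example.com","rcode_name":"NOERROR"}
{"ts":4.0,"id.orig_h":"10.0.0.7","query":"www.example.com","rcode_name":"NOERROR"}
{"ts":5.0,"id.orig_h":"10.0.0.7","query":"a1b2c3d4.t.example.net","rcode_name":"NXDOMAIN"}
{"ts":6.0,"id.orig_h":"10.0.0.7","query":"e5f6a7b8.t.example.net","rcode_name":"NXDOMAIN"}
{"ts":7.0,"id.orig_h":"10.0.0.7","query":"c9d0e1f2.t.example.net","rcode_name":"NXDOMAIN"}
{"ts":8.0,"id.orig_h":"10.0.0.7","query":"a3b4c5d6.t.example.net","rcode_name":"NXDOMAIN"}
{"ts":9.0,"id.orig_h":"10.0.0.7","query":"e7f8a9b0.t.example.net","rcode_name":"NXDOMAIN"}
{"ts":10.0,"id.orig_h":"10.0.0.9","query":"wwww.example.com","rcode_name":"NXDOMAIN"}
{"ts":11.0,"id.orig_h":"10.0.0.9","query":"exmaple.com","rcode_name":"NXDOMAIN"}
"""


def parse_dns_log(text):
    """Parse JSON-lines dns.log text, skipping blank and comment lines."""
    return [json.loads(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def nxdomain_stats(records):
    """Per originating host: total queries, NXDOMAIN answers, distinct failed names."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "unique_nx": set()})
    for rec in records:
        entry = stats[rec["id.orig_h"]]
        entry["total"] += 1
        if rec.get("rcode_name") == "NXDOMAIN":
            entry["nxdomain"] += 1
            entry["unique_nx"].add(rec.get("query"))
    return stats


def flag_sources(records, min_queries=5, min_ratio=0.5):
    """Return hosts with enough queries whose NXDOMAIN share meets the threshold.

    min_queries suppresses hosts with too little data (a couple of typos is noise);
    min_ratio is an assumed starting point and should be tuned per environment."""
    flagged = {}
    for src, entry in nxdomain_stats(records).items():
        if entry["total"] >= min_queries and entry["nxdomain"] / entry["total"] >= min_ratio:
            flagged[src] = {"total": entry["total"], "nxdomain": entry["nxdomain"],
                            "unique_nx": len(entry["unique_nx"])}
    return flagged
```

The same aggregation maps onto a Splunk search over the dns sourcetype (count by id.orig_h and rcode_name), with unique_nx as the extra signal that separates tunnelling from a single misconfigured name being retried.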