Corelight Integration Guide
The Corelight Sensor should be configured to send logs via syslog to the Taegis™ XDR Collector. Please follow the instructions in the documentation provided by Corelight (account required) to export to syslog.
Connectivity Requirements
| Source | Destination | Port/Protocol |
|---|---|---|
| Corelight Sensor Management IP | XDR Collector (mgmt IP) | TCP/601 |
Data Provided from Integration
| Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
|---|---|---|---|
| Corelight (Zeek) | DHCP | Auth, DNS, Encrypt, HTTP, Netflow, Detections | Detections |
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Detection Rules to generate detections based on normalized data from a data source.
Supported Corelight Logs
The following Corelight log types are supported by Secureworks® Taegis™ XDR.
Important
Events from log types not listed here are ignored.
- Conn
- DHCP
- DNS (including aggregated DNS, dns_agg, if enabled on the sensor; see Corelight Data Aggregation)
- HTTP
- Intel
- Kerberos
- NTLM
- Notice
- RDP
- Signature
- SMB_File
- SSH
- SSL
- Signatures
- Suricata
- Tunnel
- Weird
- x509
Corelight Data Aggregation
Corelight can optionally apply data aggregation to reduce the volume of Zeek-based logs sent to your collector (for example, grouping similar events over a time window and emitting summary records). When aggregation is used for DNS, the sensor may send dns_agg records in addition to or instead of per-transaction dns/dns_red events, depending on your Corelight configuration.
Recommendation
Do not enable aggregation for data you rely on for high-fidelity security analytics unless you accept the tradeoff. Aggregation reduces fidelity: multiple underlying transactions are represented by a single summary event, which changes event counts, limits per-query timing and correlation, and omits or merges fields that exist on the non-aggregated log stream. For detection, investigation, and compliance use cases that require one event per DNS query (or full Zeek field coverage), use non-aggregated exports.
When aggregation may be acceptable
If your goal is lower ingest volume and approximate visibility, and you understand that investigations and some analytics will be coarser, aggregation can be a deliberate cost tradeoff. For the strongest match to XDR’s Corelight DNS parsing, prefer unaggregated dns/dns_red where possible.
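As an added example (not code from Corelight or Secureworks), the following Python script makes both of the points above concrete. It reads Corelight JSON-over-syslog records, reports which `_path` values fall outside the log types listed under Supported Corelight Logs and would therefore be ignored by XDR, and rolls per-transaction dns records into dns_agg-style summaries to show what aggregation discards. The sample syslog lines are constructed; the RFC 5424 header shape, the mapping from the listed log names to `_path` values, and the dns_agg field names are all assumptions.

```python
"""Classify Corelight JSON-over-syslog records and illustrate DNS aggregation.

Added example; not Corelight's or Secureworks' code. Sample lines are constructed.
"""
import json
from collections import Counter, defaultdict

# `_path` values assumed for the log types the guide lists as supported
# (derived from the Zeek log names; Corelight's Suricata path is assumed).
SUPPORTED_PATHS = {
    "conn", "dhcp", "dns", "dns_agg", "dns_red", "http", "intel", "kerberos",
    "ntlm", "notice", "rdp", "signatures", "smb_files", "ssh", "ssl",
    "suricata_corelight", "tunnel", "weird", "x509",
}

# Constructed sample: RFC 5424 header (assumed) followed by a Corelight JSON record.
HDR = "<134>1 2024-05-01T12:00:00.000Z sensor01 corelight - - - "
SAMPLE_SYSLOG = [
    HDR + '{"_path":"conn","uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.53","proto":"udp"}',
    HDR + '{"_path":"dns","ts":1714564800.1,"uid":"C2","id.orig_h":"10.0.0.5","query":"example.com","qtype_name":"A","rcode_name":"NOERROR"}',
    HDR + '{"_path":"dns","ts":1714564800.4,"uid":"C3","id.orig_h":"10.0.0.5","query":"example.com","qtype_name":"A","rcode_name":"NOERROR"}',
    HDR + '{"_path":"dns","ts":1714564800.9,"uid":"C4","id.orig_h":"10.0.0.5","query":"example.com","qtype_name":"A","rcode_name":"NOERROR"}',
    HDR + '{"_path":"dns","ts":1714564801.2,"uid":"C5","id.orig_h":"10.0.0.5","query":"bad.example","qtype_name":"A","rcode_name":"NXDOMAIN"}',
    HDR + '{"_path":"files","fuid":"F1","source":"HTTP","mime_type":"text/html"}',
    HDR + '{"_path":"software","host":"10.0.0.5","name":"curl"}',
]


def parse_record(line: str) -> dict:
    """Return the JSON object carried by one syslog line.

    Corelight's JSON export carries the log name in `_path`. Everything before
    the first '{' is the syslog header, whose shape depends on the sensor's
    syslog settings, so the parser does not depend on it.
    """
    start = line.find("{")
    if start < 0:
        raise ValueError("no JSON payload in syslog line")
    return json.loads(line[start:])


def classify(lines):
    """Count records XDR would parse vs. ignore, keyed by `_path`."""
    ingested, ignored = Counter(), Counter()
    for line in lines:
        path = str(parse_record(line).get("_path", "")).lower()
        (ingested if path in SUPPORTED_PATHS else ignored)[path] += 1
    return ingested, ignored


def aggregate_dns(records, window_s=60):
    """Roll per-transaction dns records into dns_agg-style summaries.

    Grouping key and output fields are constructed for illustration; they are
    not Corelight's dns_agg schema. One summary replaces every query sharing
    the key within a window, so per-query `ts` and `uid` values are lost.
    """
    buckets = defaultdict(list)
    for rec in records:
        key = (rec["id.orig_h"], rec["query"], rec["qtype_name"],
               rec["rcode_name"], int(rec["ts"] // window_s))
        buckets[key].append(rec)
    summaries = []
    for (orig_h, query, qtype, rcode, _), group in buckets.items():
        ts_values = [r["ts"] for r in group]
        summaries.append({
            "_path": "dns_agg", "id.orig_h": orig_h, "query": query,
            "qtype_name": qtype, "rcode_name": rcode, "count": len(group),
            "first_ts": min(ts_values), "last_ts": max(ts_values),
        })
    return summaries


if __name__ == "__main__":
    ingested, ignored = classify(SAMPLE_SYSLOG)
    print("ingested by XDR:", dict(ingested))
    print("ignored (unsupported _path):", dict(ignored))
    dns = [r for r in map(parse_record, SAMPLE_SYSLOG) if r["_path"] == "dns"]
    for s in aggregate_dns(dns):
        print(f"{len(dns)} dns records ->", s)
```

Run it before deciding on aggregation: the `ignored` counter tells you which sensor log types you are paying to ship that XDR will drop, and the dns_agg rollup shows that four queries collapse into two summaries with only first/last timestamps, which is exactly the loss of per-query correlation the recommendation above describes.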
Configuration Instructions
To configure the Corelight Sensor to send logs to XDR via syslog, follow the instructions provided by Corelight to export to syslog.
Consider the following requirements when completing the configuration steps:
