Corelight Integration Guide🔗
The Corelight Sensor should be configured to send logs via syslog to the Taegis™ XDR Collector. Please follow the instructions in the documentation provided by Corelight (account required) to export to syslog.
Connectivity Requirements🔗
| Source | Destination | Port/Protocol |
|---|---|---|
| Corelight Sensor Management IP | XDR Collector (mgmt IP) | TCP/601 |
Data Provided from Integration🔗
| Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
|---|---|---|---|
| Corelight (Zeek) | DHCP | Auth, DNS, Encrypt, HTTP, Netflow, NIDS | NIDS |
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Supported Corelight Logs🔗
The following Corelight log types are supported by Secureworks® Taegis™ XDR.
Important
Events from log types not listed here are ignored.
- Conn
- DHCP
- DNS
- HTTP
- Intel
- Kerberos
- NTLM
- Notice
- RDP
- Signature
- SMB_File
- SSH
- SSL
- Signatures
- Suricata
- Tunnel
- Weird
- x509
Configuration Instructions🔗
To configure the Corelight Sensor to send logs to XDR via syslog, follow the instructions provided by Corelight to export to syslog.
Consider the following requirements when completing the configuration steps:
- Syslog Server:Port — The hostname or IP address of the XDR Collector
-
Syslog Format — Select Alternate.
Corelight Configuration