Corelight Integration Guide
integrations network corelight
The Corelight Sensor should be configured to send logs via syslog to the Taegis™ XDR Collector. Please follow the instructions in the documentation provided by Corelight (account required) to export to syslog.
Connectivity Requirements ⫘
| Source | Destination | Port/Protocol |
|---|---|---|
| Corelight Sensor Management IP | XDR Collector (mgmt IP) | TCP/601 |
Data Provided from Integration ⫘
| Antivirus | Auth | DHCP | DNS | Encrypt | Filemod | HTTP | Management | Netflow | NIDS | Process | Thirdparty | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Corelight (Zeek) | D | Y | D | D | D | D | D, V |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Supported Corelight Logs ⫘
The following Corelight log types are supported by Secureworks® Taegis™ XDR.
Important
Events from log types not listed here are ignored.
- Conn
- DHCP
- DNS
- HTTP
- Intel
- Kerberos
- NTLM
- Notice
- RDP
- Signature
- SMB_File
- SSH
- SSL
- Signatures
- Suricata
- Tunnel
- Weird
- x509
Configuration Instructions ⫘
To configure the Corelight Sensor to send logs to XDR via syslog, follow the instructions provided by Corelight to export to syslog.
Consider the following requirements when completing the configuration steps:
- Syslog Server:Port — The hostname or IP address of the XDR Collector
- Syslog Format — Select Alternate.
Corelight Configuration