The Corelight App for Splunk enables incident responders and threat hunters who use Splunk® and Splunk Enterprise Security to work faster and more effectively. The app and its required technology add-on (TA) extract information and knowledge from Zeek (formerly known as Bro) logs produced by Corelight Sensors or open-source Zeek, resulting in powerful security insights through key traffic dashboards such as:

Intel: Find IOCs from external sources (intel feeds) that matched in network traffic.
Notices: See situations flagged by the Notice policy for further investigation.
IP Interrogation: Identify anomalies for a given host by reviewing top protocol usage, internal vs. external connections, top connections by bytes transferred, and more.
Log Hunting: Accelerate your hunt by narrowing down many logs to only the logs that matter.
Detections: Find and respond to off-port protocol usage, IOC matches, and other potentially interesting events.
Connections: Gain situational awareness using lists of top services, ports, dataflows, originators, and responders.
HTTP: Find suspicious HTTP transactions by reviewing top host headers, top originators, rare user agents, and rare host headers.
DNS: Detect DNS exfiltration by spotting queries to non-existent domains (NXDOMAIN responses) and originators with unusually high query counts.
Files: Find executables hidden behind benign file extensions and inside compressed files.
Corelight Egress Monitor: Find risky North/South user connections negotiated with weak SSL/TLS versions.
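The DNS dashboard's exfiltration heuristic (many queries from one originator, most of them answered NXDOMAIN, typically spread across many unique names under one domain) is easy to reproduce outside Splunk against raw Zeek dns.log output. The following Python example is added here; it is not part of the Corelight app or TA and does not reproduce their searches. It reads Zeek's JSON-format dns.log field names (id.orig_h, query, qtype_name, rcode_name), runs over a small constructed log embedded in the script, and the thresholds (min_queries, min_nxdomain_ratio) and the two-label "registered domain" approximation are assumptions for illustration, not Corelight defaults.

```python
import json
from collections import defaultdict

# Constructed sample Zeek dns.log records in JSON format (not real traffic).
# 10.0.0.5 issues eight TXT queries for random-looking labels under one domain,
# all answered NXDOMAIN: the shape of a DNS tunnelling / exfiltration attempt.
_SUSPECT = [
    f'{{"ts":{1700000000 + i},"id.orig_h":"10.0.0.5","query":"{label}.exfil.example",'
    f'"qtype_name":"TXT","rcode_name":"NXDOMAIN"}}'
    for i, label in enumerate(["a3f9c1", "b77e02", "c0d4ee", "d91a5f",
                               "e2b8c3", "f44d19", "0a7e6b", "1c3f8d"])
]
# 10.0.0.7 makes ordinary, successful lookups: a busy but benign host.
_NORMAL = [
    f'{{"ts":{1700000100 + i},"id.orig_h":"10.0.0.7","query":"{name}",'
    f'"qtype_name":"A","rcode_name":"NOERROR"}}'
    for i, name in enumerate(["www.example.org", "mail.example.org", "cdn.example.net",
                              "www.example.org", "api.example.com", "login.example.com"])
]
# 10.0.0.9 has a few NXDOMAINs (typos happen) but stays below the query threshold.
_FEW = [
    f'{{"ts":{1700000200 + i},"id.orig_h":"10.0.0.9","query":"{name}",'
    f'"qtype_name":"A","rcode_name":"NXDOMAIN"}}'
    for i, name in enumerate(["wwww.example.org", "examlpe.org", "intranet.local"])
]
SAMPLE_DNS_LOG = "\n".join(_SUSPECT + _NORMAL + _FEW)


def parse_dns_log(text):
    """Yield one dict per newline-delimited JSON dns.log record, skipping blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def registered_domain(name, suffix_labels=2):
    """Crude eTLD+1 approximation: keep the last two labels.
    Assumption for illustration; production code should use the Public Suffix List."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-suffix_labels:])


def summarize_by_originator(records):
    """Per id.orig_h: total queries, NXDOMAIN count, and unique names per registered domain."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0,
                                 "per_domain": defaultdict(set)})
    for rec in records:
        src, qname = rec.get("id.orig_h"), rec.get("query")
        if not src or not qname:
            continue  # records without an originator or query carry no signal here
        entry = stats[src]
        entry["queries"] += 1
        if rec.get("rcode_name") == "NXDOMAIN":
            entry["nxdomain"] += 1
        entry["per_domain"][registered_domain(qname)].add(qname)
    return stats


def find_dns_exfil_candidates(records, min_queries=5, min_nxdomain_ratio=0.5):
    """Flag originators with at least min_queries lookups of which at least
    min_nxdomain_ratio were NXDOMAIN, and report the domain carrying the most
    unique names (the likely tunnel endpoint). Thresholds are assumptions."""
    findings = []
    for src, s in summarize_by_originator(records).items():
        if s["queries"] < min_queries:
            continue
        ratio = s["nxdomain"] / s["queries"]
        if ratio < min_nxdomain_ratio:
            continue
        top_domain, names = max(s["per_domain"].items(), key=lambda kv: len(kv[1]))
        findings.append({
            "orig_h": src,
            "queries": s["queries"],
            "nxdomain_ratio": round(ratio, 2),
            "busiest_domain": top_domain,
            "unique_names_under_it": len(names),
        })
    return sorted(findings, key=lambda f: f["queries"], reverse=True)


if __name__ == "__main__":
    for finding in find_dns_exfil_candidates(parse_dns_log(SAMPLE_DNS_LOG)):
        print(finding)
```

Running it flags only 10.0.0.5 (eight queries, NXDOMAIN ratio 1.0, eight unique names under exfil.example); the busy-but-successful host and the host with three typos stay below the thresholds, which is the point of combining the count and the NXDOMAIN ratio rather than alerting on either alone. On real data, tune min_queries to the window you aggregate over and expect legitimate NXDOMAIN bursts from misconfigured search domains and Chrome-style random-prefix probes.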