Corelight connector for Microsoft Sentinel

The Corelight data connector enables incident responders and threat hunters who use Microsoft Sentinel to work faster and more effectively. The data connector enables ingestion of events from Zeek and Suricata via Corelight Sensors into Microsoft Sentinel.

Connector attributes

Connector attribute              Description
Log Analytics table(s)           Corelight_CL
Data collection rules support    Not currently supported
Supported by                     Corelight

Query samples

Top 10 Clients (Source IP)

Corelight
| summarize count() by SrcIpAddr
| top 10 by count_

Vendor installation instructions

Note

This data connector depends on a parser based on a Kusto Function, named Corelight, to work as expected. The parser is deployed with the Microsoft Sentinel solution.

  1. Install and onboard the agent for Linux or Windows

Install the agent on the Server where the Corelight logs are generated.

Logs from Corelight Server deployed on Linux or Windows servers are collected by Linux or Windows agents.

  2. Configure the logs to be collected

Follow the configuration steps below to get Corelight logs into Microsoft Sentinel. This configuration enriches events generated by the Corelight module to provide visibility on log source information for Corelight logs. Refer to the Azure Monitor documentation for more details on these steps.

  1. Log in to the server where you have installed Azure Log Analytics agent.

  2. Copy corelight.conf to the /etc/opt/microsoft/omsagent/workspace_id/conf/omsagent.d/ folder.

  3. Edit corelight.conf as follows:

    i. Configure an alternate port to send data to, if desired (line 3).

    ii. Replace workspace_id with the real value of your Workspace ID (lines 22, 23, 24, 27).

  4. Save changes and restart the Azure Log Analytics agent for Linux service with the following command: sudo /opt/microsoft/omsagent/bin/service_control restart

  5. Configure the Corelight Sensor to send logs to the Azure Log Analytics Agent

See the Corelight documentation for details on how to configure the Corelight Sensor to export JSON over TCP. Configure the JSON TCP Server to the IP address of the Azure Log Analytics Agent, using the port configured in the previous step (port 21234 by default).
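As an added pre-restart check (not part of the connector or of Microsoft's documentation), the script below scans a corelight.conf-style file for the edits made in step 3: it reads the TCP port the agent will listen on and reports every line where the workspace_id placeholder was left in place. The configuration text is a constructed, shortened stand-in for the real file, so its placeholder line numbers differ from the 22, 23, 24, 27 given above.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed stand-in for corelight.conf (hypothetical content; the real
# file ships with the solution). As in the vendor steps, line 3 carries the
# TCP port and the workspace_id placeholder appears on several later lines.
SAMPLE_CONF = """\
<source>
  type tcp
  port 21234
  format json
  tag oms.api.Corelight
</source>
<match oms.api.Corelight>
  type out_oms_api
  log_level info
  buffer_path /var/opt/microsoft/omsagent/workspace_id/state/out_oms_api_corelight*.buffer
  omsadmin_conf_path /etc/opt/microsoft/omsagent/workspace_id/conf/omsadmin.conf
  cert_path /etc/opt/microsoft/omsagent/workspace_id/certs/oms.crt
  key_path /etc/opt/microsoft/omsagent/workspace_id/certs/oms.key
</match>
"""

PLACEHOLDER = "workspace_id"   # literal token the vendor steps say to replace


class ConfCheck(NamedTuple):
    port: Optional[int]           # TCP port the agent will listen on, if set
    placeholder_lines: List[int]  # 1-based lines still holding the placeholder


def check_corelight_conf(text: str) -> ConfCheck:
    """Report the configured listener port and any unreplaced workspace_id."""
    port = None
    leftovers = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = re.match(r"\s*port\s+(\d+)\s*$", line)
        if m and port is None:
            port = int(m.group(1))
        # A real Workspace ID is a GUID, so a literal 'workspace_id' means
        # step 3.ii was skipped on this line and the agent cannot authenticate.
        if PLACEHOLDER in line:
            leftovers.append(lineno)
    return ConfCheck(port, leftovers)


def ready_to_restart(text: str) -> bool:
    """True only when a valid port is set and every placeholder was replaced."""
    result = check_corelight_conf(text)
    return (result.port is not None and 0 < result.port < 65536
            and not result.placeholder_lines)
```

Run it against the real file with `check_corelight_conf(open(path).read())` before restarting the agent in step 4.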

Next steps

For more information, go to the related solution in the Azure Marketplace.