Corelight

Overview

This documentation outlines the configuration process for Corelight to transfer network security data to AlphaSOC. Through this integration, the network telemetry collected by Corelight can be used for security monitoring and threat detection.

To enable log data transfers:

  1. Enable S3 export via Sensor > Export.
  2. Set the destination hostname: s3.alphasoc.net.
  3. Go to AlphaSOC Console > Credentials and set the username to the provided organization UUID.

Note: Both Path relative to home and Zeek logs to exclude are optional. Path relative to home can be used to distinguish between multiple sources. For now, we'll only process the following Zeek log files:

  • conn.log
  • dns.log
  • ssl.log
  • http.log
  • dhcp.log
  4. Set the log rotation value to 5 minutes.

Corelight export

  5. Apply the changes, then generate S3 credentials in your AlphaSOC console to receive a set of access keys, and add them to the S3 configuration.

Corelight Keys

  6. Enhance SSL logs with additional columns (JA3 and server certificate hashes):
     • Enable JA3 support under System > Packages > Core.
     • Download the latest alphasoc-zeek-cert-hash.bundle from GitHub and upload it to the sensor under System > Packages > Custom.

Enable JA3

Add cert
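
A pre-flight check for the export and JA3 settings above, as an added example that is not part of the AlphaSOC or Corelight documentation: it reads exported Zeek logs (TSV or JSON lines) and reports streams outside the five listed above, plus ssl logs that lack the JA3 columns. The `ja3`/`ja3s` column names are those added by the Zeek JA3 package; the function names and sample records are constructed for illustration.

```python
import json

# Zeek log streams the page lists as currently processed by AlphaSOC.
PROCESSED = {"conn", "dns", "ssl", "http", "dhcp"}
# Columns the Zeek JA3 package adds to ssl.log. The certificate-hash column
# name is not given on the page, so it is not checked here.
JA3_FIELDS = {"ja3", "ja3s"}

def inspect(text):
    """Return (stream, fields) for one Zeek log in TSV or JSON-lines form."""
    stream, fields = None, set()
    for line in text.splitlines():
        if line.startswith("#path\t"):
            stream = line.split("\t")[1]
        elif line.startswith("#fields\t"):
            fields.update(line.split("\t")[1:])
        elif line.startswith("{"):
            record = json.loads(line)
            stream = record.get("_path", stream)
            # JSON records omit unset fields, so take the union over all rows.
            fields.update(k for k in record if k != "_path")
    return stream, fields

def preflight(logs):
    """logs: iterable of log file contents. Returns the findings as a dict."""
    ignored, ssl_missing = set(), set()
    for text in logs:
        stream, fields = inspect(text)
        if stream not in PROCESSED:
            ignored.add(stream or "unknown")   # exported but not processed
        elif stream == "ssl":
            ssl_missing |= JA3_FIELDS - fields  # JA3 package not active
    return {"ignored": sorted(ignored), "ssl_missing": sorted(ssl_missing)}

# Constructed samples: a TSV ssl.log without JA3 columns, a JSON ssl record
# with them, and a JSON record from a stream outside the processed list.
SSL_TSV = ("#separator \\x09\n#path\tssl\n"
           "#fields\tts\tuid\tid.orig_h\tserver_name\n"
           "1700000000.0\tCabc\t10.0.0.5\texample.com\n")
SSL_JSON = ('{"_path":"ssl","ts":"2023-11-14T22:13:20Z","uid":"Cdef",'
            '"ja3":"constructed-ja3","ja3s":"constructed-ja3s"}\n')
FILES_JSON = '{"_path":"files","ts":"2023-11-14T22:13:21Z","fuid":"F1"}\n'

if __name__ == "__main__":
    print(preflight([SSL_TSV]))
    print(preflight([SSL_JSON, FILES_JSON]))
```

Streams reported under `ignored` are candidates for the optional Zeek logs to exclude setting.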

This concludes the configuration process for integrating Corelight with AlphaSOC.