Corelight

1. Enable SFTP export via Sensor > Export.
2. Set the destination hostname to sftp.alphasoc.net:2222.
3. Set the username to the organization UUID provided under AlphaSOC Console > Credentials.
4. "Path relative to home" is optional and can be used to distinguish between multiple sources.
5. "Zeek logs to exclude" is optional, but for now we'll only process the following log files:
   - conn.log
   - dns.log
   - ssl.log
   - http.log
   - dhcp.log
6. Set the log rotation value to 5 minutes.
7. Apply the changes and add the sensor's SSH public key under AlphaSOC Console > Credentials.
8. Enhance SSL logs with additional columns (JA3 and server certificate hashes):
   - enable JA3 support under System > Packages > Core
   - download the latest alphasoc-zeek-cert-hash.bundle from GitHub and upload it into the sensor under System > Packages > Custom
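A small check to run against the files that arrive over SFTP once the steps above are applied (an added example, not code from the original page, Corelight or AlphaSOC): it flags exported files whose log type is outside the five processed logs, and confirms that an exported ssl.log actually carries the `ja3` column added by the JA3 package. The export filename pattern and the sample log headers are assumptions.

```python
import re

# Zeek log types this integration keeps; anything else should be in the exclude list.
PROCESSED_LOGS = {"conn", "dns", "ssl", "http", "dhcp"}

# Column the JA3 package adds to ssl.log (it may also add `ja3s`). The name of the
# certificate-hash column depends on the bundle, so it is not asserted here.
REQUIRED_SSL_FIELDS = ("ja3",)

# Assumed export filename shape: "<log>.log" or "<log>.<timestamp>.log[.gz]".
_LOG_NAME = re.compile(r"^([a-z0-9_]+)\..*log(?:\.gz)?$")

def zeek_fields(log_text):
    """Return the column names listed in a Zeek TSV log's #fields header."""
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            return line.split("\t")[1:]
    raise ValueError("no #fields header: not a Zeek TSV log (JSON export?)")

def missing_ssl_fields(log_text, required=REQUIRED_SSL_FIELDS):
    """Return the enrichment columns an exported ssl.log does not carry."""
    present = set(zeek_fields(log_text))
    return [f for f in required if f not in present]

def unexpected_logs(filenames, allowed=PROCESSED_LOGS):
    """Return exported files whose log type is not in the allow-list."""
    bad = []
    for name in filenames:
        m = _LOG_NAME.match(name)
        if m is None or m.group(1) not in allowed:
            bad.append(name)
    return sorted(bad)

# Constructed sample headers (not real sensor output): one enriched, one plain.
ENRICHED_SSL = "#separator \\x09\n#path\tssl\n#fields\tts\tuid\tid.orig_h\tid.resp_h\tserver_name\tja3\tja3s\n"
PLAIN_SSL = "#separator \\x09\n#path\tssl\n#fields\tts\tuid\tid.orig_h\tid.resp_h\tserver_name\n"

if __name__ == "__main__":
    print("missing in enriched ssl.log:", missing_ssl_fields(ENRICHED_SSL))  # []
    print("missing in plain ssl.log:", missing_ssl_fields(PLAIN_SSL))        # ['ja3']
    listing = ["conn.log", "ssl.2024-05-01-10-05-00.log.gz", "x509.log", "notes.txt"]
    print("not on the allow-list:", unexpected_logs(listing))  # ['notes.txt', 'x509.log']
```

Run it against a real directory listing and the head of a rotated ssl.log; an empty result from both checks means the exclude list and the JA3 package are doing what the steps intend.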