Corelight


Enable SFTP export via Sensor > Export.

Set the destination hostname: sftp.alphasoc.net:2222.

Go to AlphaSOC Console > Sources > Corelight and set the username to the provided organization UUID.

Path relative to home is optional and can be used to distinguish between multiple sources.

Zeek logs to exclude is optional, but for now only the following log files are processed:

  • conn.log
  • dns.log
  • ssl.log
  • http.log
  • dhcp.log

Set the log rotation value to 5 minutes.

Corelight export

Apply the changes and add the sensor’s SSH public key to AlphaSOC Console > Organization > SSH keys.

Corelight SSH Public Key

Enhance SSL logs with additional columns (JA3 and server certificate hashes):

  • Enable JA3 support under System > Packages > Core.
  • Download the latest alphasoc-zeek-cert-hash.bundle from GitHub and upload it to the sensor under System > Packages > Custom.

Enable JA3

Add cert
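
To check the result of the steps above, the following added example (not part of the original page or of AlphaSOC or Corelight tooling) reads the headers of exported logs and reports log types outside the five listed above, as well as an ssl.log that lacks the `ja3` column. It assumes the export uses the Zeek TSV format; the column names added by the cert-hash bundle are not given on this page, so pass them in `required_ssl` yourself.

```python
# Added example: audit headers of exported Zeek TSV logs (constructed samples below).
PROCESSED = {"conn", "dns", "ssl", "http", "dhcp"}  # log types listed on this page


def parse_zeek_header(text):
    """Return (path, fields) from the '#' header lines of a Zeek TSV log."""
    sep, meta = "\t", {}
    for line in text.splitlines():
        if not line.startswith("#"):
            break  # header ends at the first data row
        if line.startswith("#separator"):
            # The value is written escaped, e.g. "#separator \x09"
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        key, _, value = line[1:].partition(sep)
        meta[key] = value
    fields = meta["fields"].split(sep) if "fields" in meta else []
    return meta.get("path"), fields


def audit_export(logs, required_ssl=("ja3",)):
    """logs maps file name -> file text. Returns findings; empty list means OK."""
    findings, seen = [], set()
    for name, text in logs.items():
        path, fields = parse_zeek_header(text)
        if path is None:
            findings.append(f"{name}: no Zeek #path header")
            continue
        seen.add(path)
        if path not in PROCESSED:
            findings.append(f"{name}: '{path}' is not processed, exclude it")
        if path == "ssl":
            findings += [f"{name}: missing column '{c}'"
                         for c in required_ssl if c not in fields]
    findings += [f"{p}.log: not in this sample" for p in sorted(PROCESSED - seen)]
    return findings


def _log(path, fields):  # builds a constructed header, no real traffic
    return f"#separator \\x09\n#path\t{path}\n#fields\t" + "\t".join(fields) + "\n"


SAMPLE = {  # constructed input
    "ssl.log": _log("ssl", ["ts", "uid", "id.orig_h", "server_name"]),
    "ntp.log": _log("ntp", ["ts", "uid"]),
    "dns.log": _log("dns", ["ts", "uid", "query"]),
}

if __name__ == "__main__":
    print("\n".join(audit_export(SAMPLE)))
```

A log type reported as "not in this sample" may simply have had no traffic in that rotation window, so check several windows before treating it as a misconfiguration.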