Corelight Network Sensors

Corelight network sensors are available as software or appliances. They use a specialized version of the open-source Zeek (f.k.a., Bro) framework to provide detailed insights into what is happening in your network. This rich source of data covers over thirty-five different protocols and hundreds of different log fields, making it a valuable resource for security operation teams — including Threat Hunters.

Configure Ingestion to Humio

Configuring a Corelight sensor to send data to Humio is effortless and quick. Once you have network traffic coming in through the monitoring port of the Corelight sensor, there are only a few things you need to do.

First, you’ll need to create a repository in Humio just for Corelight. Then you’ll have to configure Corelight to send data to Humio.

Preparations in Humio

You’ll need to create a new repository in Humio to hold the Corelight data. If you’re not sure how to do this, see the Creating Repositories documentation page.

Once you’ve created a repository, from that target repository in the Humio Interface, select the Settings tab and then Packages on the left. From there, choose Marketplace and install the Humio Package for Corelight (i.e., corelight/sensor), as shown in the screenshot in Figure 1 below.

Figure 1, Humio Packages Marketplace

When you select the Corelight package, it will describe what the package provides and other related information. Of most interest is that it will install the required corelight-json parser. And it will install some overview dashboards that you can edit later to suit your needs.

When it’s finished installing, from the Corelight repository, go to the Settings tab. In the Ingest section, choose API Tokens on the left (see Figure 2).

In the right panel, click + Create Token to create a new token. Be sure to assign it the corelight-json parser. You can see the results of doing this in Figure 2.

Figure 2, Corelight Repository Settings - Ingest

Before leaving this page, click the copy icon (i.e., content_copy) for the Corelight token to copy it to your clipboard — or to save it temporarily elsewhere.

Now that you have a repository set up in Humio to receive data from Corelight, you’re ready to configure Corelight.

Configure Corelight

To configure Corelight to send data to Humio, to the repository created in the previous section, you’ll have to log into the Corelight management interface. Navigate to the Sensor menu and choose Export. From there, select Export to Splunk HEC. Despite the label, this is the preferred option for sending logs from Corelight to Humio.

You’ll be presented with a screen asking for several setting values similar to the screenshot shown below in Figure 3.

Figure 3, Corelight Management Interface

For the first box, the HEC URL, enter your Humio service URL appended with /api/v1/ingest/hec. For example, if you’re using the Humio EU Cloud, you would enter, https://cloud.humio.com/api/v1/ingest/hec.

In the box labled, HEC Token, paste in the ingest token you copied earlier from the target repository above (see Figure 2). Then set the Sourcetype Template to $LOG, as shown in the screenshot above.

For the rest of the settings you can probably accept the defaults, initially. However, you may want to check those settings to ensure all of the logs you need are being sent to Humio — and that you’re excluding what you don’t want to send.

After a bit, the Corelight logs should be ingested into your Humio repository. Navigate to the Humio repository and view the Corelight dashboards to check data is coming in and is displayed as expected.

More Information

Corelight and Humio’s integrated solution helps customers manage security threats and gain visibility across an organization’s entire network. Humio and Corelight have a long established partnership. The Humio service is used for the Corelight@home program, which provides an easy way to use Corelight with a Raspberry Pi based software sensor.

For Corelight customers wishing to use Humio purely for their Corelight data, we have a unique pricing offer that provides unlimited ingest. Pricing is based on the size of Corelight sensor.

For more information on using Corelight with Humio, review these resources: