Corelight for Microsoft Sentinel

Solution: Corelight

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Attribute	Value
Publisher	Corelight
Support Tier	Partner
Support Link	https://support.corelight.com/
Categories	domains
Version	3.2.4
Author	Corelight - info@corelight.com
First Published	2022-06-01
Last Updated	2026-03-30
Solution Folder	Corelight
Marketplace	Azure Marketplace · Rating: ★★★★★ 4.8/5 (20 ratings) · Popularity: ⚪ Very Low (0%)

The Corelight solution provides the capability to ingest events from Zeek and Suricata via Corelight Sensors into Microsoft Sentinel.

Underlying Microsoft Technologies used:

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

a. Agent based logs collection from Windows and Linux machines

Data Connectors
Tables Used
Content Items

Data Connectors

This solution provides 1 data connector(s):

Corelight Connector Exporter 🔶

🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Tables Used

This solution uses 119 table(s):

Table	Used By Connectors	Used By Content
`Corelight_CL` 🔶	Corelight Connector Exporter	-
`Corelight_v2_bacnet_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_capture_loss_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_cip_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_conn_CL` 🔶	Corelight Connector Exporter	Analytics, Hunting, Workbooks
`Corelight_v2_conn_agg_CL` 🔶	-	Workbooks
`Corelight_v2_conn_long_CL` 🔶	Corelight Connector Exporter	Analytics, Hunting, Workbooks
`Corelight_v2_conn_red_CL` 🔶	Corelight Connector Exporter	Analytics, Hunting, Workbooks
`Corelight_v2_corelight_burst_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_corelight_metrics_disk_CL` 🔶	-	Workbooks
`Corelight_v2_corelight_metrics_iface_CL` 🔶	-	Workbooks
`Corelight_v2_corelight_metrics_memory_CL` 🔶	-	Workbooks
`Corelight_v2_corelight_metrics_system_CL` 🔶	-	Workbooks
`Corelight_v2_corelight_metrics_zeek_doctor_CL` 🔶	-	Workbooks
`Corelight_v2_corelight_overall_capture_loss_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_corelight_profiling_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_datared_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_dce_rpc_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_dga_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_dhcp_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_dnp3_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_dns_CL` 🔶	Corelight Connector Exporter	Analytics, Hunting, Workbooks
`Corelight_v2_dns_agg_CL` 🔶	-	Workbooks
`Corelight_v2_dns_red_CL` 🔶	Corelight Connector Exporter	Analytics, Hunting, Workbooks
`Corelight_v2_dpd_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_encrypted_dns_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_enip_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_enip_debug_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_enip_list_identity_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_etc_viz_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_files_CL` 🔶	Corelight Connector Exporter	Hunting, Workbooks
`Corelight_v2_files_agg_CL` 🔶	-	Workbooks
`Corelight_v2_files_red_CL` 🔶	Corelight Connector Exporter	Hunting, Workbooks
`Corelight_v2_ftp_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_generic_dns_tunnels_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_generic_icmp_tunnels_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_http2_CL` 🔶	Corelight Connector Exporter	Analytics, Hunting, Workbooks
`Corelight_v2_http_CL` 🔶	Corelight Connector Exporter	Analytics, Hunting, Workbooks
`Corelight_v2_http_agg_CL` 🔶	-	Workbooks
`Corelight_v2_http_red_CL` 🔶	Corelight Connector Exporter	Analytics, Hunting, Workbooks
`Corelight_v2_icmp_specific_tunnels_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_intel_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_ipsec_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_irc_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_iso_cotp_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_kerberos_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_known_certs_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_known_devices_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_known_domains_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_known_hosts_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_known_names_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_known_remotes_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_known_services_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_known_users_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_local_subnets_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_local_subnets_dj_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_local_subnets_graphs_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_log4shell_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_modbus_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_mqtt_connect_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_mqtt_publish_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_mqtt_subscribe_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_mysql_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_notice_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_ntlm_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_ntp_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_ocsp_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_openflow_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_packet_filter_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_pe_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_profinet_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_profinet_dce_rpc_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_profinet_debug_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_radius_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_rdp_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_reporter_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_rfb_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_s7comm_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_signatures_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_sip_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_smartpcap_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_smartpcap_stats_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_smb_files_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_smb_mapping_CL` 🔶	Corelight Connector Exporter	Hunting, Workbooks
`Corelight_v2_smtp_CL` 🔶	Corelight Connector Exporter	Analytics, Hunting, Workbooks
`Corelight_v2_smtp_links_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_snmp_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_socks_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_software_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_specific_dns_tunnels_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_ssh_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_ssl_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_ssl_agg_CL` 🔶	-	Workbooks
`Corelight_v2_ssl_red_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_stats_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_stepping_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_stun_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_stun_nat_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_suricata_corelight_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_suricata_eve_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_suricata_stats_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_suricata_zeek_stats_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_syslog_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_tds_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_tds_rpc_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_tds_sql_batch_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_traceroute_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_tunnel_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_unknown_smartpcap_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_util_stats_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_vpn_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_weird_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_weird_red_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_weird_stats_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_wireguard_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_x509_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_x509_red_CL` 🔶	Corelight Connector Exporter	Workbooks
`Corelight_v2_zeek_doctor_CL` 🔶	Corelight Connector Exporter	Workbooks
`Usage`	-	Workbooks

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Content Items

This solution includes 153 content item(s):

Content Type	Count
Parsers	122
Analytic Rules	10
Hunting Queries	10
Workbooks	6
Watchlists	5

Analytic Rules

Name	Severity	Tactics	Tables Used
Corelight - C2 DGA Detected Via Repetitive Failures	Medium	CommandAndControl	`Corelight_v2_dns_CL` `Corelight_v2_dns_red_CL`
Corelight - External Proxy Detected	Low	DefenseEvasion, CommandAndControl	`Corelight_v2_http2_CL` `Corelight_v2_http_CL` `Corelight_v2_http_red_CL`
Corelight - Forced External Outbound SMB	Medium	CredentialAccess	`Corelight_v2_conn_CL` `Corelight_v2_conn_long_CL` `Corelight_v2_conn_red_CL`
Corelight - Multiple Compressed Files Transferred over HTTP	Medium	Exfiltration	`Corelight_v2_http2_CL` `Corelight_v2_http_CL` `Corelight_v2_http_red_CL`
Corelight - Multiple files sent over HTTP with abnormal requests	Medium	Exfiltration	`Corelight_v2_http2_CL` `Corelight_v2_http_CL` `Corelight_v2_http_red_CL`
Corelight - Network Service Scanning Multiple IP Addresses	Medium	InitialAccess	`Corelight_v2_conn_CL` `Corelight_v2_conn_long_CL` `Corelight_v2_conn_red_CL`
Corelight - Possible Typo Squatting or Punycode Phishing HTTP Request	Medium	InitialAccess	`Corelight_v2_http2_CL` `Corelight_v2_http_CL` `Corelight_v2_http_red_CL`
Corelight - Possible Webshell	Medium	Persistence	`Corelight_v2_http2_CL` `Corelight_v2_http_CL` `Corelight_v2_http_red_CL`
Corelight - Possible Webshell (Rare PUT or POST)	Medium	Persistence	`Corelight_v2_http2_CL` `Corelight_v2_http_CL` `Corelight_v2_http_red_CL`
Corelight - SMTP Email containing NON Ascii Characters within the Subject	Low	InitialAccess	`Corelight_v2_smtp_CL`

Hunting Queries

Name	Tactics	Tables Used
Corelight - Abnormal Email Subject	InitialAccess	`Corelight_v2_smtp_CL`
Corelight - Compressed Files Transferred over HTTP	Exfiltration	`Corelight_v2_http2_CL` `Corelight_v2_http_CL` `Corelight_v2_http_red_CL`
Corelight - External Facing Services	InitialAccess	`Corelight_v2_conn_CL` `Corelight_v2_conn_long_CL` `Corelight_v2_conn_red_CL`
Corelight - File uploads by source	Exfiltration	`Corelight_v2_http2_CL` `Corelight_v2_http_CL` `Corelight_v2_http_red_CL`
Corelight - Files in logs	InitialAccess, Exfiltration	`Corelight_v2_files_CL` `Corelight_v2_files_red_CL`
Corelight - Multiple Remote SMB Connections from single client	Discovery	`Corelight_v2_smb_mapping_CL`
Corelight - Obfuscated binary filenames	InitialAccess	`Corelight_v2_http2_CL` `Corelight_v2_http_CL` `Corelight_v2_http_red_CL`
Corelight - Rare PUT or POST	Persistence	`Corelight_v2_http2_CL` `Corelight_v2_http_CL` `Corelight_v2_http_red_CL`
Corelight - Repetitive DNS Failures	CommandAndControl	`Corelight_v2_dns_CL` `Corelight_v2_dns_red_CL`
Corelight - Top sources of data transferred	Exfiltration	`Corelight_v2_http2_CL` `Corelight_v2_http_CL` `Corelight_v2_http_red_CL`

Workbooks

Name	Tables Used
Corelight	`Corelight_v2_conn_CL` `Corelight_v2_conn_long_CL` `Corelight_v2_conn_red_CL` `Corelight_v2_dns_CL` `Corelight_v2_dns_red_CL` `Corelight_v2_etc_viz_CL` `Corelight_v2_files_CL` `Corelight_v2_files_red_CL` `Corelight_v2_ftp_CL` `Corelight_v2_http2_CL` `Corelight_v2_http_CL` `Corelight_v2_http_red_CL` `Corelight_v2_notice_CL` `Corelight_v2_rdp_CL` `Corelight_v2_software_CL` `Corelight_v2_ssh_CL` `Corelight_v2_ssl_CL` `Corelight_v2_ssl_red_CL` `Corelight_v2_suricata_corelight_CL` `Corelight_v2_vpn_CL` `Corelight_v2_x509_CL` `Corelight_v2_x509_red_CL`
Corelight_AWS_VPC_Flow	`Corelight_v2_conn_CL` `Corelight_v2_conn_long_CL` `Corelight_v2_conn_red_CL`
Corelight_Alert_Aggregations	`Corelight_v2_bacnet_CL` `Corelight_v2_capture_loss_CL` `Corelight_v2_cip_CL` `Corelight_v2_conn_CL` `Corelight_v2_conn_long_CL` `Corelight_v2_conn_red_CL` `Corelight_v2_corelight_burst_CL` `Corelight_v2_corelight_overall_capture_loss_CL` `Corelight_v2_corelight_profiling_CL` `Corelight_v2_datared_CL` `Corelight_v2_dce_rpc_CL` `Corelight_v2_dga_CL` `Corelight_v2_dhcp_CL` `Corelight_v2_dnp3_CL` `Corelight_v2_dns_CL` `Corelight_v2_dns_red_CL` `Corelight_v2_dpd_CL` `Corelight_v2_encrypted_dns_CL` `Corelight_v2_enip_CL` `Corelight_v2_enip_debug_CL` `Corelight_v2_enip_list_identity_CL` `Corelight_v2_etc_viz_CL` `Corelight_v2_files_CL` `Corelight_v2_files_red_CL` `Corelight_v2_ftp_CL` `Corelight_v2_generic_dns_tunnels_CL` `Corelight_v2_generic_icmp_tunnels_CL` `Corelight_v2_http2_CL` `Corelight_v2_http_CL` `Corelight_v2_http_red_CL` `Corelight_v2_icmp_specific_tunnels_CL` `Corelight_v2_intel_CL` `Corelight_v2_ipsec_CL` `Corelight_v2_irc_CL` `Corelight_v2_iso_cotp_CL` `Corelight_v2_kerberos_CL` `Corelight_v2_known_certs_CL` `Corelight_v2_known_devices_CL` `Corelight_v2_known_domains_CL` `Corelight_v2_known_hosts_CL` `Corelight_v2_known_names_CL` `Corelight_v2_known_remotes_CL` `Corelight_v2_known_services_CL` `Corelight_v2_known_users_CL` `Corelight_v2_local_subnets_CL` `Corelight_v2_local_subnets_dj_CL` `Corelight_v2_local_subnets_graphs_CL` `Corelight_v2_log4shell_CL` `Corelight_v2_modbus_CL` `Corelight_v2_mqtt_connect_CL` `Corelight_v2_mqtt_publish_CL` `Corelight_v2_mqtt_subscribe_CL` `Corelight_v2_mysql_CL` `Corelight_v2_notice_CL` `Corelight_v2_ntlm_CL` `Corelight_v2_ntp_CL` `Corelight_v2_ocsp_CL` `Corelight_v2_openflow_CL` `Corelight_v2_packet_filter_CL` `Corelight_v2_pe_CL` `Corelight_v2_profinet_CL` `Corelight_v2_profinet_dce_rpc_CL` `Corelight_v2_profinet_debug_CL` `Corelight_v2_radius_CL` `Corelight_v2_rdp_CL` `Corelight_v2_reporter_CL` `Corelight_v2_rfb_CL` `Corelight_v2_s7comm_CL` `Corelight_v2_signatures_CL` `Corelight_v2_sip_CL` `Corelight_v2_smartpcap_CL` `Corelight_v2_smartpcap_stats_CL` `Corelight_v2_smb_files_CL` `Corelight_v2_smb_mapping_CL` `Corelight_v2_smtp_CL` `Corelight_v2_smtp_links_CL` `Corelight_v2_snmp_CL` `Corelight_v2_socks_CL` `Corelight_v2_software_CL` `Corelight_v2_specific_dns_tunnels_CL` `Corelight_v2_ssh_CL` `Corelight_v2_ssl_CL` `Corelight_v2_ssl_red_CL` `Corelight_v2_stats_CL` `Corelight_v2_stepping_CL` `Corelight_v2_stun_CL` `Corelight_v2_stun_nat_CL` `Corelight_v2_suricata_corelight_CL` `Corelight_v2_suricata_eve_CL` `Corelight_v2_suricata_stats_CL` `Corelight_v2_suricata_zeek_stats_CL` `Corelight_v2_syslog_CL` `Corelight_v2_tds_CL` `Corelight_v2_tds_rpc_CL` `Corelight_v2_tds_sql_batch_CL` `Corelight_v2_traceroute_CL` `Corelight_v2_tunnel_CL` `Corelight_v2_unknown_smartpcap_CL` `Corelight_v2_util_stats_CL` `Corelight_v2_vpn_CL` `Corelight_v2_weird_CL` `Corelight_v2_weird_red_CL` `Corelight_v2_weird_stats_CL` `Corelight_v2_wireguard_CL` `Corelight_v2_x509_CL` `Corelight_v2_x509_red_CL` `Corelight_v2_zeek_doctor_CL`
Corelight_Data_Explorer	`Corelight_v2_bacnet_CL` `Corelight_v2_capture_loss_CL` `Corelight_v2_cip_CL` `Corelight_v2_conn_CL` `Corelight_v2_conn_agg_CL` `Corelight_v2_conn_long_CL` `Corelight_v2_conn_red_CL` `Corelight_v2_corelight_burst_CL` `Corelight_v2_corelight_overall_capture_loss_CL` `Corelight_v2_corelight_profiling_CL` `Corelight_v2_datared_CL` `Corelight_v2_dce_rpc_CL` `Corelight_v2_dga_CL` `Corelight_v2_dhcp_CL` `Corelight_v2_dnp3_CL` `Corelight_v2_dns_CL` `Corelight_v2_dns_agg_CL` `Corelight_v2_dns_red_CL` `Corelight_v2_dpd_CL` `Corelight_v2_encrypted_dns_CL` `Corelight_v2_enip_CL` `Corelight_v2_enip_debug_CL` `Corelight_v2_enip_list_identity_CL` `Corelight_v2_etc_viz_CL` `Corelight_v2_files_CL` `Corelight_v2_files_agg_CL` `Corelight_v2_files_red_CL` `Corelight_v2_ftp_CL` `Corelight_v2_generic_dns_tunnels_CL` `Corelight_v2_generic_icmp_tunnels_CL` `Corelight_v2_http2_CL` `Corelight_v2_http_CL` `Corelight_v2_http_agg_CL` `Corelight_v2_http_red_CL` `Corelight_v2_icmp_specific_tunnels_CL` `Corelight_v2_intel_CL` `Corelight_v2_ipsec_CL` `Corelight_v2_irc_CL` `Corelight_v2_iso_cotp_CL` `Corelight_v2_kerberos_CL` `Corelight_v2_known_certs_CL` `Corelight_v2_known_devices_CL` `Corelight_v2_known_domains_CL` `Corelight_v2_known_hosts_CL` `Corelight_v2_known_names_CL` `Corelight_v2_known_remotes_CL` `Corelight_v2_known_services_CL` `Corelight_v2_known_users_CL` `Corelight_v2_local_subnets_CL` `Corelight_v2_local_subnets_dj_CL` `Corelight_v2_local_subnets_graphs_CL` `Corelight_v2_log4shell_CL` `Corelight_v2_modbus_CL` `Corelight_v2_mqtt_connect_CL` `Corelight_v2_mqtt_publish_CL` `Corelight_v2_mqtt_subscribe_CL` `Corelight_v2_mysql_CL` `Corelight_v2_notice_CL` `Corelight_v2_ntlm_CL` `Corelight_v2_ntp_CL` `Corelight_v2_ocsp_CL` `Corelight_v2_openflow_CL` `Corelight_v2_packet_filter_CL` `Corelight_v2_pe_CL` `Corelight_v2_profinet_CL` `Corelight_v2_profinet_dce_rpc_CL` `Corelight_v2_profinet_debug_CL` `Corelight_v2_radius_CL` `Corelight_v2_rdp_CL` `Corelight_v2_reporter_CL` `Corelight_v2_rfb_CL` `Corelight_v2_s7comm_CL` `Corelight_v2_signatures_CL` `Corelight_v2_sip_CL` `Corelight_v2_smartpcap_CL` `Corelight_v2_smartpcap_stats_CL` `Corelight_v2_smb_files_CL` `Corelight_v2_smb_mapping_CL` `Corelight_v2_smtp_CL` `Corelight_v2_smtp_links_CL` `Corelight_v2_snmp_CL` `Corelight_v2_socks_CL` `Corelight_v2_software_CL` `Corelight_v2_specific_dns_tunnels_CL` `Corelight_v2_ssh_CL` `Corelight_v2_ssl_CL` `Corelight_v2_ssl_agg_CL` `Corelight_v2_ssl_red_CL` `Corelight_v2_stats_CL` `Corelight_v2_stepping_CL` `Corelight_v2_stun_CL` `Corelight_v2_stun_nat_CL` `Corelight_v2_suricata_corelight_CL` `Corelight_v2_suricata_eve_CL` `Corelight_v2_suricata_stats_CL` `Corelight_v2_suricata_zeek_stats_CL` `Corelight_v2_syslog_CL` `Corelight_v2_tds_CL` `Corelight_v2_tds_rpc_CL` `Corelight_v2_tds_sql_batch_CL` `Corelight_v2_traceroute_CL` `Corelight_v2_tunnel_CL` `Corelight_v2_unknown_smartpcap_CL` `Corelight_v2_util_stats_CL` `Corelight_v2_vpn_CL` `Corelight_v2_weird_CL` `Corelight_v2_weird_red_CL` `Corelight_v2_weird_stats_CL` `Corelight_v2_wireguard_CL` `Corelight_v2_x509_CL` `Corelight_v2_x509_red_CL` `Corelight_v2_zeek_doctor_CL`
Corelight_Security_Workflow	`Corelight_v2_bacnet_CL` `Corelight_v2_capture_loss_CL` `Corelight_v2_cip_CL` `Corelight_v2_conn_CL` `Corelight_v2_conn_long_CL` `Corelight_v2_conn_red_CL` `Corelight_v2_corelight_burst_CL` `Corelight_v2_corelight_overall_capture_loss_CL` `Corelight_v2_corelight_profiling_CL` `Corelight_v2_datared_CL` `Corelight_v2_dce_rpc_CL` `Corelight_v2_dga_CL` `Corelight_v2_dhcp_CL` `Corelight_v2_dnp3_CL` `Corelight_v2_dns_CL` `Corelight_v2_dns_red_CL` `Corelight_v2_dpd_CL` `Corelight_v2_encrypted_dns_CL` `Corelight_v2_enip_CL` `Corelight_v2_enip_debug_CL` `Corelight_v2_enip_list_identity_CL` `Corelight_v2_etc_viz_CL` `Corelight_v2_files_CL` `Corelight_v2_files_red_CL` `Corelight_v2_ftp_CL` `Corelight_v2_generic_dns_tunnels_CL` `Corelight_v2_generic_icmp_tunnels_CL` `Corelight_v2_http2_CL` `Corelight_v2_http_CL` `Corelight_v2_http_red_CL` `Corelight_v2_icmp_specific_tunnels_CL` `Corelight_v2_intel_CL` `Corelight_v2_ipsec_CL` `Corelight_v2_irc_CL` `Corelight_v2_iso_cotp_CL` `Corelight_v2_kerberos_CL` `Corelight_v2_known_certs_CL` `Corelight_v2_known_devices_CL` `Corelight_v2_known_domains_CL` `Corelight_v2_known_hosts_CL` `Corelight_v2_known_names_CL` `Corelight_v2_known_remotes_CL` `Corelight_v2_known_services_CL` `Corelight_v2_known_users_CL` `Corelight_v2_local_subnets_CL` `Corelight_v2_local_subnets_dj_CL` `Corelight_v2_local_subnets_graphs_CL` `Corelight_v2_log4shell_CL` `Corelight_v2_modbus_CL` `Corelight_v2_mqtt_connect_CL` `Corelight_v2_mqtt_publish_CL` `Corelight_v2_mqtt_subscribe_CL` `Corelight_v2_mysql_CL` `Corelight_v2_notice_CL` `Corelight_v2_ntlm_CL` `Corelight_v2_ntp_CL` `Corelight_v2_ocsp_CL` `Corelight_v2_openflow_CL` `Corelight_v2_packet_filter_CL` `Corelight_v2_pe_CL` `Corelight_v2_profinet_CL` `Corelight_v2_profinet_dce_rpc_CL` `Corelight_v2_profinet_debug_CL` `Corelight_v2_radius_CL` `Corelight_v2_rdp_CL` `Corelight_v2_reporter_CL` `Corelight_v2_rfb_CL` `Corelight_v2_s7comm_CL` `Corelight_v2_signatures_CL` `Corelight_v2_sip_CL` `Corelight_v2_smartpcap_CL` `Corelight_v2_smartpcap_stats_CL` `Corelight_v2_smb_files_CL` `Corelight_v2_smb_mapping_CL` `Corelight_v2_smtp_CL` `Corelight_v2_smtp_links_CL` `Corelight_v2_snmp_CL` `Corelight_v2_socks_CL` `Corelight_v2_software_CL` `Corelight_v2_specific_dns_tunnels_CL` `Corelight_v2_ssh_CL` `Corelight_v2_ssl_CL` `Corelight_v2_ssl_red_CL` `Corelight_v2_stats_CL` `Corelight_v2_stepping_CL` `Corelight_v2_stun_CL` `Corelight_v2_stun_nat_CL` `Corelight_v2_suricata_corelight_CL` `Corelight_v2_suricata_eve_CL` `Corelight_v2_suricata_stats_CL` `Corelight_v2_suricata_zeek_stats_CL` `Corelight_v2_syslog_CL` `Corelight_v2_tds_CL` `Corelight_v2_tds_rpc_CL` `Corelight_v2_tds_sql_batch_CL` `Corelight_v2_traceroute_CL` `Corelight_v2_tunnel_CL` `Corelight_v2_unknown_smartpcap_CL` `Corelight_v2_util_stats_CL` `Corelight_v2_vpn_CL` `Corelight_v2_weird_CL` `Corelight_v2_weird_red_CL` `Corelight_v2_weird_stats_CL` `Corelight_v2_wireguard_CL` `Corelight_v2_x509_CL` `Corelight_v2_x509_red_CL` `Corelight_v2_zeek_doctor_CL`
Corelight_Sensor_Overview	`Corelight_v2_corelight_metrics_disk_CL` `Corelight_v2_corelight_metrics_iface_CL` `Corelight_v2_corelight_metrics_memory_CL` `Corelight_v2_corelight_metrics_system_CL` `Corelight_v2_corelight_metrics_zeek_doctor_CL` `Usage`

Parsers

Name	Description	Tables Used
Corelight	-	-
corelight_anomaly	-	`Corelight_v2_anomaly_CL` (read)
corelight_bacnet	-	`Corelight_v2_bacnet_CL` (read)
corelight_capture_loss	-	`Corelight_v2_capture_loss_CL` (read)
corelight_cip	-	`Corelight_v2_cip_CL` (read)
corelight_conn	-	`Corelight_v2_conn_CL` (read) `Corelight_v2_conn_long_CL` (read) `Corelight_v2_conn_red_CL` (read)
corelight_conn_agg	-	`Corelight_v2_conn_agg_CL` (read)
corelight_conn_long	-	`Corelight_v2_conn_long_CL` (read)
corelight_conn_red	-	`Corelight_v2_conn_red_CL` (read)
corelight_corelight_burst	-	`Corelight_v2_corelight_burst_CL` (read)
corelight_corelight_metrics_disk	-	`Corelight_v2_corelight_metrics_disk_CL` (read)
corelight_corelight_metrics_iface	-	`Corelight_v2_corelight_metrics_iface_CL` (read)
corelight_corelight_metrics_memory	-	`Corelight_v2_corelight_metrics_memory_CL` (read)
corelight_corelight_metrics_system	-	`Corelight_v2_corelight_metrics_system_CL` (read)
corelight_corelight_metrics_zeek_doctor	-	`Corelight_v2_corelight_metrics_zeek_doctor_CL` (read)
corelight_corelight_overall_capture_loss	-	`Corelight_v2_corelight_overall_capture_loss_CL` (read)
corelight_corelight_profiling	-	`Corelight_v2_corelight_profiling_CL` (read)
corelight_datared	-	`Corelight_v2_datared_CL` (read)
corelight_dce_rpc	-	`Corelight_v2_dce_rpc_CL` (read)
corelight_dga	-	`Corelight_v2_dga_CL` (read)
corelight_dhcp	-	`Corelight_v2_dhcp_CL` (read)
corelight_dnp3	-	`Corelight_v2_dnp3_CL` (read)
corelight_dns	-	`Corelight_v2_dns_CL` (read) `Corelight_v2_dns_red_CL` (read)
corelight_dns_agg	-	`Corelight_v2_dns_agg_CL` (read)
corelight_dns_red	-	`Corelight_v2_dns_red_CL` (read)
corelight_dpd	-	`Corelight_v2_dpd_CL` (read)
corelight_encrypted_dns	-	`Corelight_v2_encrypted_dns_CL` (read)
corelight_enip	-	`Corelight_v2_enip_CL` (read)
corelight_enip_debug	-	`Corelight_v2_enip_debug_CL` (read)
corelight_enip_list_identity	-	`Corelight_v2_enip_list_identity_CL` (read)
corelight_etc_viz	-	`Corelight_v2_etc_viz_CL` (read)
corelight_files	-	`Corelight_v2_files_CL` (read) `Corelight_v2_files_red_CL` (read)
corelight_files_agg	-	`Corelight_v2_files_agg_CL` (read)
corelight_files_red	-	`Corelight_v2_files_red_CL` (read)
corelight_first_seen	-	`Corelight_v2_first_seen_CL` (read)
corelight_ftp	-	`Corelight_v2_ftp_CL` (read)
corelight_generic_dns_tunnels	-	`Corelight_v2_generic_dns_tunnels_CL` (read)
corelight_generic_icmp_tunnels	-	`Corelight_v2_generic_icmp_tunnels_CL` (read)
corelight_http	-	`Corelight_v2_http2_CL` (read) `Corelight_v2_http_CL` (read) `Corelight_v2_http_red_CL` (read)
corelight_http2	-	`Corelight_v2_http2_CL` (read)
corelight_http_agg	-	`Corelight_v2_http_agg_CL` (read)
corelight_http_red	-	`Corelight_v2_http_red_CL` (read)
corelight_icmp_specific_tunnels	-	`Corelight_v2_icmp_specific_tunnels_CL` (read)
corelight_intel	-	`Corelight_v2_intel_CL` (read)
corelight_ipsec	-	`Corelight_v2_ipsec_CL` (read)
corelight_irc	-	`Corelight_v2_irc_CL` (read)
corelight_iso_cotp	-	`Corelight_v2_iso_cotp_CL` (read)
corelight_kerberos	-	`Corelight_v2_kerberos_CL` (read)
corelight_known_certs	-	`Corelight_v2_known_certs_CL` (read)
corelight_known_devices	-	`Corelight_v2_known_devices_CL` (read)
corelight_known_domains	-	`Corelight_v2_known_domains_CL` (read)
corelight_known_hosts	-	`Corelight_v2_known_hosts_CL` (read)
corelight_known_names	-	`Corelight_v2_known_names_CL` (read)
corelight_known_remotes	-	`Corelight_v2_known_remotes_CL` (read)
corelight_known_services	-	`Corelight_v2_known_services_CL` (read)
corelight_known_users	-	`Corelight_v2_known_users_CL` (read)
corelight_local_subnets	-	`Corelight_v2_local_subnets_CL` (read)
corelight_local_subnets_dj	-	`Corelight_v2_local_subnets_dj_CL` (read)
corelight_local_subnets_graphs	-	`Corelight_v2_local_subnets_graphs_CL` (read)
corelight_log4shell	-	`Corelight_v2_log4shell_CL` (read)
corelight_modbus	-	`Corelight_v2_modbus_CL` (read)
corelight_mqtt_connect	-	`Corelight_v2_mqtt_connect_CL` (read)
corelight_mqtt_publish	-	`Corelight_v2_mqtt_publish_CL` (read)
corelight_mqtt_subscribe	-	`Corelight_v2_mqtt_subscribe_CL` (read)
corelight_mysql	-	`Corelight_v2_mysql_CL` (read)
corelight_notice	-	`Corelight_v2_notice_CL` (read)
corelight_ntlm	-	`Corelight_v2_ntlm_CL` (read)
corelight_ntp	-	`Corelight_v2_ntp_CL` (read)
corelight_ocsp	-	`Corelight_v2_ocsp_CL` (read)
corelight_openflow	-	`Corelight_v2_openflow_CL` (read)
corelight_packet_filter	-	`Corelight_v2_packet_filter_CL` (read)
corelight_pe	-	`Corelight_v2_pe_CL` (read)
corelight_profinet	-	`Corelight_v2_profinet_CL` (read)
corelight_profinet_dce_rpc	-	`Corelight_v2_profinet_dce_rpc_CL` (read)
corelight_profinet_debug	-	`Corelight_v2_profinet_debug_CL` (read)
corelight_radius	-	`Corelight_v2_radius_CL` (read)
corelight_rdp	-	`Corelight_v2_rdp_CL` (read)
corelight_reporter	-	`Corelight_v2_reporter_CL` (read)
corelight_rfb	-	`Corelight_v2_rfb_CL` (read)
corelight_s7comm	-	`Corelight_v2_s7comm_CL` (read)
corelight_signatures	-	`Corelight_v2_signatures_CL` (read)
corelight_sip	-	`Corelight_v2_sip_CL` (read)
corelight_smartpcap	-	`Corelight_v2_smartpcap_CL` (read)
corelight_smartpcap_stats	-	`Corelight_v2_smartpcap_stats_CL` (read)
corelight_smb_files	-	`Corelight_v2_smb_files_CL` (read)
corelight_smb_mapping	-	`Corelight_v2_smb_mapping_CL` (read)
corelight_smtp	-	`Corelight_v2_smtp_CL` (read)
corelight_smtp_links	-	`Corelight_v2_smtp_links_CL` (read)
corelight_snmp	-	`Corelight_v2_snmp_CL` (read)
corelight_socks	-	`Corelight_v2_socks_CL` (read)
corelight_software	-	`Corelight_v2_software_CL` (read)
corelight_specific_dns_tunnels	-	`Corelight_v2_specific_dns_tunnels_CL` (read)
corelight_ssh	string	`Corelight_v2_ssh_CL` (read)
corelight_ssl	-	`Corelight_v2_ssl_CL` (read) `Corelight_v2_ssl_red_CL` (read)
corelight_ssl_agg	-	`Corelight_v2_ssl_agg_CL` (read)
corelight_ssl_red	-	`Corelight_v2_ssl_red_CL` (read)
corelight_stats	-	`Corelight_v2_stats_CL` (read)
corelight_stepping	-	`Corelight_v2_stepping_CL` (read)
corelight_stun	-	`Corelight_v2_stun_CL` (read)
corelight_stun_nat	-	`Corelight_v2_stun_nat_CL` (read)
corelight_suri_aggregations	-	-
corelight_suricata_corelight	-	`Corelight_v2_suricata_corelight_CL` (read)
corelight_suricata_eve	-	`Corelight_v2_suricata_eve_CL` (read)
corelight_suricata_stats	-	`Corelight_v2_suricata_stats_CL` (read)
corelight_suricata_zeek_stats	-	`Corelight_v2_suricata_zeek_stats_CL` (read)
corelight_syslog	-	`Corelight_v2_syslog_CL` (read)
corelight_tds	-	`Corelight_v2_tds_CL` (read)
corelight_tds_rpc	-	`Corelight_v2_tds_rpc_CL` (read)
corelight_tds_sql_batch	-	`Corelight_v2_tds_sql_batch_CL` (read)
corelight_traceroute	-	`Corelight_v2_traceroute_CL` (read)
corelight_tunnel	-	`Corelight_v2_tunnel_CL` (read)
corelight_unknown_smartpcap	-	`Corelight_v2_unknown_smartpcap_CL` (read)
corelight_util_stats	-	`Corelight_v2_util_stats_CL` (read)
corelight_vpn	string	`Corelight_v2_vpn_CL` (read)
corelight_weird	-	`Corelight_v2_weird_CL` (read)
corelight_weird_agg	-	`Corelight_v2_weird_agg_CL` (read)
corelight_weird_red	-	`Corelight_v2_weird_red_CL` (read)
corelight_weird_stats	-	`Corelight_v2_weird_stats_CL` (read)
corelight_wireguard	-	`Corelight_v2_wireguard_CL` (read)
corelight_x509	-	`Corelight_v2_x509_CL` (read) `Corelight_v2_x509_red_CL` (read)
corelight_x509_red	-	`Corelight_v2_x509_red_CL` (read)
corelight_zeek_doctor	-	`Corelight_v2_zeek_doctor_CL` (read)

Watchlists

Name	Description	Tables Used
CorelightAggregationsEnrichment1	-	-
CorelightAggregationsEnrichment2	-	-
CorelightDNSPortDesc	-	-
CorelightGeoCountries	-	-
CorelightInferencesDesc	-	-

Release Notes

Version	Date Modified (DD-MM-YYYY)	Change History
3.2.4	19-03-2026	Added 'Show Aggregation' filters in Corelight Data Explorer Workbook.
3.2.3	27-01-2026	Added Corelight AWS VPC Flow dashboard.
3.2.2	01-12-2025	Added Corelight Aggregation Parsers.
3.2.1	30-10-2025	Added corelight_first_seen and corelight_anomaly Parsers.
3.2.0	05-03-2025	Added new Parsers, Workbooks and Watchlists.
3.1.0	27-09-2024	Updated Parsers and added new tabs in Workbook.
3.0.2	31-01-2024	Updated Parser Corelight Updated tactics of Hunting Query Corelight - Repetitive DNS Failures
3.0.1	16-11-2023	Updated package mainTemplate variables
3.0.0	20-09-2023	Changed backend format to use separate tables with parsed values
2.0.0	10-06-2022	Updated Workbooks
1.1.0	22-10-2021	Packaging updates
1.0.2	22-04-2021	Updated instructions, rules, LA config
1.0.1	09-04-2021	Updated Analytic Rule
1.0.0	01-04-2021	Initial Solution Release