The strength of a SIEM or log analytics platform like Splunk revolves around turning the machine data from your enterprise into searchable answers and alerts. When the network data ingested is only at a summary L2-L4 level, sampled (as with Netflow), or merely inferred from the logs of end systems, then the network component of an incident response investigation is at best limited and at worst compromised. Why?

  • All cyberattacks must necessarily originate or propagate on the network, and unlike log files, captured packets remain the only form of forensic evidence that cannot be hidden, erased, or modified. So why isn’t this evidence typically used by platforms like Splunk for alerting or incident response? Because traditional packet capture methods accumulate terabytes and even petabytes of information in an inefficient format (PCAP) that is not searchable, comprehensive, or designed for machine analysis and automation.
  • Effectively, all threats with any real chance of success are cross-vector threats. The security industry likes to silo threats as they pertain to specific solutions (email security, anti-virus, etc.), but in reality threats don’t respect any arbitrary “borders” and will leverage the network to propagate, exfiltrate, and attack. Without an extremely detailed view of actual network activity, and if need be the extraction of delivered payloads for examination, it is impossible to assess the entire lifecycle of an attack.

As you may already know, Bro is an open source network monitoring framework developed over the last 20 years and used by over 10,000 organizations worldwide for incident response, threat hunting, and forensics. It ingests actual network traffic and then extracts over 400 data elements in real time to generate a log format designed by incident responders, for incident responders.

  • This gives Splunk investigations PCAP-level visibility in a format that is as easy to ingest and search as Netflow.
  • Bro logs are available in a single, accessible log format which can be exported to any SIEM or data pipeline, and are specifically formatted and linked to enable fast search.
  • Bro eliminates the hassle of having to ingest and cross-analyze network data from different sources where data formats and timestamps may differ.
  • Bro is also connection-oriented, not packet-oriented, generating the connection and application-layer metadata needed to thoroughly dissect an attack from a network perspective. This is especially critical for advanced persistent threats, which evade traditional packet capture tools because they typically lack the disk space necessary to store PCAP files for durations of more than 1-2 weeks.
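As an added illustration (not part of the original post, and not Corelight's or Bro's own code) of how Bro's linked, connection-oriented log format supports the kind of pivot described above, the following Python parses constructed conn.log and http.log excerpts in Bro's ASCII TSV format, joins them on the shared `uid` field, and flags connections whose HTTP response delivered a Windows executable. All hosts, uids and values are constructed sample data.

```python
"""Parse Bro/Zeek TSV logs and pivot between conn.log and http.log via the
shared `uid` field. Every log line below is constructed for illustration."""
from typing import Dict, List

# Constructed excerpts in Bro's ASCII (tab-separated) log format; field lists abbreviated.
CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount
1500000000.100000\tCx1abc\t10.0.0.5\t51234\t203.0.113.10\t80\ttcp\thttp\t0.250000\t180\t52000
1500000001.200000\tCy2def\t10.0.0.5\t51235\t203.0.113.10\t443\ttcp\tssl\t-\t-\t-
"""
HTTP_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tstatus_code\tresp_mime_types
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tcount\tvector[string]
1500000000.100000\tCx1abc\t10.0.0.5\t51234\t203.0.113.10\t80\tGET\texample.test\t/update.exe\t200\tapplication/x-dosexec
"""

def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the names in the #fields header.
    Bro's '-' (unset) and '(empty)' markers are normalised to an empty string."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other header lines (#separator, #types, #open, #close) carry no records
        else:
            values = ["" if v in ("-", "(empty)") else v for v in line.split("\t")]
            records.append(dict(zip(fields, values)))
    return records

def enrich_by_uid(conn: List[Dict[str, str]], app: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Join application-layer records onto their connection record via uid;
    fields already present on the conn record (ts, addresses, ports) are kept."""
    by_uid = {r["uid"]: dict(r) for r in conn}
    for r in app:
        base = by_uid.setdefault(r["uid"], {})
        for key, value in r.items():
            base.setdefault(key, value)
    return by_uid

def executable_downloads(joined: Dict[str, Dict[str, str]]):
    """Flag connections whose HTTP response carried a Windows executable, returning
    (uid, orig_h, resp_h, uri, resp_bytes) tuples an analyst can pivot on."""
    return [(uid, r["id.orig_h"], r["id.resp_h"], r["uri"], int(r["resp_bytes"]))
            for uid, r in joined.items()
            if "application/x-dosexec" in r.get("resp_mime_types", "")]
```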

However, Bro is notoriously difficult to deploy, lacks enterprise-grade support, and doesn’t scale to meet the needs of demanding network environments. To address these issues, Bro’s original developers founded Corelight to build an enterprise-grade version of Bro that resolves them.

Available as both a physical and virtual appliance, Corelight deployment involves connecting a network feed and pointing the appliance toward the IP of your Splunk forwarder or SIEM. Where open source Bro struggles to attain throughputs of 3-4 Gbps, the Corelight appliance can easily generate logs and do file extraction at 25 Gbps.

In summary, Corelight feeds accurate, comprehensive, and definitive network activity data into Splunk. It helps you merge host and network telemetry on the platform you already use for incident response and threat hunting. The free Corelight For Splunk app on Splunkbase makes it easy for a Splunk Enterprise administrator to extract information and knowledge from Bro data.