[corelight] initial release of Corelight #11288
Conversation
|
💚 CLA has been signed |
sharadcrest
changed the title
andrewkroh
added
needs CLA
|
|
||
| ## Prerequisites: | ||
|
|
||
| **Add ECS Mappings**: Start by adding the ECS (Elastic Common Schema) mappings from the [Corelight GitHub repository](https://github.com/corelight). You can find the required templates here: [Corelight ECS Templates](https://github.com/corelight/ecs-templates). These mappings will ensure that Corelight data is correctly formatted and aligned with Elastic's schema. |
There was a problem hiding this comment.
Why are users been asked to manually download an input ECS mappings from Github. The ingest pipeline can be included with the integration to avoid this additional step. Any reason why we can't include the ingest pipeline as part of the integration (inline with all other integrations?)
There was a problem hiding this comment.
Corelight have mapped custom mapping differently in their GitHub repo, also they have Elastic as a configuration page where they have build pipeline along with ECS mapping for the fields, so the only ask from them is to build dashboards inline to dashboards for other vendors(Splunk, Looker etc..)
|
/test |
andrewkroh
removed
the
needs CLA
|
💚 Build Succeeded
|
|
@jamiehynds Are we okay to start review for this PR, please? |
|
@kcreddy are you ok to review this PR for Corelight (developed by Crest). Would be great to understand if the work you had done previously with Corelight, could be leveraged here? The current workflow goes against the experience of most integrations, as you're required have to manually download the mappings from Github. |
kcreddy
added
Crest
Integration:corelight
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
There was a problem hiding this comment.
The integration is unconventional and requests users to install assets such as mappings, settings, templates, ingest pipelines, etc. using an installation script provided by Corelight.
Although the Corelight repositories (providing the script and assets) are well-maintained, it should be noted and documented that this integration only provides dashboards and nothing more. The users are responsible for the updates and have to frequently check and update assets from the script provided by the Corelight repository. This should also be documented in the README.
Also it should be documented that any issues with the installation during initial setup or updates must be followed up with Corelight as we don't own them. This applies to any non-dashboard issues.
In the future, if we were to add some or all of these assets to our integration, users will need to manually delete existing stale Corelight assets.
cc: @jamiehynds
|
|
||
| [Corelight](https://corelight.com/) provides network detection and response (NDR) solutions that enhance visibility, threat detection, and incident response by leveraging open-source technologies like Zeek. Its platform integrates with existing security tools to deliver high-fidelity network data, helping organizations detect and respond to threats more effectively across both on-premises and cloud environments. | ||
|
|
||
| This integration includes only the Corelight dashboards for Security Posture, Remote Activity Insights, Name Resolution Insights, and Secure Channel Insights. |
There was a problem hiding this comment.
Can you add a bulleted list?
|
|
||
| **Add ECS Mappings**: Start by adding the ECS (Elastic Common Schema) mappings from the [Corelight GitHub repository](https://github.com/corelight). You can find the required templates here: [Corelight ECS Templates](https://github.com/corelight/ecs-templates). These mappings will ensure that Corelight data is correctly formatted and aligned with Elastic's schema. | ||
|
|
||
| **Send Data from Corelight to Elastic**: Once the ECS mappings are in place, configure Corelight to send data directly to your Elastic environment. |
There was a problem hiding this comment.
This needs to be explained step-by-step.
|
|
||
| **Send Data from Corelight to Elastic**: Once the ECS mappings are in place, configure Corelight to send data directly to your Elastic environment. | ||
|
|
||
| **Note**: Use the default index (logs-*) name instead of a custom index. |
There was a problem hiding this comment.
I don't get this. Where do users set this? This can be explained better.
| ### Enabling the integration in Elastic: | ||
|
|
||
| 1. In Kibana go to Management > Integrations. | ||
| 2. In "Search for integrations" search bar, type Corelight. | ||
| 3. Click on the "Corelight" integration from the search results. | ||
| 4. Go to Settings. | ||
| 5. Click on the "Install Corelight assets". | ||
| 6. Go to Assets to get list of dashboards. |
There was a problem hiding this comment.
To conform the docs across integration, we should make this section wording exactly same as https://github.com/elastic/integrations/blob/main/packages/abnormal_security/_dev/build/docs/README.md#enabling-the-integration-in-elastic
There was a problem hiding this comment.
Was there any requirement to make the title Remote Access Hygiene while the left navigation calls it Remote Activity Insights? I think they should be alike to avoid confusion.
There was a problem hiding this comment.
Same for the rest of the dashboards.
| description: Collect logs from Corelight with Elastic Agent. | ||
| type: integration | ||
| categories: | ||
| - security |
There was a problem hiding this comment.
Add following as well:
- dns_security
- network
- network_security
- vpn_security
|
@piyush-elastic, related to #11288 (comment), can you update Crest template for README with changes from #11210? This is to conform the README docs across integrations. |
Proposed commit message
Create New integration package corelight and add below four dashboards:
Checklist
changelog.ymlfile.How to test this PR locally
Screenshots