New Corelight ECS Mapping applies to visualizations, dashboards, alerts, and machine learning
San Francisco, Calif.—Jan. 28, 2020—Corelight, provider of the most powerful network traffic analysis (NTA) solutions for cybersecurity, today reinforced its support for the Elastic Common Schema (ECS), a specification that provides a consistent and customizable way to structure log data from a variety of diverse sources in Elasticsearch. Using Corelight ECS Mapping streamlines the implementation of automated analysis methods on Zeek logs, including machine learning-based anomaly detection and alerting.
“Corelight was one of the first Elastic partners to test ECS when it was launched in 2019. Our support for ECS underscores a mutual focus on providing customers with a standardized approach on how to collect, ingest and understand their data,” said Allen Male, director of strategic alliances and partnerships for Corelight. “These efforts help customers make use of enhanced capabilities that reduce their security risk without additional analyst effort.”
ECS facilitates the unified analysis of data from diverse sources so that content such as dashboards and machine learning jobs can be applied more broadly, searches can be crafted and shared more efficiently, and field names can be recalled by analysts more easily.
“The Elastic Common Schema provides a shared language for our community of users to understand their data, collaborate to develop resources across the Elastic Stack, and more quickly drill down to identify a potential attacker or determine the root cause of an operational issue,” said Mike Paquette, director of product, Elastic SIEM. “Mapping to ECS makes it easier for users to visualize, search, drill down, and pivot through their Zeek log data, and enables easy sharing of analysis content amongst the Zeek user community.”
ECS streamlines the development of analytics content. Instead of creating new searches and dashboards each time an organization adds a data source with a new format, users can continue leveraging ECS-aware searches and dashboards. ECS also makes it far easier for organizations to directly adopt analytics content from other parties that use ECS, whether Elastic, a partner, or an open source project.
Corelight ECS mapping supports Corelight data as well as open-source Zeek and is available on Github.
For more information on ECS check out the “Introducing Elastic Common Schema” post on the Elastic blog.
Corelight product marketing has also described the benefits of Corelight ECS Mapping in its “Corelight ECS Mapping: Unified Zeek data for more efficient analytics” post now available on the Corelight blog.
Corelight delivers the most powerful network visibility solutions for information security professionals, helping them understand network traffic and defend their organizations more effectively. Corelight solutions are built on the Zeek framework (formerly known as “Bro”), the powerful and widely-used open source network analysis framework that generates actionable, real-time data for thousands of security teams worldwide. Zeek data has become the ‘gold standard’ for incident response, threat hunting, and forensics in large enterprises and government agencies worldwide. Corelight makes a family of network sensors — both physical and virtual, at every scale — that take the pain out of deploying open-source Zeek by adding integrations and capabilities large organizations need. The Zeek project was initially developed at Lawrence Berkeley National Laboratory (LBNL), and has been supported by the US Department of Energy (DOE), the National Science Foundation (NSF), and the International Computer Science Institute (ICSI). Corelight is based in San Francisco, Calif. For more information, visit Corelight.com or follow @corelight_inc.