1 - Open Network Detection & Response (NDR)
Open Network Detection & Response (NDR): Provides network detection and response by analyzing traffic for advanced threats and anomalous behavior.
To onboard such a source to Axoflow, complete the generic appliance onboarding steps.
Labels
Axoflow automatically adds the following labels to data collected from this source:
| Analytics label | Message field | value |
|---|---|---|
vendor |
meta.vendor |
corelight |
product |
meta.product |
ndr-platform |
You can use the labels as:
- Filter labels on the Analytics page,
- in the Filter By Label field during log tapping.
You can use the message fields
- in Flow Processing steps, for example, in the Query field of Select Messages steps,
- in AQL expressions in the search bars.
Sending data to Splunk
When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:
| sourcetype | index |
|---|---|
corelight_alerts |
main |
corelight_conn |
main |
corelight_corelight |
main |
corelight_corelight_metrics_bro |
main |
corelight_corelight_metrics_iface |
main |
corelight_dhcp |
main |
corelight_dpd |
main |
corelight_etc_viz |
main |
corelight_evt_all |
main |
corelight_evt_http |
main |
corelight_evt_suri |
main |
corelight_files |
main |
corelight_ftp |
main |
corelight_http |
main |
corelight_http_red |
main |
corelight_idx |
main |
corelight_irc |
main |
corelight_kerberos |
main |
corelight_metrics_bro |
main |
corelight_metrics_iface |
main |
corelight_rdp |
main |
corelight_smb |
main |
corelight_smb_files |
main |
corelight_socks |
main |
corelight_ssh |
main |
corelight_ssh_red |
main |
corelight_ssl |
main |
corelight_st_base |
main |
corelight_suri |
main |
corelight_suricata_corelight |
main |
corelight_x509 |
main |
Sending data to Google SecOps
When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CORELIGHT.