What Changed

Two new KQL parsers were added to the Corelight solution to extend its network threat detection coverage:

  • corelight_anomaly parser for ML-based anomaly detection events
  • corelight_first_seen parser for tracking first-occurrence events

Parser Impact

Both parsers normalise Corelight v2 sensor data into structured fields and tag each event with EventVendor="Corelight" and EventProduct="CorelightSensor". The corelight_anomaly parser exposes the ML scoring and nearest-neighbour analysis fields used for anomaly detection, while corelight_first_seen tracks the events that establish an entity's baseline (its first observed occurrence). No existing normalised field names change, so current detection logic that depends on the other Corelight parsers is unaffected.

Affected Files

  • Solutions/Corelight/Parsers/corelight_anomaly.yaml
  • Solutions/Corelight/Parsers/corelight_first_seen.yaml
  • Packaging artefacts: mainTemplate.json, createUiDefinition.json, Solution_Corelight.json