What Changed

Added six new aggregation parsers for Corelight network sensor data to enhance security analytics capabilities:

  • DNS Aggregation Parser: Normalizes DNS query/response data with CIM field mapping for record types, reply codes, and threat intelligence context
  • HTTP Aggregation Parser: Processes HTTP transactions with status code mapping, user agent analysis, and URL categorization
  • Files Aggregation Parser: Tracks file transfers with hash analysis (MD5, SHA1, SHA256) and MIME type detection
  • Connection Aggregation Parser: Enhanced network session analysis with improved field extraction
  • SSL Aggregation Parser: Certificate and encryption protocol monitoring
  • Weird Events Parser: Anomalous network behavior detection and alerting

Detection Surface Unlocked

These parsers enable advanced network security monitoring including:

  • DNS tunneling and exfiltration detection via DNS aggregation analysis
  • Web-based attack pattern identification through HTTP transaction monitoring
  • Malware propagation tracking via file hash correlation
  • Encrypted channel abuse detection through SSL/TLS analysis
  • Network anomaly identification via weird event correlation
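
As an added illustration of the first item above (example code, not part of the Corelight parsers or this change), the following Python rolls constructed Corelight/Zeek dns.log-style records up per registered domain and flags domains whose many unique, high-entropy subdomains or TXT-heavy lookups resemble DNS tunneling. The field names id.orig_h, query, qtype_name and rcode_name, the hosts and domains, and all thresholds are assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample records using Zeek/Corelight dns.log field names;
# every host and domain below is made up for this example.
SAMPLE_DNS = [
    {"id.orig_h": "10.0.0.5", "query": "www.example.com", "qtype_name": "A", "rcode_name": "NOERROR"},
    {"id.orig_h": "10.0.0.5", "query": "mail.example.com", "qtype_name": "MX", "rcode_name": "NOERROR"},
    {"id.orig_h": "10.0.0.7", "query": "www.example.com", "qtype_name": "AAAA", "rcode_name": "NOERROR"},
    {"id.orig_h": "10.0.0.7", "query": "cdn.example.com", "qtype_name": "A", "rcode_name": "NOERROR"},
] + [
    # Six TXT lookups whose leftmost label is a hex-looking blob, the shape tunnelling traffic tends to have.
    {"id.orig_h": "10.0.0.9", "query": f"{label}.t.badexample.net", "qtype_name": "TXT", "rcode_name": "NOERROR"}
    for label in ("4a7f9e2c1b8d", "0e3b6d9a2f5c", "71c4e8a2f6b0",
                  "a9d3f7b1e5c0", "5c2e8a1f4b7d", "b6f0d4a8e2c9")
]

def registered_domain(query, depth=2):
    """Crude registrable-domain cut: keep the last `depth` labels (no public-suffix list here)."""
    labels = query.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])

def shannon_entropy(text):
    """Bits per character of a label; encoded payload labels score far higher than words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def aggregate_dns(records):
    """Roll records up per registered domain: clients, unique names, query types, reply codes."""
    agg = defaultdict(lambda: {"clients": set(), "subdomains": set(),
                               "qtypes": defaultdict(int), "rcodes": defaultdict(int)})
    for r in records:
        a = agg[registered_domain(r["query"])]
        a["clients"].add(r["id.orig_h"])
        a["subdomains"].add(r["query"].lower())
        a["qtypes"][r["qtype_name"]] += 1
        a["rcodes"][r["rcode_name"]] += 1
    return agg

def score_tunneling(agg, min_subdomains=5, min_entropy=3.0, bulk_ratio=0.5):
    """Flag domains with many unique names whose leftmost labels look encoded, or that are mostly TXT/NULL."""
    flagged = []
    for domain, a in agg.items():
        if len(a["subdomains"]) < min_subdomains:
            continue  # too few unique names to say anything
        total = sum(a["qtypes"].values())
        entropies = [shannon_entropy(name.split(".")[0]) for name in a["subdomains"]]
        bulky = (a["qtypes"].get("TXT", 0) + a["qtypes"].get("NULL", 0)) / total
        if sum(entropies) / len(entropies) >= min_entropy or bulky >= bulk_ratio:
            flagged.append(domain)
    return sorted(flagged)
```

Thresholds like these need tuning per environment (CDNs and some telemetry services also generate many unique subdomains), so treat a hit as a lead for the analyst, not a verdict.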

Affected Files

Solutions/Corelight/Parsers/corelight_conn_agg.yaml
Solutions/Corelight/Parsers/corelight_dns_agg.yaml
Solutions/Corelight/Parsers/corelight_files_agg.yaml
Solutions/Corelight/Parsers/corelight_http_agg.yaml
Solutions/Corelight/Parsers/corelight_ssl_agg.yaml
Solutions/Corelight/Parsers/corelight_weird_agg.yaml
(validation schemas and packaging artefacts)