What Changed

Updated 8 Corelight aggregation parsers and the Data Explorer workbook to properly handle aggregated network events with corrected field mappings and new filtering capabilities.

Parser Impact

The aggregation parsers had several field mapping issues that caused data fidelity problems:

  • UID field mapping: Changed from uid_s to uids_s across all aggregation parsers — queries referencing connection UIDs against these parsers previously returned null values
  • Community ID mapping: Fixed from community_id_s to community_ids_s in connection aggregation parser
  • User agent handling: Converted from string to dynamic array format in HTTP parsers for proper multi-value support
  • MIME type normalization: Fixed field references and converted to dynamic arrays where appropriate
  • Netskope field corrections: Updated field names to plural form (netskope_site_ids_s, netskope_user_ids_s)

These changes restore data availability for queries that reference aggregated network session data. The incorrect field mappings caused zero results for connection correlation and user agent analysis on aggregated logs.
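The mapping failure described above, shown as an added KQL fragment that is not the solution's own parser code: the table name `Corelight_conn_agg_CL`, the user-agent column `user_agents_s` and the assumption that the plural columns carry JSON-encoded arrays are all assumptions, not facts from this change.

```kql
// Added illustration, not the shipped parser. Confirm real column names with:
//   Corelight_conn_agg_CL | getschema
// Before the fix the parser referenced a singular column that the aggregated
// table does not carry, so column_ifexists() fell back to the default on every
// row and any correlation on uid matched nothing (the "zero results" symptom).
Corelight_conn_agg_CL
| extend uid_before = column_ifexists("uid_s", "")                // old mapping: column absent, always ""
| extend uids = todynamic(column_ifexists("uids_s", "[]"))        // fixed: plural column, parsed as a dynamic array
| extend community_ids = todynamic(column_ifexists("community_ids_s", "[]"))
| mv-expand uid = uids to typeof(string)                         // one row per member connection for joins
| project TimeGenerated, uid, community_ids, uid_before
```

The same pattern applies to the HTTP aggregation parser: `todynamic(column_ifexists("user_agents_s", "[]"))` followed by `mv-expand` lets a query count each user agent in an aggregated session individually instead of treating the whole list as one opaque string.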

Workbook Enhancement

Added Show Aggregation filters to the Corelight Data Explorer workbook, enabling SOC analysts to specifically query and visualize aggregated network events alongside raw events.

Affected Files

Solutions/Corelight/Parsers/corelight_conn_agg.yaml
Solutions/Corelight/Parsers/corelight_dns_agg.yaml
Solutions/Corelight/Parsers/corelight_files.yaml
Solutions/Corelight/Parsers/corelight_files_agg.yaml
Solutions/Corelight/Parsers/corelight_http.yaml
Solutions/Corelight/Parsers/corelight_http_agg.yaml
Solutions/Corelight/Parsers/corelight_ssl_agg.yaml
Solutions/Corelight/Parsers/corelight_weird_agg.yaml
Solutions/Corelight/Workbooks/Corelight_Data_Explorer.json
(packaging artefacts: 3.2.4.zip, ReleaseNotes.md, Solution_Corelight.json, mainTemplate.json)