Export alerts¶
The Alert Export feature is your primary tool for streaming network security alerts from Corelight Investigator directly into your Security Information and Event Management (SIEM) platform.
The goal is to create a single, centralized triage queue for your security team. For many security teams, a SIEM is the starting point for their daily investigations. By exporting Corelight alerts, they can see high-fidelity network findings alongside alerts from endpoint, identity, and other security tools. From the SIEM, they can then pivot back to Investigator for deep-dive analysis and evidence gathering.
This guide explains how the feature works so you can choose the right export strategy and make the most of your data.
Understand alerts vs. detections¶
Before you begin, it’s critical to understand the difference between the data you export and the findings you see in the Investigator UI. You might notice Investigator showing 60 detections, but your SIEM receives 6,000 events. This is expected.
Alerts: These are the raw, individual security indicators. An alert acts as a signal that something potentially malicious has occurred, while the supporting logs provide the evidence. The Alert Export feature sends a continuous stream of every single alert generated by the rules you have enabled.
Detections: These are the aggregated findings you see in the Investigator UI. To reduce noise, Investigator groups hundreds or even thousands of related alerts into a single, high-level detection.
This one-to-many relationship is key: one detection in the UI represents many underlying alerts. The exporter sends the alerts, giving your SIEM the most detailed data possible.
How the alert export works¶
The alert export is designed for one main job: streaming all your alert data to an external system. Here’s a simple breakdown of what it does and doesn’t do.
| What it does | What it doesn't do |
|---|---|
| Streams all alerts: Sends a complete, unfiltered stream of every alert from your enabled analytics in near real time. | Filter alerts: Cannot send only a subset of alerts. If a rule is turned on, its alerts will be sent. |
| Includes full details: Exports contain the full event record. This can include the full | Send summarized detections: Only sends the raw alerts. It cannot send the aggregated detection objects that you see in the UI. |
| Sends to multiple places: You can set up multiple exporters to send the same data to different destinations (for example, Splunk and CrowdStrike). | |
When to use the API instead of the alert export¶
The alert exporter is the most common method for sending data to a SIEM. However, you should use the Investigator API if you need more control over the data being sent.
Choose the API if your goal is to:
- Filter alerts before sending: The Alerts API lets you pull only the alerts that match specific criteria you define, such as severity or time range. In contrast, the exporter sends an unfiltered stream of all enabled alerts.
- Get summarized detections: The Detections API is the only way to pull the aggregated findings that you see in the Investigator UI. This is ideal for creating a lower-volume feed that mirrors the UI or for use in automation playbooks.
For more information, see the Investigator API.
Work with exported alerts in your SIEM¶
Once alerts flow into your SIEM, you can use the data in the following ways:
Group alerts to see the bigger picture¶
To manage the high volume of raw alerts, you can group them using the same logic as Investigator. The simple recipe below helps you turn a stream of individual events into more meaningful findings.
The correlation recipe
To replicate the way Investigator groups alerts, combine the following two fields in your SIEM:
| Concept | Field Name |
|---|---|
| Source IP | alert_entity.entity_name |
| Rule ID | alert_info.content_id |
Example: Grouping alerts in Splunk
The following search counts the raw alerts associated with each unique combination of a source IP and rule ID.
```
sourcetype="corelight-investigator" | stats count by alert_entity.entity_name, alert_info.content_id
```
- `sourcetype="corelight-investigator"`: Starts with your Corelight data.
- `| stats count`: Uses the `stats` command to count the number of events.
- `by alert_entity.entity_name, alert_info.content_id`: Groups the counts by the Source IP and Rule ID fields.
Pivot from your SIEM back to Investigator¶
Every exported alert includes a powerful workflow feature: the alert-to-detection-url field. This is a direct link from the raw alert in your SIEM back to the full, correlated detection in the Corelight Investigator UI. By making this URL a clickable link in your SIEM, an analyst can instantly pivot from a single piece of evidence to the complete investigative picture.
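As an added example (not Corelight's own code), the following Python replicates the correlation recipe on the SIEM side: it groups a constructed batch of exported alert records by source IP and rule ID, the way Investigator rolls many alerts into one detection, and keeps each group's alert-to-detection-url for the pivot back to the UI. The nested record layout is an assumption derived from the dotted field names on this page.

```python
from collections import defaultdict

# Constructed sample of exported alert records (not real Corelight data).
# Layout assumed from the page's field names: alert_entity.entity_name (source IP),
# alert_info.content_id (rule ID) and alert-to-detection-url (pivot link).
SAMPLE_ALERTS = [
    {"alert_entity": {"entity_name": "10.0.0.5"}, "alert_info": {"content_id": "RULE-A"},
     "alert-to-detection-url": "https://investigator.example/detections/1001"},
    {"alert_entity": {"entity_name": "10.0.0.5"}, "alert_info": {"content_id": "RULE-A"},
     "alert-to-detection-url": "https://investigator.example/detections/1001"},
    {"alert_entity": {"entity_name": "10.0.0.5"}, "alert_info": {"content_id": "RULE-A"},
     "alert-to-detection-url": "https://investigator.example/detections/1001"},
    {"alert_entity": {"entity_name": "10.0.0.5"}, "alert_info": {"content_id": "RULE-B"},
     "alert-to-detection-url": "https://investigator.example/detections/1002"},
    {"alert_entity": {"entity_name": "10.0.0.9"}, "alert_info": {"content_id": "RULE-A"},
     "alert-to-detection-url": "https://investigator.example/detections/1003"},
    {"alert_entity": {"entity_name": "10.0.0.9"}},  # malformed record: no rule ID
]


def get_path(record, dotted):
    """Resolve a Splunk-style dotted field name (a.b.c) against a nested dict."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def group_alerts(alerts):
    """Correlation recipe: one group per (source IP, rule ID), mirroring the
    Splunk search 'stats count by alert_entity.entity_name, alert_info.content_id'."""
    groups = defaultdict(lambda: {"count": 0, "urls": set()})
    for alert in alerts:
        key = (get_path(alert, "alert_entity.entity_name"),
               get_path(alert, "alert_info.content_id"))
        if None in key:
            continue  # cannot correlate without both fields; drop, as Splunk would
        groups[key]["count"] += 1
        url = alert.get("alert-to-detection-url")
        if url:
            groups[key]["urls"].add(url)
    return {k: {"count": v["count"], "urls": sorted(v["urls"])} for k, v in groups.items()}


if __name__ == "__main__":
    for (src_ip, rule_id), g in sorted(group_alerts(SAMPLE_ALERTS).items()):
        print(f"{src_ip:<12} {rule_id:<8} alerts={g['count']}  pivot={', '.join(g['urls'])}")
```

Six raw alerts collapse into three groups, which is the one-to-many ratio the "alerts vs. detections" section describes.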
Explore data with dashboards and reports¶
The exported data is structured and includes rich metadata like source/destination IPs, ports, and MITRE ATT&CK® tactics. Use these fields in your SIEM to build dashboards, reports, and visualizations to track trends and security posture. Many integrations, like the one for CrowdStrike Falcon Next-Gen SIEM, automatically populate pre-built Corelight dashboards for you.
Manage alert exports¶
As an admin user, you have full control over alert exports on the Integrations page. Analyst users can view configured exports but cannot make changes.
Admins can:
- Configure one or more exporters: You can export alerts to multiple destinations, including multiple instances of the same platform (for example, a test and a production Splunk instance).
- Edit, disable, or delete an exporter: Once an exporter is configured, click its name to open a side panel with management options.
Important
Potential for duplicate alerts
If you have already configured log exports directly on one or more of your Corelight Sensors, be aware that exporting alerts from Investigator will duplicate some notice and Suricata alerts.
Set up an alert export¶
To set up an alert export, select one of the following guides. Each guide provides step-by-step instructions for connecting Investigator to a specific platform.
Once configured, you can use the data to power SIEM dashboards, correlate Corelight findings with other security events, and create a unified triage workflow.