Export alerts to Elastic SIEM

Important

The Corelight Investigator alert export feature does not currently support Elastic data streams. Use a standard Elastic index as the destination; exports to a data stream fail.

Integrate Corelight Investigator (Investigator) with your Elastic instance to send network security alerts directly to an Elastic index. This allows for centralized monitoring, search, and analysis of Corelight data within your existing Elastic environment.

Prerequisites

Before you begin, ensure you have the following:

  • An active Elastic Cloud account or a self-managed Elastic Stack deployment.

  • An operational Corelight Investigator instance.

  • Firewall configuration: If your firewall restricts inbound traffic to your Elastic endpoint, create a rule that allows inbound HTTPS (TCP port 443, or whichever port your Elastic endpoint URL uses) from the Corelight Investigator source IP address for your region. Without this rule Investigator cannot reach your Elastic instance and exports fail.

    Add the IP address that corresponds to your region to your firewall’s allowlist:

    • North America (us-west-2): 35.81.184.144

    • Europe (eu-central-1): 35.157.240.249

    • Middle East (me-south-1): 40.172.28.44

    • Asia Pacific (ap-southeast-2): 3.25.53.116

  • Permissions:

    • In Elastic: A username and password for a dedicated user whose role grants write privileges on the target index only. Do not reuse an administrator account: these credentials are stored in Investigator and are only needed to write alerts into one index.

    • In Investigator: Administrator privileges are required to configure alert exports. Analyst-level users can only view existing configurations.

Important

  • Alert duplication: If you have already configured log exports from Corelight Sensors managed by this Investigator instance, be aware that exporting alerts directly from Investigator can deliver the same notice and Suricata alerts twice in Elastic, once through the sensor log export and once through Investigator.

  • The Elastic user interface and configuration steps are subject to change by Elastic. This guide is based on the interface at the time of publication.

Step 1: Configure an endpoint in Elastic

First, you need to prepare your Elastic instance to receive the alerts.

  1. Within your Elastic environment, set up a data ingestion endpoint (a connector or an HTTP input) and make sure the destination exists as a standard index, not a data stream.

  2. From your Elastic configuration, you’ll need to note three key pieces of information for the next step:

    1. The data ingestion URL.

    2. The Username and Password for authentication.

    3. The destination Index name where the alerts will be stored.

See the Elastic documentation for the most current instructions on creating data ingestion endpoints.
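The following script is an added example, not part of the Corelight documentation and not Corelight or Elastic code. It performs Step 1 against a self-managed or Elastic Cloud deployment using only the Elasticsearch REST API: it refuses a plaintext or credential-bearing endpoint URL, checks that the target name resolves to a standard index rather than a data stream or alias (creating it if it does not exist), and creates an ingest-only role and user for Investigator. The role and user names, the index settings, and the choice of the create_doc and auto_configure privileges are this example's assumptions; adjust them to your deployment.

```python
"""Prepare Elasticsearch for Corelight Investigator alert export.

Creates a standard index (not a data stream), an ingest-only role scoped
to that index, and a user that holds only that role.  Pure functions are
separated from the network calls so they can be checked offline.
"""
import base64
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Names below are this example's choices, not Corelight or Elastic defaults.
ROLE_NAME = "corelight_alert_ingest"
USER_NAME = "corelight_exporter"


def validate_endpoint(url: str) -> str:
    """Reject endpoints the exporter should never be pointed at: plaintext
    HTTP (credentials cross the network in clear) or URLs with embedded
    user:pass@ (they leak into logs and screenshots)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"endpoint must use https, got {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("do not embed credentials in the endpoint URL")
    return url.rstrip("/")


def classify_target(resolve_response: dict, name: str) -> str:
    """Interpret a GET _resolve/index/<name> response as 'index', 'alias',
    'data_stream' or 'missing'.  Only 'index' is a valid exporter target."""
    for kind, key in (("data_stream", "data_streams"),
                      ("alias", "aliases"),
                      ("index", "indices")):
        if any(e.get("name") == name for e in resolve_response.get(key, [])):
            return kind
    return "missing"


def ingest_role(index: str) -> dict:
    """Least-privilege role body: write new documents to one index, no
    cluster privileges.  'auto_configure' lets dynamic mapping add fields
    on first write.  If the exporter logs a 403 naming another privilege,
    add exactly that one rather than widening to 'all'."""
    return {"cluster": [],
            "indices": [{"names": [index],
                         "privileges": ["create_doc", "auto_configure"]}]}


def es_call(base, method, path, auth, body=None, ok404=False):
    """Authenticated JSON call.  TLS is verified by urllib's default
    context.  Non-2xx responses raise with the Elasticsearch error body
    so a missing privilege is visible instead of silently ignored."""
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(
        f"{base}/{path}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as e:
        if e.code == 404 and ok404:
            return {}
        raise RuntimeError(f"{method} {path} -> {e.code}: {e.read().decode()}") from e


def main(argv):
    if len(argv) != 6:
        sys.exit("usage: prep_elastic.py <es-url> <admin-user> <admin-pass> "
                 "<index> <exporter-password>")
    base = validate_endpoint(argv[1])
    admin, index, exporter_pass = (argv[2], argv[3]), argv[4], argv[5]

    kind = classify_target(
        es_call(base, "GET", f"_resolve/index/{index}", admin, ok404=True), index)
    if kind == "missing":
        es_call(base, "PUT", index, admin,
                {"settings": {"index": {"number_of_shards": 1,
                                        "number_of_replicas": 1}}})
    elif kind != "index":
        sys.exit(f"{index} is a {kind}; the exporter needs a standard index")

    es_call(base, "PUT", f"_security/role/{ROLE_NAME}", admin, ingest_role(index))
    es_call(base, "PUT", f"_security/user/{USER_NAME}", admin,
            {"password": exporter_pass, "roles": [ROLE_NAME],
             "full_name": "Corelight Investigator alert exporter"})
    print(f"Investigator settings -> URL: {base}  Username: {USER_NAME}  "
          f"Index: {index}")


if __name__ == "__main__":
    main(sys.argv)
```

The three values printed at the end are the URL, Username and Index you enter in Step 2. The administrator credentials are used only to run this script and never leave your workstation; only the new write-only user is entered into Investigator.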

Step 2: Configure the alert exporter in Investigator

Next, use the details from Elastic to configure the connection in Investigator.

  1. In the Investigator UI, navigate to System Settings | Integrations.

  2. Click the Alert Exports tab.

  3. Click the Elastic tile to open the Elastic Exporter configuration panel.

  4. Toggle the Enabled switch to the On position.

  5. Provide a descriptive Name for the exporter.

  6. Enter the URL, Username, Password, and Index from your Elastic instance.

  7. Enable Verify SSL (recommended). With it on, Investigator checks the certificate presented by the Elastic endpoint before sending credentials or alerts: the certificate must be current, issued by a certificate authority that Investigator trusts, and the hostname in the URL must appear in the certificate (its Subject Alternative Name). With it off, anyone able to intercept traffic on the path to Elastic can present a forged certificate and read the exporter's password and alert data.

  8. Click Save.
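Before saving with Verify SSL enabled, it helps to run the same checks from a workstation so that a certificate problem is fixed before the exporter starts failing. The script below is an added example and not Corelight code: it connects to the Elastic endpoint as a verifying TLS client (system CA store, hostname checking on) and reports whether the chain is trusted, how long the certificate remains valid, and whether the URL hostname matches a DNS Subject Alternative Name. The assumption is that Investigator's Verify SSL applies the standard checks a verifying client applies; the script does not use Investigator's own trust store.

```python
"""Pre-flight for Investigator's Verify SSL option.

Opens a TLS connection to the Elastic endpoint the way a verifying client
does (system CA store, hostname check on) and reports the three things the
option requires: trusted issuer, certificate still valid, hostname present
in the certificate.  check_cert() is pure so it can be run offline.
"""
import socket
import ssl
import sys
import time
from urllib.parse import urlsplit


def san_matches(pattern: str, host: str) -> bool:
    """Match one DNS SAN against a hostname: exact match, or a wildcard
    that covers a single leftmost label (*.es.example.com matches
    siem.es.example.com but not a.b.es.example.com or es.example.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        p, h = pattern.split("."), host.split(".")
        return len(p) == len(h) and p[1:] == h[1:]
    return pattern == host


def check_cert(cert: dict, host: str, now: float) -> dict:
    """Evaluate a certificate dict as returned by SSLSocket.getpeercert()
    at time `now` (epoch seconds)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "hostname_ok": any(san_matches(s, host) for s in sans),
        "current": not_before <= now <= not_after,
        "days_left": int((not_after - now) // 86400),
        "sans": sans,
    }


def probe(url: str) -> dict:
    """Connect like a verifying client.  If the handshake fails, the
    issuer is not trusted or the name does not match, and the exporter
    would fail the same way with Verify SSL on."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 443
    ctx = ssl.create_default_context()   # check_hostname=True, CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return {"trusted": False, "error": e.verify_message}
    result = check_cert(cert, host, time.time())
    result["trusted"] = True
    result["issuer"] = dict(rdn[0] for rdn in cert["issuer"]).get("organizationName")
    return result


if __name__ == "__main__":
    print(probe(sys.argv[1]))
```

Run it as `python3 verify_ssl_preflight.py https://es.example.com:9243` (a constructed URL). A result with `trusted: False` means the endpoint uses a certificate from an issuer the system does not trust, which is the case the page says Verify SSL rejects; a small `days_left` is a warning that the exporter will start failing when the certificate expires.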

Step 3: Verify the connection

Confirm alerts are sent successfully from Investigator to Elastic.

  1. Wait for a new alert to be generated in Investigator.

  2. In the Elastic UI, navigate to the Discover tab.

  3. Choose the data view corresponding to the index you configured.

  4. Use the search bar and time filter to locate the new alert.

If the alert appears in your Elastic index, the integration is working correctly. It may take 5-10 minutes for the data to initially appear in dashboards.
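Because the first alert can take several minutes to arrive, a scripted check is more reliable than refreshing Discover. The script below is an added example, not Corelight code: it records the document count of the index, then polls the Elasticsearch _count API until the count rises or a deadline passes, reporting a drop in the count separately because that indicates the index was recreated or purged rather than still filling. It assumes the account used for the check has read access to the index (the exporter's write-only user cannot run _count); the polling interval and ten-minute deadline follow the timing noted above.

```python
"""Confirm alerts are landing in the Elastic index.

Takes a document count before a new alert is expected, then polls until
the count rises or a deadline passes.  The polling logic is separate from
the HTTP call so it can be exercised offline with a fake counter.
"""
import base64
import json
import sys
import time
import urllib.request


def count_docs(base: str, index: str, auth: tuple) -> int:
    """GET <index>/_count with basic auth.  Needs read on the index, so use
    an analyst account, not the exporter's write-only user."""
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(f"{base.rstrip('/')}/{index}/_count",
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["count"]


def wait_for_growth(count_fn, baseline: int, timeout_s: float,
                    interval_s: float = 30, clock=time.monotonic,
                    sleep=time.sleep) -> dict:
    """Poll count_fn() until it exceeds baseline.  Returns the outcome and
    elapsed time.  A count below the baseline is reported as its own
    failure: the index was recreated or purged, not merely slow."""
    start = clock()
    while True:
        current = count_fn()
        elapsed = clock() - start
        if current > baseline:
            return {"ok": True, "new_docs": current - baseline, "elapsed_s": elapsed}
        if current < baseline:
            return {"ok": False, "reason": "count decreased", "elapsed_s": elapsed}
        if elapsed >= timeout_s:
            return {"ok": False, "reason": "timeout", "elapsed_s": elapsed}
        sleep(interval_s)


if __name__ == "__main__":
    base, index, user, password = sys.argv[1:5]
    auth = (user, password)
    before = count_docs(base, index, auth)
    print(f"{index}: {before} documents; waiting up to 10 min for the next alert")
    print(wait_for_growth(lambda: count_docs(base, index, auth), before, 600))
```

If the result is a timeout, check the exporter's status in Investigator and the firewall allowlist from the prerequisites before assuming Elastic is at fault; if Investigator shows the export succeeding while the count never moves, confirm the Index field matches the index you are counting.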

Step 4: Use the data in Elastic

Once alert data is successfully flowing into your Elastic index, use Elastic’s native tools to analyze the data.