Quickstart

These topics help you get started with Corelight Investigator.

Before you start

Make sure that all the Corelight Sensors that you want to connect to Investigator meet these requirements and are configured to export to Investigator.

  • You must use hardware, virtual (VMware or Hyper-V), or cloud (EC2 or Azure) sensors.

  • Your sensors must be running software release v25 or later.

  • Your sensors must have Corelight Cloud Services enabled.

    • Run corelight-client configuration update --remote.enable 1

      or

    • Go to Sensor | Updates | Enable Corelight Cloud Services.

  • Your sensors must have external network connectivity (north/south).

  • We recommend Chrome for the best web experience.

Log in for the first time

Once Corelight creates your Investigator account, the system sends you a confirmation email welcoming you to the platform. You also receive an account registration email containing your username and a temporary password. Use these credentials to complete your account registration and log in for the first time.

To register your account

  1. Click the Go to Investigator link in the account registration email to activate your account.

    A welcome screen appears.

  2. Click Start.

  3. Enter the username and password provided in the account registration email and click Register now.

  4. Review the Corelight privacy policy and click Continue.

    When you click Continue, you acknowledge the Corelight privacy policy and agree to the processing of data in accordance with the policy.

  5. Create a secure password that meets the requirements. Confirm your new password and click Next.

  6. Open an authenticator app (such as Google Authenticator) on your phone and add a new account.

  7. Scan the provided QR code to connect your app to Investigator.

  8. Enter the one-time password (OTP) from your app in Investigator.

  9. Click Verify OTP to log into Investigator.

  10. Click Login.

Your account is set up and active. Enter your login details again to get started.

Next, enable and configure Corelight Investigator on your sensor.

Configure your sensors

If you are an admin user and your Investigator account is not connected to a sensor, you are prompted to add sensors and import logs after your initial login. Your Investigator license determines what logs are imported. For details, see Find details in the logs.

Tip

You can also perform these steps from the Sensor Monitoring page in System Settings.

To configure your sensors

  1. Click Configure Sensor.

  2. Enter your Investigator credentials and click Confirm.

  3. Confirm your OTP code and click Verify.

  4. Click View Sensor Information.

  5. Note the Access Key, Secret Key, Region, and Stream Name specified by Investigator.

    You can use the copy button to copy each value, or download all of the values as a CSV file.

  6. Outside of Investigator, enable export to Corelight Investigator for your sensors, either through the sensor interface or through Fleet Manager.

    Web interface

    1. From your sensor or policy configuration, go to Export and turn on Export to Investigator.

    2. Enter the Access Key, Secret Key, Region, and Stream Name specified by Investigator.

    3. Optionally, select Zeek logs to exclude and use the Corelight filter language to define a log filter.

    4. Click Apply Changes.

    5. Repeat this step for all sensors that you want to connect to Investigator.

    See Investigator export in the Corelight Sensor User Guide for more details.

    corelight-client

    corelight-client configuration update --bro.export.investigator.enable 1 \
    --bro.export.investigator.access_key=<access_key> \
    --bro.export.investigator.secret_access_key=<secret_key> \
    --bro.export.investigator.region=<region> \
    --bro.export.investigator.stream=<stream>
    
  7. In Investigator, click Close.

The Sensor Monitoring dashboard shows the imported activity.

Note

If needed, update your firewall to allow outbound HTTPS traffic from the sensor to the regional Kinesis service endpoint. For regional endpoint details, see the AWS help topic Amazon Kinesis Data Streams endpoints and quotas - AWS General Reference.
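The sensor-side part of this procedure, as an added example that is not Corelight's code: a POSIX shell helper that takes the values Investigator shows in step 5 (or the CSV you download there) and renders the corelight-client command for each sensor, together with the regional Kinesis endpoint the firewall must allow. The CSV column layout, the sample rows and the endpoint pattern kinesis.<region>.amazonaws.com (standard AWS partition) are assumptions, not Investigator's documented format.

```shell
# Constructed sample in the assumed layout; real values come from Investigator.
SAMPLE_CSV='sensor,access_key,secret_key,region,stream
sensor-a,AKIAEXAMPLEKEY1,EXAMPLESECRET1,us-east-1,example-stream-1
sensor-b,AKIAEXAMPLEKEY2,EXAMPLESECRET2,eu-west-1,example-stream-2'

# Render the export command for one sensor.
# $1 access key, $2 secret key, $3 region, $4 stream name (all required).
investigator_export_cmd() {
  for v in "$1" "$2" "$3" "$4"; do
    [ -n "$v" ] || { echo "investigator_export_cmd: all four values are required" >&2; return 1; }
  done
  printf 'corelight-client configuration update --bro.export.investigator.enable 1 \\\n'
  printf '  --bro.export.investigator.access_key=%s \\\n' "$1"
  printf '  --bro.export.investigator.secret_access_key=%s \\\n' "$2"
  printf '  --bro.export.investigator.region=%s \\\n' "$3"
  printf '  --bro.export.investigator.stream=%s\n' "$4"
}

# Regional Kinesis Data Streams endpoint the sensor reaches over HTTPS.
# Assumed pattern for the standard AWS partition; other partitions differ.
kinesis_endpoint() {
  printf 'https://kinesis.%s.amazonaws.com' "$1"
}

# Read the CSV on stdin (header row skipped) and emit one command block per
# sensor, each preceded by a comment naming the endpoint to allow.
render_from_csv() {
  tail -n +2 | while IFS=, read -r sensor akey skey region stream; do
    printf '# %s: allow outbound HTTPS to %s\n' "$sensor" "$(kinesis_endpoint "$region")"
    investigator_export_cmd "$akey" "$skey" "$region" "$stream" || return 1
    printf '\n'
  done
}

printf '%s\n' "$SAMPLE_CSV" | render_from_csv
```

Review the rendered commands before running them on each sensor; they carry the secret key in plain text, so keep the output out of shared shell history and ticketing systems.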

If you experience problems logging in or connecting your sensors, read through the topics in this help system. If you can’t resolve your issue, contact Corelight Support.