Add Fleet-managed sensors

Corelight-update can use your Fleet Manager instance to collect an inventory of connected sensors, and deploy content to those sensors.

When Corelight-update deploys content to Fleet-managed sensors, it authenticates to the Fleet Manager API and proxies the input files to those sensors through the Fleet Manager instance. If a Fleet-managed sensor is disconnected from Fleet Manager during the content push, that sensor does not receive the files until the next content push (provided it is connected at that time).

Prerequisites

To configure Corelight-update to deploy content using Fleet Manager, you’ll require:

  • Network connectivity from the Corelight-update host to the Fleet Manager instance. Corelight-update does not require direct access to the Fleet-managed sensors.

  • The IP address or FQDN of the Fleet Manager instance.

  • A Fleet Manager administrator username and password.

  • The names of the Fleet Manager sensor, intel, and suricata policies you want Corelight-update to push content into.

    If the policy name in Corelight-update does not match the Fleet Manager sensor policy name, suricata policy name, and intel policy name, the respective Fleet Manager policy names must be specified in Corelight-update.

Configure the Fleet Manager connection

To enable Corelight-update to communicate with the Fleet Manager instance, configure the fleet: section of the configuration file.

fleet:
  ip:                     # fleet address or fqdn
  username:               # fleet username
  password:               # fleet password, leave blank to use encrypted password
  encrypted_pass:         # use the 'encrypt' CLI command to encrypt a password before it's stored here
  ignore_tls: true        # true skips TLS certificate verification of the Fleet Manager connection
  sensor_policy:          # the name of the sensor policy in Fleet Manager (required if different from the Corelight-update policy)
  suricata_policy:        # the name of the suricata policy in Fleet Manager (required if different from the Corelight-update policy)
  intel_policy:           # the name of the intel policy in Fleet Manager (required if different from the Corelight-update policy)
  yara_source_namespace:  # the namespace of the YARA source in Fleet Manager

Once connected, Corelight-update will collect a list of sensors for each Fleet Manager policy automatically.

If you have Fleet-managed sensors manually configured in the Corelight-update inventory, you can either remove them from the inventory or leave them in place with fleet: true set in the sensor details. With fleet: true set, Corelight-update skips that sensor while it processes the rest of the policy inventory.
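As an added example (not Corelight-update's own code), the following script reads the fleet: section described above, resolves the three Fleet Manager policy names the way the prerequisites describe (blank means "same name as the Corelight-update policy"), and reports the checks a practitioner would want before the first push: a missing credential, a plaintext password alongside an encrypted one, and ignore_tls set to true. The sample section, the host name and the policy names are constructed; the assumption that ignore_tls: true skips certificate verification is labelled in the code.

```python
"""Check the fleet: section of a Corelight-update config before the first push.
Added example, not Corelight-update's own code. A small hand-rolled parser is
used for the flat key/value section so the script runs without PyYAML."""

# Constructed sample: the documented fleet: section with example values.
SAMPLE = """\
fleet:
  ip: fleet.example.internal      # fleet address or fqdn
  username: svc-corelight-update  # fleet username
  password:                       # blank: use encrypted_pass instead
  encrypted_pass: ENCRYPTED-PLACEHOLDER
  ignore_tls: true
  sensor_policy:                  # blank: same name as the Corelight-update policy
  suricata_policy: prod-suricata
  intel_policy:
  yara_source_namespace: corelight
"""

POLICY_KEYS = ("sensor_policy", "suricata_policy", "intel_policy")


def parse_fleet_section(text):
    """Return the keys under fleet: as a dict; blank values become ''."""
    fleet, in_fleet = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop inline comments
        if not line.strip():
            continue
        if not line.startswith(" "):          # a top-level key starts a new section
            in_fleet = line.strip() == "fleet:"
            continue
        if in_fleet:
            key, _, value = line.strip().partition(":")
            fleet[key.strip()] = value.strip()
    return fleet


def resolve_policies(fleet, update_policy):
    """Blank Fleet policy names default to the Corelight-update policy name."""
    return {k: fleet.get(k) or update_policy for k in POLICY_KEYS}


def check_fleet_config(fleet):
    """Return findings to resolve before relying on the Fleet Manager connection."""
    findings = []
    for required in ("ip", "username"):
        if not fleet.get(required):
            findings.append(f"{required} is required")
    if fleet.get("password") and fleet.get("encrypted_pass"):
        findings.append("password and encrypted_pass both set; leave password blank")
    elif not fleet.get("password") and not fleet.get("encrypted_pass"):
        findings.append("no credential: set encrypted_pass (via the 'encrypt' CLI command)")
    elif fleet.get("password"):
        findings.append("plaintext password in config; use the 'encrypt' CLI command instead")
    if fleet.get("ignore_tls", "").lower() == "true":
        # Assumption: ignore_tls: true skips TLS certificate verification.
        findings.append("ignore_tls: true skips certificate verification of the Fleet Manager connection")
    return findings
```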

Deploying content to Fleet Manager

Suricata rulesets, Intel files, YARA files, and package bundles are uploaded directly to Fleet Manager and then:

  • For Intel files:

    • The Intel Policy in Fleet Manager is updated to use the latest intel file.

      • If it does not already exist, a new intel source named Corelight-update is created and updated with the latest intel file.

      • If the source already exists, it is updated with the latest intel file.

    • The Intel Policy can be associated with a Sensor Policy in Fleet Manager.

  • For YARA files:

    • A YARA Rules Source in Fleet Manager is updated to use the latest YARA file.

      • If it does not already exist, a new YARA Rules source named Corelight-update_<policyname> is created with the latest YARA file.

      • If the source already exists, it is updated with the latest YARA file.

    • The YARA source can be enabled or disabled using the Fleet Manager interface.

    • The YARA source can be associated with a YARA ruleset, and the YARA ruleset can be added to a Sensor Policy using Fleet Manager.

  • For Suricata rules files:

    • If Enable Suricata Automation is enabled in the Suricata Policy in Fleet Manager:

      • A Suricata Ruleset Source in the Suricata Policy is updated to use the new Suricata ruleset.

        • If it does not already exist, a new Suricata Ruleset source named Corelight-update is created with the new Suricata ruleset.

        • If the source already exists, it is updated with the new Suricata ruleset.

    • If Enable Suricata Automation is NOT enabled in the Suricata Policy in Fleet Manager:

      • The Suricata Policy in Fleet Manager is updated to use the new Suricata ruleset.

  • For Suricata configuration files:

    • The Suricata Policy in Fleet Manager is updated to use the new Suricata config files.

If Fleet Manager details are configured in the Corelight-update policy, new Suricata rulesets, Intel files, YARA files, and package bundles will be uploaded even if no sensors are connected to that policy in Fleet Manager. Once updated, Fleet Manager will handle pushing the new content to the connected sensors. Any offline sensors will receive their update once they reconnect to Fleet Manager.