In cybersecurity, no single tool delivers complete protection in isolation—success is built on interoperability, insight, and collaboration. That belief is at the heart of the upcoming C4 initiative (Consortium, Corelight, Cribl, and CrowdStrike) on June 12th, 2025, which showcases how these platforms combine to deliver exceptional detection outcomes.
In preparing for C4, our team at Consortium partnered closely with Corelight to validate and optimize the integration across our lab environment. What began as a routine simulation using Corelight sensors and Cribl to forward telemetry into CrowdStrike Next-Gen SIEM (NG SIEM) turned into a valuable discovery—and ultimately, an opportunity to improve the ecosystem for everyone.
Discovery Through Collaboration
During Breach and Attack Simulation (BAS) testing in our lab, one of our technical counterparts at Corelight noticed an unexpected gap: certain Suricata alerts were not appearing in the NG SIEM Detection dashboard. Because the majority of alerts were flowing through normally, this missing subset stood out.
We then began a joint investigation with our Corelight partner to find out exactly why, and their expertise proved instrumental. Together, we determined that the "missing" alerts shared a common trait: they lacked the event.severity field, which NG SIEM requires in order to prioritize and visualize detections.
Digging Deeper: A Parser Detail
The root cause was in the default corelight-ids parser. The C4 team observed that when an alert was missing a MITRE ATT&CK technique ID (Vendor.mitre_technique_id), the parser's enrichment logic did not complete, leaving event.severity unpopulated. The parser used a case statement that matched on the MITRE technique ID to enrich the alert with metadata such as severity. An alert with no MITRE mapping matched no branch of that case statement, so it did not merely skip the MITRE enrichment: it never reached the severity assignment at all.
The practical effect was that certain high-value alerts were generated but never prioritized, simply because they lacked one piece of metadata. The parser has since been updated for all CrowdStrike customers, so the C4 preparation produced a real-world improvement for the people we serve.
A Fast and Thoughtful Fix
Once the behavior was identified, Corelight quickly worked with Consortium and CrowdStrike to confirm it and implement a solution. Consortium's engineers found that a straightforward enhancement, a fall-through condition, preserves the rest of the parsing logic (including severity tagging) even when a MITRE ID is absent. The condition is simple: placed inside the case statement that performs the match, it tests whether the MITRE ID is present and, if it is not, skips the match so that the event continues through the remaining parse steps instead of being dropped.
NOTE: This screenshot is for instructional purposes only and is of the now deprecated parser.
After validating the fix, we passed it to CrowdStrike's parser team so the change could ship in the official parser, ensuring a consistent and stable experience across environments. They worked hand in hand with Corelight to update the parser, and the updated version has now been released to the general public.
This fix has already shown measurable benefits in our lab environment: alerts that previously lacked visibility are now appearing in NG SIEM with complete metadata, enabling more accurate detection and faster response.
How to Check Your Environment
If you're using the Corelight integration with CrowdStrike NG SIEM, you can validate your environment with the following refined query:
#Vendor="corelight" | Vendor._path="suricata_corelight" | Vendor.mitre_technique_id != * | event.severity != * | @rawstring!=/signature_severity:Unknown/
The query looks for Corelight Suricata alerts that carry neither a MITRE technique ID nor an event.severity; the final clause excludes alerts whose signature metadata reports Unknown severity, since those have no severity to map and would otherwise appear as false positives. If the query returns results, your environment is still running the old parser logic and you should move to the newly released parser. If it returns nothing, your deployment is already in good shape and the parser is up to date.
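To make the two behaviors concrete, here is a small Python simulation of the enrichment step described under "A Fast and Thoughtful Fix", together with an offline equivalent of the validation query above. It is an added example and not the CrowdStrike parser or Corelight code: the real parser is written in CrowdStrike Query Language, and the MITRE lookup table, the signature_severity to event.severity mapping, the threat.* field names and the three sample alerts are all constructed for illustration. Running it shows the legacy logic leaving the unmapped Critical alert unprioritized (so the check flags it) while the fall-through version tags it and the check comes back empty.

```python
"""Simulation of the corelight-ids severity enrichment, before and after the fall-through fix.

Added example, not the CrowdStrike parser or Corelight code. The MITRE lookup
table, the signature_severity -> event.severity mapping, the enrichment field
names other than Vendor.mitre_technique_id and event.severity, and the sample
alerts are constructed for illustration.
"""
import re

# Constructed lookup tables (assumptions, not the real parser's data).
MITRE_LOOKUP = {
    "T1071.001": ("Application Layer Protocol: Web Protocols", "Command and Control"),
    "T1110": ("Brute Force", "Credential Access"),
}
SIGNATURE_SEVERITY_TO_EVENT_SEVERITY = {
    "Informational": "low",
    "Minor": "medium",
    "Major": "high",
    "Critical": "critical",
}
SIGNATURE_SEVERITY_RE = re.compile(r"signature_severity:(\w+)")
UNKNOWN_SEVERITY_RE = re.compile(r"signature_severity:Unknown")

# Constructed sample alerts, shaped like Corelight suricata_corelight events
# after field extraction. Only the fields this example needs are present.
SAMPLE_ALERTS = [
    {   # mapped to a technique: fine under both parser versions
        "Vendor": "corelight",
        "Vendor._path": "suricata_corelight",
        "Vendor.mitre_technique_id": "T1071.001",
        "@rawstring": 'signature="ET MALWARE Example Beacon" metadata=signature_severity:Major',
    },
    {   # no MITRE mapping but a real severity: the kind of alert that went missing
        "Vendor": "corelight",
        "Vendor._path": "suricata_corelight",
        "@rawstring": 'signature="ET EXPLOIT Example RCE Attempt" metadata=signature_severity:Critical',
    },
    {   # no MITRE mapping and no usable severity: nothing to assign either way
        "Vendor": "corelight",
        "Vendor._path": "suricata_corelight",
        "@rawstring": 'signature="GPL Example Probe" metadata=signature_severity:Unknown',
    },
]


def assign_severity(event):
    """Severity tagging step shared by both versions: derive event.severity from the
    Suricata signature_severity metadata carried in the raw alert."""
    m = SIGNATURE_SEVERITY_RE.search(event.get("@rawstring", ""))
    sev = SIGNATURE_SEVERITY_TO_EVENT_SEVERITY.get(m.group(1)) if m else None
    if sev is not None:
        event["event.severity"] = sev
    return event


def add_mitre_metadata(event, technique_id):
    """MITRE enrichment branch of the case statement (constructed field names)."""
    name, tactic = MITRE_LOOKUP.get(technique_id, ("unknown technique", "unknown tactic"))
    event["threat.technique.name"] = name
    event["threat.tactic.name"] = tactic
    return event


def enrich_legacy(event):
    """Pre-fix behaviour: the case statement only has a branch for alerts carrying a
    MITRE technique ID. An alert without one matches no branch, so the rest of the
    chain (including assign_severity) never runs and the alert stays unprioritized."""
    out = dict(event)
    technique_id = out.get("Vendor.mitre_technique_id")
    if technique_id is not None:
        add_mitre_metadata(out, technique_id)
        return assign_severity(out)
    return out  # fell out of the case statement: no severity assigned


def enrich_fixed(event):
    """Post-fix behaviour: the fall-through condition tests for the MITRE ID first.
    If it is absent the match is skipped, but parsing continues and severity
    tagging still runs."""
    out = dict(event)
    technique_id = out.get("Vendor.mitre_technique_id")
    if technique_id is not None:
        add_mitre_metadata(out, technique_id)
    return assign_severity(out)


def find_unprioritized(events):
    """Offline equivalent of the validation query in the post: Corelight Suricata alerts
    with neither a MITRE technique ID nor an event.severity, excluding signatures whose
    metadata reports Unknown severity (those have nothing to map)."""
    return [
        e for e in events
        if e.get("Vendor") == "corelight"
        and e.get("Vendor._path") == "suricata_corelight"
        and "Vendor.mitre_technique_id" not in e
        and "event.severity" not in e
        and not UNKNOWN_SEVERITY_RE.search(e.get("@rawstring", ""))
    ]


def compare_parsers(alerts=SAMPLE_ALERTS):
    """Run both parser versions over the alerts and return how many alerts the
    validation query would flag under each."""
    legacy = [enrich_legacy(a) for a in alerts]
    fixed = [enrich_fixed(a) for a in alerts]
    return {"legacy": len(find_unprioritized(legacy)), "fixed": len(find_unprioritized(fixed))}


if __name__ == "__main__":
    print(compare_parsers())  # {'legacy': 1, 'fixed': 0}
```

The structural point is that the severity step sits after the MITRE match in the parse chain, so the fix has to keep unmatched events flowing rather than letting the case statement swallow them; the third sample alert shows the one case the check query deliberately ignores, an alert whose signature metadata carries no usable severity under either version.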
Why This Matters
What began as a lab prep exercise became a textbook case of how open communication and shared expertise lead to stronger outcomes. Corelight’s responsiveness and technical leadership, paired with Consortium’s commitment to transparency and validation, ensured a rapid resolution—and a better product experience for all.
Key Takeaways
- Visibility drives security: Alerts missing event.severity weren’t being surfaced in NG SIEM dashboards.
- Root cause traced to enrichment logic: Absence of MITRE technique IDs halted downstream parsing.
- Small fix, big impact: A single line of fallback logic restored visibility and fidelity.
- Partners in progress: This issue was identified, triaged, and resolved through active collaboration between Consortium, Corelight, and CrowdStrike.
At Consortium, we believe security is stronger when we work together—and this is just one of the many reasons we’re excited to highlight our ongoing collaboration in the C4 initiative.
Join us at our upcoming webinar on June 12th, 2025 where we'll share more insights, lessons learned, and stories from the field that demonstrate how the right tools—and the right partnerships—can raise the bar for security operations everywhere.