Scripts + Resources

Threat Hunting Guide


Threat Hunting Guide

Learn how to find dozens of adversary tactics and techniques using network data.



Open NDR for Dummies

Get your complimentary copy about Network Detection and Response.

Corelight Zeek cheatsheets poster


Zeek® cheatsheets poster

Download our cheatsheets poster, packed with a selection of Corelight and Zeek logs, plus our Encrypted Traffic Collection reference.

Zeek cheatsheets

Zeek cheatsheets

The most popular Zeek logs, alphabetized and formatted for printing and easy reference. Includes SMB logs for Microsoft® platforms.

ESG report about Open NDR

ESG report

Open Network Detection (Open NDR):
What It Is and Why It's Needed.


Intro to Zeek log formats

A practical guide to understanding Zeek log formats, authored by Richard Bejtlich.

Zeek packages / scripts

Corelight Sensors come pre-loaded with a set of the most popular and useful Zeek packages (a Zeek package is a script with metadata), to get you up and running in minutes. But sometimes you want to add extra functionality or customization. These Zeek scripts have been vetted and tested for performance by the Corelight team.
HTTP stalling detector script

Detects HTTP stalling DoS attacks, such as Slowloris.

Top DNS script

Logs the top DNS requests at a configurable interval (15 min. default).

JA3 script

Generates SSL client fingerprints and logs them as a new field in the ssl.log.

Unknown MIME type discovery script

Logs files without known MIME types.