Modernize threat detection and SOC efficiency with integrated Corelight Threat Intelligence
Enhanced anomaly detection and east-west visibility improve evasive threat detection, reduce false positives, and help SOC teams focus on critical...
Learn how to hunt F5 BIG-IP exploitation when no PoCs exist: spot Client Authentication Bypass, baseline incoming SSH, and detect SSH imposters.
Learn how Corelight data and the PEAK threat-hunting framework turn rich network evidence into a practical playbook for hunting Salt Typhoon.
Proactively defend against zero-days. Learn how with Cisco exploit lessons learned, warning signs from GreyNoise, F5 threats, and NDR.
Forrester recognized Corelight as a Leader in Network Analysis and Visibility (NAV) Solutions for innovation, flexibility, and transparency.
Corelight’s Flow Monitoring Sensor enriches AWS Flow Logs, expands VPC visibility, accelerates investigations, and cuts SIEM costs.
An AI-powered SOC must leverage exceptional best-in-class data quality to succeed. Corelight pursues three strategies to deliver it.
What stood out this year was the sheer volume of insecure application traffic. Corelight uncovered an unsecured corporate messaging app leaking...
Recapping our learnings from the Black Hat NOC, using packet captures and Zeek scripting to decode threat payloads.
From plaintext chat leaks to unencrypted SIP and LLM jailbreaks, the Black Hat USA 2025 NOC saw it all.
Speed up technical documentation with the open-source llm-styleguide-helper. It pairs Vale linting and AI to fix Microsoft Style Guide violations in...
Introducing the industry's first MCP server, enabling AI agents to securely query network data directly from your SIEM.
Accelerate alert analysis with Corelight’s LLM prompts for Suricata and Corelight data, featuring summaries, threat analysis, and next steps.
Optimize NDR performance and reduce costs with hardware-based deduplication, seamlessly integrated into your sensor workflow.
Learn how to use Open WebUI knowledge bases to enhance your LLMs with private, local cybersecurity data for better queries, analysis, and incident...
Learn how Corelight combines Zeek data, ML, and GenAI workflows to fuel threat hunting, accelerate incident response, and disrupt advanced network...
Even when installed correctly, EDR can be evaded. Learn how network-first visibility stops hidden threats with Corelight Open NDR.
Corelight has been ranked a Leader and Outperformer in the 2025 GigaOm Radar for Network Detection & Response. See what sets us apart.
Gartner just placed Corelight in the Leader quadrant for Network Detection and Response. See why 98% of customers recommend us.
Six hours a day of network threat hunting while jet-lagged? Yup, count me in. See how Corelight data helped me spot risks on the Black Hat Asia...
Four days in the Black Hat Asia 2025 NOC showed me why the network is “the source of truth”—and why even powerful tools need smart tuning to cut...
Recapping findings from the Black Hat Asia 2025 NOC: location data, plain text logins, and self-hosted apps without TLS.
Learn how to use NDR to detect Volt Typhoon attacks that evade EDR, closing blindspots to stop intrusions before they become breaches.
Attackers now exploit edge devices, bypass EDR defenses, and move laterally in under a minute. Learn why continuous network visibility is critical.
Corelight’s Microsoft vTAP integration brings cloud-native packet mirroring to Azure, with broader support for AWS, GCP, and third-party packet...
Bring high-fidelity network evidence to any SIEM—without compromise.
Learn how Corelight’s anomaly detection improves threat detection, reduces false positives, and enables proactive threat hunting.
Learn how Map-Reduce and LLMs can be used to efficiently analyze huge datasets and improve threat hunting, incident response, and forensic analysis.
Learn how metadata enables efficient, cost-effective compliance with FINRA's data archiving requirements while improving network security.
Learn how Corelight and Zeek streamline financial protocol tracking, improve network security, and simplify compliance.
SCinet’s massive, open network creates unique security challenges. Here's a recap of my experience threat hunting in this high-speed environment.
Learn how to run DeepSeek AI locally with Ollama and Open WebUI for secure Zeek script analysis.
Corelight's data aggregation reduces SIEM ingest by 50-80% compared to legacy network security monitoring tools.
Read how to identify C2 activities and agent downloads associated with MITRE Caldera agents using this Zeek Caldera detector via GitHub.
Learn how robust network security monitoring, like Corelight’s Open NDR, can help you gain comprehensive visibility into Kubernetes clusters.
Working in the NOC at Black Hat Europe, we’re never quite sure what we’re going to see.
Step into the Black Hat NOC as I recount my first experience with real-time threat hunting.
Streamline alert triage and reduce alert fatigue with Corelight's Microsoft Defender integration, enabling faster, smarter decisions across your SOC.
As 2024 comes to a close, let’s take a look at the impactful product updates we delivered this year.
Corelight's YARA integration helps organizations increase detection rates, improve network visibility, and reduce false positives.
Together, NDR and YARA help SOC teams detect attackers at their point of entry and accelerate incident response.
Learn how network visibility and detection are critical to closing security gaps and detecting these attacks.
Recapping our learnings from the Network Operations Center (NOC) at Black Hat USA 2024. Using historical network logs to detect threats during the...
Detect Quasar RAT malware with Corelight’s open-source Zeek script, leveraging Quasar’s default TLS configuration.
Reduce time to triage by up to 50% with Corelight's new Guided Triage capability.
Corelight’s integration with SentinelOne is a game-changer for security teams looking to stay ahead of evolving cyber threats.
Announcing a new monthly update cycle to our custom Suricata ruleset, the Corelight Feed.
Learn how Corelight logs provide deep network visibility for incident response and threat hunting in the Black Hat NOC.
Together, Corelight and Mandiant enable defenders to achieve unparalleled visibility across their network environments.
Our seamless integration with VMware TCI empowers enterprise customers to secure their networks against sophisticated cyber threats.
A growing number of defenders use two SIEMs. This post explores why, and whether XDR platforms will evolve to become full threat hunting solutions.
Learn how to use Zeek to easily detect malicious use of NetSupport Manager.
With the rapid adoption of Secure Access Service Edge (SASE) and Security Service Edge (SSE) solutions, maintaining comprehensive visibility becomes...
CISA is trying to shake us all into action, but you have to go hunting for themes. Let's connect some dots across this year's advisories.
Our experience in the Black Hat NOC has made us into adherents for “Zero Trust…but verify.”
Corelight is recognized in the Gartner Competitive Landscape Report for SaaS and Cloud Identity Applications Security and for delivering MDR services.
Learn how to detect Agent Tesla, which consistently trends at the top of Any.Run’s malware trends list.
Fresh from Splunk .conf24, here are some of the key points from throughout the week.
RSA 2024 is a wrap. Here are the biggest takeaways from conversations with security leaders and partners.
This new feature empowers SOC analysts to isolate a host directly from Corelight Investigator.
In recent months STRRAT has become one of the top malware families submitted to Any.Run. Here's how to detect it.
Learn how Zeek’s metadata approach can help focus patching efforts for the SSH “Terrapin” attack.
Our Series E funding is an endorsement of both our strategy and opportunity.
Enhanced threat detection. Streamline your incident response with Corelight and CrowdStrike Falcon EDR
See how we used Corelight's Open NDR platform to take an evidence-based security approach at Black Hat Europe 2023.
Hunt of the Month: Detecting AsyncRAT Malware Over HTTPS
Learn why adding Corelight to your cybersecurity arsenal, alongside existing NGFWs, is a strategic necessity.
Learn how threat hunters can identify MITRE ATT&CK persistence techniques.
Learn how the kill web concept can be applied to cybersecurity, and how it addresses some of the concerns with the kill chain.
Recapping our learnings from being in the Black Hat NOC at Black Hat USA 2023
Learn how Corelight’s integration with CrowdStrike helps threat hunters detect signs of Initial Access, one of the tactics and techniques outlined in...
Learn how Corelight is using AI in its NDR products to help SOC teams be even more productive.
Here are my learnings from participating in NOCs at Black Hat Asia and Black Hat Las Vegas in 2023.
In this article we'll share some useful guidance for writing a real-world Zeek package in JavaScript or TypeScript.
Here are five lessons that my NOC teammates and I learned over the course of our week together at Black Hat NOC USA 2023.
Download the Corelight App for Splunk and see how easy it is to get Corelight data into Splunk.
Learn how Corelight’s Open NDR products and platforms help SOC teams identify ransomware blast radius.
Take a look at an incident we detected, investigated, triaged, and closed using Corelight at Black Hat Las Vegas 2023.
This article proposes ways that modern network-derived evidence applies to the kill chain.
I ran into a sample of the Gozi banking malware in the wild. This is how I developed an open source detection package to find it with Zeek.
Learn about detections and findings from the network operations center (NOC) at Black Hat Asia 2023.
Learn how to leverage Corelight evidence to detect and analyze activity related to Storm-0558.
As agencies and organizations continue the push to Zero Trust deadlines, we’ve all got some Trust issues to work on.
Learn how Corelight Smart PCAP helps customers streamline workflows and achieve incredible efficiency.
We're excited to announce the launch of our ICS/OT Collection to help extend foundational visibility.
Black Hat Asia 2023 NOC: Lessons in Deploying Corelight
We couldn’t be more proud to work with a strategic partner that shares our vision and passion for advanced network security.
Whether or not you made it to RSA 2023, check out this blog to learn about key themes from this year’s conference.
Corelight announces the release of a new detection package “Sliver”, which identifies and raises alerts related to the Sliver C2 framework.
Encrypted traffic and the security use case limitations of full packet capture vs. Corelight's Smart PCAP solution.
Corelight’s Open Network Detection and Response (NDR) solution has been chosen by the esteemed Black Hat Network Operations Center (NOC) to help...
Corelight's new LDAP analyzer helps detect and stop attacks that use LDAP as a transport mechanism.
Corelight Investigator adds new machine learning models, both supervised and deep learning, to further its commitment to evidence-first approach to...
The first in a 5-part blog series from Ed Amoroso of TAG Cyber, that examines the use of the Corelight platform in the context of the "everywhere...
Corelight Entity Collection, now available in v26 software release, features 3 new packages: Known Entities, Application Identification and Local...
Corelight v27 software release enhances the platform’s integrated Suricata IDS functionality, further integrating alerts with rich context.
A recap of the open-source work since the beginning of the Zeek collaboration with Microsoft. Originally posted on Zeek.org on Nov. 28, 2022.
Corelight Labs installed the last version of Boa in a lab environment and released a Zeek package to identify machines running a vulnerable Boa web...
Corelight Labs looks at three APT toolsets that have been linked to five threat actors, detecting each using relatively simple search logic.
Dr. Kelley Misata shares her thoughts on why she is excited to join Corelight to lead open source and the new opportunities this role will bring.
Corelight Federal CTO Jean Schaffer on how validating what asset management and vulnerability detection practices are producing is vital for BOD...
Corelight Investigator platform is engaged in attestation for GDPR to support customer threat hunting and incident response operations across Europe.
In this blog post, the Corelight Labs team shares some of the detection methods available for the Manjusaka C2 framework.
Corelight Labs reviewed a POC exploit for CVE-2022-30216 and wrote a Zeek-based detection and released the package on GitHub.
Federal CTO Jean Schaffer explores how evidence - not data - is critical to speed defenders’ knowledge and response capabilities.
Organizations often implement a data collection strategy out of fear, collecting everything “just in case.” I challenge the assumption.
We show how enriching Zeek® logs with cloud and container context makes it faster to tie interesting activity to the container or cloud asset...
In this post Corelight Labs reviewed a proof of concept exploit for this vulnerability and wrote a Zeek-based detection for it.
This post shows how a Microsoft NFS exploit (CVE-2022-26937) can be detected using Zeek.
This morning we announced Corelight Investigator, an open NDR platform that enables security teams with next-level evidence. Here is how it works.
In this post, we share simple ways to detect evidence of CVE-2022-22954 in Zeek logs, which can be adapted to other data stores (e.g., a SIEM).
Learn about the attributes of high-quality evidence. What should evidence look like, in order to be useful to defenders when the next security event...
The Corelight Labs team investigates CVE-2022-26809 and open-sources a Zeek package that detects attempts and successful exploitation in unencrypted...
Our new integration with AWS GWLB Endpoint simplifies network traffic monitoring & generates Corelight data in massively scaled-out public cloud...
We demonstrate how the visibility of network traffic passing between pods and containers within the K8s network can be utilized to detect a log4j...
What do I say if my team discovers a breach of our digital assets? This is a question that requires understanding “defensible disclosure.”
This blog post discusses Zeek detection packages for CVE-2022-24491 and CVE-2022-24497 developed by Corelight Labs.
Sniffing and mirroring network traffic from containers can be complicated. This post explores one approach to achieve this by injecting a sniffer...
Our new collaboration with CrowdStrike and Humio allows our customers and the community to experience the value of evidence.
This post explores the need for monitoring traffic in Kubernetes environments, the different approaches, and their pros and cons.
The most sophisticated cyber defense teams in the world have shifted their strategies towards the collection and analysis of high-quality evidence.
Corelight just shipped our latest software release (v24) which includes a brand new addition to our Encrypted Traffic Collection: VPN Insights.
Prioritizing alerts just got a little easier for SOC teams with Corelight's integration with Tenable.
This post explores the 4 key areas outlined in the CISA "Shields Up" memo and examines ways they can be detected with network data.
Application layer infrastructure visibility in IaaS using a recent Log4Shell example.
OMB’s new memorandum M-22-09 is changing this pattern, and setting deadlines for implementation across the government.
This blog presents an open source detection method that Corelight Labs is releasing to detect exploit attempts of CVE-2022-21907.
Here are four elements of the security strategy for the next Log4Shell.
The blog covers a third log4j detection method, this one focused on the second-stage download that happens after the first stage completes.
We recently discussed some methods for detecting the Log4j exploit, and we’ve developed another method that one running Zeek® or a Corelight sensor...
Simplify the detection of CVE-2021-44228 exploit (the log4j 0-day known as Log4Shell) with Corelight.
CISA recently released a set of playbooks for the Federal Civilian Executive Branch (FCEB). Here's why we are blogging about this.
What is the XDR paradox? It’s the hottest term in security but there is no consensus yet on the right definition. Why is that?
Learn how to detect the CVE-2021-42292 exploit, which relies on Excel fetching a second Excel file, through behavioral tricks.
Corelight offers a new core recommendation - Dtection.io - for customers using its Suricata integration.
Our new integration combines Corelight with the advanced vulnerability management, detection and response capabilities of Microsoft Defender for IoT.
Corelight invites blog readers to join capture the flag challenge with Splunk.
If you missed the Office of Management and Budget memo M-21-31, let me provide you the information that you need to know if you are in the federal...
Researchers at wiz.io found vulnerabilities in Windows OMI; Corelight has open-sourced a Zeek package for the most severe of these vulnerabilities.
Learn how to use Zeek script for detecting attempts to exercise the PetitPotam exploits.
In the spirit of our open-source heritage, Corelight has produced a document breaking down our ability to identify and detect these attackers’...
Corelight launches software version 22, which introduces a transformative new security product, Smart PCAP, and also enables threat detection in the...
I’ve created and released a Zeek package, zeek-notice-telegram. I’ll walk you through a simple example so you can write your own action.
As the first National Cyber Director settles into office, we are very hopeful this will be a turning point to solidify a true private/public...
CVE-2021-1675 is a vulnerability in the Windows Print Spooler service. Find out more about detecting the PrintNightmare vulnerability here.
Recently Blackberry analyzed a new GoLang Remote Access Trojan (RAT) named “ChaChi.” Here's how Corelight Sensors can detect the ChaChi RAT.
In this blog we aim to provide a little insight into part of the lifecycle of Corelight Lab’s response to a critical HTTP vulnerability.
I highlight sections of the EO that federal agencies should study closely and offer my thoughts, drawing from more than 30 years of cybersecurity...
As we finished rolling out our v21 software release, I was reminded of when I’d first read the 2015 “100G Intrusion Detection” paper written at...
This package runs on Corelight Sensors and provides network traffic analysis (NTA) inferences on live RDP traffic.
I am excited to announce Corelight’s v21 release, which delivers dozens of powerful C2 detections, extends analyst visibility around RDP connections,...
We’re excited to announce that the Command and Control (C2) Collection is now available with today’s launch of version 21 of the Corelight software.
Can you be sure attackers aren’t hiding in your encrypted traffic? It’s a fundamental question in enterprise security. Why? Imagine these two shops.
We’d just upgraded our glibc package from 2.32 to 2.33, when we noticed some peculiar behavior. Here's how we tracked down a glibc regression.
This blog will introduce a method of detecting the Pingback malware in which attackers often hide their communications in ping message payloads.
The CrowdStrike + Corelight partnership lets customers incorporate threat intelligence into Corelight Sensors to generate alerts and network evidence.
A very interesting Linux-based command-and-control (C2) malware was described by the research team at Intezer. Here are a few points about this...
Visibility is challenging in a cloud environment. Security teams have long relied on network monitoring to complement application level visibility.
Are you looking to threat hunt but lack sufficient network and IDS data? Maximize your Splunk ES investment with Corelight.
The new Microsoft Exchange vulnerabilities disclosed earlier this month highlight the importance of architecting for security visibility on the...
Sigma is an open-source project that provides a generic signature format for SIEMs. Here are the benefits of Sigma, and how to get these threat...
In this blog post, we’ll look at some tips and tricks for how you can get more out of your Network Intrusion Detection Systems (NIDS).
Learn how you can use Zeek to detect this level of cunning evasion tactics in your own retrospective hunts and forensic investigations.
FireEye’s threat research team has discovered a troubling new supply chain attack targeting SolarWind’s Orion IT monitoring and management platform.
Visibility is paramount in securing your cloud environment. Today we announce Corelight’s Cloud Sensor for GCP.
Corelight is excited to announce the Corelight@Home program, bringing Corelight’s enterprise-class Network Detection and Response to home networks.
Zeek has been the darling of security defenders looking to get deep visibility into network traffic. Today, we are excited to announce the Software...
This blog is a brief story of a few points that occurred to me during the less than 24 hours it took to turn around this package from dev to testing.
Corelight data enables immediate SOC improvements. Here's a walkthrough of initial playbooks.
The past few weeks have seen several developments around Community ID and support for Wireshark. I’d like to summarize them in this blog post.
In this post I am going to walk you through the process I used to develop a package called “my_stats” that pulls memory information from a running...
To assist in detecting Zerologon (CVE-2020-1472), we’ve open sourced a Zeek package that detects both attempted and successful exploits.
We hosted a virtual CTF tournament where hundreds of players raced to solve security challenges using Zeek data in Splunk and Elastic. Here are the...
This post contains a warning and a solution for anyone using BPF syntax when filtering traffic for network security monitoring.
I love this quote by John Lambert. It perfectly describes the impact network defenders can achieve by pooling resources, insights, and techniques.
Corelight can improve operational excellence, performance, reliability, cost effectiveness, and security results in the AWS cloud.
We’ve just open sourced a Zeek package that detects exploit attempts and successes. This package demonstrates a couple of aspects that are worth...
We are pleased to launch our newest installment of the Corelight App for Splunk (Corelight App) and the Corelight Technical Add-on (TA).
This blog post explains three levels of analysis and how encryption has affected NSM, demonstrating that NSM remains relevant, despite encryption.
Today we are open sourcing a Zeek package that passively detects the presence of some of the tell-tale signs that Treck devices can exhibit.
Corelight recently teamed up with SOC Prime, creators of advanced cyber analytics platforms, to add support for the entire Zeek data set into Sigma.
In this post, we’ll explore DNS over TLS (DoT) and DNS over HTTPS (DoH). Before examining DoT and DoH, it’s important to take a quick look at DNS...
We are proud to announce that in our v19 software release we have delivered a sensor that combines and integrates Zeek and Suricata with three key...
We are excited to announce the expansion of our ETC. In this post, I will provide some further details and what the research team is working on next!
Find a technical description of the bug, how it can be detected in network traffic, and how a short Zeek script can detect vulnerable servers.
By allowing the attacker to essentially force a connection to an arbitrary URL, CallStranger can be used in these three key ways.
Open source Zeek is capable of analyzing RDP connections and does a fantastic job handling the many options and configurations the RDP protocol...
Richard shared his thoughts on our blog on why the overarching role of the network and election infrastructure is worthy of a deep assessment right...
Here's how to instrument and enable network security monitoring for a small office – home office (SOHO) environment.
Learn about the benefits of Corelight DNS logs, and how Splunk Enterprise Security can reach a new level of functionality through integration with...