For years, SOC analysts have lived in a world of swivel-chair analysis. When an alert fires in an endpoint tool, the next step is almost always a manual pivot to a network console to see if the network reality matches the host behavior.
This manual back-and-forth isn't just tiring; it’s a window of opportunity for attackers. Corelight is excited to highlight a new integration with CrowdStrike® Charlotte AI™. By turning Corelight Investigator into a member of the agentic investigation team, we are moving from manual data retrieval to automated, collaborative investigation that spans the security ecosystem.
How the integration works: From natural language to network truth
At its heart, this integration is about solving the manual analysis problem. Instead of an analyst manually hunting for network telemetry to investigate an alert, the integration enables Charlotte AI’s Response Agent and Corelight Investigator to talk to one another.
The flow works through a policy-guarded process that translates analyst questions into precise technical queries:
- Understanding intent: The workflow uses robust logic and Charlotte AI reasoning to identify questions with network intent and to extract critical indicators, such as IPs and threat identifiers.
- Dynamic query generation: The integration allows Corelight Investigator to automatically decide the best path, whether to look at event-focused alerts or incident-focused detections. It then generates the precise GraphQL queries needed to pull that data.
- Automated evidence retrieval: Corelight provides the network ground truth (the details of what actually happened on the wire). This evidence is fed back into the Charlotte AI Response Agent’s canvas as grounded findings with recommended next steps.
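A small Python model of that three-step flow, added here as an example and not code from Corelight or CrowdStrike: it extracts indicators from the analyst's question, picks the event-focused alert path or the incident-focused detection path, renders the GraphQL query, and guards against redundant retrieval in the way the "Reliable by design" section describes. The GraphQL field names, the threat-identifier format, the intent keyword list and the `fetch` callable are assumptions.

```python
import json
import re
from dataclasses import dataclass, field

# Indicator patterns. The threat-identifier format is a hypothetical stand-in.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
THREAT_ID_RE = re.compile(r"\b(?:detection|incident)-[0-9a-f]{6,}\b", re.I)
NETWORK_WORDS = ("connect", "beacon", "traffic", "network", "lateral", "dns", "wire")

def extract_indicators(question):
    """Step 1: flag network intent and pull out IPs and threat identifiers."""
    has_intent = any(w in question.lower() for w in NETWORK_WORDS)
    ips = [ip for ip in IPV4_RE.findall(question)
           if all(int(octet) < 256 for octet in ip.split("."))]
    return has_intent, ips, THREAT_ID_RE.findall(question)

def choose_path(ips, threat_ids):
    """Step 2a: a threat identifier routes to incident-focused detections, bare IPs to event-focused alerts."""
    return "detections" if threat_ids else "alerts"

def build_query(path, ips, threat_ids, hours=24):
    """Step 2b: render the GraphQL query for the chosen path (field names are hypothetical)."""
    selector = (f"threatIds: {json.dumps(threat_ids)}" if path == "detections"
                else f"hostIps: {json.dumps(ips)}")
    return (f"query {{ {path}({selector}, lastHours: {hours}) "
            "{ uid ts src dst proto detection } }")

@dataclass
class GuardedInvestigation:
    """Step 3 with guardrails: validate, dedupe, and only then retrieve wire evidence."""
    fetch: object                                   # callable that runs a GraphQL query
    issued: dict = field(default_factory=dict)      # query text -> evidence already retrieved

    def investigate(self, question):
        has_intent, ips, threat_ids = extract_indicators(question)
        if not has_intent or not (ips or threat_ids):
            return {"status": "skipped", "reason": "no network intent or indicator"}
        path = choose_path(ips, threat_ids)
        query = build_query(path, ips, threat_ids)
        if query in self.issued:                    # redundant-retrieval guard
            return {"status": "cached", "path": path, "evidence": self.issued[query]}
        evidence = self.fetch(query)
        self.issued[query] = evidence
        return {"status": "fetched", "path": path, "query": query, "evidence": evidence}

def fake_fetch(query):
    """Constructed stand-in for Corelight Investigator returning canned wire evidence."""
    return [{"uid": "C1", "src": "10.0.0.5", "dst": "10.0.0.9", "proto": "smb"}]

if __name__ == "__main__":
    inv = GuardedInvestigation(fetch=fake_fetch)
    print(inv.investigate("Did 10.0.0.5 make any lateral SMB connections to 10.0.0.9?"))
    print(inv.investigate("Did 10.0.0.5 make any lateral SMB connections to 10.0.0.9?")["status"])
```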
The perfect complement: Network ground truth meets endpoint visibility
This isn't about one tool replacing another; it's about the power of combining complementary, cross-domain evidence to accelerate and improve investigations with complete context. Endpoint data provides detailed insights into host behavior. Corelight's network evidence provides the other half: a semantic understanding of network traffic and protocol-level transaction details that serve as ground truth for any investigation.
When an AI agent like Charlotte AI’s Response Agent has access to both sources, the result is a more complete and accurate picture of what happened.
Data quality matters here more than most people realize. As Greg Bell, Corelight Co-Founder and Chief Strategy Officer, wrote in a recent post on AI in the SOC: "In a world that focuses so heavily on frontier models, it's critical to remember that every model will fail when starved of rich data." Corelight’s structured, context-rich network data is grounded in open-source standards that are already understood by LLMs, and designed to feed seamlessly into SIEMs and AI / ML pipelines out of the box. The result is structured, high-fidelity network evidence that AI agents can interpret and reason over effectively, without requiring custom training or fine-tuning.
Real-world use cases: Speed and consistency
This integration is designed to deliver instant value across the SOC by automating the "toil" out of the investigation process:
| Persona | Situation | The "Agentic" outcome |
|---|---|---|
| SOC Analyst | Validating host behavior against network reality. | Charlotte AI asks the network-related question, and Corelight Investigator automatically answers—reducing the manual steps required to corroborate a finding. |
| Incident Responder | Triaging a high volume of lateral movement alerts. | The workflow handles the API calls and data formatting, freeing the responder to focus on analysis and remediation. |
Reliable by design
For AI to be useful in a security context, it must be consistent and controlled. This integration includes guardrails and state management to ensure repeatable results. To achieve this, queries follow a standardized validation path, and built-in controls prevent redundant data retrieval and preserve investigation relevance and completeness. The goal is a triage process that analysts can trust to behave the same way every time.
The path forward
This Charlotte AI integration is one part of a broader investment Corelight is making in the AI-powered SOC. We are pursuing three complementary strategies, all grounded in the quality of our network evidence:
- AI-driven investigations: Using a range of AI techniques to analyze, correlate, and deliver accurate, actionable detections with low false-positive rates.
- AI-powered workflow enhancements: Infusing our platform with capabilities that make investigations faster and more efficient.
- AI ecosystem integrations: Making Corelight data and agentic tools available within the platforms and workflows our customers already use. The Charlotte AI integration is an example of this pillar in action.
By making Corelight's network evidence a native, agentic part of the CrowdStrike experience, we're helping SOC teams work more effectively, ensuring their primary investigation console has access to high-fidelity network context alongside endpoint telemetry. It's a more complete and unified way to defend the enterprise.