Long gone are the days when a username was all you needed to secure a network. The same is true for your Security Operations Center (SOC) analysts trying to investigate a threat. "Who is jdoe05 and why are they logging into this server?" is a critical question to answer during an investigation, one that neither NDR (Network Detection and Response) nor EDR (Endpoint Detection and Response) can answer directly. Enter the Identity Provider (IdP).
Identity Provider is a relatively recent term, but the technologies that authenticate and authorize users have always been the central pillar of computer networks. Microsoft Active Directory, “Log in with Google/Facebook” and the Apple ecosystem are now common systems for managing and sharing your identity to gain authorized access to all types of online services. With the proliferation of remote work and cloud environments, the challenges of securing those identities have changed:
Corelight's network visibility, both on-prem and in the cloud, remains critical in the age of the identity perimeter. The network doesn't lie; the identity layer tells you who is allowed to act, but the network layer records what they actually did. Regardless of a user’s authenticated identity, the network records every connection, data transfer, and action. This gives analysts an independent, tamper-resistant, and undeniable view of activity across the environment.
Network data excels at tracking and highlighting anomalous behavior: a new unidentified device, a massive data transfer at an odd hour, or a never-seen-before set of user agents. However, it often lacks the identity context. For example, "An IP address is associated with an alert" is far less insightful than "An alert fired on a device Jane Smith, a junior accounting analyst, connected to at 2 a.m." That level of useful context requires bridging the gap between network telemetry and identity.
In April, we released two new enhancements to Corelight Investigator's identity integrations with Microsoft Entra ID and CrowdStrike Falcon® Next-Gen Identity Security. Combined with EDR telemetry from our partners Microsoft and CrowdStrike, analysts using Corelight Investigator will now have the full picture they need to respond quickly and confidently.
Both integrations enrich the user login history already visible in Investigator, turning an anonymous username like "jdoe05" into a real person with a display name, job title, and organizational context. No more opening a separate directory tool to figure out who triggered an alert. The Falcon Next-Gen Identity Security integration additionally surfaces active identity-based alerts alongside network detections in a single unified view. The Microsoft Entra ID integration goes further, enabling analysts to take immediate remediation actions, including forcing a logout, resetting a password, disabling an account, or flagging it as high risk.
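A minimal illustration of the enrichment step described above, added here as an example and not Corelight's or Investigator's code: a username from a login record is resolved to a display name and job title, and the enriched record is triaged for the "junior analyst logging in at 2 a.m." case. The login records, the directory snapshot and the business-hours window are constructed assumptions; a real deployment would query Entra ID or Falcon Identity instead of a local dictionary.

```python
import json
from datetime import datetime, timezone

# Constructed Zeek-style login records (assumption: not real Investigator output).
LOGIN_EVENTS = [
    {"ts": "2024-05-02T02:04:11Z", "id.orig_h": "10.20.30.40", "id.resp_h": "10.0.0.5", "user": "jdoe05"},
    {"ts": "2024-05-02T09:15:00Z", "id.orig_h": "10.20.30.41", "id.resp_h": "10.0.0.5", "user": "asmith"},
    {"ts": "2024-05-02T23:30:00Z", "id.orig_h": "10.20.30.42", "id.resp_h": "10.0.0.7", "user": "unknown9"},
]

# Constructed directory snapshot standing in for an IdP lookup (assumption).
DIRECTORY = {
    "jdoe05": {"displayName": "Jane Smith", "jobTitle": "Junior Accounting Analyst", "department": "Finance"},
    "asmith": {"displayName": "Alex Smith", "jobTitle": "Domain Administrator", "department": "IT"},
}

WORK_HOURS = range(7, 20)  # assumption: 07:00-19:59 UTC is the business-hours window


def enrich(event, directory=DIRECTORY):
    """Attach identity context to a login record; unresolved users are kept and flagged, not dropped."""
    identity = directory.get(event["user"])
    out = dict(event)
    out["identity"] = identity or {"displayName": None, "jobTitle": None, "department": None}
    out["identity_resolved"] = identity is not None
    return out


def triage(event):
    """Return the findings an analyst would want surfaced for one enriched event."""
    findings = []
    hour = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).hour
    if not event["identity_resolved"]:
        findings.append("user not found in directory")
    if hour not in WORK_HOURS:
        findings.append(f"off-hours login at {hour:02d}:00 UTC")
    return findings


def describe(event):
    """Analyst-facing one-liner: who (by name and role), where, and when."""
    who = event["identity"]["displayName"] or event["user"]
    title = event["identity"]["jobTitle"] or "unknown role"
    return f"{who} ({title}) logged into {event['id.resp_h']} from {event['id.orig_h']} at {event['ts']}"


def run(events=LOGIN_EVENTS):
    """Enrich and triage every event; returns a list of {summary, findings} dicts."""
    return [{"summary": describe(e), "findings": triage(e)} for e in map(enrich, events)]


if __name__ == "__main__":
    for result in run():
        print(json.dumps(result))
```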
The identity perimeter is real, and it's under sustained attack. But identity tools and network tools have historically operated in silos, forcing analysts to manually correlate signals across platforms and leaving gaps that attackers are happy to exploit.
Corelight Investigator's additional identity integrations are designed to close that gap further, not by replacing your identity tools, but by bringing the most relevant signals and response actions into the workflow where your analysts already live.