Today, we are pleased to announce the launch of Corelight’s AWS Flow Monitoring Sensor, a new addition to Corelight’s flow monitoring capabilities.
This new sensor was purpose-built to address the longstanding visibility challenges that have frustrated security teams running their most critical workloads in AWS.
AWS provides one of the world’s most popular cloud platforms, hosting applications and sensitive data for some of the largest organizations. Yet AWS’s native security monitoring capabilities have not kept pace with the complexity of today’s cloud environments. Visibility gaps inside a VPC often allow attackers to move laterally or exfiltrate data without ever being detected.
Currently, there are two methods for customers to monitor their AWS traffic, but each has its own caveats. Let’s look into each and see what they mean to customers with respect to the security of their VPC environments.
Traffic mirroring copies packets from the virtual network interfaces (VNIs) of EC2 instances to a storage device or third-party tool for analysis. This enables security teams to capture PCAPs, reconstitute files, and apply IDS/IPS signatures. But visibility stops at the EC2 boundary. Key AWS services such as ELB, Lambda functions, and gateway load balancers cannot be monitored this way, leaving significant blind spots in cloud environments where traffic mirroring is not available.
VPC Flow Logs provide telemetry for most components within a VPC. However, they were designed for diagnostics, not security. Their original purpose was to troubleshoot network and performance issues, not to monitor for cyber threats or data access risks.
A typical VPC Flow Log record contains:
This limited data makes it extremely difficult to extract meaningful insights for security investigations.
To make matters worse, enabling AWS Flow Logs generates massive, repetitive datasets that consume storage and overwhelm even next-gen SIEMs. Security teams often face skyrocketing costs with little corresponding security value, which can result in incomplete visibility, high expenses, and lengthy investigations.
As a result, security teams are forced to choose between narrow but deep visibility (Traffic Mirroring) or broad but shallow visibility (VPC Flow Logs). Neither option gives security teams full security visibility across their AWS VPC environments.
Corelight takes a different approach to deliver unified telemetry across multi-cloud infrastructure. The new Corelight Flow Monitoring Sensor extends visibility beyond the EC2 boundary, where traffic mirroring is limited to VNI ports. By ingesting AWS VPC Flow Logs stored in a customer’s S3 bucket and enriching them into standard Zeek protocol logs, Corelight enables security teams to gain visibility into VPC components that were previously unmonitored.
Through intelligent filtering and deduplication, Corelight reduces redundant data, cutting log volumes by up to 90 percent. This not only helps control SIEM and storage costs but also ensures that the evidence retained is high-value and security-relevant. Furthermore, Corelight can ingest past VPC Flow Logs stored in AWS S3 buckets, allowing security analysts to perform security and forensic analysis.
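To show why raw flow logs are repetitive and what collapsing them looks like, here is an added example (not Corelight's code, algorithm, or output schema) that parses default-format (version 2) VPC Flow Log records and merges per-interface, per-direction duplicates into one connection row. The output keys borrow Zeek `conn.log` field names; the sample records, the `end` and `actions` keys, and the port-based originator heuristic are assumptions made for illustration.

```python
from collections import defaultdict

# Default (version 2) VPC Flow Log field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTO = {"6": "tcp", "17": "udp", "1": "icmp"}

# Constructed sample: one TCP session seen at two ENIs, a NODATA line, one rejected probe.
SAMPLE = """\
2 123456789012 eni-0aaa 10.0.1.5 10.0.2.9 49152 443 6 10 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa 10.0.2.9 10.0.1.5 443 49152 6 8 5300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbb 10.0.1.5 10.0.2.9 49152 443 6 10 1200 1700000001 1700000061 ACCEPT OK
2 123456789012 eni-0bbb 10.0.2.9 10.0.1.5 443 49152 6 8 5300 1700000001 1700000061 ACCEPT OK
2 123456789012 eni-0aaa - - - - - - - 1700000060 1700000120 - NODATA
2 123456789012 eni-0bbb 203.0.113.7 10.0.2.9 51000 22 6 1 40 1700000030 1700000031 REJECT OK
"""

def parse(text):
    """Yield one dict per usable record; NODATA/SKIPDATA and short rows are dropped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS) and parts[-1] == "OK":
            yield dict(zip(FIELDS, parts))

def to_conns(records):
    """Collapse per-ENI, per-direction records into one row per session."""
    seen = defaultdict(lambda: defaultdict(int))  # direction -> ENI -> bytes
    span = {}                                     # direction -> (start, end, actions)
    for r in records:
        d = (r["srcaddr"], int(r["srcport"]), r["dstaddr"], int(r["dstport"]), r["protocol"])
        seen[d][r["interface_id"]] += int(r["bytes"])
        s, e, acts = span.get(d, (int(r["start"]), int(r["end"]), frozenset()))
        span[d] = (min(s, int(r["start"])), max(e, int(r["end"])), acts | {r["action"]})
    conns = {}
    for d, enis in seen.items():
        src, sport, dst, dport, proto = d
        # Assumption: higher (ephemeral) port = originator; the log does not say who connected.
        orig = (sport, src) > (dport, dst)
        key = d if orig else (dst, dport, src, sport, proto)
        s, e, acts = span[d]
        c = conns.setdefault(key, {
            "id.orig_h": key[0], "id.orig_p": key[1], "id.resp_h": key[2],
            "id.resp_p": key[3], "proto": PROTO.get(proto, proto), "orig_bytes": 0,
            "resp_bytes": 0, "ts": s, "end": e, "actions": set()})
        # Both ENIs saw the same packets: keep the larger count, do not add them.
        c["orig_bytes" if orig else "resp_bytes"] = max(enis.values())
        c["ts"], c["end"] = min(c["ts"], s), max(c["end"], e)
        c["actions"] |= acts
    return list(conns.values())
```

On the constructed sample, five usable records reduce to two connection rows, and the rejected SSH attempt remains its own row with its `REJECT` action intact.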
With Zeek-enriched logs, analysts can now pivot laterally across the VPC to track attacker movement, identify suspicious behaviors, or validate alerts, extending investigations well beyond EC2 instances. This expanded spotlight closes gaps where attackers might attempt to hide, exfiltrate data, or compromise critical services.
Corelight’s approach delivers a balanced visibility model: broad coverage through VPC Flow Logs, complemented by the deeper inspection available from sensors using traffic mirroring. Together, they provide the comprehensive visibility, accuracy, and context modern security operations require.
After deployment, customers can typically see the following:
The result is broad visibility across your entire VPC, deeper insight into attacker behavior, and evidence that is both cost-efficient and analyst-friendly. This approach provides the broad coverage of Flow Logs while layering on the depth and context of Zeek protocol metadata.
Customers who deploy the Corelight Flow Monitoring Sensor can see several benefits that directly help security teams monitor security in their AWS cloud environments more comprehensively.
Comprehensive VPC-Wide visibility
With Corelight, security teams expand visibility beyond EC2 instances to the entire VPC, closing critical blind spots where attackers often hide. From east-west lateral movement to data staging in overlooked services, teams now see what was previously invisible.
2X faster investigations
Zeek-enriched logs provide structured, human-readable evidence that analysts can pivot on quickly. What used to take hours of combing through cryptic flow logs can now be resolved in half the time, accelerating response and reducing dwell time.
Significant storage & SIEM savings
By deduplicating and normalizing logs, Corelight cuts ingestion and storage volumes by up to 90 percent. This relieves pressure on SIEM budgets while ensuring teams retain more meaningful security evidence for longer periods.
The Corelight Flow Monitoring Sensor enables critical use cases that can help security teams better secure their AWS cloud environments.
AWS delivers enormous benefits to organizations running applications and data in the cloud. However, significant gaps in security monitoring remain, preventing security teams from achieving the same level of visibility and protection they have on-premises. The Corelight Flow Monitoring Sensor closes these gaps by extending visibility across the entire AWS environment and enabling real-time monitoring of potential cyberattacks.
With the launch of the Corelight Flow Monitoring Sensor, organizations no longer need to choose between visibility, speed, and cost. Corelight delivers:
By transforming raw VPC Flow Logs into actionable evidence, Corelight empowers security teams to reconnect visibility across the entire AWS cloud, reducing risk, accelerating investigations, and making budgets go further.