Staying ahead of sophisticated attackers requires a security platform that evolves at the speed of the threat landscape. Today’s attackers are AI-enabled, increasing the number of attacks and targeting vulnerabilities more quickly than ever. That's why we are excited to announce the Corelight Sensor v.29 release, a significant step forward in our mission to provide critical detections backed by the world's best network evidence. This update modernizes threat detection by introducing new, powerful machine learning capabilities, enhanced detections, and foundational upgrades to give your security team the advantage.
This release focuses on delivering advanced analytics and smarter detections directly from the sensor. We're bringing new ML-powered insights, greater visibility into evasive traffic, and important updates to the open source engines at the heart of Corelight. Let's explore the key highlights that will help you find and stop threats faster.
New anomaly detection for VPN and tunneling
In their efforts to evade detection, attackers frequently use VPNs and other tunneling protocols to hide their activities, creating blind spots for security teams. The v.29 release directly addresses this challenge with two new machine learning-based anomaly detection engines designed to illuminate this evasive traffic.
These engines expand on our robust suite of existing anomaly detections, adding specialized coverage for VPN and tunneling behaviors. They analyze patterns in VPN and tunneling activity to identify behaviors that deviate from the norm. By learning your network's unique baseline, the models can flag suspicious connections, unusual data transfers, or other indicators of compromise that might otherwise go unnoticed. This provides critical, early-warning signals of potential command-and-control (C2) channels or data exfiltration attempts.
Enhanced ML tuning for precision detection
We understand that every network is different. A one-size-fits-all approach to machine learning can lead to noise and false positives. To solve this, v.29 introduces significant enhancements to our ML tuning capabilities, giving you greater control over your detections.
These new controls allow your team to specify reference exclusions and fine-tune the sensitivity of ML models, aligning them more closely with your organization's specific risk tolerance and operational needs. By customizing the ML analytics, you can reduce alert fatigue, focus on the most relevant threats, and increase your team's efficiency without sacrificing detection efficacy.
New detections for brute force and credential dumping
Credential-based attacks remain a primary vector for initial access and lateral movement. Corelight v.29 strengthens your defense against these common techniques with new, high-fidelity detections for brute force attacks and credential dumping.
These detections are engineered to identify the subtle but distinct patterns associated with these attacks. By recognizing the specific components of an attack, Corelight provides immediate, actionable alerts backed by network evidence. For brute force, those components include repeated login failures, password spraying, exposed services, attempts spread across many accounts, and other characteristics of a brute force attempt; for credential dumping, they include the specific network traffic generated by attacker tools such as Mimikatz. These alerts enable rapid response before a compromise escalates.
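As an added illustration (not Corelight's detection logic), the following simplified detector separates the two brute force patterns the paragraph names, a single account hammered from one source versus password spraying across many accounts, when run over constructed Zeek-like authentication records. The event shape, the thresholds, and the time window are assumptions.

```python
from collections import defaultdict

# Constructed sample authentication events in a Zeek-like shape:
# (ts, id.orig_h, user, success). Made up for this example, not sensor output.
SAMPLE_EVENTS = (
    # 10.0.0.5: twelve failures against one account, then a success (brute force)
    [(1000.0 + i, "10.0.0.5", "alice", False) for i in range(12)]
    + [(1012.0, "10.0.0.5", "alice", True)]
    # 10.0.0.7: one failure each against six different accounts (password spray)
    + [(2000.0 + i, "10.0.0.7", u, False)
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # 10.0.0.9: two typos then a success (benign)
    + [(3000.0, "10.0.0.9", "bob", False), (3001.0, "10.0.0.9", "bob", False),
       (3002.0, "10.0.0.9", "bob", True)]
)


def detect_credential_attacks(events, window=300.0, fail_threshold=10, spray_accounts=5):
    """Scan failed logins per source IP inside a sliding time window.

    Returns {src_ip: set of labels}, where the labels are "brute_force"
    (at least fail_threshold failures against one account within the window)
    and/or "password_spray" (failures against at least spray_accounts distinct
    accounts within the window). Sources with no label are omitted.
    """
    failures = defaultdict(list)
    for ts, src, user, success in events:
        if not success:
            failures[src].append((ts, user))
    alerts = defaultdict(set)
    for src, items in failures.items():
        items.sort()
        for i in range(len(items)):
            # Count failures per account in the window that starts at items[i]
            per_user = defaultdict(int)
            for ts, user in items[i:]:
                if ts - items[i][0] > window:
                    break
                per_user[user] += 1
            if max(per_user.values()) >= fail_threshold:
                alerts[src].add("brute_force")
            if len(per_user) >= spray_accounts:
                alerts[src].add("password_spray")
    return dict(alerts)


if __name__ == "__main__":
    for src, labels in detect_credential_attacks(SAMPLE_EVENTS).items():
        print(src, sorted(labels))
```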
Identify GenAI and scanner applications
The modern network is filled with a growing number of applications, including generative AI tools and legitimate scanning software. While not always malicious, understanding their presence is crucial for policy enforcement and risk assessment. The v.29 release expands our application identification library to include popular GenAI and network scanner applications.
This enhanced visibility allows you to track the usage of these tools across your environment. With this knowledge, you can create policies to manage or block specific applications, monitor for unauthorized scanning activity and shadow AI usage, and gain a more complete picture of what is running on your network.
Upgrades to Zeek® 8 and Suricata® 8
At the foundation of Corelight's power are the industry-leading open source projects Zeek and Suricata. The v.29 release incorporates major version upgrades to Zeek 8 and Suricata 8, bringing a wealth of new features, performance improvements, and protocol parsers.
These upgrades directly translate to better detection capabilities. With expanded protocol support, you gain deeper visibility into more types of network traffic. Performance optimizations ensure that your sensors can keep up with increasing network speeds, while new features in both engines enhance the quality and context of the evidence Corelight produces. This commitment to the open source core ensures our platform remains at the cutting edge of network security monitoring.
Embracing the future of threat detection
The Corelight Sensor v.29 release is more than just an update; it's a commitment to empowering your security team with smarter, more efficient, and more comprehensive threat detection. By integrating advanced machine learning across all sensor types and targeting the most critical attack techniques, we are helping you modernize your security operations.
We invite you to explore these new capabilities and see how they can transform your ability to hunt, detect, and respond to threats. Your network holds the evidence; v.29 helps you find it faster and with greater clarity than ever before.
Learn more about all of Corelight’s threat detection capabilities.