Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

The evidence bank: leveraging security's most valuable asset

By Bernard Brantley – June 30, 2022

Editor's note: This is the fourth in a series of Corelight blog posts focusing on evidence-based security strategy. Catch up on all of the posts here. Read more »

Don’t trust. Verify with evidence.

By Brian Dye – April 7, 2022

Editor's note: This is the first in a series of Corelight blog posts focusing on evidence-based security strategy. Catch up on all of the posts here. What matters most in a criminal trial? Evidence. Everything depends on the quality and depth of... Read more »

Detecting Log4j exploits via Zeek when Java downloads Java

By Corelight Labs Team – December 18, 2021

We have published an initial blog on the Log4j exploit and a followup blog with a second detection method for detecting the first stage of exploits occurring over LDAP. Today, we will discuss a third detection method, this one focused on the... Read more »

Detecting Log4j via Zeek & LDAP traffic

By Corelight Labs Team – December 16, 2021

We recently discussed some methods for detecting the Log4j exploit, and we’ve now developed another method that everyone running Zeek® or a Corelight sensor can use. Our new approach is based on the rarity of legitimate downloads of Java via LDAP.... Read more »

Simplifying detection of Log4Shell

By Corelight Labs Team – December 14, 2021

Security workers across the world have been busy since last Friday dealing with CVE-2021-44228, the log4j 0-day known as Log4Shell, that is already being heavily exploited across the Internet. Given the huge number of systems that embed the... Read more »

Introducing the Corelight SSH Inference package

By Anthony Kasza – November 18, 2019

Corelight has recently released a new package, focusing on SSH inferences, as part of our Encrypted Traffic Collection. The package installs on sensors with a few clicks and provides network traffic analysis (NTA) inferences on live SSH traffic.... Read more »

A network engineer in a Zeek Week world

By Sarah Banks – November 4, 2019

With almost two decades of networking experience, I recently made my first foray into a security-centric user conference at Zeek Week, an annual conference for the user community of the open source network security monitoring platform known as Zeek... Read more »

Hello, my name is??

By Vince Stoffer – June 10, 2019

Corelight just released our v17 software release and it’s packed with a number of cool new features including the Input Framework, Community ID, and MITRE’s BZAR collection of detections for lateral movement. Let me share a few details about how... Read more »