Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

Splunk .conf24 reflections - Federated data, resilience, and a parade of fezzes

By Allen Marin – June 26, 2024

Fresh from the recent .conf24 user conference in fabulous Las Vegas, I thought I’d share what I thought were some of the key points throughout the week. Read more »

Simplify SOC analyst experience with the enhanced Corelight Splunk App

By Claudio Cruz – May 29, 2024

Security operations centers (SOCs) play a vital role in detection, containment and mitigation of today’s advanced cyber attacks. SoC teams are also responsible for proactively hunting for threats, and improving the organization’s overall security... Read more »

Enhance your search experience within Splunk by using the Corelight App

By James Schweitzer – October 11, 2023

The Corelight App for Splunk provides the foundation for organizations to boost SOC effectiveness and productivity by using Corelight data in Splunk. In this blog, I’ll walk through how the Corelight App leverages Splunk’s Common Information Model... Read more »

The best cybersecurity defense is great evidence

By Jean Schaffer – July 19, 2022

Editor's note: This is the fifth in a series of Corelight blog posts focusing on evidence-based security strategy. Catch up on all of the posts here. Read more »

Detecting Log4j exploits via Zeek when Java downloads Java

By Corelight Labs Team – December 18, 2021

We have published an initial blog on the Log4j exploit and a followup blog with a second detection method for detecting the first stage of exploits occurring over LDAP. Today, we will discuss a third detection method, this one focused on the... Read more »

Detecting Log4j via Zeek & LDAP traffic

By Corelight Labs Team – December 16, 2021

We recently discussed some methods for detecting the Log4j exploit, and we’ve now developed another method that everyone running Zeek® or a Corelight sensor can use. Our new approach is based on the rarity of legitimate downloads of Java via LDAP.... Read more »

Simplifying detection of Log4Shell

By Corelight Labs Team – December 14, 2021

Security workers across the world have been busy since last Friday dealing with CVE-2021-44228, the log4j 0-day known as Log4Shell, that is already being heavily exploited across the Internet. Given the huge number of systems that embed the... Read more »

Maximize your Splunk ES investment with Corelight

By Roger Cheeks – March 16, 2021

Are you looking to threat hunt but lack sufficient network and IDS data? Have you tried to accelerate your incident response process with better data, but run into dead ends that require data scientists or significant data model modification? Maybe... Read more »

Translating query into action

By Vince Stoffer – March 14, 2021

One of the most important aspects of threat hunting is having a place to start. A question, a theory, or a hunch often begins the hunt. Where you end up may not be where you first intended, but a good hunt will always reveal new information about... Read more »

Finding SUNBURST backdoor with Zeek logs & Corelight

By John Gamble – December 14, 2020

UPDATE 12-16-20: Corelight Resources Read more »