Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

VPNs are increasingly common - how much can you see?

By Vince Stoffer – March 24, 2022

New VPN Insights package shines the light on a growing blindspot VPN tunnels are like shipping containers in that they are widely used (especially as the pandemic has moved more of the workforce to remote work), and they can be used to carry traffic... Read more »

Know your environment: Tenable/Corelight integration for prioritized IDS alerts

By Alex Kirk – March 10, 2022

One of the major causes of alert fatigue for SOCs is a class of alerts that fall in between false positives and useful detections: when an actual attack has been launched, and the detection is working correctly, but the host on the receiving end is... Read more »

Situational awareness for CISA FECB playbooks

By Jean Schaffer – November 30, 2021

CISA recently released a set of playbooks for the Federal Civilian Executive Branch (FCEB) to provide improved cybersecurity incident response (IR) and vulnerability response. As was demonstrated by the SolarWinds SUNBURST attack in December 2020,... Read more »

Corelight & Microsoft Defender for IoT: Through an XDR lens

By Brian Dye – November 16, 2021

What is the XDR paradox? It’s the hottest term in security but there is no consensus yet on the right definition. Why is that? Many organizations have deployed EDR and are benefiting from it, but also looking to the gaps that EDR can’t address such... Read more »

Detecting CVE-2021-42292

By Corelight Labs Team – November 10, 2021

On its surface, CVE-2021-42292 doesn’t look like the kind of vulnerability that a network-based tool can find reliably. Marked by Microsoft as a local file format vulnerability, security veterans would expect that between encryption and encoding,... Read more »

Expanded Suricata detections with Dtection.io

By Alex Kirk – November 4, 2021

One of the most common questions that Corelight customers and prospects who are using our Suricata integration ask is “what signatures should I run?” While our answer has always started with the industry-standard Emerging Threats Pro feed, we... Read more »

Smart PCAP and threat detection in the cloud

By John Gamble – August 3, 2021

I am thrilled to publicly launch Corelight software version 22, which introduces a transformative new security product, Smart PCAP, and also enables threat detection in the cloud by extending Corelight’s Open NDR support for Suricata across... Read more »

Telegram Zeek, you’re my main notice

By Yacin Nadji – July 28, 2021

Notices in Zeek Zeek’s Notice Framework enables network operators to specify how potentially interesting network findings can be reported. This decoupling of detection and reporting highlights Zeek’s flexibility: a notice-worthy event in network A... Read more »

PrintNightmare, SMB3 encryption, and your network

By Corelight Labs Team – July 7, 2021

CVE-2021-1675, also tracked in CVE-2021-34527, is a remote code execution vulnerability that targets the Windows Print Spooler service. In a nutshell, there is a Distributed Computing Environment / Remote Procedure Call (DCE/RPC) that allows... Read more »

Detecting CVE-2021-31166 – HTTP vulnerability

By Ben Reardon – May 26, 2021

In this blog we aim to provide a little insight into part of the lifecycle of Corelight Lab’s response to a critical HTTP vulnerability. We’ve open-sourced many such responses over the last year (see Appendix A), and this one is a good demonstration... Read more »