          Incident response

          Get insights into SSH connections related to an incident without decryption

          Investigate a suspicious SSH connection and see evidence of file transfers and human keystroke activity via insights from Corelight’s Encrypted Traffic Collection.

          Assess the scope of a malware attack

          Pivot off a malware hash in Corelight’s files.log to immediately see all hosts that have downloaded the malicious file and then prioritize additional response work such as agent deployment.

          Automate repetitive manual investigations

          Turn manual data aggregation tasks into automated investigative playbooks in your SIEM or SOAR. One SOC built a SOAR playbook around Corelight's dns.log and reduced its average incident response time by 75%.

          Locate PCAP files needed for an investigation

          Pivot from the logs of a Corelight-parsed connection directly into the related packets, using the precise timestamps and the Zeek Community ID that Corelight appends to conn.log.

          Threat hunting

          Identify the early stages of a ransomware attack

          Use Corelight's rich evidence and detections around RDP, SSH, and SMB traffic to find early warning signs of ransomware before encryption begins.

          Fingerprint encrypted connections

          Fingerprint TLS clients with JA3 and SSH clients with HASSH (both available as Zeek packages) so analysts can identify and track attacker tooling across encrypted channels, using only the cleartext handshake and without decrypting anything.
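As an added example (not code from the page, from Corelight, or from the Zeek ja3/hassh packages), the Python below builds the JA3 and HASSH input strings from handshake fields the same way those packages do (JA3 strips the random GREASE values first, or the same client would hash differently every session), hashes them, and then groups constructed ssl.log records by the `ja3` field the ja3 package adds so one fingerprint can be followed from host to host. The hosts, server names and fingerprint values in the sample records are placeholders.

```python
import hashlib
import json
from collections import defaultdict

# TLS GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. Clients insert them at
# random positions, so JA3 drops them before hashing.
GREASE = {(x << 8) | x for x in range(0x0a, 0xff, 0x10)}


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 input: ClientHello version, cipher suites, extension types, supported groups
    and EC point formats, all decimal, '-' inside a field and ',' between fields.
    The Zeek ja3 package assembles the same string from ssl_client_hello/ssl_extension events."""
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats)])


def ja3(version, ciphers, extensions, curves, point_formats):
    text = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(text.encode("ascii")).hexdigest()


def hassh_string(kex, enc_c2s, mac_c2s, comp_c2s):
    """HASSH input: the client's KEXINIT algorithm lists (key exchange, client-to-server
    encryption, MAC and compression), each comma-joined, separated by ';'.
    hasshServer is the same construction over the server's lists."""
    return ";".join(",".join(algs) for algs in (kex, enc_c2s, mac_c2s, comp_c2s))


def hassh(kex, enc_c2s, mac_c2s, comp_c2s):
    return hashlib.md5(hassh_string(kex, enc_c2s, mac_c2s, comp_c2s).encode("ascii")).hexdigest()


# Constructed ssl.log records (JSON lines) carrying the 'ja3' field that the Zeek ja3
# package adds. Two different hosts present the same uncommon client fingerprint.
SAMPLE_SSL_LOG = "\n".join([
    '{"ts":1700000001.0,"uid":"C1","id.orig_h":"10.0.0.21","id.orig_p":50001,"id.resp_h":"203.0.113.9","id.resp_p":443,"server_name":"cdn.example","ja3":"deadbeef00000000000000000000c0de"}',
    '{"ts":1700000002.0,"uid":"C2","id.orig_h":"10.0.0.35","id.orig_p":50002,"id.resp_h":"203.0.113.9","id.resp_p":443,"server_name":"cdn.example","ja3":"deadbeef00000000000000000000c0de"}',
    '{"ts":1700000003.0,"uid":"C3","id.orig_h":"10.0.0.21","id.orig_p":50003,"id.resp_h":"198.51.100.4","id.resp_p":443,"server_name":"mail.example","ja3":"0123456789abcdef0123456789abcdef"}',
])


def track_fingerprints(log_text, field="ja3"):
    """Map each fingerprint to the sorted (orig_h, resp_h) pairs it was seen on.
    Use field="hassh" over ssh.log records written with the Zeek hassh package."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if field in rec:
            seen[rec[field]].add((rec["id.orig_h"], rec["id.resp_h"]))
    return {fp: sorted(pairs) for fp, pairs in seen.items()}


if __name__ == "__main__":
    # Constructed ClientHello field lists with a GREASE value at the head of each.
    print(ja3(771, [0x0a0a, 4865, 4866, 49195], [0x2a2a, 0, 23, 65281, 10, 11], [0x3a3a, 29, 23, 24], [0]))
    print(hassh(["curve25519-sha256", "ecdh-sha2-nistp256"], ["aes256-gcm@openssh.com"], ["hmac-sha2-256"], ["none"]))
    for fp, pairs in track_fingerprints(SAMPLE_SSL_LOG).items():
        print(fp, pairs)
```

A fingerprint is only as useful as its rarity: group by `ja3` over a day of ssl.log first, and chase the values that appear on a handful of hosts rather than the ones every browser in the building produces.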

          Assessing the scope of a malware attack

          Pivot off a malware hash in Zeek's files.log to immediately see all other hosts in an environment that have downloaded the malicious file, then prioritize additional incident response work such as agent deployment.
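The hash pivot described here and under Incident response above, as an added example that is not code from the page or from Corelight: the Python below walks constructed JSON-format files.log records, matches any of the md5/sha1/sha256 fields against the indicator, lists every receiving host with the time and protocol of each download, orders hosts by first download so response work starts with the earliest victim, and separately lists the hosts that served the file (an internal sender means the file is already spreading). The records handle both the set-valued tx_hosts/rx_hosts layout of files.log before Zeek 6 and the single-connection uid/id.*/is_orig layout of Zeek 6 and later; the hash values and addresses are placeholders.

```python
import json
from collections import defaultdict

# Constructed files.log records (JSON lines, as Zeek writes with LogAscii::use_json=T).
# The hash values are placeholders, not real malware. Records 1-3 and 5 use the
# set-valued tx_hosts/rx_hosts fields (files.log before Zeek 6); record 4 uses the
# single-connection uid/id.*/is_orig fields of Zeek 6+, so the pivot handles both.
SAMPLE_FILES_LOG = "\n".join([
    '{"ts":1700000000.1,"fuid":"F1a","tx_hosts":["203.0.113.5"],"rx_hosts":["10.0.0.11"],"conn_uids":["C1a"],"source":"HTTP","mime_type":"application/x-dosexec","filename":"update.exe","sha256":"0000aaaa"}',
    '{"ts":1700000100.2,"fuid":"F2b","tx_hosts":["203.0.113.5"],"rx_hosts":["10.0.0.12"],"conn_uids":["C2b"],"source":"HTTP","mime_type":"application/x-dosexec","filename":"update.exe","sha256":"0000aaaa"}',
    '{"ts":1700000200.3,"fuid":"F3c","tx_hosts":["10.0.0.12"],"rx_hosts":["10.0.0.13"],"conn_uids":["C3c"],"source":"SMB","mime_type":"application/x-dosexec","filename":"svc.exe","sha256":"0000aaaa"}',
    '{"ts":1700000300.4,"fuid":"F4d","uid":"C4d","id.orig_h":"10.0.0.14","id.orig_p":51000,"id.resp_h":"203.0.113.5","id.resp_p":80,"is_orig":false,"source":"HTTP","mime_type":"application/x-dosexec","filename":"update.exe","sha256":"0000aaaa"}',
    '{"ts":1700000400.5,"fuid":"F5e","tx_hosts":["198.51.100.9"],"rx_hosts":["10.0.0.11"],"conn_uids":["C5e"],"source":"HTTP","mime_type":"text/html","filename":"index.html","sha256":"ffff9999"}',
])

HASH_FIELDS = ("md5", "sha1", "sha256")


def _endpoints(rec):
    """(senders, receivers) of the file bytes, for either files.log layout."""
    if "rx_hosts" in rec:
        return list(rec.get("tx_hosts", [])), list(rec["rx_hosts"])
    # Zeek 6+: one connection per record; is_orig says which side sent the bytes.
    if rec.get("is_orig"):
        return [rec["id.orig_h"]], [rec["id.resp_h"]]
    return [rec["id.resp_h"]], [rec["id.orig_h"]]


def _matches(rec, ioc_hash):
    ioc = ioc_hash.lower()
    return any(str(rec.get(f, "")).lower() == ioc for f in HASH_FIELDS)


def pivot_on_hash(files_log_text, ioc_hash):
    """{receiving host: [(ts, source, filename), ...]} for every host that got the file."""
    hits = defaultdict(list)
    for line in files_log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if _matches(rec, ioc_hash):
            for host in _endpoints(rec)[1]:
                hits[host].append((rec["ts"], rec["source"], rec.get("filename", "-")))
    return dict(hits)


def serving_hosts(files_log_text, ioc_hash):
    """Hosts that sent the file; an internal address here means it is spreading."""
    senders = set()
    for line in files_log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            if _matches(rec, ioc_hash):
                senders.update(_endpoints(rec)[0])
    return senders


def response_priority(hits):
    """Hosts ordered by earliest download: patient zero first, later victims after."""
    return sorted(hits, key=lambda h: min(ts for ts, _, _ in hits[h]))


if __name__ == "__main__":
    hits = pivot_on_hash(SAMPLE_FILES_LOG, "0000AAAA")
    for host in response_priority(hits):
        for ts, source, name in sorted(hits[host]):
            print(f"{host}\t{ts}\t{source}\t{name}")
    print("served by:", sorted(serving_hosts(SAMPLE_FILES_LOG, "0000aaaa")))
```

In the sample, 10.0.0.12 first downloads the file over HTTP and later serves it to 10.0.0.13 over SMB, which is exactly the lateral spread the tx_hosts side of the pivot exposes.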

          Locating PCAP files needed for an investigation

          Pivot from the logs of a Zeek-parsed connection directly into that connection's packets in Moloch (now Arkime) using the shared Community ID appended to Zeek's conn.log.
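The Community ID pivot described here and under Incident response above, as an added example that is not code from the page, from Corelight, or from the Zeek community-id package: the Python below computes Community ID v1 for a TCP/UDP/SCTP flow from its 5-tuple (seed, the two endpoints in canonical order, protocol number, a zero pad byte and the two ports, SHA-1 hashed, base64 encoded, prefixed with "1:"), then turns a constructed conn.log record into the three things a packet store needs: the ID to match and a start/end time padded around the connection's ts and duration. It reuses the conn.log `community_id` field when present and recomputes it otherwise; the addresses and record values are placeholders.

```python
import base64
import hashlib
import json
import socket
import struct

# IANA protocol numbers for the port-carrying transports this example handles.
PROTO_NUM = {"tcp": 6, "udp": 17, "sctp": 132}


def _packed(ip):
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    return socket.inet_pton(family, ip)


def community_id_v1(orig_h, orig_p, resp_h, resp_p, proto, seed=0):
    """Community ID v1 of a TCP/UDP/SCTP flow; both directions give the same value.
    Hash input: seed (2 bytes BE) | lower endpoint address | higher endpoint address |
    protocol number (1 byte) | zero pad (1 byte) | lower port (2) | higher port (2),
    then SHA-1, standard base64, and a "1:" version prefix."""
    a, b = _packed(orig_h), _packed(resp_h)
    pa, pb = orig_p, resp_p
    if (a, pa) > (b, pb):          # canonical ordering on (packed address, port)
        a, b, pa, pb = b, a, pb, pa
    data = struct.pack("!H", seed) + a + b + struct.pack("!BBHH", PROTO_NUM[proto.lower()], 0, pa, pb)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


# Constructed conn.log record (JSON line) for a connection under investigation.
SAMPLE_CONN_RECORD = json.loads(
    '{"ts":1700000000.5,"uid":"CHJZ1x","id.orig_h":"10.0.0.5","id.orig_p":51234,'
    '"id.resp_h":"203.0.113.9","id.resp_p":443,"proto":"tcp","service":"ssl","duration":12.25,'
    '"orig_bytes":1543,"resp_bytes":98210,"conn_state":"SF"}')


def pcap_search_window(conn_rec, slack=1.0):
    """(community_id, start, end) to hand to a packet store: the ID to match on and a
    time window covering [ts, ts + duration] padded by `slack` seconds so handshake and
    teardown packets are not cut off. Uses the record's community_id field when the Zeek
    community-id package populated it, otherwise recomputes it from the 5-tuple."""
    cid = conn_rec.get("community_id") or community_id_v1(
        conn_rec["id.orig_h"], conn_rec["id.orig_p"],
        conn_rec["id.resp_h"], conn_rec["id.resp_p"], conn_rec["proto"])
    start = conn_rec["ts"] - slack
    end = conn_rec["ts"] + conn_rec.get("duration", 0.0) + slack
    return cid, start, end


if __name__ == "__main__":
    cid, start, end = pcap_search_window(SAMPLE_CONN_RECORD)
    print(f"community_id={cid} window=[{start}, {end}]")
    # Same ID from the responder's point of view, so either side's packets match.
    print(community_id_v1("203.0.113.9", 443, "10.0.0.5", 51234, "tcp") == cid)
```

Keep the seed identical on the sensor that writes conn.log and on the packet store that indexes Community IDs; a mismatched seed produces valid-looking IDs that never match.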

          Verifying containment and remediation

          Use Zeek's network logs for post-breach monitoring that looks for any recurrence of malware beaconing after containment and remediation.
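As an added example (not code from the page, from Corelight, or from RITA), the Python below does the interval analysis behind beacon detection over constructed conn.log records: it groups connections by (originator, responder, responder port), computes the gaps between successive connections, and scores how regular those gaps are with a median-absolute-deviation ratio so that the deliberate jitter real beacons add does not hide them. The same function run daily after remediation, with the candidates compared against the destinations seen during the incident, is the recurrence check this item describes; RITA, mentioned further down the page, produces a similar per-pair score from the same log. Hosts, ports and timing in the sample are constructed, and the thresholds are assumptions to tune.

```python
import json
import statistics
from collections import defaultdict

# Constructed conn.log records: 10.0.0.42 calls back to 203.0.113.77:443 every ~60 s
# with a few seconds of jitter; 10.0.0.58 browses 198.51.100.20 at irregular gaps.
BEACON_JITTER = [0, 3, -2, 1, -1, 2, 0, -3, 0, 4, -4, 1, 2, -1, 0, 3, -2, 1, 0, -1]
BROWSE_GAPS = [5, 120, 2, 900, 30, 1, 400, 15, 60, 3000]


def _conn_records(orig_h, resp_h, resp_p, gaps, start=1700000000.0):
    recs, ts = [], start
    for i, gap in enumerate([0] + gaps):
        ts += gap
        recs.append(json.dumps({"ts": ts, "uid": f"C{orig_h.replace('.', '')}x{i}",
                                "id.orig_h": orig_h, "id.orig_p": 40000 + i,
                                "id.resp_h": resp_h, "id.resp_p": resp_p, "proto": "tcp",
                                "service": "ssl", "duration": 0.2, "conn_state": "SF"}))
    return recs


SAMPLE_CONN_LOG = "\n".join(
    _conn_records("10.0.0.42", "203.0.113.77", 443, [60 + j for j in BEACON_JITTER])
    + _conn_records("10.0.0.58", "198.51.100.20", 443, BROWSE_GAPS))


def periodicity(timestamps):
    """Score how regular the gaps between connections are: 1.0 means every gap equals the
    median gap, 0.0 means the median absolute deviation is as large as the median itself.
    Returns (score, median_gap_seconds). A MAD-based measure is used because it tolerates
    the jitter beacons add on purpose and ignores a few outliers."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    median = statistics.median(gaps)
    if median <= 0:
        return 0.0, median
    mad = statistics.median(abs(g - median) for g in gaps)
    return max(0.0, 1.0 - mad / median), median


def score_flows(conn_log_text, min_conns=10):
    """Group conn.log by (orig_h, resp_h, resp_p) and score each group seen often enough."""
    flows = defaultdict(list)
    for line in conn_log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            flows[(rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"])].append(rec["ts"])
    scored = {}
    for key, stamps in flows.items():
        if len(stamps) >= min_conns:
            score, interval = periodicity(stamps)
            scored[key] = {"connections": len(stamps), "interval_s": interval, "score": round(score, 3)}
    return scored


def beacon_candidates(conn_log_text, min_conns=10, min_score=0.9):
    """Flows regular enough to review, or to compare against the beacons seen during the incident."""
    return {k: v for k, v in score_flows(conn_log_text, min_conns).items() if v["score"] >= min_score}


if __name__ == "__main__":
    for key, info in sorted(score_flows(SAMPLE_CONN_LOG).items(), key=lambda kv: -kv[1]["score"]):
        print(key, info)
```

Legitimate periodic traffic (NTP, update checks, monitoring agents) scores just as high, so the candidate list is a review queue, not an alert; an allowlist of known-good destinations keeps it short.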

          Improving defensibility

          Use Zeek's continuous logging across protocols to establish the "ground truth" of what happened historically, minimizing both legal expenses and the scope of disclosure.

          Threat detection

          Detecting SSH client bruteforce attacks

          Discover when a client fails to authenticate more times than a configured threshold and then authenticates successfully.
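As an added example (not code from the page, from Corelight, or from Zeek's own detect-bruteforcing policy), the Python below implements that rule over constructed JSON-format ssh.log records using the fields Zeek writes: `auth_attempts`, the number of authentication attempts seen in one connection, and `auth_success`, which Zeek omits when it could not tell. Failed connections contribute all their attempts, a successful connection contributes the attempts before its success, counts reset outside a time window, and an alert fires when a success lands after the count has reached the threshold. The hosts, client/server banners, threshold and window are assumptions.

```python
import json


def _ssh_rec(ts, uid, orig_h, resp_h, attempts, success):
    rec = {"ts": float(ts), "uid": uid, "id.orig_h": orig_h, "id.orig_p": 50000,
           "id.resp_h": resp_h, "id.resp_p": 22, "version": 2, "auth_attempts": attempts,
           "client": "SSH-2.0-libssh_0.9.6", "server": "SSH-2.0-OpenSSH_8.9"}
    if success is not None:          # Zeek omits auth_success when it could not tell
        rec["auth_success"] = success
    return json.dumps(rec)


# Constructed ssh.log records: 10.0.0.50 hammers 10.0.0.7 (5 connections x 5 failed
# attempts, then a connection that succeeds on its 2nd attempt); 10.0.0.60 mistypes
# a password twice and then logs in; 10.0.0.61's outcome is undetermined.
SAMPLE_SSH_LOG = "\n".join(
    [_ssh_rec(1700000000 + 10 * i, f"Cbf{i}", "10.0.0.50", "10.0.0.7", 5, False) for i in range(5)]
    + [_ssh_rec(1700000060, "Cbf5", "10.0.0.50", "10.0.0.7", 2, True),
       _ssh_rec(1700000070, "Cok0", "10.0.0.60", "10.0.0.7", 2, False),
       _ssh_rec(1700000080, "Cok1", "10.0.0.60", "10.0.0.7", 1, True),
       _ssh_rec(1700000090, "Cun0", "10.0.0.61", "10.0.0.7", 3, None)])


def detect_bruteforce_then_success(ssh_log_text, threshold=20, window_s=1800):
    """Per client, count failed authentications: a record with auth_success=false counts
    all its auth_attempts, a successful record counts auth_attempts-1 failures before the
    success. Alert when a success arrives after the window's failure count reached the
    threshold. Records must be in time order, as Zeek writes them."""
    state = {}   # orig_h -> (window_start_ts, failed_attempts)
    alerts = []
    for line in ssh_log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        src, ts = rec["id.orig_h"], rec["ts"]
        attempts = rec.get("auth_attempts", 0)
        start, failed = state.get(src, (ts, 0))
        if ts - start > window_s:        # stale window: start counting afresh
            start, failed = ts, 0
        success = rec.get("auth_success")
        if success is True:
            failed += max(attempts - 1, 0)
            if failed >= threshold:
                alerts.append({"ts": ts, "uid": rec["uid"], "orig_h": src,
                               "resp_h": rec["id.resp_h"], "failed_attempts": failed})
            failed = 0                   # a success closes the guessing episode
        elif success is False:
            failed += max(attempts, 1)
        state[src] = (start, failed)
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(SAMPLE_SSH_LOG):
        print(alert)
```

The undetermined record (no `auth_success`) is deliberately ignored rather than guessed at; counting it as a failure would inflate the score, counting it as a success would fire the alert on traffic Zeek could not classify.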

          Detecting hidden C2 server communications

          Uncover live C2 communications via Zeek's dpd.log when an attacker tries to disguise C2 traffic as an SSL connection and Zeek's protocol analyzer records that the traffic does not actually conform to the protocol.

          Lateral movement detection

          Detect the lateral movement techniques in MITRE ATT&CK that show up in SMB and DCE-RPC traffic, such as use of Windows admin shares and remote file copy, or stream Zeek logs to the Real Intelligence Threat Analytics (RITA) tool to produce a daily report of potential beaconing activity.
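The SMB and DCE-RPC half of this item, as an added example that is not code from the page or from Corelight: the Python below correlates constructed smb_mapping.log, smb_files.log and dce_rpc.log records by (originator, responder) and looks for three indicators that together form the classic PsExec-style pattern: a tree connect to an administrative share (ATT&CK T1021.002, Windows admin shares), a file written onto that share (T1570, lateral tool transfer, called Remote File Copy in older ATT&CK versions), and a CreateService/StartService call over the svcctl pipe (T1569.002, service execution). Hosts, file names and the rule that two of the three indicators are enough to report are assumptions; a production job would also bound the correlation in time.

```python
import json
from collections import defaultdict

# Shares whose mapping from a workstation is itself worth noting. IPC$ is left out:
# it is opened for any named-pipe traffic and would match constantly.
ADMIN_SHARES = {"ADMIN$", "C$", "D$"}
SERVICE_OPS = {"CreateServiceW", "CreateServiceA", "StartServiceW", "StartServiceA"}


def _rec(ts, uid, orig_h, resp_h, **fields):
    base = {"ts": float(ts), "uid": uid, "id.orig_h": orig_h, "id.orig_p": 49000,
            "id.resp_h": resp_h, "id.resp_p": 445}
    base.update(fields)
    return json.dumps(base)


# Constructed records: 10.0.0.21 maps ADMIN$ on 10.0.0.7, drops a service binary there
# and creates/starts a service over the svcctl pipe; 10.0.0.30 only reads a spreadsheet
# from an ordinary share on 10.0.0.8.
SAMPLE_SMB_MAPPING = "\n".join([
    _rec(1700000000, "Cm1", "10.0.0.21", "10.0.0.7", path=r"\\10.0.0.7\ADMIN$", share_type="DISK"),
    _rec(1700000001, "Cm1", "10.0.0.21", "10.0.0.7", path=r"\\10.0.0.7\IPC$", share_type="PIPE"),
    _rec(1700000100, "Cm2", "10.0.0.30", "10.0.0.8", path=r"\\10.0.0.8\Shared", share_type="DISK"),
])
SAMPLE_SMB_FILES = "\n".join([
    _rec(1700000002, "Cm1", "10.0.0.21", "10.0.0.7", action="SMB::FILE_WRITE",
         path=r"\\10.0.0.7\ADMIN$", name="PSEXESVC.exe", size=186880),
    _rec(1700000101, "Cm2", "10.0.0.30", "10.0.0.8", action="SMB::FILE_READ",
         path=r"\\10.0.0.8\Shared", name="q3-report.xlsx", size=40960),
])
SAMPLE_DCE_RPC = "\n".join([
    _rec(1700000003, "Cm1", "10.0.0.21", "10.0.0.7", named_pipe=r"\pipe\svcctl",
         endpoint="svcctl", operation="CreateServiceW"),
    _rec(1700000004, "Cm1", "10.0.0.21", "10.0.0.7", named_pipe=r"\pipe\svcctl",
         endpoint="svcctl", operation="StartServiceW"),
    _rec(1700000102, "Cm3", "10.0.0.30", "10.0.0.8", named_pipe=r"\pipe\lsarpc",
         endpoint="lsarpc", operation="LsarOpenPolicy2"),
])


def _records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _share(path):
    """Last component of a UNC path, e.g. \\\\10.0.0.7\\ADMIN$ -> ADMIN$."""
    return path.rstrip("\\").rsplit("\\", 1)[-1].upper()


def correlate_lateral_movement(smb_mapping_text, smb_files_text, dce_rpc_text, min_stages=2):
    """Findings per (orig_h, resp_h) pair that shows at least min_stages of:
    admin_share, file_write (onto an admin share), service_control (svcctl create/start)."""
    ev = defaultdict(lambda: {"admin_share": set(), "file_write": set(),
                              "service_control": set(), "uids": set()})
    for rec in _records(smb_mapping_text):
        share = _share(rec["path"])
        if share in ADMIN_SHARES:
            e = ev[(rec["id.orig_h"], rec["id.resp_h"])]
            e["admin_share"].add(share)
            e["uids"].add(rec["uid"])
    for rec in _records(smb_files_text):
        if rec.get("action") == "SMB::FILE_WRITE" and _share(rec.get("path", "")) in ADMIN_SHARES:
            e = ev[(rec["id.orig_h"], rec["id.resp_h"])]
            e["file_write"].add(rec.get("name", "?"))
            e["uids"].add(rec["uid"])
    for rec in _records(dce_rpc_text):
        if rec.get("endpoint") == "svcctl" and rec.get("operation") in SERVICE_OPS:
            e = ev[(rec["id.orig_h"], rec["id.resp_h"])]
            e["service_control"].add(rec["operation"])
            e["uids"].add(rec["uid"])
    findings = []
    for (src, dst), e in ev.items():
        stages = [s for s in ("admin_share", "file_write", "service_control") if e[s]]
        if len(stages) >= min_stages:
            findings.append({"orig_h": src, "resp_h": dst, "stages": stages,
                             "files": sorted(e["file_write"]),
                             "operations": sorted(e["service_control"]),
                             "uids": sorted(e["uids"])})
    return findings


if __name__ == "__main__":
    for f in correlate_lateral_movement(SAMPLE_SMB_MAPPING, SAMPLE_SMB_FILES, SAMPLE_DCE_RPC):
        print(f)
```

The `uids` in each finding are the pivot back into the raw logs (and, with Community ID, into packets); keep them in whatever alert the correlation raises.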

          Detecting off-port protocol usage

          Use Zeek’s deep protocol parsing capabilities to identify network services, such as HTTP or DNS, running on non-standard ports. Watch video.

          Fingerprinting connections for fraud detection

          Create custom Zeek logs to fingerprint connections and identify issues like API fraud and account takeovers.

          Investigating unauthorized SMB file access

          Use Zeek’s SMB logs as a source of evidence to document end user access to a sensitive SMB file share without authorization. Download case study.

          Data enrichment

          Enhance traffic monitoring with local context

          Use the Zeek Input Framework to append internal server names and IT contact information fields to conn.log, accelerating investigations and remediation workflows.

          Enhancing DNS visibility

          Use Zeek’s dns.log—which contains both queries and responses—to access forensic information server logs can’t provide, due to a lack of detail. Learn more.

          Identifying vulnerable software

          Use Zeek’s software.log to identify outdated or vulnerable software, such as Java or Flash, running in an environment. Watch video.

          Flagging Cyrillic keyboard usage

          Monitor Zeek’s rdp.log to identify the use of Russian character set keyboards in an environment, which could signal unusual behavior.

          Verifying that sensitive connections use strong encryption

          Verify via Zeek’s ssl.log that all TLS sessions for sensitive connections use appropriately strong ciphers, and prompt security ops staff to take remedial action if less secure ciphers are detected. Watch video.

          Network operations

          Creating inventories of connected devices

          Inventory network-connected devices and their services without installing host agents, and use Zeek's software.log to monitor bring-your-own software used by employees.

          Monitoring risky SSL certificates

          Monitor self-signed, expired, or soon-to-expire certificates via Zeek's ssl.log and x509.log.
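This item and the strong-encryption check under Data enrichment above both read the same two logs, so one added example (not code from the page or from Corelight) serves both: the Python below audits constructed JSON-format ssl.log records for weak protocol versions, weak cipher suites and suites without forward secrecy, using the version strings (TLSv10, TLSv12, TLSv13, ...) and IANA cipher names Zeek writes, and audits constructed x509.log records for self-signed (subject equals issuer), expired and soon-to-expire certificates from the `certificate.not_valid_after` timestamp. The cipher policy, the 30-day warning horizon and the "now" timestamp are assumptions; the uids, fingerprints and subject names are placeholders.

```python
import json

# Assumed policy for this example; adjust to the organisation's standard.
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv10", "TLSv11"}        # Zeek ssl.log version strings
WEAK_CIPHER_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT", "_MD5", "_anon_")
FORWARD_SECRET = ("TLS_ECDHE_", "TLS_DHE_", "TLS_AES_", "TLS_CHACHA20_")  # TLS 1.3 suites always use (EC)DHE

NOW = 1700000000.0   # assumed audit time (epoch seconds), matching the sample timestamps


def _records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed ssl.log records.
SAMPLE_SSL_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": NOW, "uid": "S1", "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.1.10", "id.resp_p": 443,
     "version": "TLSv13", "cipher": "TLS_AES_128_GCM_SHA256", "server_name": "hr.internal.example"},
    {"ts": NOW, "uid": "S2", "id.orig_h": "10.0.0.6", "id.resp_h": "10.0.1.11", "id.resp_p": 443,
     "version": "TLSv10", "cipher": "TLS_RSA_WITH_RC4_128_SHA", "server_name": "legacy.internal.example"},
    {"ts": NOW, "uid": "S3", "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.1.12", "id.resp_p": 443,
     "version": "TLSv12", "cipher": "TLS_RSA_WITH_AES_128_CBC_SHA", "server_name": "erp.internal.example"},
    {"ts": NOW, "uid": "S4", "id.orig_h": "10.0.0.8", "id.resp_h": "10.0.1.13", "id.resp_p": 443,
     "version": "TLSv12", "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "server_name": "vpn.example"},
])
# Constructed x509.log records (Zeek 5+ 'fingerprint' key; older logs use 'id').
SAMPLE_X509_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": NOW, "fingerprint": "X1", "certificate.subject": "CN=app.internal.example",
     "certificate.issuer": "CN=Example Internal CA", "certificate.not_valid_after": 1800000000.0},
    {"ts": NOW, "fingerprint": "X2", "certificate.subject": "CN=lb01",
     "certificate.issuer": "CN=lb01", "certificate.not_valid_after": 1699000000.0},
    {"ts": NOW, "fingerprint": "X3", "certificate.subject": "CN=mail.internal.example",
     "certificate.issuer": "CN=Example Internal CA", "certificate.not_valid_after": NOW + 10 * 86400},
])


def assess_ssl(rec):
    """Issues for one ssl.log record (JSON dict)."""
    issues = []
    version, cipher = rec.get("version", ""), rec.get("cipher", "")
    if version in WEAK_VERSIONS:
        issues.append(f"weak protocol version {version}")
    if any(m in cipher for m in WEAK_CIPHER_MARKERS):
        issues.append(f"weak cipher {cipher}")
    elif cipher and not cipher.startswith(FORWARD_SECRET):
        issues.append("no forward secrecy")
    return issues


def assess_x509(rec, now, soon_days=30):
    """Issues for one x509.log record: self-signed, expired, or expiring within soon_days."""
    issues = []
    if rec.get("certificate.subject") == rec.get("certificate.issuer"):
        issues.append("self-signed")
    remaining_days = (rec["certificate.not_valid_after"] - now) / 86400
    if remaining_days < 0:
        issues.append("expired")
    elif remaining_days < soon_days:
        issues.append(f"expires in {int(remaining_days)} days")
    return issues


def audit(ssl_log_text, x509_log_text, now):
    """uid or certificate fingerprint -> issues, only for records with something to fix."""
    report = {}
    for rec in _records(ssl_log_text):
        issues = assess_ssl(rec)
        if issues:
            report[rec["uid"]] = issues
    for rec in _records(x509_log_text):
        issues = assess_x509(rec, now)
        if issues:
            report[rec.get("fingerprint", rec.get("id"))] = issues
    return report


if __name__ == "__main__":
    for key, issues in audit(SAMPLE_SSL_LOG, SAMPLE_X509_LOG, NOW).items():
        print(key, issues)
```

Self-signed is a finding, not a verdict: an internal appliance may be allowed to use one, which is why the report keys on the certificate fingerprint so an allowlist can be maintained against it.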

          Troubleshooting a load balancer issue

          Diagnose a load balancer performance problem that is difficult or impossible to replicate in a lab environment using evidence gathered from Zeek's network logs, and end the finger-pointing between security and network operations teams.