CONTACT US
forrester wave report 2023

Forrester rates Corelight a strong performer

GET THE REPORT

ad-nav-crowdstrike

Corelight now powers CrowdStrike solutions and services

READ MORE

ad-images-nav_0013_IDS

Alerts, meet evidence.

LEARN MORE ABOUT OUR IDS SOLUTION

ad-images-nav_white-paper

5 Ways Corelight Data Helps Investigators Win

READ WHITE PAPER

glossary-icon

10 Considerations for Implementing an XDR Strategy

READ NOW

ad-images-nav_0006_Blog

Don't trust. Verify with evidence

READ BLOG

ad-nav-NDR-for-dummies

NDR for Dummies

GET THE WHITE PAPER

video

The Power of Open-Source Tools for Network Detection and Response

WATCH THE WEBCAST

ad-nav-ESG

The Evolving Role of NDR

DOWNLOAD THE REPORT

ad-images-nav_0006_Blog

Detecting 5 Current APTs without heavy lifting

READ BLOG

g2-medal-best-support-ndr-winter-2024

Network Detection and Response

SUPPORT OVERVIEW

 

USE CASES

Reduce risk, accelerate hunting and investigation, and consolidate existing toolsets with Corelight's complete range of on-prem, cloud, and SaaS-based solutions.

 
 
 
threat-hunting

Threat hunting

 

Replace a standalone IDS with Corelight’s Open NDR Platform

Replace a standalone IDS with Corelight's Open NDR Platform, which delivers IDS alerts integrated with the evidence needed to investigate them. 

Identify the early stages of a ransomware attack

Use the rich evidence and detections Corelight generates around RDP, SSH, and SMB traffic to find early warning signs of ransomware, before encryption occurs. 

DOWNLOAD WHITE PAPER

Fingerprint encrypted connections

Fingerprint SSL or SSH connections via the JA3/HASH packages so analysts can identify and track attacker movements across encrypted channels.

Assess the scope of a malware attack

Pivot off a malware hash in Corelight’s files.log to immediately see all hosts that have downloaded the malicious file and then prioritize additional response work such as agent deployment.

 

Locate PCAP files needed for an investigation

Pivot from the logs of a Zeek®-parsed connection directly into connection packets in Moloch using the shared Community ID appended to the Zeek conn.log.

BLOG POST

Verify containment and remediation

Use Zeek's network logs for conducting post-breach monitoring to look for the recurrence of malware beaconing.

 

Improve defensibility

Use Zeek's continuous logging across protocols to establish the "ground truth" of what happened historically, minimizing both legal expenses and the scope of disclosure.

Get insights into SSH connections without decryption

Investigate a suspicious SSH connection and see evidence of file transfers and human keystroke activity via insights from Corelight’s Encrypted Traffic Collection.

 

Find ATT&CKs with Corelight

Corelight's alerts and network evidence help you uncover a wide range of adversary tactics, techniques, and procedures (TTPs) within the MITRE ATT&CK® framework.

find-ATT&CKs

 

 
 
 
incident-response

Incident response

 

Get insights into SSH connections without decryption

Investigate a suspicious SSH connection and see evidence of file transfers and human keystroke activity via insights from Corelight’s Encrypted Traffic Collection.

Assess the scope of a malware attack

Pivot off a malware hash in Corelight’s files.log to immediately see all hosts that have downloaded the malicious file and then prioritize additional response work such as agent deployment.

 

Automate repetitive manual investigations

Turn manual data aggregation tasks into automated investigative playbooks in your SIEM. One SOC built a SOAR playbook around Corelight’s dns.log and reduced their average incident response times by 75%.

CASE STUDY

Locate PCAP files needed for an investigation

Pivot from the logs of a Corelight-parsed connection directly into the related packets in using precise timestamps and Zeek Community ID appended to Corelight’s conn.log. 

BLOG POST

 

Threat Hunting Guide

Learn how to use network traffic data to hunt for:

    •    Spearphishing attacks
    •    Automated exfiltration
    •    Lateral movement

And dozens more additional tactics and techniques.

DOWNLOAD GUIDE

threat-hunting-guide

 

 
 
 
threat-detection

Threat detection

 

Detect SSH client bruteforce attacks

Discover when a client attempts to authenticate beyond a pre-configured threshold and then successfully authenticates. 

LEARN MORE

Detect hidden C2 server communications

Uncover live C2 communications via Zeek’s dpd.log when an attacker attempts to disguise their C2 traffic in a purported SSL connection.

WATCH VIDEO

Detect lateral movement

Detect lateral movement in MITRE ATT&CK related to SMB and DCE-RPC traffic, such as indicators targeting Windows Admin Shares and Remote File Copy. Stream Zeek logs to the Real Intelligence Threat Analytics (RITA) tool to create a daily report of potential beaconing activity. 

WATCH VIDEO

Detect off-port protocol usage

Use Zeek’s deep protocol parsing capabilities to identify network services, such as HTTP or DNS, running on non-standard ports.

WATCH VIDEO

Fingerprint connections for fraud detection

Create custom Zeek logs to fingerprint connections and identify issues like API fraud and account takeovers.

Investigate unauthorized SMB file access

Use Zeek’s SMB logs as a source of evidence to document end user access to a sensitive SMB file share without authorization.

CASE STUDY
data-enrichment

Data enrichment

 

Enhance traffic monitoring with local context

Use the Zeek Input Framework to append internal server names and IT contact information fields to the conn.log to accelerate investigations and 
remediation workflows.

LEARN MORE

Enhance DNS visibility

Use Zeek’s dns.log—which contains both queries and responses—to access forensic information server logs can’t provide, due to a lack of detail.

LEARN MORE

Identify vulnerable software

Use Zeek’s software.log to identify outdated or vulnerable software, such as Java or Flash, running in an environment. 

Flag Cyrillic keyboard usage

Monitor Zeek’s rdp.log to identify the use of Russian character set keyboards in an environment, which could signal unusual behavior.

Fingerprint connections for fraud detection

Create custom Zeek logs to fingerprint connections and identify issues like API fraud and account takeovers.

Investigate unauthorized SMB file access

Use Zeek’s SMB logs as a source of evidence to document end user access to a sensitive SMB file share without authorization.

CASE STUDY

network-operations

Network operations

 

Create inventories of connected devices

Inventory network-connected devices and their services without needing to install host agents, and use Zeek’s software.log to monitor BYO software used by employees.

Monitor risky SSL certificates

Monitor self-signed and expired (or soon-to-expire) certificates via Zeek’s ssl.log.

WATCH VIDEO

Troubleshoot a load balancer issue

Diagnose a load balancer performance problem that is difficult or impossible to replicate in a lab environment via evidence gathered from Zeek’s network logs and end finger pointing between security and network operations teams.

 

 

 

Have questions?

Talk with one of our experts today.

CONTACT US