Meet the connection.log
Like Netflow, on steroids. The master connection record with a UID so you can pivot effortlessly across all protocol activity associated with a given connection.
Move at the speed of attack.
Corelight transforms raw network traffic into rich logs, extracted files, and custom insights. Our comprehensive logs let security analysts make sense of traffic fast and keep up with malicious activity like lateral movement, and attacker techniques and tactics like those documented in MITRE ATT&CK.
Why Corelight?
Corelight’s network data is ‘rocket fuel’, making your SOC more efficient and powerful.
Zeek vs. the other data
- Netflow data is useful but thin.
- Packets were never designed for people to read.
- Solving security incidents requires aggregating data from many sources.
- Network performance management (NPM) data wasn’t built for security teams.
- Different data souces and logs are often in different formats with different time stamps.
- PCAP files are too large to store beyond a few days or weeks.
Corelight vs. OS Zeek
- Zeek logs provide over 400 fields of data about dozens of protocols.
- Zeek logs are designed for security analysts and fast search.
- Corelight automatically collects the data you need from the network.
- Corelight data is precisely time-stamped and interlinked for easy, fast pivots.
- Corelight logs are 1/100th PCAP’s size and can be stored for years.
5 ways Corelight data is better.
Understanding exactly why Zeek is so much more poweful than what you're using now can be complex. This white paper illustrates five examples that show specifically how and why Corelight lets you resolve issues that can't be resolved using traditional methods like Netflow and PCAP.
Learn about Corelight’s powerful network logs.
Meet the dns.log
You wish your DNS server records gave you this much detail. The full five tuple and DNS query? They’re included in Corelight’s DNS log, along with many more useful DNS fields for security operations.
Meet the SSL.log
Think encrypted traffic yields no secrets? False. Corelight’s encrypted traffic parsing capabilities allow you to fingerprint SSL connections for blacklisting and whitelisting, discover self-signed and expired certificates, and much more.
Meet the files.log
Every file that crosses the network gets its own log. File type doesn’t match the MIME type? You’ll see that in this log. Hashes for malware lookups? They’re included too. Corelight can also reassemble and extract all files that cross the network for additional downstream analysis.
Meet the software.log
See every unique piece of software used by a client or server on your network. Track BYO software use and outdated software versions to assist your vulnerability management program.