Network Detection
          Partners
          Get Started
          Get Started

          Why Corelight

          Corelight’s network data makes your SOC more efficient and powerful.

          Zeek vs. the other data

          • Netflow data is useful but thin.
          • Packets were never designed for people to read.
          • Solving security incidents requires aggregating data from many sources.
          • Network performance management (NPM) data wasn’t built for security teams.
          • Different data souces and logs are often in different formats with different time stamps.
          • PCAP files are too large to store beyond a few days or weeks.

          Corelight vs. OS Zeek

          • Zeek logs provide over 400 fields of data about dozens of protocols.
          • Zeeklogs are designed for security analysts and fast search.
          • Corelight automatically collects the data you need from the network.
          • Corelight data is precisely time-stamped and interlinked for easy, fast pivots.
          • Corelight logs are 1/100th PCAP’s size and can be stored for years.
          WHITE PAPER

          5 ways Corelight data is better.

          Understanding exactly why Zeek is so much more poweful than what you're using now can be complex. This white paper illustrates five examples that show specifically how and why Corelight lets you resolve issues that can't be resolved using traditional methods like Netflow and PCAP.

          Download the white paper

          5 ways Corelight data is better

          Learn about Corelight’s powerful network logs.

          Meet the connection.log

          Like Netflow, on steroids. The master connection record with a UID so you can pivot effortlessly across all protocol activity associated with a given connection.

          Meet the dns.log

          You wish your DNS server records gave you this much detail. The full five tuple and DNS query? They’re included in Corelight’s DNS log, along with many more useful DNS fields for security operations.

          Meet the SSL.log

          Think encrypted traffic yields no secrets? False. Corelight’s encrypted traffic parsing capabilities allow you to fingerprint SSL connections for blacklisting and whitelisting, discover self-signed and expired certificates, and much more.

          Meet the files.log

          Every file that crosses the network gets its own log. File type doesn’t match the MIME type? You’ll see that in this log. Hashes for malware lookups? They’re included too. Corelight can also reassemble and extract all files that cross the network for additional downstream analysis.

          Meet the software.log

          See every unique piece of software used by a client or server on your network. Track BYO software use and outdated software versions to assist your vulnerability management program.