Move at the speed of attack.

Corelight transforms raw network traffic into rich logs, extracted files, and custom insights. Our comprehensive logs let security analysts make sense of traffic fast and keep up with malicious activity like lateral movement, and attacker techniques and tactics like those documented in MITRE ATT&CK.

Why Zeek?

Zeek transforms raw traffic into actionable security visibility and insight, empowering analysts and analytics alike to move faster with expanded precision and capabilities. So why do people use Zeek?

Faster, more accurate incident response.

Reduce incident response time by up to 20x

A large international services organization used Corelight’s logs as a centralized source of truth to investigate and respond more rapidly to security incidents. Investigations like these weren’t possible before Corelight, because of a lack of security-relevant network data, or were painfully slow because of the need to gather evidence from multiple network data sources spread across business units. This improved their average incident response time from around 3 hours to under 10 minutes by creating a single, accessible source of network truth with Corelight’s network logs.

A large international services organization used Corelight’s logs as a centralized source of truth to investigate and respond more rapidly to security incidents. Investigations like these weren’t possible before Corelight, because of a lack of security-relevant network data, or were painfully slow because of the need to gather evidence from multiple network data sources spread across business units. This improved their average incident response time from around 3 hours to under 10 minutes by creating a single, accessible source of network truth with Corelight’s network logs.

Filter out false positives more quickly

A national supermarket chain had an IR team that was overwhelmed by the number of alerts generated by their IDS. They used Corelight logs to examine, validate, and filter out a significant volume of false positive alerts. This increased their IR team’s throughput capacity to respond to relevant, serious incidents.

Diagnose attacks, understand context faster

A large research university used Corelight logs to diagnose a suspected DDoS attack flagged by their IDS. Corelight logs demonstrated that the IDS had the direction of the attack wrong & that it was in fact the University’s system which was infected, talking out to China. They corrected the misinformation provided by their IDS & resolved the incident.

More effective threat hunting

Expand threat hunting capabilities

A large research university used Corelight logs to manually identify interesting/risky IOCs and then quickly pivoted from those logs to the corresponding PCAP files for deeper investigation. They gained visibility into new potential IOCs and the ability to easily target the important connections in corresponding PCAP files.

A large research university used Corelight logs to manually identify interesting/risky IOCs and then quickly pivoted from those logs to the corresponding PCAP files for deeper investigation. They gained visibility into new potential IOCs and the ability to easily target the important connections in corresponding PCAP files.

Generate and aggregate indicators of compromise

A large international services organization integrated Corelight’s IP and DNS logs with the AlphaSOC threat intelligence tool to flag suspicious/malicious IPs. They also used Corelight logs to aggregate and show the rare certificates used in their environment. This allowed them to focus their threat hunting activities around high-risk IOCs.

Proactively hunt for threats like ransomware

An MSSP used Zeek’s SMB logs and file analyzers to monitor specific file types and file writing events that create higher entropy files, which can potentially signal ransomware encrypting a network file share. They gained access to new IOCs to find potential ransomware attacks in progress.

Getting to the truth faster

Diagnose a load balancer problem

A large P2P marketplace platform used Zeek logs to prove their commercial load balancer was having a problem that couldn’t be replicated in the lab. They were able to obtain the evidence they needed to prove their load balancer issue to the manufacturer and get the issue resolved.

A large P2P marketplace platform used Zeek logs to prove their commercial load balancer was having a problem that couldn’t be replicated in the lab. They were able to obtain the evidence they needed to prove their load balancer issue to the manufacturer and get the issue resolved.

Gain cases into rogue application deployment

A large international services organization imported Corelight logs into their SIEM to monitor east-west traffic and gain visibility into internal apps running in their environment. They can now quickly identify when new internal apps are introduced and used in their environment in different business units and can more effectively manage security risk.

A large international services organization imported Corelight logs into their SIEM to monitor east-west traffic and gain visibility into internal apps running in their environment. They can now quickly identify when new internal apps are introduced and used in their environment in different business units and can more effectively manage security risk.