Why Zeek / Bro

So why do people use Zeek?

Zeek / Bro transforms raw traffic into actionable security visibility and insight, empowering analysts and analytics alike to move faster with expanded precision and capabilities.

Faster, more accurate incident response.

Reduce incident response time by up to 20x

A large international services organization used Corelight’s logs as a centralized source of truth to investigate and respond more rapidly to security incidents. Investigations like these weren’t possible before Corelight, because of a lack of security-relevant network data, or were painfully slow because of the need to gather evidence from multiple network data sources spread across business units. This improved their average incident response time from around 3 hours to under 10 minutes by creating a single, accessible source of network truth with Corelight’s network logs.

Filter out false positives more quickly

A national supermarket chain had an IR team that was overwhelmed by the number of alerts generated by their IDS. They used Corelight logs to examine, validate, and filter out a significant volume of false positive alerts. This increased their IR team’s throughput capacity to respond to relevant, serious incidents.

Diagnose attacks, understand context faster

A large research university used Corelight logs to identify interesting IOCs and then quickly pivoted to the corresponding PCAP files for deeper investigation. The result was greater visibility into potential new IOCs plus the ability to target important connections in the corresponding PCAP files.

More effective threat hunting

Expand threat hunting capabilities

Generate and aggregate indicators of compromise

A large international services organization integrated Corelight’s IP and DNS logs with the AlphaSOC threat intelligence tool to flag suspicious/malicious IPs. They also used Corelight logs to aggregate and show the rare certificates used in their environment. This allowed them to focus their threat hunting activities around high-risk IOCs.

Proactively hunt for threats like ransomware

An MSSP used Zeek’s / Bro’s SMB logs and file analyzers to monitor specific file types and file-write events that produce higher-entropy files, which can signal ransomware encrypting a network file share. They gained access to new IOCs to find potential ransomware attacks in progress.
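The two hunting techniques described above (matching IP and DNS logs against a threat-intel feed and aggregating rare certificates, and watching SMB writes for high-entropy content) are shown below as one added example. This is not Corelight's, AlphaSOC's or Zeek's code. It assumes Zeek's default tab-separated log layout with a `#fields` header, shows only a subset of each log's fields, and stands in for Zeek's entropy file analyzer with a local Shannon-entropy calculation over constructed file bodies keyed by `fuid`. The log lines, indicator feed, file bodies and thresholds are all constructed for illustration.

```python
"""Two hunting heuristics over Zeek logs (added example, not the project's code):
(1) threat-intel matching on dns.log and rare-certificate aggregation on ssl.log;
(2) high-entropy SMB writes into normally-plaintext files as a ransomware signal.
All log excerpts, indicators, file bodies and thresholds below are constructed."""
import math
import os
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

def parse_zeek_log(text: str) -> List[Dict[str, str]]:
    """Parse Zeek's tab-separated text format: '#fields' names the columns,
    other '#' lines (#separator, #types, #close, ...) are skipped."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

# --- (1) threat-intel matching and rare certificates (constructed excerpts) ---
DNS_LOG = """#fields\tts\tuid\tid.orig_h\tquery\tanswers
1600000000.1\tC1\t10.0.0.5\twww.example.com\t93.184.216.34
1600000001.2\tC2\t10.0.0.7\tupdates.bad-domain.test\t203.0.113.9
1600000002.3\tC3\t10.0.0.5\tmail.example.com\t93.184.216.35,93.184.216.36
"""
SSL_LOG = """#fields\tts\tuid\tid.orig_h\tid.resp_h\tserver_name\tsubject\tissuer
1600000010.0\tC4\t10.0.0.5\t93.184.216.34\twww.example.com\tCN=www.example.com\tCN=Example CA
1600000011.0\tC5\t10.0.0.7\t93.184.216.34\twww.example.com\tCN=www.example.com\tCN=Example CA
1600000012.0\tC6\t10.0.0.8\t93.184.216.34\twww.example.com\tCN=www.example.com\tCN=Example CA
1600000013.0\tC7\t10.0.0.7\t203.0.113.9\t-\tCN=self-signed-test\tCN=self-signed-test
"""
INTEL_DOMAINS = {"updates.bad-domain.test"}   # constructed feed, stands in for an external source
INTEL_IPS = {"203.0.113.9"}

def match_intel(dns_rows: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(uid, client, matched indicator) for every query or answer on the feed."""
    hits = []
    for r in dns_rows:
        answers = set(r["answers"].split(",")) if r["answers"] != "-" else set()
        if r["query"] in INTEL_DOMAINS:
            hits.append((r["uid"], r["id.orig_h"], r["query"]))
        for ip in sorted(answers & INTEL_IPS):
            hits.append((r["uid"], r["id.orig_h"], ip))
    return hits

def rare_certificates(ssl_rows: List[Dict[str, str]], max_clients: int = 1) -> List[Tuple[str, str]]:
    """(issuer, subject) pairs seen by at most max_clients distinct internal hosts."""
    clients: Dict[Tuple[str, str], set] = defaultdict(set)
    for r in ssl_rows:
        if r["subject"] != "-":
            clients[(r["issuer"], r["subject"])].add(r["id.orig_h"])
    return sorted(k for k, hosts in clients.items() if len(hosts) <= max_clients)

# --- (2) high-entropy SMB writes (constructed excerpt and file bodies) ---------
SMB_FILES_LOG = """#fields\tts\tuid\tid.orig_h\tfuid\taction\tpath\tname
1600000100.0\tC8\t10.0.0.5\tF1\tSMB::FILE_WRITE\t\\\\fs\\share\treport.txt
1600000105.0\tC9\t10.0.0.9\tF2\tSMB::FILE_WRITE\t\\\\fs\\share\tbudget.csv
1600000106.0\tC9\t10.0.0.9\tF3\tSMB::FILE_WRITE\t\\\\fs\\share\tnotes.txt
1600000107.0\tC9\t10.0.0.9\tF4\tSMB::FILE_OPEN\t\\\\fs\\share\tminutes.txt
1600000109.0\tC8\t10.0.0.5\tF5\tSMB::FILE_WRITE\t\\\\fs\\share\tarchive.zip
"""
UNIFORM = bytes(range(256)) * 16   # every byte value equally likely: entropy exactly 8.0
FILE_BODIES: Dict[str, bytes] = {  # constructed stand-in for what the entropy analyzer would see
    "F1": b"quarterly report: revenue up, costs flat\n" * 100,
    "F2": UNIFORM, "F3": UNIFORM, "F5": UNIFORM,
}
ENTROPY_THRESHOLD = 7.0
# Judge only extensions that should hold plaintext; zip/docx/pdf/jpeg are dense
# by design and would flood the rule with false positives.
PLAINTEXT_EXTS = {".txt", ".csv", ".log", ".xml", ".json", ".ini"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data up to 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_writes(rows, bodies):
    """(ts, client, full path, entropy) for SMB writes of dense content into plaintext-typed files."""
    out = []
    for r in rows:
        ext = os.path.splitext(r["name"])[1].lower()
        if r["action"] != "SMB::FILE_WRITE" or ext not in PLAINTEXT_EXTS or r["fuid"] not in bodies:
            continue
        ent = shannon_entropy(bodies[r["fuid"]])
        if ent >= ENTROPY_THRESHOLD:
            out.append((float(r["ts"]), r["id.orig_h"], r["path"] + "\\" + r["name"], ent))
    return out

def burst_clients(findings, window_s=60.0, min_writes=2):
    """Clients with at least min_writes suspicious writes inside any window_s-second span."""
    by_client = defaultdict(list)
    for ts, client, _, _ in findings:
        by_client[client].append(ts)
    return sorted(c for c, ts in by_client.items()
                  if any(sum(t - t0 <= window_s for t in ts if t >= t0) >= min_writes for t0 in ts))

if __name__ == "__main__":
    print(match_intel(parse_zeek_log(DNS_LOG)))
    print(rare_certificates(parse_zeek_log(SSL_LOG)))
    hits = suspicious_writes(parse_zeek_log(SMB_FILES_LOG), FILE_BODIES)
    print(hits, burst_clients(hits))
```

On real deployments the entropy value comes from Zeek's entropy file analyzer rather than from re-reading file bodies, and the per-extension allow-list matters: compressed and encrypted-by-design formats score near 8 bits per byte on their own, so an entropy rule without a type baseline produces little but noise. Rarity for certificates is measured by distinct internal clients rather than raw connection count, so a single chatty host cannot make a certificate look common.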

Getting to the truth faster

Diagnose a load balancer problem

A large P2P marketplace platform used Zeek / Bro logs to prove their commercial load balancer was having a problem that couldn’t be replicated in the lab. They were able to obtain the evidence they needed to prove their load balancer issue to the manufacturer and get the issue resolved.

Gain visibility into rogue application deployment

A large international services organization imported Corelight logs into their SIEM to monitor east-west traffic and gain visibility into internal apps running in their environment. They can now quickly identify when new internal apps are introduced and used in their environment in different business units and can more effectively manage security risk.