Press releases

Corelight Enhances Detection Capability with Support for MITRE ATT&CK Package

New product features include data fusion capabilities for greater log customization and integration with existing network security environments

San Francisco, Calif.—June 11, 2019—Corelight, providers of the most powerful network visibility solution for cybersecurity, today launched version 17 of its software, with powerful enhancements to the full Corelight Sensor portfolio, including new features designed to provide broader customization, better integration of Corelight Sensors with customers’ existing security technologies, and expanded threat detection capabilities with support for the MITRE BZAR (Bro/Zeek ATT&CK-based Analytics and Reporting) package.

Corelight’s new data fusion capabilities enable easier integration of Corelight Sensors into existing security infrastructure. Customers can now take advantage of the Zeek “Community ID,” an open standard for hashing network flows with a common identifier, making it possible to investigate incidents more effectively. For example, a Suricata alert can be directly linked to the Corelight logs and then to Elasticsearch (through Elastic Beats) for other network events, allowing a defender to correlate attacker activity across different security technologies.

In addition, Corelight Sensors will now support the Zeek Input Framework to allow users to fuse data from a variety of sources and tools into Zeek logs. Merging external data with Zeek logs makes the job of incident response easier by adding more context (such as asset or location information from a CMDB), control options (like organization specific parameters), or precision in security analytics (through whitelists for example). The Input Framework also enables many types of closed-loop automation, both directly (whitelisting alerts for automatic case creation) or indirectly (for playbooks built with security orchestration and automation platforms).

“Our new data fusion capabilities allow analysts to make better decisions about what connections are occurring across the network and investigate more effectively across multiple security technologies,” said Brian Dye, chief product officer at Corelight. “For example, analysts can seamlessly pivot from security alerts to an investigation in Corelight data, with visibility to asset and organizational information immediately at their fingertips. This saves responders precious time and the hassle of chasing down information manually across data sources. The ways in which the Community ID and Input framework can be used within the sensor are nearly boundless.”

Finally, MITRE BZAR is a Zeek package that helps detect and investigate threats based on the ATT&CK framework. The Corelight Sensors leverage MITRE BZAR by raising alerts based on unusual lateral movement activity detected on the network, using SMB, DCE-RPC and file activity. Corelight Sensors can detect several types of activity including:

  • Lateral movement: Detecting unusual activity moving between systems
  • Credential access: Distinguishing unauthorized credentials
  • Defense evasion: Indicators of evasive file techniques such as deletion, hidden files and directories, side-loaded files and applications, indirect file execution, and port knocking
  • Execution: Identification of script execution, control panel automation, API access, or module load indicators
  • Persistence: Flagging repeated indicators of anomalous or atypical behavior on the network over time

“MITRE’s leadership and capability across security domains is well known, and their BZAR package will help organizations around the world detect and respond to key threats identified from the ATT&CK framework,” said Dye. “Their work on BZAR is a great example of the power of an open-core based approach, where the contributions of the community support many defenders, who in turn contribute their ideas, creating a virtuous cycle of defensive effectiveness for everyone in the Zeek community.”


New data fusion capabilities as well as support for the MITRE BZAR package is now available in Corelight Sensor version 17. More information on today’s launch can be found on the Corelight products page. The Corelight product team has also described the new features on the Corelight blog.

About Corelight
Corelight delivers the most powerful network visibility solutions for information security professionals, helping them understand network traffic and defend their organizations more effectively. Corelight solutions are built on the Zeek framework (formerly known as “Bro”), the powerful and widely-used open source network analysis framework that generates actionable, real-time data for thousands of security teams worldwide. Zeek data has become the ‘gold standard’ for incident response, threat hunting, and forensics in large enterprises and government agencies worldwide. Corelight makes a family of network sensors — both physical and virtual, at every scale — that take the pain out of deploying open-source Zeek by adding integrations and capabilities large organizations need. The Zeek project was initially developed at Lawrence Berkeley National Laboratory (LBNL), and has been supported by the US Department of Energy (DOE), the National Science Foundation (NSF), and the International Computer Science Institute (ICSI). Corelight is based in San Francisco, Calif. For more information, visit or follow @corelight_inc.

Media and Analyst Contact:

Kylie Heintz
Senior Director of Corporate Communications
+1 408-505-1078

Follow us on Twitter: @corelight_inc