Learn how Corelight Collections transform raw network data into actionable intelligence. Accelerate threat hunting with specialized detections for C2, encrypted traffic, and ICS.
In the SOC, the ability to detect and hunt for threats with speed and accuracy is everything. You need more than just raw data—you need focused, actionable intelligence that pinpoints malicious activity and enriches data to support deeper investigations. Corelight Collections are designed not just to provide precise detections, but to systematically enhance network data for threat hunting, transforming routine logs into the rich, investigative evidence you need to accelerate response and take decisive action. The Core Collection can also reduce data volume, shunting unnecessary logs to improve SIEM performance and lower costs.
A Corelight Collection is a curated package of threat detection, log enrichment, and analytical scripts designed to run on Corelight Sensors. Each Collection targets a specific security challenge—like identifying command and control (C2) activity or detecting encrypted traffic threats—and is purpose-built to enhance raw network data for advanced threat hunting, alongside delivering precise detections. These packages are more than just rules; they are sophisticated detection engines powered by Zeek, the world's leading open-source network security monitoring framework, that transform routine events into rich, investigative evidence you can use.
At their core, Collections are composed of advanced Zeek scripts, proprietary signatures, and analytical models. This combination allows them to analyze your network traffic with exceptional precision, transforming raw data into high-fidelity detections and enrichments that empower you and your team to act with confidence.
Indicators of Compromise (IOCs)
These are the static "fingerprints" of an attack—the known-bad artifacts like malicious IP addresses, file hashes, or domain names. Collections use proprietary signatures and curated threat intelligence to scan network traffic for these IOCs, providing a rapid first line of defense against established threats. Think of it as matching a suspect to a photograph.
Tactics, Techniques, and Procedures (TTPs)
This is where Collections truly demonstrate their power. Instead of just looking for what is bad, they analyze how attackers operate. TTPs describe the behavioral patterns of adversaries. For example, a Collection might not know a specific C2 server's IP address, but it can recognize the subtle, tell-tale communication patterns of a C2 channel. By focusing on behavior, Collections can unmask novel and emerging threats that have no known IOCs, helping you transition to a more proactive defense.
This dual strategy allows Collections to cast a wide net, catching both known threats with high efficiency and unknown threats with TTP-based behavioral analysis.
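To make the IOC and TTP strategies concrete, here is an added example (not Corelight's code and not part of this page) that runs both checks over constructed Zeek-style conn.log records in JSON-lines form. The IOC is a simple destination-IP match; the TTP check is a beaconing heuristic that flags a source/destination/port channel whose inter-arrival times and request sizes are unusually regular, which is the kind of communication pattern a C2 implant produces regardless of which server it talks to. Field names follow Zeek's conn.log; the log lines, the IOC value and the thresholds are assumptions made for the demo.

```python
"""Added example (not Corelight's code): IOC matching and beacon detection
over constructed Zeek-style conn.log records (JSON lines). Field names
follow Zeek's conn.log; records, IOC value and thresholds are made up."""
import json
import statistics
from collections import defaultdict

# Constructed IOC list: a hypothetical known-bad destination.
IOC_IPS = {"203.0.113.10"}

# Constructed conn.log records. 10.0.0.5 contacts 198.51.100.7 every 60 s
# with near-constant request sizes (beacon-like); 10.0.0.8 browses with
# irregular timing and sizes; 10.0.0.9 makes one connection to an IOC.
CONN_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": 1700000000 + 60 * i, "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7",
     "id.resp_p": 443, "proto": "tcp", "orig_bytes": 512 + (i % 2)} for i in range(12)
] + [
    {"ts": 1700000000 + t, "id.orig_h": "10.0.0.8", "id.resp_h": "93.184.216.34",
     "id.resp_p": 443, "proto": "tcp", "orig_bytes": b}
    for t, b in [(3, 1400), (17, 220), (121, 9800), (130, 330), (700, 4100)]
] + [
    {"ts": 1700000100, "id.orig_h": "10.0.0.9", "id.resp_h": "203.0.113.10",
     "id.resp_p": 8080, "proto": "tcp", "orig_bytes": 77},
])


def parse_conn_log(text):
    """Parse JSON-lines conn.log text into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ioc_hits(records, ioc_ips=IOC_IPS):
    """Static matching: every connection whose responder is a known-bad IP."""
    return [(r["id.orig_h"], r["id.resp_h"]) for r in records if r["id.resp_h"] in ioc_ips]


def beacon_candidates(records, min_conns=8, max_gap_cv=0.15, max_size_cv=0.10):
    """Behavioural matching: group connections by (src, dst, port) and, for
    channels with enough connections, compute the coefficient of variation
    of inter-arrival gaps and of request sizes. Both low = beacon-like."""
    channels = defaultdict(list)
    for r in records:
        channels[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r)
    out = []
    for (src, dst, port), conns in channels.items():
        if len(conns) < min_conns:
            continue
        conns.sort(key=lambda r: r["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(conns, conns[1:])]
        sizes = [r["orig_bytes"] for r in conns]
        mean_gap, mean_size = statistics.mean(gaps), statistics.mean(sizes)
        if mean_gap <= 0 or mean_size <= 0:
            continue  # degenerate channel (same timestamp or empty requests)
        gap_cv = statistics.pstdev(gaps) / mean_gap
        size_cv = statistics.pstdev(sizes) / mean_size
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            out.append({"src": src, "dst": dst, "port": port, "conns": len(conns),
                        "mean_gap_s": round(mean_gap, 1), "gap_cv": round(gap_cv, 3)})
    return out


if __name__ == "__main__":
    recs = parse_conn_log(CONN_LOG)
    print("IOC hits:", ioc_hits(recs))
    print("Beacon candidates:", beacon_candidates(recs))
```

On real traffic the size and timing thresholds need tuning per environment (software updaters and monitoring agents also beacon), and a candidate is a lead to pivot from, not a verdict; the point of the example is that the beacon check needs no prior knowledge of 198.51.100.7, whereas the IOC check finds only what is already on the list.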
Enhancing Network Detection and Response (NDR)
Corelight Collections are a force multiplier for any Network Detection and Response (NDR) deployment. They help to bridge the gap between having network data and having actionable network evidence.
When a Collection identifies a threat, it doesn't just raise another generic flag; Corelight Investigator can generate a detailed detection notification that is enriched with comprehensive network evidence. This is the crucial context you need to validate, investigate, and remediate a threat without the headache. Because Corelight provides the complete underlying data from Zeek, Suricata, and Smart PCAP, you can pivot directly from a detection to the exact network traffic that triggered it.
For environments that ingest Corelight data into a Security Information and Event Management (SIEM) system, the SIEM raises an alert from the logged detections and notifies the relevant stakeholders. Notifications can take various forms: email, SMS or push notifications, dashboard updates within the SIEM interface, and integration with ticketing systems (e.g., ServiceNow, Jira) to open an incident ticket. The SIEM may correlate the alert with other events to provide context, for example linking it to a sequence of failed logins followed by a successful one, or to lateral movement within the network. It may also assign a severity level (e.g., low, medium, high, critical) based on potential impact and risk, which helps security teams prioritize their response.
This integrated approach eliminates the time-consuming process of manually hunting for corroborating data across different tools. It accelerates the entire incident response lifecycle, from initial detection to final resolution, enabling your team to neutralize threats before they can cause significant damage.
The six Corelight Collections
Corelight offers a suite of specialized Collections, each engineered to address a critical area of network security. Beyond detection, many Collections—such as the Core Collection, Entity Collection, and ICS/OT Collection—are designed to enrich raw network data and provide insights, transforming data into detailed, contextualized evidence that accelerates both investigations and incident response.
For example, the Core Collection doesn’t just flag suspicious activity; it enhances your baseline logs with valuable context about users, devices, and applications, making every alert more actionable. The Entity Collection goes a step further, mapping observed network behavior back to individual assets and users, which brings clarity to complex environments and streamlines your workflow. The ICS/OT Collection enriches traditional logs with industrial control system context, decoding protocols unique to operational technology and providing vital insights for securing critical infrastructure.
By enriching the underlying data, these Collections deliver comprehensive, correlated network evidence—giving you a clear, investigative starting point, exposing relationships between assets, and supporting a fast, confident response. This advanced enrichment ensures every detection is supported by deep, easily accessible context, transforming routine network data into the kind of high-value evidence that drives security outcomes.
1. Core Collection
The Core Collection is the foundational package included with every Corelight Sensor. It detects lateral movement, port scanning, cryptomining and a range of other common threats and suspicious activities, serving as an essential security baseline. The Core Collection uses analytics developed by the Zeek community. It also includes options to enrich the evidence generated by our Open NDR Platform with additional context, and its platform data controls can help customers reduce their SIEM costs.
What it does
Applies Zeek community analytics to detect lateral movement, port scanning, cryptomining and other common suspicious activity, and optionally enriches the evidence generated by the Open NDR Platform with additional context.
Benefits
Establishes a security baseline on every sensor. Its platform data controls let you shunt unnecessary logs before they reach the SIEM, improving SIEM performance and lowering ingest costs.
2. Command and Control (C2) Collection
This Collection is laser-focused on identifying the communication channels that attackers use to control compromised systems within your network. Detecting C2 is critical for disrupting attacks in progress.
What it does
Uses a combination of behavioral analysis and IOC-based detection to uncover C2 activity, including that from prominent frameworks like Cobalt Strike and Sliver.
Benefits
Enables you to find active compromises quickly. By cutting off an attacker's ability to issue commands and exfiltrate data, you can stop a breach before it escalates.
3. Encrypted Traffic Collection
The use of TLS and SSH generally improves security hygiene, and most web and other traffic is now encrypted, but attackers increasingly use the same protocols to hide their activity. This Collection is designed to find threats hiding in plain sight inside encrypted tunnels, without requiring decryption.
What it does
Analyzes metadata, handshake properties, and behavioral characteristics of encrypted traffic to detect threats like C2, malware, and unusual data transfers.
Benefits
Enables visibility into the encrypted channel, allowing you to detect malicious activity that would otherwise be invisible. It provides a powerful security capability while respecting data privacy and avoiding the performance overhead of decryption.
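As an added illustration of metadata-only analysis (this is example code, not Corelight's Encrypted Traffic Collection and not part of this page), the block below scores constructed Zeek-style ssl.log records using only handshake properties: a missing Server Name Indication on port 443, a self-signed server certificate, an obsolete protocol version, and a client fingerprint match. Nothing is decrypted. Field names follow Zeek's ssl.log; the `ja3` field, the known-bad fingerprint value and the records themselves are assumptions for the demo.

```python
"""Added example (not Corelight's code): scoring TLS sessions from
constructed Zeek-style ssl.log records (JSON lines) using handshake
metadata only. The ja3 field and the bad fingerprint are assumptions."""
import json

# Hypothetical known-bad client fingerprint (not a real IOC).
BAD_JA3 = {"0123456789abcdef0123456789abcdef"}

OBSOLETE_VERSIONS = {"SSLv2", "SSLv3", "TLSv10"}

# Constructed ssl.log records: C1 is a normal session; C2 has no SNI and a
# self-signed certificate; C3 negotiates TLS 1.0; C4 matches the bad JA3.
SSL_LOG = "\n".join(json.dumps(r) for r in [
    {"uid": "C1", "id.orig_h": "10.0.0.8", "id.resp_h": "93.184.216.34", "id.resp_p": 443,
     "version": "TLSv13", "server_name": "example.com", "established": True,
     "validation_status": "ok", "ja3": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
    {"uid": "C2", "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7", "id.resp_p": 443,
     "version": "TLSv12", "established": True,
     "validation_status": "self signed certificate", "ja3": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"},
    {"uid": "C3", "id.orig_h": "10.0.0.12", "id.resp_h": "10.0.9.4", "id.resp_p": 443,
     "version": "TLSv10", "server_name": "legacy.internal", "established": True,
     "validation_status": "ok", "ja3": "cccccccccccccccccccccccccccccccc"},
    {"uid": "C4", "id.orig_h": "10.0.0.6", "id.resp_h": "203.0.113.55", "id.resp_p": 443,
     "version": "TLSv12", "server_name": "cdn.example.net", "established": True,
     "validation_status": "ok", "ja3": "0123456789abcdef0123456789abcdef"},
])


def parse_ssl_log(text):
    """Parse JSON-lines ssl.log text into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def score_tls(records, bad_ja3=BAD_JA3):
    """Return {uid: [reasons]} for sessions with at least one suspicious
    handshake property. Each check uses metadata Zeek logs in the clear."""
    findings = {}
    for r in records:
        reasons = []
        if r.get("id.resp_p") == 443 and not r.get("server_name"):
            reasons.append("no SNI on port 443")
        if r.get("validation_status") == "self signed certificate":
            reasons.append("self-signed server certificate")
        if r.get("version") in OBSOLETE_VERSIONS:
            reasons.append(f"obsolete protocol version {r['version']}")
        if r.get("ja3") in bad_ja3:
            reasons.append("client JA3 matches known-bad fingerprint")
        if reasons:
            findings[r["uid"]] = reasons
    return findings


if __name__ == "__main__":
    for uid, why in score_tls(parse_ssl_log(SSL_LOG)).items():
        print(uid, "->", "; ".join(why))
```

Each reason is weak on its own (internal tooling often uses self-signed certificates, and fingerprints collide), so in practice these signals are combined with the connection-level behaviour and the asset context described elsewhere on this page before an analyst acts on them.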
4. Entity Collection
The Entity Collection is engineered to bring deep clarity to network activity by correlating events and behaviors to specific entities such as users, devices, and critical assets. It creates a dynamic map of your network’s key players, turning complex data streams into actionable intelligence.
What it does
Enriches standard network logs with entity attribution, mapping behaviors to usernames, device IDs, and asset groups. It enables visibility into lateral movement, privilege escalation, and changes in asset behavior.
Benefits
Accelerates your investigations by clearly showing “who did what, where, and when,” simplifying root cause analysis and enabling rapid, targeted threat response. The added context helps you prioritize risk and uncover patterns that generic logs might miss.
5. ICS/OT Collection
Tailored for industrial control systems (ICS) and operational technology (OT) environments, the ICS/OT Collection delivers essential visibility and protection for critical infrastructure. It transforms opaque industrial protocols into clear, actionable network evidence.
What it does
Decodes and analyzes a wide range of ICS/OT-specific protocols, detects policy violations, and identifies both known and novel threats relevant to industrial networks. It enriches logs with context unique to supervisory control systems and automation equipment.
Benefits
Provides defenders with the network evidence needed to protect essential services and reduce operational risk. By bridging the gap between IT and OT security, this collection makes it possible to spot threats that target the unique workflows and systems driving industrial operations.
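As a concrete, added illustration of what "decoding an industrial protocol and detecting a policy violation" looks like (this is example code, not the ICS/OT Collection's logic and not part of this page), the block below parses Modbus/TCP request frames down to the function code and start address, then flags any write function issued by a host outside a constructed allowlist of HMI and engineering workstations. The MBAP header layout and function codes are standard Modbus/TCP; the frames, addresses and allowlist are assumptions for the demo.

```python
"""Added example (not Corelight's code): decode Modbus/TCP requests and
check a write-access policy. The MBAP header (transaction id, protocol id,
length, unit id) and the function codes are standard Modbus/TCP; the
flows and the allowlist below are constructed for the demo."""
import struct

MBAP_LEN = 7  # transaction id(2) + protocol id(2) + length(2) + unit id(1)

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}

# Hypothetical policy: only the HMI and the engineering workstation may write.
WRITE_ALLOWED = {"10.10.1.20", "10.10.1.21"}


def decode_modbus_tcp(payload: bytes):
    """Parse the MBAP header and the leading fields of the request PDU.
    Returns None for frames that are too short, not Modbus (protocol id
    must be 0) or whose length field disagrees with the frame size."""
    if len(payload) < MBAP_LEN + 1:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if pid != 0 or length != len(payload) - 6:  # length counts unit id + PDU
        return None
    fc = payload[MBAP_LEN]
    addr = None
    # Requests for the codes above carry a 16-bit start address after the fc.
    if fc in FUNCTION_NAMES and len(payload) >= MBAP_LEN + 3:
        addr = struct.unpack(">H", payload[MBAP_LEN + 1:MBAP_LEN + 3])[0]
    return {"tid": tid, "unit": unit, "fc": fc,
            "func": FUNCTION_NAMES.get(fc, f"unknown({fc})"), "addr": addr}


def build_request(tid, unit, fc, addr, value):
    """Build a minimal request frame (fc, start address, quantity/value)."""
    pdu = struct.pack(">BHH", fc, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def check_write_policy(flows, allowed=WRITE_ALLOWED):
    """flows: iterable of (src_ip, dst_ip, payload). Return one record per
    write request from a source that is not on the allowlist."""
    violations = []
    for src, dst, payload in flows:
        d = decode_modbus_tcp(payload)
        if d is None or d["fc"] not in WRITE_CODES or src in allowed:
            continue
        violations.append({"src": src, "dst": dst, "unit": d["unit"],
                           "func": d["func"], "addr": d["addr"]})
    return violations


# Constructed flows to a PLC at 10.10.2.5.
FLOWS = [
    ("10.10.1.20", "10.10.2.5", build_request(1, 1, 3, 0, 10)),        # HMI read: fine
    ("10.10.1.20", "10.10.2.5", build_request(2, 1, 6, 16, 1)),        # HMI write: allowed
    ("10.10.3.77", "10.10.2.5", build_request(3, 1, 5, 12, 0xFF00)),   # unknown host writes a coil
    ("10.10.3.77", "10.10.2.5", b"\x00\x04\x00\x01\x00\x01\x01"),      # truncated frame: ignored
]

if __name__ == "__main__":
    for v in check_write_policy(FLOWS):
        print("policy violation:", v)
```

The same shape of rule (decode to the operation, then compare the source against who is allowed to perform it) is how most OT policy checks are expressed, because in a control network the set of hosts that may write to a controller is small and known.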
6. Analyzers Collection
The Analyzers Collection offers expanded visibility for over ten network protocols. It helps remove security blind spots by identifying and monitoring specific protocols and equipping security teams to defend against threats hiding in that traffic. The covered protocols support secure communication, device discovery, remote access, logging, messaging, and resource sharing across networks, with each analyzer tailored to a specific use case such as VPNs (OpenVPN, WireGuard, IPsec), directory services (LDAP), file sharing (SMB), or event notifications (SSDP, GENA). With the Analyzers Collection, SOC teams can react more quickly to risk by identifying protocol-level anomalies in real time.
What it does
Identifies and creates enriched logs for specific network protocols, including LDAP, IPsec, SMB, and more.
Benefits
Discover activity related to lateral movement in administrative, security, and file sharing traffic. Visibility ensures that only authorized devices and users are utilizing specific protocols, reducing the risk of unauthorized access to sensitive resources like LDAP directories or SMB shares.
How it works
Packages in each of the Collections can be enabled or disabled within the Corelight Sensor Management and Fleet Management user interfaces to enhance, enrich, and extend the Open NDR Platform. Collections employ Zeek® to analyze behavioral characteristics of network traffic and integrate the results into Corelight’s comprehensive suite of evidence. Corelight Collections are enrichment and detection sets included with your Corelight subscription and can be activated depending on your needs.
The foundation: open-source data for irrefutable evidence
The true strength of Corelight Collections lies in the evidence that backs every detection. Corelight's platform is built on Zeek, which transforms raw, unstructured network packets into rich, comprehensive, queryable log data.
This means that for every detection a Collection generates, you have the complete, corresponding network evidence at your fingertips. Whether it's the full connection log, details from a file transfer, or the specifics of a DNS query, the data is there. Corelight provides the ground truth of what happened on your network. This level of detail is indispensable for incident response, threat hunting, and forensic analysis, giving you the power to not only see a threat but to understand it completely.
Ready to transform your network data into decisive action? Explore how Corelight’s Open NDR Platform can empower your security team.
We’re proud to protect some of the most sensitive, mission-critical enterprises and government agencies in the world. Learn how Corelight’s Open NDR Platform can help your organization mitigate cybersecurity risk.