NETWORK ASSET DISCOVERY AND INVENTORY
Asset inventory management is notoriously difficult in large enterprise environments, where an ever-changing inventory of unknown, unmanaged entities traverse the network. The Corelight Entity Collection, part of the Open NDR Platform, gives security teams powerful identification capabilities for applications, devices, services, certs, hosts, and more. This helps them more comprehensively map and defend their environment—learn more on the blog.
The Entity Collection delivers visibility around specific entity activity, for example, revealing all hosts that have used SSH in the past 24 hours. This capability helps your team understand if high value assets have been compromised by insider threats or adversaries leveraging stolen SSH credentials. Read our blog post about detecting vulnerable Boa servers.
Corelight Collections are detection sets included with every Corelight subscription and can be activated depending on your needs.
- Identify known apps and new local subnets
- Discover activity related to hosts, devices, services, names, certs, domains, and users
- See current entity activity and track it over time
- See also: Encrypted Traffic Collection
How it works
The Corelight Entity Collection identifies 80+ different applications (e.g., BitTorrent, Gmail traffic, TeamViewer) and writes them to a new connection log field, ensuring that analysts have easy access to connection context in order to accurately identify traffic, reducing need for additional pivots and lookups. Corelight also generates a notice.log every hour summarizing the local subnets observed, allowing for evidence and analytics by giving security teams the knowledge needed to correct local network settings.
Corelight also generates logs that summarize activity over time specific to different entity types such as hosts, devices, and services. This pre-aggregation of entity activity in a single log format saves analysts considerable time that would otherwise be spent manually querying larger datasets to arrive at those same insights.
Collections are targeted categories of detections, inferences, and data transformation that provide deeper visibility into adversary activity. They cover encrypted traffic, command and control activity, entity activity, and more. Detections are viewable through Corelight Investigator, or via a SIEM, XDR, or other analytics platform.