Products - Appliance Sensors

Corelight AP 5002 Sensor

100 Gbps+ monitored traffic
Supports Suricata + Zeek
Supports Smart PCAP
15 minute out-of-band deployment

Download specifications

100 Gbps+ monitored traffic
Supports Suricata + Zeek
Supports Smart PCAP
15 minute out-of-band deployment

Download specifications

Plug-and-play

2 QSFP28 modules

Configure in minutes

Automatic updates

Simple to deploy and integrate with security tools, the AP 5002 Sensor transforms 100+ Gbps of network traffic into rich, interlinked Zeek log data with embedded Suricata alerts and selectively captured packets for incident response, intrusion detection and more. The AP 5002 Sensor was designed for high-throughput analysis, from data centers to science DMZs.

Find a Reseller

Next level analytics

Behavioral analysis, machine learning, and signatures deliver comprehensive detection coverage across network vulnerabilities and attacks, powered by continuous detection engineering from Corelight Labs and open source communities.

Monitoring interface

2 QSFP28 modules with support for optical modules at 8 x 10G (via breakout cables), 2x 40G or 2 x 100G

Software

Minimalist, custom OS based on the Linux kernel optimized for secure operation

Performance

Zeek-based traffic analysis up to 100 Gbps and beyond. Enabling additional analysis workloads on the sensor like Suricata reduces throughput speed and performance will vary depending on traffic.

Export compatibility

Zeek log and Suricata alert export to Kafka, Splunk, Elastic Search, syslog, Amazon Kinesis, Apache Avro, SIEMs, and SFTP

Operational mode

Out-of-band, fed by tap, span, or packet broker

Management interface

2 x 1G ports
4 x 10G SFP28 ports

External connector

VGA, USB

Size and weight

1U rackmount, (17.1 x 29 x 1.75 inches), 47.4 lbs

Maintenance

Automatic updates and feature enhancements

Support

World-class support from the Zeek experts, standard-level support plan included. Learn more about our support programs

Hardware details

Power
SAS HBA Controller*
Monitoring port - port 2 (QSFP28)
Monitoring port - port 1 (QSFP28)
Management port - eth0 (10/100/1000 copper)
Management port - eth2 (SFP28)
Management port - eth3 (SFP28)
Management port - eth4 (SFP28)
Management port - eth5 (SFP28)
iDRAC port (10/100/1000 copper)
USB ports
VGA port (display)

* Not currently supported

Corelight AP 3100 Sensor

35 Gbps+ monitored traffic*
Supports Suricata + Zeek
Supports Smart PCAP
15 minute out-of-band deployment

Download specifications

35 Gbps+ monitored traffic*
Supports Suricata + Zeek
Supports Smart PCAP
15 minute out-of-band deployment

Download specifications

Plug-and-play

4 SFP/SFP+ interfaces OR 2 QSFP+ interfaces

Configure in minutes

Automatic updates

Simple to deploy and integrate with existing analysis tools, the AP 3100 Sensor transforms 35+ Gbps of network traffic into rich, interlinked Zeek data with embedded Suricata alerts and selectively captured packets for incident response, intrusion detection and more. The AP 3100 Sensor was designed for security pros by security pros to generate rich, actionable data and insights.

Find a Reseller

Next level analytics

Monitoring interface

Four 1G/10G SFP/SFP+ interfaces OR two 40G QSFP+ interfaces in a powerful, specialized NIC. Support for copper and optical modules at 1G and 10G or 40G

Software

Minimalist, custom OS based on the Linux kernel optimized for secure operation

Performance

*Up to 35 Gbps of Zeek-only traffic monitoring, with speeds over 35 Gbps possible with shunting (additional analysis workloads like Suricata reduce throughput speed, performance may vary depending on traffic)

Compatibility

Zeek log and Suricata alert export to Kafka, Splunk, Elastic Search, syslog, Amazon Kinesis, Apache Avro, SIEMs, and SFTP

Operational mode

Out-of-band, fed by tap, span, or packet broker

Management interface

2 x 1G ports
4 x 10G SFP+ ports

External connector

VGA, USB

Size and weight

1U rackmount (19 x 31.85 x 1.7 inches), 48 lbs

Maintenance

Automatic updates and feature enhancements

Support

World-class support from the definitive Zeek experts, standard-level support plan included, support programs available

Hardware details

Power
Monitoring port - port 4 (SFP28)
Monitoring port - port 3 (SFP28)
Monitoring port - port 2 (SFP28)
Monitoring port - port 1 (SFP28)
Management port - eth0 (10/100/1000 copper)
Management port - eth2 (SFP+ 10G)
Management port - eth3 (SFP+ 10G)
Management port - eth4 (SFP+ 10G)
Management port - eth5 (SFP+ 10G)
iDRAC port (10/100/1000 copper)
USB ports (keyboard)
VGA port (display)

ig-corelight-ap-3100-sensor-straight-on-back-with-callouts

* Enhanced 4x 10G NIC option shown. If you ordered an appliance with the enhanced 2x40G QSFP + NIC, there will be 2 monitoring ports instead of 4, with port 1 on the right and port 2 on the left.

Corelight AP 1100 Sensor

Up to 20 Gbps monitored traffic*
Supports Suricata + Zeek
Supports Smart PCAP
15 minute out-of-band deployment

Download specifications

Up to 20 Gbps monitored traffic*
Supports Suricata + Zeek
Supports Smart PCAP
15 minute out-of-band deployment

Download specifications

Plug-and-play

4 SFP/SFP+ interfaces

Configure in minutes

Automatic updates

Simple to deploy and integrate with existing analysis tools, the AP 1100 Sensor transforms up to 20 Gbps of network traffic into rich, interlinked Zeek data with embedded Suricata alerts for incident response, intrusion detection, forensics and more. The AP 1100 Sensor was designed for security professionals by security professionals to generate rich, actionable data and insights.

Find a Reseller

Next level analytics

Monitoring interface

Four 1G/10G SFP/SFP+ interfaces in a powerful, specialized NIC. Support for copper and optical modules at 1G and 10G

Software

Minimalist, custom OS based on the Linux kernel optimized for secure operation

Performance

*Up to 20 Gbps of Zeek-only traffic monitoring (additional analysis workloads like Suricata reduce throughput speed, performance may vary depending on traffic)

Compatibility

Zeek log and Suricata alert export to Kafka, Splunk, Elastic Search, syslog, Amazon Kinesis, Apache Avro, SIEMs, and SFTP

Operational mode

Out-of-band, fed by tap, span, or packet broker

Management interface

2 x 1G ports
4 x 10G SFP+ ports

External connector

VGA, USB

Size and weight

1U rackmount, (19 x 31.85 x 1.7 inches), 48lbs

Maintenance

Automatic updates and feature enhancements

Support

World-class support from the definitive Zeek experts, standard-level support plan included, support programs available

Hardware details

Power
Monitoring port - port 4 (SFP28)
Monitoring port - port 3 (SFP28)
Monitoring port - port 2 (SFP28)
Monitoring port - port 1 (SFP28)
Management port - eth0 (10/100/1000 copper)
Management port - eth2 (SFP+ 10G)
Management port - eth3 (SFP+ 10G)
Management port - eth4 (SFP+ 10G)
Management port - eth5 (SFP+ 10G)
iDRAC port (10/100/1000 copper)
USB ports (keyboard)
VGA port (display)

ig-corelight-ap-1100-sensor-straight-on-back-with-callouts

Corelight AP 200 Sensor

Up to 2 Gbps monitored traffic*
Supports Suricata + Zeek
Supports Smart PCAP
15 minute out-of-band deployment

Download specifications

Up to 2 Gbps monitored traffic*
Supports Suricata + Zeek
Supports Smart PCAP
15 minute out-of-band deployment

Download specifications

Plug-and-play

4 SFP interfaces

Configure in minutes

Automatic updates

Simple to deploy and integrate with existing analysis tools, the AP 200 Sensor transforms up to 2 Gbps of network traffic into rich, interlinked Zeek data with embedded Suricata alerts for incident response, intrusion detection, forensics and more. The AP 200 Sensor was designed for security professionals by security professionals to generate rich, actionable data and insights.

Find a Reseller

Next level analytics

Monitoring interface

Four 1G SFP interfaces in a powerful, specialized NIC. Support for copper and optical modules at 100M & 1G.

Software

Minimalist, custom OS based on the Linux kernel optimized for secure operation

Performance

*Up to 2 Gbps of Zeek-only traffic monitoring (additional analysis workloads like Suricata reduce throughput speed, performance may vary depending on traffic)

Compatibility

Zeek log and Suricata alert export to Kafka, Splunk, Elastic Search, syslog, Amazon Kinesis, Apache Avro, SIEMs, and SFT

Operational mode

Out-of-band, fed by tap, span, or packet broker

Management interface

One 10/100/1000 copper ethernet port

External connector

VGA, USB

Size and weight

1U half-depth rackmount (19 x 14.5 x 1.75 inches), 17 lbs

Maintenance

Automatic updates and feature enhancements

Support

World-class support from the definitive Zeek experts, standard-level support plan included, support programs available

Hardware details

Power
USB ports (keyboard)
Management port - eth0 (1000Mbps copper)
VGA port (display)
Monitoring port - port 4 (SFP/SFP+ 1G)*
Monitoring port - port 3 (SFP/SFP+ 1G)*
Monitoring port - port 2 (SFP/SFP+ 1G)*
Monitoring port - port 1 (SFP/SFP+ 1G)*

* Enhanced 4x 1G NIC shown.

Recent release features

Find Lateral Movement with MITRE BZAR

Corelight Sensors now ship with the MITRE BZAR package in the Core Collection, which detects lateral movement techniques in MITRE ATT&CK related to SMB and DCE-RPC traffic, such as indicators targeting Windows Admin Shares and Remote File Copy. It can also extract detection-related files to enable investigations of suspicious traffic.

Quickly investigate with Community ID

Community ID is an industry flow-identification standard that creates a common hash of the 5-tuple and appends it to Corelight’s conn.log so analysts can quickly investigate from a connection in Corelight. Access and pivot seamlessly across related logs using the community ID within your existing SIEM and correlated with existing security stack events.

Appliance Sensors

Next-level results from your SIEM

Deploy in minutes

Questions? Talk to sales:

Recent release features

Find Lateral Movement with MITRE BZAR

Quickly investigate with Community ID