
CORE COLLECTION

Curated insights from the Zeek® community plus tools that lower TCO from Corelight.

DETECT CRYPTOMINING, PORT SCANS, AND MORE

The Core Collection provides threat detection for lateral movement, port scanning, cryptomining and more via analytics developed by the Zeek community. It also includes options to enrich the evidence generated by our Open NDR Platform with additional context and can help customers reduce their SIEM costs via platform data controls. Read more on the blog.

Corelight Collections are analytics included with your Corelight subscription and can be activated depending on your needs.

  • Fast investigations with standards like JA3(S) and Community ID
  • Lower SIEM data ingestion and related costs
  • Optimize sensor performance to do more with less

Detections

Lateral movement detection (MITRE BZAR)
Detect lateral movement techniques in MITRE ATT&CK® related to SMB and DCE-RPC traffic, such as indicators targeting Windows Admin Shares and Remote File Copy, and optionally extract detection-related files to enable investigations of suspicious traffic.

Cryptomining detection
Generate a notice when Bitcoin or Litecoin mining traffic is detected over TCP or HTTP.

HTTP stalling detection
Detect when a web client executes a resource exhaustion attack on a web server.

Long connections detection
Generate a notice when long running connections occur, providing early visibility into a possible attack in progress.

Port scanning detection
Identify port scanning behavior involving hosts (horizontal) or ports (vertical) across a variety of protocols.

Enrichments

Community ID
Hash the 5-tuple and append it to Zeek’s conn.log so analysts can quickly pivot on a connection in Corelight to and from tools such as Suricata, Elastic, Arkime, Wireshark and more.

DNS hostname annotation
Derive hostnames from DNS traffic and automatically append them to Zeek's conn.log.

POST data capture in HTTP
Extract POST data sent by a client to a server and append it to Zeek's http.log.

URL extraction in SMTP
Automatically extract URLs found in email bodies and append them to Zeek's smtp.log.

Windows version identification
Identify Windows OS hosts using HTTP connection headers and append them to the software.log.
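
The Community ID enrichment above is a published, tool-neutral flow hash. The following is an added example, not Corelight's or Zeek's own code, that computes a Community ID v1 value for a conn.log-style 5-tuple: endpoints are put in canonical order so both directions of a flow hash identically, then seed, addresses, protocol, padding and ports are SHA-1 hashed and base64 encoded. The sample record is constructed, not real traffic; the ICMP type/code mapping from the spec is left out.

```python
import base64
import hashlib
import socket
import struct

# Protocol numbers whose 5-tuple carries port numbers. ICMP (1) is
# deliberately treated as port-less here; the spec maps type/code to ports.
PORTED_PROTOS = {6, 17, 132}
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "sctp": 132, "icmp": 1}


def _pack_addr(addr: str) -> bytes:
    """Pack an IPv4 or IPv6 address into network byte order."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    return socket.inet_pton(family, addr)


def community_id(orig_h, orig_p, resp_h, resp_p, proto, seed=0):
    """Community ID v1 for a Zeek-style conn.log 5-tuple.

    Hash input: seed(2, BE) + addr + addr + proto(1) + pad(1) [+ port(2) + port(2)],
    SHA-1, base64, prefixed with the version marker "1:".
    """
    proto_num = PROTO_NUMBERS[proto] if isinstance(proto, str) else proto
    a, b = _pack_addr(orig_h), _pack_addr(resp_h)
    has_ports = proto_num in PORTED_PROTOS
    pa, pb = (orig_p, resp_p) if has_ports else (0, 0)
    # Canonical order: smaller packed address first; on a tie, smaller port first.
    if a > b or (a == b and pa > pb):
        a, b, pa, pb = b, a, pb, pa
    data = struct.pack("!H", seed) + a + b + struct.pack("!BB", proto_num, 0)
    if has_ports:
        data += struct.pack("!HH", pa, pb)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def enrich_conn_record(rec, seed=0):
    """Return a copy of a conn.log-style dict with a community_id field appended."""
    out = dict(rec)
    out["community_id"] = community_id(rec["id.orig_h"], rec["id.orig_p"],
                                       rec["id.resp_h"], rec["id.resp_p"],
                                       rec["proto"], seed)
    return out


# Constructed sample record (placeholder values, not captured traffic).
SAMPLE_CONN = {"id.orig_h": "10.0.0.5", "id.orig_p": 51234,
               "id.resp_h": "192.0.2.10", "id.resp_p": 443, "proto": "tcp"}

if __name__ == "__main__":
    print(enrich_conn_record(SAMPLE_CONN))
```

Because the seed is part of the hash input, every tool pivoting on the value (Suricata, Arkime, Elastic, Wireshark) must be configured with the same seed as the sensor or the IDs will not match.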

Data control

Data reduction
Configurable options that help you optimize SIEM performance and costs by reducing data of minimal security value in the conn, http, dns, and ssl logs, shrinking total export volumes by up to 30%.

Traffic shunting
Configurable options to conserve sensor processing bandwidth and/or SIEM data costs by shunting unwanted traffic flows at the NIC.

How it works

Packages in the Core Collection can be enabled or disabled within the Corelight Sensor Management and Fleet Management user interfaces to enhance, enrich, and extend the Open NDR Platform.


ANALYTICS

Corelight Collections

Collections are targeted categories of detections, inferences, and data transformations that provide deeper visibility into adversary activity. They cover encrypted traffic, command and control activity, entity activity, and more. Detections are viewable through Corelight Investigator, or via a SIEM, XDR, or other analytics platform.

