Core Collection

The Core Collection combines proprietary Corelight packages that help sensors scale in high-throughput environments with curated insights from the Zeek® community.
Lateral movement detection (MITRE BZAR)
Detect lateral movement techniques from MITRE ATT&CK that surface in SMB and DCE-RPC traffic, such as indicators of Windows Admin Shares and Remote File Copy activity, and optionally extract the files involved in a detection so the suspicious traffic can be investigated
Cryptomining detection
Generate a notice when Bitcoin or Litecoin mining traffic is detected over TCP or HTTP
HTTP stalling detection
Detect a web client that deliberately stalls its HTTP requests to tie up server connections, a resource exhaustion attack on the web server
Long connections detection
Generate a notice when long running connections occur, providing early visibility into a possible attack in progress
Port scanning detection
Identify port scanning, whether horizontal (one port probed across many hosts) or vertical (many ports probed on one host), across a variety of protocols
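The horizontal/vertical distinction above is easiest to see in code. The following is an added example, not Corelight's or Zeek's own package code: it reads a constructed excerpt of a Zeek conn.log (a subset of the real columns), counts only connection attempts that never completed, and raises a horizontal notice when one origin hits the same port on many hosts and a vertical notice when it hits many ports on one host. The thresholds, the set of conn_state values treated as "failed", and the sample records are all assumptions of the example.

```python
from collections import defaultdict

# Zeek conn.log columns kept in the constructed sample below (a subset of the real log).
COLUMNS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "conn_state"]

# Constructed sample (tab-separated, Zeek style; '#' lines are headers/comments):
#  * 10.0.0.5 probes tcp/445 on six different hosts and gets no reply (S0)  -> horizontal
#  * 10.0.0.7 probes six different ports on 10.0.0.20 and is rejected (REJ) -> vertical
#  * 10.0.0.8 has ordinary completed sessions (SF) to several ports        -> not a scan
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1700000000.10\tC1a\t10.0.0.5\t40001\t10.0.0.10\t445\ttcp\tS0
1700000000.11\tC1b\t10.0.0.5\t40002\t10.0.0.11\t445\ttcp\tS0
1700000000.12\tC1c\t10.0.0.5\t40003\t10.0.0.12\t445\ttcp\tS0
1700000000.13\tC1d\t10.0.0.5\t40004\t10.0.0.13\t445\ttcp\tS0
1700000000.14\tC1e\t10.0.0.5\t40005\t10.0.0.14\t445\ttcp\tS0
1700000000.15\tC1f\t10.0.0.5\t40006\t10.0.0.15\t445\ttcp\tS0
1700000001.10\tC2a\t10.0.0.7\t50001\t10.0.0.20\t21\ttcp\tREJ
1700000001.11\tC2b\t10.0.0.7\t50002\t10.0.0.20\t22\ttcp\tREJ
1700000001.12\tC2c\t10.0.0.7\t50003\t10.0.0.20\t23\ttcp\tREJ
1700000001.13\tC2d\t10.0.0.7\t50004\t10.0.0.20\t25\ttcp\tREJ
1700000001.14\tC2e\t10.0.0.7\t50005\t10.0.0.20\t80\ttcp\tREJ
1700000001.15\tC2f\t10.0.0.7\t50006\t10.0.0.20\t443\ttcp\tREJ
1700000002.10\tC3a\t10.0.0.8\t60001\t10.0.0.30\t22\ttcp\tSF
1700000002.11\tC3b\t10.0.0.8\t60002\t10.0.0.30\t80\ttcp\tSF
1700000002.12\tC3c\t10.0.0.8\t60003\t10.0.0.30\t443\ttcp\tSF
1700000002.13\tC3d\t10.0.0.8\t60004\t10.0.0.30\t3389\ttcp\tSF
1700000002.14\tC3e\t10.0.0.8\t60005\t10.0.0.30\t5432\ttcp\tSF
1700000002.15\tC3f\t10.0.0.8\t60006\t10.0.0.30\t8080\ttcp\tSF
"""

# conn_state values this example treats as "the responder never completed the session":
# S0 (no reply seen), REJ (attempt rejected), RSTOS0 (originator SYN then RST, no responder data).
# Which states count as a failed attempt is an assumption of this example, not a Corelight setting.
FAILED_STATES = {"S0", "REJ", "RSTOS0"}


def parse_conn_log(text):
    """Yield one dict per data line of a conn.log excerpt, skipping '#' header/comment lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        yield dict(zip(COLUMNS, line.split("\t")))


def detect_scans(records, host_threshold=5, port_threshold=5):
    """Return sorted scan notices as (kind, origin, target, count) tuples.

    horizontal: one origin reaches >= host_threshold distinct responders on the same proto/port.
    vertical:   one origin reaches >= port_threshold distinct ports on the same responder.
    Only failed attempts are counted, so a busy but legitimate client does not trigger.
    """
    hosts_per_port = defaultdict(set)   # (orig_h, proto, resp_p) -> {resp_h}
    ports_per_host = defaultdict(set)   # (orig_h, proto, resp_h) -> {resp_p}
    for r in records:
        if r["conn_state"] not in FAILED_STATES:
            continue
        hosts_per_port[(r["id.orig_h"], r["proto"], r["id.resp_p"])].add(r["id.resp_h"])
        ports_per_host[(r["id.orig_h"], r["proto"], r["id.resp_h"])].add(r["id.resp_p"])

    notices = []
    for (orig, proto, port), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            notices.append(("horizontal", orig, f"{proto}/{port}", len(hosts)))
    for (orig, proto, host), ports in ports_per_host.items():
        if len(ports) >= port_threshold:
            notices.append(("vertical", orig, host, len(ports)))
    return sorted(notices)


if __name__ == "__main__":
    for notice in detect_scans(parse_conn_log(SAMPLE_CONN_LOG)):
        print(notice)
```

Run as-is the script reports one horizontal notice for 10.0.0.5 on tcp/445 and one vertical notice for 10.0.0.7 against 10.0.0.20; the SF sessions from 10.0.0.8 are ignored because they completed. A production detector would additionally window the counts in time and expire state, which this example leaves out.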

Data enrichment packages
Community ID
Compute the Community ID flow hash, a direction-independent hash of the connection's addresses, ports and protocol, and append it to Zeek's conn.log so analysts can pivot on a connection between Corelight and tools that emit the same ID, such as Suricata, Elastic, Moloch and more
DNS hostname annotation
Derive hostnames from DNS traffic and automatically append them to Zeek's conn.log
POST data capture in HTTP
Extract POST data sent by a client to a server and append it to Zeek's http.log
URL extraction in SMTP
Automatically extract URLs found in email bodies and append them to Zeek's smtp.log
Windows version identification
Identify the Windows version of hosts from their HTTP request headers and record it in Zeek's software.log
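The Community ID entry above relies on every tool computing the same hash for the same flow. As an added example (not Corelight's or Zeek's package code), here is a Community ID v1 computation written from the public spec, plus a small helper that annotates a conn.log record with it. The sample record is constructed (its uid is made up); it uses the TCP flow 128.232.110.120:34855 to 66.35.250.204:80 that the spec's reference material uses as its worked vector. Only TCP, UDP and SCTP are handled; the spec's ICMP type/code mapping is deliberately left out.

```python
import base64
import hashlib
import ipaddress
import struct

# Zeek proto names mapped to IP protocol numbers for the protocols whose flows carry ports.
# ICMP/ICMPv6 need the spec's type/code mapping, which this example does not implement.
PORT_PROTOS = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id_v1(saddr, daddr, proto, sport, dport, seed=0):
    """Return the Community ID v1 string ("1:" + base64 SHA-1) for a flow.

    Hash input per the public spec: seed (2 bytes BE) | saddr | daddr |
    proto (1 byte) | 0x00 pad | sport (2 bytes BE) | dport (2 bytes BE).
    The endpoints are first put into canonical order (lower address, then
    lower port, first) so both directions of a flow yield the same ID.
    """
    src = ipaddress.ip_address(saddr).packed
    dst = ipaddress.ip_address(daddr).packed
    if src > dst or (src == dst and sport > dport):
        src, dst = dst, src
        sport, dport = dport, sport
    data = (
        struct.pack("!H", seed)
        + src
        + dst
        + struct.pack("!BB", proto, 0)
        + struct.pack("!HH", sport, dport)
    )
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


def annotate_conn(record):
    """Add a community_id field to a conn.log record (dict keyed by Zeek column name).

    Only tcp/udp/sctp records are annotated; any other proto is returned unchanged.
    """
    proto = PORT_PROTOS.get(record["proto"])
    if proto is None:
        return record
    record["community_id"] = community_id_v1(
        record["id.orig_h"], record["id.resp_h"], proto,
        int(record["id.orig_p"]), int(record["id.resp_p"]),
    )
    return record


# Constructed conn.log record (uid is made up) for the spec's reference flow.
SAMPLE_CONN = {
    "uid": "CHhAvVGS1DHFjwGM9",
    "id.orig_h": "128.232.110.120", "id.orig_p": "34855",
    "id.resp_h": "66.35.250.204", "id.resp_p": "80",
    "proto": "tcp",
}

if __name__ == "__main__":
    print(annotate_conn(dict(SAMPLE_CONN))["community_id"])
```

The canonical ordering step is the part that makes the pivot work: the reply direction of the same session, or a record from a tool that logs flows client-to-server while another logs them server-to-client, still produces the identical ID. A non-zero seed, if configured, changes every ID, so all tools you pivot between must share the same seed.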

Operational packages

Corelight Data Control

Data reduction
Configurable options that improve SIEM performance and cost by dropping data of minimal security value from the conn, http, dns, and ssl logs, shrinking total export volume by up to 30%
Traffic shunting
Configurable options to conserve sensor processing bandwidth and/or SIEM data costs by shunting unwanted traffic flows at the NIC