Core Collection

The Core Collection combines proprietary Corelight packages that help sensors scale in high-throughput environments with curated insights from the Zeek® community.

Detections

Lateral movement detection (MITRE BZAR)

Detect lateral movement techniques from MITRE ATT&CK that involve SMB and DCE-RPC traffic, such as indicators targeting Windows Admin Shares and Remote File Copy, and optionally extract the files tied to a detection to support investigation of the suspicious traffic.

Cryptomining detection

Generate a notice when Bitcoin or Litecoin mining traffic is detected over TCP or HTTP.

HTTP stalling detection

Detect when a web client executes a resource exhaustion attack against a web server.

Long connections detection

Generate a notice when long-running connections occur, providing early visibility into a possible attack in progress.

Port scanning detection

Identify port scanning behavior across hosts (horizontal) or ports (vertical) for a variety of protocols.


Enrichments

Community ID

Hash the connection 5-tuple and append the result to Zeek's conn.log so analysts can quickly pivot on a connection between Corelight and tools such as Suricata, Elastic, Moloch and more.

DNS hostname annotation

Derive hostnames from DNS traffic and automatically append them to Zeek's conn.log.

POST data capture in HTTP

Extract POST data sent by a client to a server and append it to Zeek's http.log.

URL extraction in SMTP

Automatically extract URLs found in email bodies and append them to Zeek's smtp.log.

Windows version identification

Identify Windows OS hosts using HTTP connection headers and append them to the software.log.


Corelight Data Control

Data reduction

Configurable options that help you optimize SIEM performance and costs by reducing data of minimal security value in the conn, http, dns, and ssl logs, shrinking total export volumes by up to 30%.

Traffic shunting

Configurable options to conserve sensor processing bandwidth and/or SIEM data costs by shunting unwanted traffic flows at the NIC.
