Core Collection

The Core Collection combines proprietary Corelight packages that help sensors scale in high-throughput environments with curated insights from the Zeek® community.

Detections

Lateral movement detection (MITRE BZAR)

Detect lateral movement techniques from MITRE ATT&CK in SMB and DCE-RPC traffic, such as indicators of Windows Admin Shares and Remote File Copy, using MITRE's BZAR (Bro/Zeek ATT&CK-based Analytics and Reporting) scripts, and optionally extract the files involved so suspicious transfers can be investigated

Cryptomining detection

Generate a notice when Bitcoin or Litecoin mining traffic is detected over TCP or HTTP

HTTP stalling detection

Detect when a web client attempts a resource exhaustion attack on a web server by holding requests open (HTTP stalling)

Long connections detection

Generate a notice when a connection stays open past a duration threshold, giving early visibility into a possible attack in progress before the connection closes and is written to conn.log

Port scanning detection

Identify port scanning behavior involving hosts (horizontal) or ports (vertical) across a variety of protocols
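The horizontal/vertical distinction above is easiest to see on real records. The following is an added example, not Corelight's or Zeek's scan package: it walks constructed conn.log lines, counts only connections whose conn_state shows the responder never completed a handshake, and raises a notice when one source touches many hosts on one port (horizontal, Address_Scan) or many ports on one host (vertical, Port_Scan). The thresholds, sample addresses and notice names are assumptions; the names follow the convention of Zeek's policy/misc/scan.zeek.

```python
"""Horizontal (address) vs. vertical (port) scan detection over conn.log records.

Added illustration, not the code of Corelight's or Zeek's scan package. The
thresholds, notice names and sample log lines are assumptions chosen for the
example; the notice names mirror Zeek's policy/misc/scan.zeek convention.
"""
from collections import defaultdict

# conn_state values meaning the responder never completed a handshake: S0 (SYN,
# no reply), REJ (SYN answered with RST), RSTOS0 (originator sent SYN then RST).
# Scanners accumulate these far faster than real clients do.
FAILED_STATES = {"S0", "REJ", "RSTOS0"}


def constructed_conn_log():
    """Constructed conn.log excerpt (tab-separated):
    ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto conn_state"""
    lines = []
    # scanner A: one port across many hosts (horizontal / address scan), all unanswered
    for i in range(6):
        lines.append(f"1700000000.{i}\tCa{i}\t10.0.0.5\t4000{i}\t10.0.1.{10 + i}\t22\ttcp\tS0")
    # scanner B: many ports on one host (vertical / port scan), all rejected
    for i, port in enumerate((21, 22, 23, 25, 80, 443)):
        lines.append(f"1700000001.{i}\tCb{i}\t10.0.0.7\t4100{i}\t10.0.2.20\t{port}\ttcp\tREJ")
    # legitimate client: many hosts on 443, but every handshake completed (SF)
    for i in range(6):
        lines.append(f"1700000002.{i}\tCc{i}\t10.0.0.9\t4200{i}\t10.0.3.{30 + i}\t443\ttcp\tSF")
    return "\n".join(lines)


def parse_conn_log(text):
    """Parse the tab-separated excerpt into dicts with the fields the detector needs."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, _uid, orig_h, _orig_p, resp_h, resp_p, proto, state = line.split("\t")
        rows.append({"orig_h": orig_h, "resp_h": resp_h, "resp_p": int(resp_p),
                     "proto": proto, "conn_state": state})
    return rows


def detect_scans(rows, horizontal_threshold=5, vertical_threshold=5):
    """Return a notice for every (scanner, protocol, port) or (scanner, protocol, host)
    key whose distinct-target count crosses the matching threshold."""
    hosts_per_port = defaultdict(set)   # (src, proto, port) -> distinct target hosts
    ports_per_host = defaultdict(set)   # (src, proto, host) -> distinct target ports
    for r in rows:
        if r["conn_state"] not in FAILED_STATES:
            continue                    # completed connections are not scan evidence
        hosts_per_port[(r["orig_h"], r["proto"], r["resp_p"])].add(r["resp_h"])
        ports_per_host[(r["orig_h"], r["proto"], r["resp_h"])].add(r["resp_p"])

    notices = []
    for (src, proto, port), hosts in hosts_per_port.items():
        if len(hosts) >= horizontal_threshold:
            notices.append({"note": "Scan::Address_Scan", "src": src, "proto": proto,
                            "port": port, "count": len(hosts)})
    for (src, proto, dst), ports in ports_per_host.items():
        if len(ports) >= vertical_threshold:
            notices.append({"note": "Scan::Port_Scan", "src": src, "proto": proto,
                            "dst": dst, "count": len(ports)})
    return notices


if __name__ == "__main__":
    for notice in detect_scans(parse_conn_log(constructed_conn_log())):
        print(notice)
```

Filtering on conn_state is what keeps the busy but legitimate client (six completed sessions to port 443) out of the notices; a counter that ignored handshake outcome would flag it alongside the real scanners.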

Enrichments

Community ID

Compute the Community ID flow hash (a seeded, direction-independent SHA-1 of the 5-tuple) and append it to Zeek's conn.log so analysts can quickly pivot on a connection between Corelight and tools such as Suricata, Elastic, Moloch (now Arkime) and more

DNS hostname annotation

Derive hostnames from DNS traffic and automatically append them to Zeek's conn.log

POST data capture in HTTP

Extract POST data sent by a client to a server and append it to Zeek's http.log. Request bodies routinely carry credentials, session tokens and personal data, so treat this field as sensitive when exporting logs to a SIEM

URL extraction in SMTP

Automatically extract URLs found in email bodies and append them to Zeek's smtp.log

Windows version identification

Identify the Windows version of hosts from HTTP request headers (the User-Agent string) and record it in Zeek's software.log

Corelight Data Control

Data reduction

Configurable options that help you optimize SIEM performance and costs by reducing data of minimal security value in the conn, http, dns, and ssl logs, shrinking total export volumes by up to 30%

Traffic shunting

Configurable options to conserve sensor processing bandwidth and/or SIEM data costs by shunting unwanted traffic flows at the NIC
