Your SIEM success depends on the data you feed it. Stop sending Netflow and other low quality, “side-effect” network logs to your SIEM and replace them with Corelight’s rich, protocol-comprehensive logs that accelerate incident response and threat hunting workflows in your SIEM. Export Corelight’s Zeek / Bro logs to Splunk, Elastic, QRadar, Spark or just about any data tool of your choice in a matter of minutes.
Corelight Sensors now ship with the MITRE BZAR package in the Core Collection, which detects lateral movement techniques in MITRE ATT&CK related to SMB and DCE-RPC traffic, such as indicators targeting Windows Admin Shares and Remote File Copy. It can also extract detection-related files to enable investigations of suspicious traffic.
Community ID is an industry flow-identification standard that creates a common hash of the 5-tuple and appends it to Corelight’s conn.log so analysts can quickly pivot on a connection in Corelight to and from equivalent flows in tools such as Suricata, Elastic, Moloch and more.
