Performance and Asset Visibility
Open NDR Sensors passively classify every network asset and surface threshold-based performance alerts from traffic you're already collecting, giving security and network operations teams a shared source of truth from a single deployment.
One sensor. Complete visibility for security and network operations.
Performance and Asset Visibility is a Corelight Open NDR module that passively extracts asset classification and network performance telemetry from traffic your sensors are already collecting. No additional hardware, agents, or dedicated NetOps tools required.
Visibility into actively exploited devices
Open NDR Sensors passively discover and classify every device by analyzing protocol fingerprints to identify device type, OS, manufacturer, and network role. When a threat is detected, asset context such as device type, OS, and network role appears in the same log entry as the alert.
Prove "it's not the network" in minutes, not hours
Open NDR generates domain-aware alerts correlated to actual service names: DNS query names, TLS, QUIC traffic, SNI, and HTTP Host headers. The anomaly-first architecture fires only when configurable thresholds are crossed, instantly answering in a single log entry which side of the sensor is the problem. Every performance alert includes a direct forensic pivot to the exact connection that triggered the threshold.
One sensor, one truth for SecOps and NetOps
Extract high-fidelity, anomaly-first performance signals from traffic already flowing through your Open NDR Sensors. No additional hardware, no active polling agents, no dedicated NetOps vendor bloat. Both teams work from the same evidence layer without tool-switching. Your Open NDR platform investment delivers value to both security and network operations from a single deployment.
Operationalizing intelligence across your workflow
Network evidence
Enrich log entries with device identity and performance context through asset_classification.log and net_perf.log, which integrate directly with the Open NDR evidence layer. Both logs share the same UIDs that link every Open NDR log type, making asset and performance data natively queryable in your SIEM.
Threat detection
Asset classification enables detection prioritization by device criticality and role. An alert on a domain controller triggers a different response than one on a guest Wi-Fi laptop. That context comes from asset_classification.log, without a CMDB query or manual lookup.
Incident response
During an investigation, asset classification identifies exactly what you're investigating: device type, OS, manufacturer, and network role, enriched directly into the alert. For incidents involving unmanaged and IoT devices, network-derived asset identity is the only available source of information.
Unlock deeper insights for maximum value
Network monitoring with Zeek
Network performance capability is built into Corelight's Zeek® pipeline. Its placement-aware latency decomposition is available only on Open NDR sensors, not in open-source Zeek deployments.
Agentic Triage
Agentic Triage automatically identifies the role and type of every entity in an investigation through asset classification. An alerted host resolves to a managed server, an IoT camera, or an unmanaged endpoint, giving Agentic Triage the device context it needs to write an accurate investigation summary.
Threat intelligence
Threat intelligence IOC matches gain role and criticality context from asset classification. A C2 beacon from a database server in a regulated segment carries more urgency than the same indicator from a guest laptop, and asset data makes that prioritization automatic at ingestion.
Build your platform
Performance and asset visibility is included in both the Open NDR Sensor and Investigator bundles at no additional cost. Asset classification is available as an add-on SKU.
FAQ
What is the Performance and Asset Visibility module, and what does it do?
Performance and Asset Visibility is a Corelight Open NDR module that extracts two operational intelligence streams from your existing sensors: passive asset classification via asset_classification.log and network performance telemetry via net_perf.log. No additional hardware, active polling agents, or dedicated NetOps tools required. Both capabilities run from traffic you're already collecting.
How does network performance monitoring work, and why does it only alert when something is wrong?
Net-perf uses an anomaly-first architecture. It aggregates session-level TCP RTT measurements across a configurable time window and generates a net_perf.log entry only when a threshold is crossed, not as a continuous telemetry stream. VantageTime, an Open NDR-sensor-only capability, delivers placement-aware decomposition of latency into client-side (cli_rtt) and server-side (svr_rtt). Every alert includes the UID of the first connection that triggered it, so analysts pivot directly to the exact conn.log entry for investigation.
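The anomaly-first idea described above, as an added conceptual sketch; it is not Corelight's code or algorithm. Only uid, cli_rtt and svr_rtt are names from this page; the ts and service fields, the mean aggregate, the 60-second window and the 100 ms threshold are assumptions, and the sample sessions are constructed.

```python
from collections import defaultdict

# Constructed sample measurements, one record per TCP session (not sensor output).
# RTT values are in seconds; ts and service are assumed fields for this sketch.
SESSIONS = [
    {"ts": 5,   "uid": "CAAA1", "service": "app.example.test",   "cli_rtt": 0.004, "svr_rtt": 0.010},
    {"ts": 20,  "uid": "CAAA2", "service": "app.example.test",   "cli_rtt": 0.005, "svr_rtt": 0.012},
    {"ts": 65,  "uid": "CAAA3", "service": "app.example.test",   "cli_rtt": 0.004, "svr_rtt": 0.050},
    {"ts": 70,  "uid": "CAAA4", "service": "app.example.test",   "cli_rtt": 0.005, "svr_rtt": 0.250},
    {"ts": 90,  "uid": "CAAA5", "service": "app.example.test",   "cli_rtt": 0.006, "svr_rtt": 0.300},
    {"ts": 75,  "uid": "CBBB1", "service": "files.example.test", "cli_rtt": 0.180, "svr_rtt": 0.008},
    {"ts": 100, "uid": "CBBB2", "service": "files.example.test", "cli_rtt": 0.220, "svr_rtt": 0.009},
]

WINDOW = 60.0      # assumed aggregation window, seconds
THRESHOLD = 0.100  # assumed threshold on the per-side mean RTT, seconds


def alerts(sessions, window=WINDOW, threshold=THRESHOLD):
    """Emit one record per (window, service) whose mean RTT crosses the
    threshold on either side of the sensor; quiet windows emit nothing."""
    buckets = defaultdict(list)
    for s in sorted(sessions, key=lambda s: s["ts"]):
        buckets[(int(s["ts"] // window), s["service"])].append(s)

    out = []
    for (win, service), rows in sorted(buckets.items()):
        cli = sum(r["cli_rtt"] for r in rows) / len(rows)
        svr = sum(r["svr_rtt"] for r in rows) / len(rows)
        if max(cli, svr) < threshold:
            continue  # anomaly-first: nothing is logged for a healthy window
        key = "svr_rtt" if svr >= cli else "cli_rtt"
        # Pivot UID: first session in the window that itself crossed the threshold.
        first = next((r for r in rows if r[key] >= threshold), rows[0])
        out.append({
            "window_start": win * window,
            "service": service,
            "cli_rtt": round(cli, 3),
            "svr_rtt": round(svr, 3),
            "slow_side": "server" if key == "svr_rtt" else "client",
            "uid": first["uid"],  # look this up in conn.log to investigate
        })
    return out


if __name__ == "__main__":
    for a in alerts(SESSIONS):
        print(a)
```

Seven sessions produce two records, and the first minute of healthy traffic produces none; the uid on each record is the join key into conn.log.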
How does asset classification work?
Open NDR passively fingerprints devices by analyzing protocol signatures captured in traffic. Every asset is classified by device type, OS, manufacturer, model, and network role. Classification happens continuously as traffic is observed, covering unmanaged endpoints, IoT, and shadow IT that bypass traditional inventory tools.