Threat hunting
Identify the early stages of a ransomware attack
Use the rich evidence and detections Corelight generates around RDP, SSH, and SMB traffic to find early warning signs of ransomware, before encryption occurs.
Locate PCAP files needed for an investigation
Pivot from the logs of a Zeek®-parsed connection directly into connection packets in Moloch using the shared Community ID appended to the Zeek conn.log.
Incident response
Automate repetitive manual investigations
Turn manual data aggregation tasks into automated investigative playbooks in your SIEM. One SOC built a SOAR playbook around Corelight’s dns.log and reduced their average incident response times by 75%.
Locate PCAP files needed for an investigation
Pivot from the logs of a Corelight-parsed connection directly into the related packets in using precise timestamps and Zeek Community ID appended to Corelight’s conn.log.
Threat Hunting Guide
Learn how to use network traffic data to hunt for:
• Spearphishing attacks
• Automated exfiltration
• Lateral movement
And dozens more additional tactics and techniques.
Threat detection
Detect SSH client bruteforce attacks
Discover when a client attempts to authenticate beyond a pre-configured threshold and then successfully authenticates.
Detect hidden C2 server communications
Uncover live C2 communications via Zeek’s dpd.log when an attacker attempts to disguise their C2 traffic in a purported SSL connection.
Detect lateral movement
Detect lateral movement in MITRE ATT&CK related to SMB and DCE-RPC traffic, such as indicators targeting Windows Admin Shares and Remote File Copy. Stream Zeek logs to the Real Intelligence Threat Analytics (RITA) tool to create a daily report of potential beaconing activity.
Detect off-port protocol usage
Use Zeek’s deep protocol parsing capabilities to identify network services, such as HTTP or DNS, running on non-standard ports.
Investigate unauthorized SMB file access
Use Zeek’s SMB logs as a source of evidence to document end user access to a sensitive SMB file share without authorization.
Data enrichment
Enhance traffic monitoring with local context
Use the Zeek Input Framework to append internal server names and IT contact information fields to the conn.log to accelerate investigations and
remediation workflows.
Enhance DNS visibility
Use Zeek’s dns.log—which contains both queries and responses—to access forensic information server logs can’t provide, due to a lack of detail.
Investigate unauthorized SMB file access
Use Zeek’s SMB logs as a source of evidence to document end user access to a sensitive SMB file share without authorization.
Network operations
Monitor risky SSL certificates
Monitor self-signed and expired (or soon-to-expire) certificates via Zeek’s ssl.log.
Have questions?
Talk with one of our experts today.
