TALK TO AN EXPERT
ad-images-nav_0001_SANs thumb

SANS Protects: The Network

DOWNLOAD WHITE PAPER

ad-images-nav_0009_Threat-hunting-guide

Threat hunting guide

GET THE GUIDE

ad-images-nav_0013_IDS

Alerts, meet evidence.

LEARN MORE ABOUT OUR IDS SOLUTION

ad-images-nav_white-paper

5 Ways Corelight Data Helps Investigators Win

READ WHITE PAPER

ad-images-nav_0000_Thinking-like-a-threat-actor

Thinking like a Threat Actor: Hunting the Ghost in the Machine

WATCH THE WEBCAST

ad-images-nav_0006_Blog

Don't trust. Verify with evidence

READ BLOG

ad-nav-NDR-for-dummies

NDR for Dummies

GET THE WHITE PAPER

ad-nav-video

The Power of Open-Source Tools for Network Detection and Response

WATCH THE WEBCAST

ad-nav-ESG

The Evolving Role of NDR

DOWNLOAD THE REPORT

ad-images-nav_0006_Blog

Detecting 5 Current APTs without heavy lifting

READ BLOG

DISCOVER ZEEK DATA

Zeek® transforms traffic into complete, rich, structured metadata and files. Find out what makes it so powerful.

DOWNLOAD CHEATSHEETS

zeek data top hero image

PUT EVERYTHING IN CONTEXT

For decades, the world's best defenders have relied on Zeek network data. Comprised of dozens of logs for varied protocols, plus extracted files, Zeek data is a vital resource for evidence-based defenders as they seek to speed response, amplify hunting, and more, across on-prem, hybrid, and cloud environments. 

Corelight has merged the power of Zeek with a suite of enterprise features that dramatically improve Zeek usability, like an intuitive management UI, sensor health metrics, fleet management, and automated data export to Splunk, Elastic, Kafka, Syslog, and S3. Take Zeek on prem, to the cloud, and beyond with Corelight Sensors.

MicrosoftTeams-image (3)

 

Complete, connected, customizable

Fittingly, Zeek’s superpower is connection. As it monitors and records network activity, Zeek assigns a unique connection ID (UID) that links all the logs associated with each connection, while its Community ID connects network flows across data sets, regardless of the tool that produced them.

Zeek is open source and gives you an exceptional amount of control over what you monitor, and where that data goes. You can even write your own parsers, with help from Corelight.  

View Zeek data

conn.log

Zeek's conn.log provides foundational data about every connection on your network—the who, what, when, and where of your packets. It allows network and security teams to find unusual flows, unexpected protocols, policy-prohibited connections, and more, and it includes a UID for pivoting straight into the Layer 7 details. Watch conn.log video.

 

ig-conn-log-example-outlines-570x570-e021783uid
A unique identifier created on a per-connection basis that serves as a pivot key directly into all associated Layer 7 logs

service
The Layer 7 protocol detected on the connection—based on packet payload instead of port mappings

orig_bytes/resp_bytes
How much data was sent and received on the connection

duration
How long the connection remained alive

 

WATCH VIDEO

dns.log

Zeek's dns.log makes a much bigger impact than typical DNS logs—providing not just the query string and type, but also the returned addresses and server status code. The level of detail in the dns.log allows for easy follow-up on suspicious queries, without having to pivot to another data set.

 

ig-dns-log-example-outlines-570x570-2e12d20

answers
A list of all domain names and/or IP addresses sent back by the DNS server

qtype_name
Type of query being issued—IPv4, IPv6, mail, CNAME, etc

query
The name being looked up by your monitored device

rcode_name
Human-readable server respose codes, such as NXDOMAIN or NOERROR

 

WATCH VIDEO

corelight_suricata.log

The corelight_suricata.log gives you a full breakdown of IDS signatures that alert in your environment. They're directly integrated with Zeek metadata by way of the UID, which allows analysts to get all the evidence they need to evaluate alerts in a single pivot.

 

ig-suricata-log-example-outlines-570x570-a3e19c1

alert_signature
Description of what the signature is detecting

alert.metadata
Details about the signature, including age, deployment recommendations, impacted software, etc

alert.category
Type of activity being detected, such as administrator account compromise, known malware, or policy violation

alert.signature_id
Numeric ID to identify the source of the signature and pivot to its detection criteria for validation

 

WATCH VIDEO

Have questions?

Talk with one of our experts today.

CONTACT US