Learn how Zeek-enriched flow monitoring cuts SIEM ingest by 90%, trims noise, and speeds investigations across on-prem, hybrid, and multi-cloud networks.
Key takeaways
- Network flow monitoring provides visibility into how data flows across your network, which is crucial for identifying anomalies, bottlenecks, and potential threats.
- Traditional flow logs, such as NetFlow, IPFIX, and VPC Flow Logs, offer basic connection metadata but often lack the depth needed for confident threat investigations.
- Enriching flow data with Zeek® insights turns raw logs into actionable network evidence.
- Corelight’s enriched flow monitoring dramatically reduces SIEM ingest costs while improving detection fidelity.
A brief history: The origins and purpose of network flow monitoring
Long before network detection and response (NDR) tools existed, network administrators relied on network flow monitoring, using features built into routers and switches, to understand how traffic moved through their environment. The primary benefit was summarizing massive amounts of packet data into compact flow records, which showed which hosts communicated, how much data was exchanged, and over which protocols.
Early implementations focused on performance management and capacity planning, enabling teams to optimize bandwidth and identify misconfigurations. Later, security teams recognized that traffic flow patterns could reveal threats such as lateral movement, data exfiltration, or command-and-control (C2) activity.
What is network flow monitoring?
In almost any Fortune 500 network environment, on-premises or in the cloud, you'll likely find network flow monitoring enabled. Traditionally, flow monitoring has been used for network operations. Today, it's essential for network and security teams to understand what's really happening in their environments. Instead of capturing every packet and storing it in a data lake, flow monitoring provides a concise view of network activity. Formats vary by vendor or cloud provider, with common examples including NetFlow, IPFIX, and AWS VPC Flow Logs.
Network flow monitoring explained
In short, network flow monitoring is the process of collecting, analyzing, and visualizing flow records that summarize conversations between hosts. Designed as a lightweight alternative to full packet capture, flow monitoring helps answer key operational and security questions:
- What hosts are communicating?
- Over which ports and protocols?
- How much data is moving between them?
- When did the activity occur and for how long?
Visibility gaps traditional flow monitoring misses
While NetFlow, IPFIX, and cloud-native flow logs such as AWS VPC Flow Logs are foundational, they were never designed for in-depth security analysis. They capture metadata about network conversations, including source/destination IP addresses, ports, protocols, and byte counts, rather than the full packet content. This allows for scalable monitoring but limits context.
Key use cases by flow technology:
NetFlow: Ideal for troubleshooting and capacity planning, it helps identify bandwidth-intensive applications and performance bottlenecks.
IPFIX: Offers more extensibility and customization, often used for security monitoring, compliance, or detecting reconnaissance activity.
Typical flow record fields include the following:
- Source/destination IP and port
- Protocol (TCP, UDP, etc.)
- Bytes and packets transferred
- Start and end timestamps
Each log type also provides additional unique fields, but all focus primarily on network-level visibility. Traditional flows lack the cross-log correlation and depth necessary to distinguish between benign and malicious activity. Analysts often switch between SIEMs, EDR tools, and cloud consoles to validate a single alert, which slows investigations, increases noise, and drives up costs.
| Protocol | Primary Purpose | Strengths | Limitations | Best Fit For |
|---|---|---|---|---|
| NetFlow v5 | Basic traffic accounting | Lightweight, ubiquitous | Fixed fields, minimal context | Legacy networks, bandwidth tracking |
| NetFlow v9 | Flexible flow export | Template-based, extensible | Inconsistent vendor support | Modern enterprise routing/switching |
| IPFIX | Standards-based flow export | Vendor-neutral, customizable | Still lacks application metadata | Multi-vendor, service-provider networks |
| sFlow | High-speed sampling | Scales extremely well, low overhead | Sampling reduces accuracy | Large data centers, cloud fabrics |
| AWS / Azure / GCP Flow Logs | Cloud visibility | Easy to enable, cloud-native | Incomplete, lacks deep context | Cloud-only or hybrid deployments |
| Firewall / Router Native Flows | Policy-aware visibility | Includes App-ID or user fields | Vendor-specific, limited depth | Policy enforcement & compliance |
| Zeek-Enriched Flow Logs (Corelight) | Security-centric visibility | Full protocol metadata, high fidelity | Requires sensor or NSI integration | Detection, IR, forensics, SIEM cost control |
Enriched network flow monitoring vs. raw NetFlow/IPFIX
Zeek-enriched flow monitoring bridges the gap between lightweight flow records and full packet capture. Zeek (formerly Bro) is an open network security monitoring framework that extracts detailed metadata from thousands of network events, including DNS queries, HTTP requests, SSL handshakes, SSH sessions, and much more.
When Corelight enriches raw flow logs with Zeek intelligence, the result is evidence-grade telemetry that shows analysts what actually happened, without requiring full packet capture.
Feature comparison
| Feature | Raw Flow Logs | Zeek-Enriched Flow Logs (Corelight) |
|---|---|---|
| Data volume | High | 5–10× reduction |
| Context | Limited (5-tuple) | Application + protocol metadata |
| Detection fidelity | Basic | Advanced, behavioral + entity-based |
| Use cases | Performance monitoring | Threat detection, IR, forensics |
| SIEM cost impact | High | Significantly reduced |
By converting raw flows into Zeek-enriched evidence, Corelight maintains visibility, speeds investigations, and reduces SIEM ingest by up to 90 percent. Corelight extracts unidirectional flows from customer flow logs and stitches bidirectional flows, enabling aggregation across thousands of native flow records, reducing the number of logs and making security investigations easier to perform.
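As an added illustration of the stitching described above (this is not Corelight's code), the Python below pairs the two unidirectional records of each conversation in constructed AWS VPC Flow Log lines, in the default v2 field order, into one bidirectional, conn.log-style record. The rule that the side with the higher port is the originator is an assumed heuristic, not the product's logic.

```python
# Added example, not Corelight's code: stitch unidirectional AWS VPC Flow Log
# records into one bidirectional, Zeek conn.log-style record per conversation.
# Constructed sample lines in the default VPC Flow Log v2 field order.
from dataclasses import dataclass

SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.9 49152 443 6 10 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.9 10.0.1.5 443 49152 6 8 9800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.9 49152 443 6 4 500 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.9 10.0.1.5 443 49152 6 3 2100 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.7 10.0.3.4 5353 53 17 1 80 1700000010 1700000010 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.3.4 10.0.1.7 53 5353 17 1 160 1700000010 1700000010 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.8 10.0.1.5 40000 22 6 1 60 1700000030 1700000030 REJECT OK
"""

@dataclass
class Conn:                 # roughly the shape of one Zeek conn.log row
    orig_h: str; orig_p: int; resp_h: str; resp_p: int; proto: int
    ts: int; last: int
    orig_bytes: int = 0; resp_bytes: int = 0; rejected: bool = False

    @property
    def duration(self) -> int:
        return self.last - self.ts

def _orient(src, sport, dst, dport, proto):
    # Assumed heuristic: the side with the higher port is the originator.
    if sport > dport or (sport == dport and src < dst):
        return (src, sport, dst, dport, proto), True
    return (dst, dport, src, sport, proto), False

def stitch(text: str) -> list[Conn]:
    """Merge every A->B and B->A record of a conversation into one Conn."""
    conns: dict[tuple, Conn] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":      # skip blanks, headers, other versions
            continue
        key, is_orig = _orient(f[3], int(f[5]), f[4], int(f[6]), int(f[7]))
        nbytes, start, end = int(f[9]), int(f[10]), int(f[11])
        c = conns.setdefault(key, Conn(*key, ts=start, last=end))
        c.ts, c.last = min(c.ts, start), max(c.last, end)
        if is_orig: c.orig_bytes += nbytes
        else:       c.resp_bytes += nbytes
        c.rejected |= f[12] == "REJECT"
    return list(conns.values())

def record_counts(text: str) -> tuple[int, int]:  # (native records, stitched conns)
    native = sum(1 for l in text.splitlines() if l.strip())
    return native, len(stitch(text))
```

On the sample, seven native records collapse into three conversations, each carrying per-direction byte counts and a duration that no single flow-log line shows.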
Reducing SIEM ingest costs through flow enrichment
Raw telemetry is expensive to store and process. Many organizations that deploy in AWS do not use VPC Flow Logs for security analysis at all: raw VPC Flow Logs are incredibly voluminous, ingesting them is difficult and expensive, and the cost of SIEM ingestion exceeds the value they provide.
Corelight Flow Sensor circumvents these obstacles by applying Zeek-based enrichment, normalization, and deduplication before the data reaches the SIEM. This delivers:
- Up to 90 percent data reduction through normalization and event summarization
- Cost avoidance by bypassing CloudWatch/Kinesis and reading directly from an AWS S3 bucket
- Evidence prioritization, so only high-value flow data is retained or forwarded
Now, the telemetry that was spread across volumes of logs can be reduced by up to 90 percent while maintaining security fidelity. For a security practitioner, it becomes much more economical to load Zeek logs into a SIEM for security analysis. For all practical purposes, the ingested Zeek logs contain the exact same information as raw flow monitoring, but are stored in a much more concise manner. Since Zeek logs contain a UID that stitches transactions across multiple logs, threat correlation and subsequent security analysis are much easier and faster.
Top threat detection use cases enabled by enriched flow data
Flow monitoring, especially when enriched with Corelight Zeek metadata, gives security teams a powerful foundation for early threat detection and rapid investigation. Because flows capture who communicated, when the activity occurred, how much data was transferred, and how the session behaved, they provide a clear picture of what is happening across the environment. When Zeek enrichment is added, this picture becomes significantly clearer and more security-focused. Key use cases include:
Command and control detection
Flows enable the identification of beaconing patterns, unusual connection intervals, and other indicators of persistent external communication. When enriched with Zeek metadata, analysts can determine whether traffic used suspicious protocols or attempted to hide inside encrypted channels.
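One way to surface the regular connection cadence this paragraph refers to, as an added example that is not Corelight's or Zeek's code: it groups constructed Zeek conn.log-style rows by originator, responder and port, then scores how uniform the gaps between connections are. The column subset, the jitter measure and the thresholds are assumptions for the example.

```python
# Added example, not Corelight's or Zeek's code: flag beacon-like connection cadence
# in constructed Zeek conn.log-style rows; the parser follows the "#fields" header.
from collections import defaultdict
from statistics import median

SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\torig_bytes
1700000000\tCa1x01\t10.0.1.5\t203.0.113.10\t443\t312
1700000059\tCa1x02\t10.0.1.5\t203.0.113.10\t443\t312
1700000121\tCa1x03\t10.0.1.5\t203.0.113.10\t443\t312
1700000180\tCa1x04\t10.0.1.5\t203.0.113.10\t443\t312
1700000242\tCa1x05\t10.0.1.5\t203.0.113.10\t443\t312
1700000005\tCb2y01\t10.0.1.8\t198.51.100.20\t443\t1843
1700000012\tCb2y02\t10.0.1.8\t198.51.100.20\t443\t977
1700000090\tCb2y03\t10.0.1.8\t198.51.100.20\t443\t5120
1700000400\tCb2y04\t10.0.1.8\t198.51.100.20\t443\t402
1700000033\tCc3z01\t10.0.1.9\t192.0.2.7\t22\t2210
"""

def parse_zeek_tsv(text):
    """Yield one dict per data row, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def cadence(timestamps):
    """(median gap, jitter), jitter = median absolute deviation of gaps / median gap."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mid = median(gaps) if gaps else 0
    if mid <= 0:                      # one connection or duplicate timestamps
        return mid, float("inf")
    return mid, median([abs(g - mid) for g in gaps]) / mid

def find_beacons(text, min_conns=4, max_jitter=0.1):
    """(orig_h, resp_h, resp_p, count, median_gap, jitter) for each regular channel."""
    groups = defaultdict(list)
    for r in parse_zeek_tsv(text):
        groups[(r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))].append(float(r["ts"]))
    hits = []
    for key, stamps in groups.items():
        if len(stamps) < min_conns:   # too few connections to judge a cadence
            continue
        mid, jitter = cadence(stamps)
        if jitter <= max_jitter:
            hits.append((*key, len(stamps), mid, jitter))
    return hits
```

The 10.0.1.8 channel has enough connections to be scored but its irregular gaps keep it out of the result, which is the distinction between browsing and a timer-driven callback that raw byte counts alone do not give.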
Data exfiltration detection
Abnormal transfers to untrusted destinations, cloud storage services, or external networks are clearly evident in flow data. Enrichment adds valuable details such as the application involved and relevant protocol metadata, allowing analysts to confirm whether a transfer represents normal business activity or malicious intent.
Lateral movement identification
Unauthorized internal access often appears as unexpected communications between systems that do not normally interact. Flow data highlights unusual patterns such as repeated authentication attempts or unexpected service access. Zeek metadata adds context about the protocols used, helping analysts validate whether access was legitimate.
Malware propagation tracking
Malware often spreads through predictable communication patterns such as anomalous SMB activity, peer-to-peer exchanges, or attempts to scan internal subnets. These behaviors generate distinctive flow signatures that can be identified quickly, even without packet-level inspection.
Cloud misconfiguration discovery
Cloud environments introduce risks through permissive security groups, exposed endpoints, or incorrectly routed traffic. Cloud flow logs reveal these issues early, and enriched flows provide additional context that helps teams validate exposure and prioritize fixes.
These insights enable analysts to progress through investigations with confidence, supported by structured, evidence-ready telemetry that reduces guesswork and enhances accuracy.
Network flow monitoring across hybrid and cloud environments
As organizations move workloads to public cloud platforms, visibility naturally becomes fragmented. Each cloud provider uses a different flow log standard, and on-premises systems often rely on separate formats. Without normalization, it is difficult for analysts to correlate events, validate alerts, or maintain consistent detection coverage across environments.
Corelight Open NDR Platform brings these sources together into a single visibility layer that spans on-premises networks, hybrid deployments, and multi-cloud architectures. By normalizing flow logs into a common Zeek-based structure that is connected through a UID, Corelight supports critical security outcomes such as:
Attack surface management
Organizations can identify exposed services, unusual external communications, and unexpected access patterns across all environments.
Multi-cloud compliance support
Consistent flow visibility helps enforce internal policies and regulatory requirements, even when infrastructure spans multiple providers.
Centralized NDR and SOC workflows
A unified flow layer simplifies alerting, threat hunting, and investigations, enabling analysts to use a single, consistent source of evidence.
Because Zeek generates a consistent, unique identifier across all logs, analysts can easily connect related activity and build an accurate sequence of events. This reduces investigation time, simplifies everyday workflows, and improves incident response speed.
Conclusion
Enterprise IT environments have grown increasingly complex, with networks now distributed across data centers, edge environments, and multiple cloud providers. Each produces its own type of flow telemetry, creating challenges for analysts who need a consistent and reliable view of activity. Corelight’s Open NDR Platform provides a unified layer that normalizes flow data through Zeek, producing a common evidence-ready standard across all environments. This approach accelerates investigations, enhances analyst confidence, and enables more efficient security operations by leveraging clear, structured network evidence. Learn more about how Corelight does this through its Open NDR Platform.
What insights can you gain from network flow monitoring?
Network flow monitoring reveals how systems communicate, how much data moves between them, and which connections stand out as abnormal. It helps surface signs of command and control activity, data movement that may signal exfiltration, unusual lateral access, cloud misconfigurations, and other behaviors that indicate elevated risk.
How can enriched flows reduce SIEM storage costs?
Because enriched flows concentrate the most important context into a compact record, they reduce the need to forward large volumes of raw logs or full packet data to a SIEM. This leads to fewer events sent to the SIEM, lower storage requirements, and lower costs for retaining information that provides little analytic value.
Can flow monitoring replace full packet capture?
Flow monitoring does not fully replace packet capture, since packets contain full content that may be required for advanced forensics or precise reconstruction. However, enriched flows capture the vast majority of day to day investigative context at a fraction of the cost and volume, making them the preferred source for detection, triage, and routine response while reserving packet data for targeted deep dives.