Press releases Corelight Announces Full Support for Elastic Common Schema for Simplified Search and Analytics Capabilities

New Corelight ECS Mapping applies to visualizations, dashboards, alerts, and machine learning

San Francisco, Calif.—Jan. 28, 2020—Corelight, provider of the most powerful network traffic analysis (NTA) solutions for cybersecurity, today reinforced its support for the Elastic Common Schema (ECS), a specification that provides a consistent and customizable way to structure log data from a variety of diverse sources in Elasticsearch. Using Corelight ECS Mapping streamlines the implementation of automated analysis methods on Zeek logs, including machine learning-based anomaly detection and alerting.

“Corelight was one of the first Elastic partners to test ECS when it was launched in 2019. Our support for ECS underscores a mutual focus on providing customers with a standardized approach on how to collect, ingest and understand their data,” said Allen Male, director of strategic alliances and partnerships for Corelight. “These efforts help customers make use of enhanced capabilities that reduce their security risk without additional analyst effort.”

ECS facilitates the unified analysis of data from diverse sources so that content such as dashboards and machine learning jobs can be applied more broadly, searches can be crafted and shared more efficiently, and field names can be recalled by analysts more easily.

“The Elastic Common Schema provides a shared language for our community of users to understand their data, collaborate to develop resources across the Elastic Stack, and more quickly drill down to identify a potential attacker or determine the root cause of an operational issue,” said Mike Paquette, director of product, Elastic SIEM. “Mapping to ECS makes it easier for users to visualize, search, drill down, and pivot through their Zeek log data, and enables easy sharing of analysis content amongst the Zeek user community.”

ECS streamlines the development of analytics content. Instead of creating new searches and dashboards each time an organization adds a data source with a new format, users can continue leveraging ECS-aware searches and dashboards. ECS also makes it far easier for organizations to directly adopt analytics content from other parties that use ECS, whether Elastic, a partner, or an open source project.

Corelight ECS mapping supports Corelight data as well as open-source Zeek and is available on Github.

For more information on ECS check out the “Introducing Elastic Common Schema” post on the Elastic blog.

Corelight product marketing has also described the benefits of Corelight ECS Mapping in its “Corelight ECS Mapping: Unified Zeek data for more efficient analytics” post now available on the Corelight blog.

About Corelight

Corelight makes powerful network traffic analysis (NTA) solutions that transform network traffic into rich logs, extracted files, and security insights for more effective incident response, threat hunting, and forensics. Corelight Sensors run on Zeek (formerly called “Bro”), the open-source network security monitoring tool used by thousands of organizations. Corelight Sensors simplify Zeek deployment and expand its performance and capabilities. Corelight’s global customers include Fortune 500 companies, major government agencies, and large research universities. Corelight is based in San Francisco, Calif. For more information, visit or follow @corelight_inc.

Media and Analyst Contact:

Kylie Heintz
Senior Director of Corporate Communications

+1 408-505-1078

Follow us on Twitter: @corelight_inc