Network data for humans.

You don't need more alerts, most of them crying wolf and wasting your time. And you don’t need packet upon packet dumped on you indiscriminately. What you need is a unifying foundation that gives you the right amount of data at the right time, organized into highly actionable logs. We needed it too. That’s why we founded Corelight.


Highlighted features from recent Corelight software releases.

The Core Collection: curated Zeek packages for out-of-the-box insight.

All Corelight Sensors now come preloaded with the Core Collection, a set of Zeek packages curated and certified by Corelight for performance and stability that provide threat detection, data enrichment, and operational insight.

Detection packages

  • Cryptomining detection: Generates a notice when Bitcoin or Litecoin mining traffic is detected over TCP or HTTP.
  • SSL fingerprinting (JA3): Creates a hash of every SSL/TLS client and server negotiation, which can be used for hunting or matched against threat intelligence feeds.
  • SSH fingerprinting (HASSH): Creates a hash of every SSH client and server negotiation, which can be used for hunting or matched against threat intelligence feeds.
  • HTTP stalling detection: Detects when a web client executes a resource exhaustion attack on a web server.
  • Long connections detection: Generates a notice when long-running connections occur, providing early visibility into a possible attack in progress.
  • Port scanning detection: Identifies port scanning behavior involving hosts (horizontal) or ports (vertical) across a variety of protocols.

Data enrichment packages

  • URL extraction in SMTP: Automatically extracts URLs found in email bodies and appends them to Zeek's smtp.log.
  • POST data capture in HTTP: Extracts POST data sent by a client to a server, and appends it to Zeek's http.log.
  • DNS hostname annotation: Derives hostnames from DNS traffic and automatically appends them to Zeek's conn.log.

Operational packages

  • Data Reduction: A set of configurable options that help you optimize SIEM performance and costs by reducing data of minimal security value in the conn, http, dns, and ssl logs, shrinking total export volumes by up to 30%.
  • SSL certificate monitoring: Provides visibility into local X.509 certificates seen over SSL/TLS that have expired or will expire soon.
  • Traffic shunting: Enables the conservation of sensor processing bandwidth and/or SIEM data costs by shunting unwanted traffic flows at the NIC.
  • Windows Version Identification: Identifies Windows OS hosts using HTTP connection headers and appends them to the software.log.

Support for the Zeek Intelligence Framework.

Expand the power of Corelight Sensors:

  • Match known indicators of compromise to your network traffic
  • Easy integration with intel feeds like Anomali and ThreatConnect
  • Flag IPs, URLs, emails, hashes and more

Zeek, with a snappy UI.

15-minute Zeek deployment with a modern web app, so you don't need knowledge of command-line configuration.

  • At-a-glance status of your Corelight Sensor inputs and exporters
  • Dashboard with status and key metrics like interfaces, log rates and ports
  • Monitor key sensor health metrics like memory and CPU usage and system temperature
  • LDAP integration

Handle large "elephant flows" like massive datasets transferred over science DMZs with flow shunting.

The Sensor removes elephant flows from its processing jobs, extracting only the key information, which allows you to save on data processing costs and scale your Sensor beyond 25 Gbps.

Flow shunting (AP 3000 only)

  • Implementation via custom Zeek scripts
  • Runs in the Corelight NIC for high performance
  • Implementation assistance available from Corelight

Deploying a Zeek network monitoring sensor has never been faster or easier.

Click to configure

  • Data input options: Where is the data coming from?
  • Export targets: Where do you want the Zeek logs to go? (like Kafka, Amazon S3, Splunk, JSON, Syslog and which logs to include / exclude)
  • Log forking & filtering: Send full logs to storage and send a separate, filtered stream to SIEM to save on processing costs.
  • Zeek packages: Which Corelight or custom Zeek packages do you want to run?
  • File extraction export: Set parameters and file destinations.

Corelight Sensors make running and managing Zeek simple and smooth.

  • Set up performance reporting options for your Corelight Sensor.
  • Update and maintain your Corelight Sensors from the GUI.
  • Automatic software updates: Phone-home capability to ensure your Sensor is always up to date.
  • Comprehensive API.
  • Optimized file extraction: Control which files are automatically extracted from network traffic and saved for later forensic analysis.
  • Custom scripts: Corelight Sensors support custom scripts. Add capabilities from existing scripts in GitHub or write your own to meet the needs of your organization.