Corelight

Performs deep packet inspection and protocol dissection on network traffic to extract granular details about communication patterns, application behavior, and protocol-level anomalies. Leverages Zeek's battle-tested engine to decode and analyze hundreds of network protocols.

Analyzes behavioral patterns in encrypted network traffic without decrypting payloads, extracting metadata such as certificate information, TLS versions, cipher suites, and communication patterns to identify suspicious encrypted connections.

Enables creation of custom detection rules using Zeek scripting language to identify specific threats, attack patterns, or policy violations. Supports deployment of custom rules to detect organization-specific threats.

Establishes baseline profiles of normal network behavior and enables comparison of current traffic against these baselines to identify deviations. Supports creation of organization-specific network behavior models.

Integrates external threat intelligence feeds with network analysis to automatically correlate observed network activity against known indicators of compromise, malicious IPs, and threat signatures.

Analyzes network traffic volume, bandwidth consumption, and performance metrics to identify capacity issues, traffic patterns, and potential DDoS or resource exhaustion attacks.

Integrates Corelight's network analysis capabilities with existing SIEM platforms, threat intelligence systems, and other security tools through standardized data formats and APIs.

Converts raw network traffic analysis into structured, machine-readable logs organized by connection type, application, and protocol. Generates standardized event records that integrate seamlessly with SIEM platforms and threat intelligence systems.

Provides detailed historical network activity records and metadata extraction capabilities to support incident investigation and forensic analysis. Enables security teams to reconstruct network events, identify attack paths, and gather evidence for incident response.

Enables security analysts to write and execute custom queries against network traffic data to hunt for specific threat indicators, suspicious patterns, or indicators of compromise. Supports iterative hypothesis testing and exploratory threat hunting workflows.

Identifies deviations from normal network communication patterns by analyzing connection characteristics, data volumes, timing patterns, and protocol usage. Detects unusual network behavior that may indicate compromise or malicious activity.

Automatically identifies and classifies applications running on the network by analyzing protocol signatures, communication patterns, and behavioral characteristics. Provides visibility into what applications are communicating across the network.

Identifies and extracts files transferred across the network from traffic analysis, enabling security teams to analyze suspicious files for malware or policy violations. Provides metadata about file transfers for investigation.

Provides detailed DNS query and response analysis including domain resolution patterns, DNS tunneling detection, and DNS-based threat indicators. Enables detection of DNS-based attacks and suspicious domain resolution activity.

Analyzes HTTP and HTTPS traffic to extract request/response metadata, headers, URIs, and behavioral patterns. Provides visibility into web-based communication and enables detection of web-based threats.