Corelight Open NDR – "Evidence-First" Network Detection & Response solution for modern SOC

In the context of increasingly sophisticated cyberattacks, organizations need not only alerts – they need evidence to investigate and respond accurately. Corelight Open NDR brings an evidence-first approach to Network Detection & Response, transforming all network traffic into high-quality telemetry and metadata for threat hunting and incident response.

Introduction to Corelight

Corelight is a cybersecurity company specializing in Network Detection & Response (NDR), focusing on transforming network data (on-premises and cloud) into evidence for investigation.

Corelight is built on the Zeek® platform (formerly Bro), created by Dr. Vern Paxson, co-founder of Corelight. Zeek has over 20 years of research behind it and more than 10,000 deployments worldwide.

Corelight brings Zeek and open-source components into a "packaged – operated – scalable" NDR platform for SOC.

Corelight Open NDR solution overview

Corelight Open NDR provides comprehensive network visibility for:

  • On-prem environment

  • Hybrid Cloud

  • Multi-Cloud (AWS, Azure, GCP)

Combined solution:

  • Zeek (Network Security Monitoring)

  • Suricata IDS

  • Proprietary Smart PCAP

  • Static File Analysis (YARA)

  • Threat Intelligence

  • Detection & Analytics

The platform is designed following the model:

Open NDR Platform + Sensors + Detection Collections

Corelight Open NDR architecture

Open NDR Platform

Unified in one system:

  • NSM (Network Security Monitoring)

  • IDS (Suricata)

  • PCAP

  • Static file analysis (YARA)

  • Detection & Analytics

Main components:

  • Investigator (SaaS NDR): simplifies Tier-1 workflow with an evidence-first approach

  • Zeek: traffic analysis and high-precision log generation

  • Suricata IDS: rule-based detection

  • Smart PCAP: selective packet capture for optimized storage

  • YARA: malware detection by pattern

Sensors (Data collection sensors)

Flexible deployment:

Cloud Sensors (AWS/GCP/Azure)

  • Transform cloud traffic into security evidence

  • Enrich with cloud control plane data

  • Support cloud-native detection

Software Sensor

  • Install on existing infrastructure

  • Suitable for locations where a hardware appliance cannot be deployed

Virtual Sensors (Hyper-V / VMware)

  • Virtual traffic analysis

  • Optimize log capacity

Appliance Sensors (Hardware)

  • High performance for data centers

Flow Monitoring Sensor

  • Standardize, correlate, and enrich flow logs

  • Enhance multi-layer investigation efficiency

Detection Collections

Advanced detection modules:

  • C2 Collection – Detects command-and-control behavior mapped to MITRE ATT&CK

  • Core Collection – Optimized for high-bandwidth environments

  • Encrypted Traffic Collection – Analyzes SSL/SSH/RDP traffic (JA3 fingerprints…) without decryption

Key features of Corelight Open NDR

Open source

  • Corelight maintains Zeek, a technology with over 20 years of funded development

  • Support for custom Suricata rules

  • More effective zero-day detection

Open data

  • Export data to SIEM, XDR

  • Raw data access

  • Support generative AI through open data standards

Open platform

  • Send data to any system

  • Protect long-term investment

  • Investigator supports direct investigation on the dashboard

Business benefits

Complete Hybrid Cloud visibility

  • Analyze all on-prem & cloud traffic

  • Reduce cloud blind spots & shadow IT

  • Detect threats in encrypted traffic without decryption

Increase detection accuracy

Integration:

  • Zeek + Suricata

  • Machine Learning

  • Behavior analysis

  • Cloud & on-prem discovery

  • Community signatures

Corelight provides transparent ML detection with feature-level scoring.

Accelerate incident response

  • AI-assisted investigation

  • GPT-explained alerts

  • Natural language investigation guidance

  • Reduce MTTR

  • Reduce reliance on external IR

Increase SOC operational efficiency

  • Unified NDR + IDS + PCAP

  • No need for multiple separate sensors

  • Reduce management costs

  • No need to retrain the SOC team

  • Improve analyst retention

Ecosystem integration capability

Corelight Open NDR integrates deeply with:

CrowdStrike

  • Falcon XDR

  • Falcon LogScale

  • Unified EDR + NDR

Google / Mandiant

  • Google Cloud Security Operations integration

  • Enriched with Mandiant Threat Intelligence

  • Analysis via Chronicle

Microsoft

  • Microsoft Sentinel integration

  • Support resource-constrained SOCs

  • Provides correlated logs for over 50 protocols

Splunk

  • Splunk Enterprise Security integration

  • Splunk SOAR support

  • Universal Forwarder optimizes ingest

Third-party assessment

Corelight is recognized:

Leader – Gartner Magic Quadrant for Network Detection and Response 2025

Corelight Investigator dashboard

Corelight Open NDR solution distributed in Vietnam by Sonic

Sonic provides the Corelight Open NDR solution with full consulting, deployment, and technical support services in Vietnam.

👉 Learn more about other cybersecurity solutions at:
https://sonictech.com.vn/

👉 Official website of the brand Corelight:
https://corelight.com/

————————–
Sonic Technology Solutions Joint Stock Company (Sonic Technology)
Hanoi: 8th Floor, Licogi 13 Building, 164 Khuất Duy Tiến, Thanh Xuân Ward, Hanoi City
HCM: 1st Floor, Zone A, Waseco Building, No. 10 Pho Quang, Tan Son Hoa Ward, Ho Chi Minh City
Hotline: 024.6656.4587