top of page

Corelight Launches Smart PCAP to Give Security Teams Immediate Access to the Right Network Evidence

Corelight, provider of the industry’s leading open network detection and response (NDR) platform, today launched Smart PCAP for its Corelight AP 3000 Sensor. With Smart PCAP, defenders can capture just the packets needed for investigations and retrieve them with a single click from their SIEM.

“One of the questions we are most often asked is how to know whether you are gaining access to the right data for effective investigations, and many organizations default to full packet capture in order to make sure they have ‘everything,’” said Sarah Banks, senior director of product management for Corelight. “The problem with this approach is that in most circumstances, very little of the full packet is used. Ultimately, full capture significantly limits the analyst lookback window due to storage costs and generally does not integrate well into SIEM investigative workflows.

“With Smart PCAP, we are dramatically boosting that lookback window to aid investigations by giving analysts the ability to choose the packet evidence they collect and make it retrievable via the SIEM,” Banks continued.

Smart PCAP is a new licensed feature that offers a cost-effective alternative to full packet capture, delivering weeks to months of packet visibility interlinked with Corelight logs, extracted files, and security insights for fast pivots and investigation. Unlike other solutions that offer selective PCAP capabilities, Corelight Smart PCAP is encryption-aware, tracks protocol activity across ports, and directly integrates with the security gold standard for network evidence, Zeek. With Corelight, analysts can configure and selectively capture packets based on:

  • Protocols

  • Detections

  • Anomalous traffic activity

  • And more...

Corelight began offering Suricata integration with Zeek in its Corelight AP 3000 Sensor in June 2020, and today the company also announced it is extending Suricata-based threat detection to Corelight Virtual Sensors and also to AWS, GCP, and Azure environments via the Corelight Cloud Sensor. This unique integration of Corelight’s licensed Suricata feature fuses the resulting alerts with Corelight’s log evidence to simplify investigations and data export to SIEM.

“When we announced our integration with Suricata last year, we promised to deliver this design pattern in a commercial offering, not simply as a pair of great but separate open source technologies, but as a more deeply integrated system that works better together than the sum of the parts,” said Banks. “Today we take the next step to deliver on this promise with Suricata-based support for both virtual and cloud environments. This integration opens a new architectural door for security analysts by enabling a single data source for unlocking advanced analysis capabilities regardless of form factor.”


Corelight Smart PCAP and Suricata-based support for Corelight Virtual Sensors and cloud environments is now available in software version 22. More information on today’s news can be found in the products section on the Corelight website.



bottom of page