Corelight Open NDR Valuable Features
Corelight Open NDR is a really powerful platform. Pairing up the sensors with Investigator, you are getting incredibly rich data, which we are also able to further enrich with additional feeds such as CrowdStrike or CISAIAS. We are getting really good intelligence on what is hitting networks, and it is a really good platform for diving extremely deep into that network traffic and doing analysis. We have been really impressed with the amount of features and continual development that Corelight has been putting into Investigator. On a regular basis, we are getting massive updates on both the machine learning detection modules that they have built in. This is obviously reducing our alert fatigue by having these machine learning processes identifying alerts or doing the triage for us. Additionally, we are getting access to more agentic processes within Investigator which further allows us to control, triage, and get access to the right information when we need it.
Anthony Budrecki
Principal Security Architect at Eversource Energy
I appreciate the Fleet Manager feature of Corelight Open NDR, which allows me to manage the Suricata policy across my entire fleet of Corelight sensors. I also value the fact that Corelight has embraced the Suricata engine, giving me the benefits of an open-source platform and all that comes with that in terms of the open-source rule set that I can feed into the Suricata engine. I have a professional subscription, so I am getting some of the professional rules and all the open-source rules. The vast array of Suricata rules makes it an excellent model.
Corelight Open NDR has had a positive impact on my company. The benefits include visibility, as the Suricata engine can scan huge volumes of traffic. I feed it both north-south and east-west traffic, gaining scans of traffic that I typically do not get a lot of visibility into at a detailed level and seeing signatures in my traffic that I was not expecting. Most of which turn out to be false positives, but the awareness of them being there is very beneficial because they are often associated with old code or bad group policies that have not been cleaned up, leaving holes and exposures that need to be addressed. I can catch these with the Suricata alerts.
Corelight is low-cost and made on open-source, and the code is Zeek. It's an easy way for us to get visibility in a client's environment.
Buyer's Guide
Corelight Open NDR
May 2026
Learn what your peers think about Corelight Open NDR. Get advice and tips from experienced pros sharing their opinions. Updated: May 2026.
895,399 professionals have used our research since 2012.
The tool helps us track the traffic easily. Additionally, the soft analysis is very easy to learn due to the simplicity of the engine. It can integrate with multiple threat and intelligence feeds. This empowers the solution more than it's powerful. It's also easy to create additional dashboards specific to supporting specific tasks.
It is easy to deploy and easy to handle.
José Luis Pozo
Pre Sales Technician at DotForce
Corelight provides insight, visibility and a lot of data. No matter if you need detection for proactive defense or you need data for forensics, Corelight is the primary source of information for cyber security. The deployment is very quick and you are using it from the very beginning.
The most valuable feature is the embedded IDS from Suricata.


















