{"passport":{"unfragile":{"@version":"1.0","version":"2026-05","artifact":{"id":"tool_corelight","slug":"corelight","name":"Corelight","type":"product","url":"https://www.corelight.com","page_url":"https://unfragile.ai/corelight","categories":["data-analysis","code-review-security"],"tags":[],"pricing":{"model":"paid","free":false,"starting_price":null},"status":"active","verified":false},"capabilities":[{"id":"tool_corelight__cap_0","uri":"capability://security.protocol.level.network.traffic.analysis","name":"protocol-level network traffic analysis","description":"Performs deep packet inspection and protocol dissection on network traffic to extract granular details about communication patterns, application behavior, and protocol-level anomalies. Leverages Zeek's battle-tested engine to decode and analyze hundreds of network protocols.","intents":["I need to understand exactly what protocols are being used on my network","I want to see detailed breakdowns of application-layer communication","I need to identify protocol violations or unusual protocol behavior"],"best_for":["security operations centers","threat research teams","network forensics specialists"],"limitations":["requires significant compute resources for high-volume traffic","steep learning curve for teams unfamiliar with protocol analysis","encrypted payload contents cannot be inspected"],"requires":["network traffic access (SPAN/mirror ports or TAP)","Zeek protocol expertise","substantial compute infrastructure"],"input_types":["network packets","pcap files","live network streams"],"output_types":["structured protocol logs","metadata records","connection summaries"],"categories":["security","network-analysis"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"tool_corelight__cap_1","uri":"capability://security.encrypted.traffic.behavior.profiling","name":"encrypted traffic behavior profiling","description":"Analyzes behavioral patterns in encrypted network traffic without decrypting payloads, extracting metadata such as certificate information, TLS versions, cipher suites, and communication patterns to identify suspicious encrypted connections.","intents":["I need to detect threats hiding in encrypted traffic without decryption","I want to identify suspicious TLS/SSL certificate usage","I need to profile encrypted communication patterns to spot anomalies"],"best_for":["threat hunters","incident responders","SOC teams with encrypted traffic concerns"],"limitations":["cannot inspect encrypted payload contents","relies on metadata patterns which may have false positives","requires baseline of normal encrypted traffic patterns"],"requires":["network traffic visibility","understanding of TLS/SSL protocols","threat intelligence context"],"input_types":["encrypted network traffic","TLS handshake data"],"output_types":["certificate metadata","behavioral anomaly scores","threat indicators"],"categories":["security","threat-detection"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"tool_corelight__cap_10","uri":"capability://security.custom.detection.rule.development.and.deployment","name":"custom detection rule development and deployment","description":"Enables creation of custom detection rules using Zeek scripting language to identify specific threats, attack patterns, or policy violations. Supports deployment of custom rules to detect organization-specific threats.","intents":["I need to create custom detection rules for threats specific to my organization","I want to detect attack patterns that commercial rules don't cover","I need to implement custom security policies through network detection"],"best_for":["experienced security teams","organizations with custom threat models","teams with Zeek expertise"],"limitations":["steep learning curve for Zeek scripting","rule development is time-consuming","requires testing and tuning","limited out-of-the-box detection rules"],"requires":["Zeek scripting expertise","threat intelligence context","testing infrastructure","rule development methodology"],"input_types":["threat intelligence","attack patterns","Zeek script templates"],"output_types":["custom detection rules","rule documentation","detection results"],"categories":["security","threat-detection"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"tool_corelight__cap_11","uri":"capability://security.network.baseline.establishment.and.comparison","name":"network baseline establishment and comparison","description":"Establishes baseline profiles of normal network behavior and enables comparison of current traffic against these baselines to identify deviations. Supports creation of organization-specific network behavior models.","intents":["I need to establish what normal network behavior looks like for my organization","I want to compare current traffic against historical baselines","I need to identify when network behavior changes significantly"],"best_for":["SOC teams","network security teams","organizations with mature security programs"],"limitations":["requires substantial historical data collection","baseline creation is time-consuming","legitimate changes can trigger false positives"],"requires":["historical network traffic data","statistical analysis capability","domain expertise"],"input_types":["historical network traffic","connection metadata"],"output_types":["baseline profiles","deviation reports","behavioral models"],"categories":["security","analytics"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"tool_corelight__cap_12","uri":"capability://security.threat.intelligence.feed.integration","name":"threat intelligence feed integration","description":"Integrates external threat intelligence feeds with network analysis to automatically correlate observed network activity against known indicators of compromise, malicious IPs, and threat signatures.","intents":["I want to automatically check network traffic against known threat indicators","I need to correlate my network data with external threat intelligence","I want to detect known malicious IPs and domains in my traffic"],"best_for":["SOC teams","organizations with threat intelligence programs","teams using multiple threat feeds"],"limitations":["requires subscription to threat intelligence feeds","feed quality varies significantly","false positives from low-quality feeds"],"requires":["threat intelligence feed subscriptions","feed integration capability","threat intelligence management platform"],"input_types":["threat intelligence feeds","network traffic data"],"output_types":["threat correlation results","indicator matches","threat reports"],"categories":["security","threat-intelligence"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"tool_corelight__cap_13","uri":"capability://security.network.traffic.volume.and.performance.analytics","name":"network traffic volume and performance analytics","description":"Analyzes network traffic volume, bandwidth consumption, and performance metrics to identify capacity issues, traffic patterns, and potential DDoS or resource exhaustion attacks.","intents":["I need to understand network traffic volume and bandwidth patterns","I want to detect DDoS attacks or resource exhaustion","I need to identify performance bottlenecks in network traffic"],"best_for":["network operations teams","SOC teams","organizations with performance concerns"],"limitations":["requires baseline for comparison","high-volume traffic analysis is resource-intensive","may miss sophisticated low-volume attacks"],"requires":["network traffic data","performance baseline","analytics capability"],"input_types":["network traffic metrics","connection statistics"],"output_types":["traffic volume reports","bandwidth analysis","performance metrics"],"categories":["security","network-operations"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"tool_corelight__cap_14","uri":"capability://security.siem.and.security.tool.ecosystem.integration","name":"siem and security tool ecosystem integration","description":"Integrates Corelight's network analysis capabilities with existing SIEM platforms, threat intelligence systems, and other security tools through standardized data formats and APIs.","intents":["I need to integrate network data into my existing SIEM platform","I want to correlate network events with other security data sources","I need to automate security workflows using network data"],"best_for":["SOC teams with existing security infrastructure","organizations with mature security tool ecosystems","teams managing multiple security platforms"],"limitations":["requires SIEM platform compatibility","integration complexity depends on existing tools","may require custom development"],"requires":["SIEM platform or log aggregation system","API access","integration expertise"],"input_types":["structured network logs","security events"],"output_types":["SIEM-compatible events","API responses","integrated alerts"],"categories":["security","data-integration"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"tool_corelight__cap_2","uri":"capability://security.structured.security.event.log.generation","name":"structured security event log generation","description":"Converts raw network traffic analysis into structured, machine-readable logs organized by connection type, application, and protocol. Generates standardized event records that integrate seamlessly with SIEM platforms and threat intelligence systems.","intents":["I need to feed network security data into my SIEM platform","I want structured logs that my security tools can automatically parse","I need to correlate network events with other security data sources"],"best_for":["SOC teams with existing SIEM infrastructure","security teams integrating multiple data sources","organizations with automated threat detection workflows"],"limitations":["requires SIEM platform compatibility","log volume can be substantial requiring storage planning","custom field mappings may be needed for specific SIEM platforms"],"requires":["SIEM platform or log aggregation system","network traffic analysis data","log schema understanding"],"input_types":["protocol analysis results","connection metadata"],"output_types":["structured JSON logs","CEF/syslog formatted events","SIEM-compatible records"],"categories":["security","data-integration"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"tool_corelight__cap_3","uri":"capability://security.network.forensics.investigation.support","name":"network forensics investigation support","description":"Provides detailed historical network activity records and metadata extraction capabilities to support incident investigation and forensic analysis. Enables security teams to reconstruct network events, identify attack paths, and gather evidence for incident response.","intents":["I need to reconstruct what happened during a security incident","I want to identify the source and destination of suspicious traffic","I need to gather forensic evidence for incident investigation"],"best_for":["incident response teams","forensic investigators","threat research teams"],"limitations":["requires historical traffic data retention","analysis is time-consuming for large datasets","encrypted content cannot be analyzed"],"requires":["network traffic capture/retention","forensic analysis expertise","timeline correlation tools"],"input_types":["pcap files","historical network logs","connection records"],"output_types":["forensic timelines","connection graphs","evidence summaries","attack path reconstructions"],"categories":["security","forensics"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"tool_corelight__cap_4","uri":"capability://security.threat.hunting.query.execution","name":"threat hunting query execution","description":"Enables security analysts to write and execute custom queries against network traffic data to hunt for specific threat indicators, suspicious patterns, or indicators of compromise. Supports iterative hypothesis testing and exploratory threat hunting workflows.","intents":["I want to search for specific indicators of compromise in my network","I need to test hypotheses about potential threats","I want to hunt for known attack patterns in historical traffic"],"best_for":["threat hunters","experienced security analysts","teams with Zeek scripting knowledge"],"limitations":["steep learning curve for Zeek query language","query performance depends on data volume and complexity","requires expertise to write effective hunting queries"],"requires":["Zeek scripting knowledge","threat intelligence context","network traffic data","query optimization skills"],"input_types":["Zeek logs","custom query scripts","threat indicators"],"output_types":["query results","matching connection records","threat indicators"],"categories":["security","threat-hunting"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"tool_corelight__cap_5","uri":"capability://security.anomalous.network.behavior.detection","name":"anomalous network behavior detection","description":"Identifies deviations from normal network communication patterns by analyzing connection characteristics, data volumes, timing patterns, and protocol usage. Detects unusual network behavior that may indicate compromise or malicious activity.","intents":["I need to spot unusual network activity that doesn't match normal patterns","I want to detect data exfiltration or command-and-control communication","I need to identify lateral movement or reconnaissance activity"],"best_for":["SOC teams","threat hunters","organizations with mature network baselines"],"limitations":["requires established baseline of normal behavior","high false positive rates without proper tuning","behavioral changes may be legitimate"],"requires":["historical baseline data","network behavior understanding","custom tuning and threshold configuration"],"input_types":["network traffic data","connection metadata","baseline profiles"],"output_types":["anomaly scores","behavioral alerts","deviation reports"],"categories":["security","anomaly-detection"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"tool_corelight__cap_6","uri":"capability://security.application.identification.and.classification","name":"application identification and classification","description":"Automatically identifies and classifies applications running on the network by analyzing protocol signatures, communication patterns, and behavioral characteristics. Provides visibility into what applications are communicating across the network.","intents":["I need to know what applications are running on my network","I want to identify shadow IT or unauthorized applications","I need to classify traffic by application type for policy enforcement"],"best_for":["network administrators","SOC teams","organizations managing application inventory"],"limitations":["encrypted applications are harder to identify","new or custom applications may not be recognized","classification accuracy depends on traffic patterns"],"requires":["network traffic visibility","application signature database","protocol analysis capability"],"input_types":["network traffic","protocol metadata"],"output_types":["application inventory","classification reports","application-based traffic summaries"],"categories":["security","network-visibility"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"tool_corelight__cap_7","uri":"capability://security.file.extraction.and.analysis.support","name":"file extraction and analysis support","description":"Identifies and extracts files transferred across the network from traffic analysis, enabling security teams to analyze suspicious files for malware or policy violations. Provides metadata about file transfers for investigation.","intents":["I need to identify files being transferred across my network","I want to extract suspicious files for malware analysis","I need to detect policy violations related to file transfers"],"best_for":["SOC teams","incident responders","organizations with strict data transfer policies"],"limitations":["cannot extract from encrypted traffic","large file transfers may impact performance","requires downstream malware analysis tools"],"requires":["network traffic capture","file analysis tools","malware analysis capability"],"input_types":["network traffic","file transfer protocols"],"output_types":["extracted files","file metadata","transfer summaries"],"categories":["security","malware-analysis"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"tool_corelight__cap_8","uri":"capability://security.dns.activity.monitoring.and.analysis","name":"dns activity monitoring and analysis","description":"Provides detailed DNS query and response analysis including domain resolution patterns, DNS tunneling detection, and DNS-based threat indicators. Enables detection of DNS-based attacks and suspicious domain resolution activity.","intents":["I need to detect DNS-based attacks or data exfiltration","I want to identify suspicious domain resolution patterns","I need to monitor for DNS tunneling or DNS-based C2 communication"],"best_for":["SOC teams","threat hunters","organizations with DNS-based threat concerns"],"limitations":["DNS over HTTPS/TLS cannot be analyzed","requires threat intelligence for domain reputation","high volume of DNS queries can be overwhelming"],"requires":["DNS traffic visibility","threat intelligence feeds","DNS analysis expertise"],"input_types":["DNS queries and responses","network traffic"],"output_types":["DNS activity logs","suspicious domain indicators","DNS pattern analysis"],"categories":["security","threat-detection"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"tool_corelight__cap_9","uri":"capability://security.http.https.activity.tracking.and.analysis","name":"http/https activity tracking and analysis","description":"Analyzes HTTP and HTTPS traffic to extract request/response metadata, headers, URIs, and behavioral patterns. Provides visibility into web-based communication and enables detection of web-based threats.","intents":["I need to see what websites and web services are being accessed","I want to detect web-based attacks or malicious web traffic","I need to identify suspicious HTTP/HTTPS communication patterns"],"best_for":["SOC teams","web security teams","organizations with web-based threat concerns"],"limitations":["HTTPS payload cannot be inspected without decryption","high volume of HTTP traffic can be overwhelming","requires threat intelligence for malicious URL detection"],"requires":["HTTP/HTTPS traffic visibility","threat intelligence feeds","web security expertise"],"input_types":["HTTP/HTTPS traffic","network packets"],"output_types":["HTTP activity logs","URI summaries","suspicious web indicators"],"categories":["security","web-security"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"tool_corelight__headline","uri":"capability://data.processing.analysis.advanced.network.detection.and.response.solution","name":"advanced network detection and response solution","description":"Corelight is an advanced network detection and response solution that leverages Zeek for deep network forensics, providing unmatched visibility and actionable insights for security operations.","intents":["best network detection tools","network forensics solutions for threat hunting","top Zeek-based security platforms","network security analytics for SOC teams","advanced threat detection for enterprises"],"best_for":["Security operations centers","threat research teams"],"limitations":["Steep learning curve","Requires significant compute resources"],"requires":["Expertise in Zeek and network protocols"],"input_types":["Network traffic data"],"output_types":["Alerts","Evidence-backed summaries"],"categories":["data-processing-analysis"],"confidence":0.5,"matches":0,"success_rate":0}],"trust":{"score":48,"verified":false,"data_access_risk":"high","permissions":["network traffic access (SPAN/mirror ports or TAP)","Zeek protocol expertise","substantial compute infrastructure","network traffic visibility","understanding of TLS/SSL protocols","threat intelligence context","Zeek scripting expertise","testing infrastructure","rule development methodology","historical network traffic data"],"failure_modes":["requires significant compute resources for high-volume traffic","steep learning curve for teams unfamiliar with protocol analysis","encrypted payload contents cannot be inspected","cannot inspect encrypted payload contents","relies on metadata patterns which may have false positives","requires baseline of normal encrypted traffic patterns","steep learning curve for Zeek scripting","rule development is time-consuming","requires testing and tuning","limited out-of-the-box detection rules","builder identity is not verified yet","no observed match outcomes yet"],"rank_breakdown":{"adoption":0.43333333333333335,"quality":0.86,"ecosystem":0.35000000000000003,"match_graph":0.25,"freshness":0.75,"weights":{"adoption":0.25,"quality":0.25,"ecosystem":0.1,"match_graph":0.35,"freshness":0.05}},"observed_outcomes":{"matches":0,"success_rate":0,"avg_confidence":0,"top_intents":[],"last_matched_at":null},"maintenance":{"status":"active","updated_at":"2026-05-24T12:16:30.282Z","last_scraped_at":"2026-04-05T13:23:42.537Z","last_commit":null},"community":{"stars":null,"forks":null,"weekly_downloads":null,"model_downloads":null,"model_likes":null}},"distribution":{"claim_url":"https://unfragile.ai/submit?claim=corelight","compare_url":"https://unfragile.ai/compare?artifact=corelight"}},"signature":"wW3ImhxOWTG+VX6Ka4fpXZs567lDcIIOKFtUa23Ac4IKwQOOk1CjQshAQyptxPdqT6fPgfOJHRg4E+c/Mi2ZAA==","signedAt":"2026-06-21T17:19:05.575Z","signedBy":"unfragile.ai","version":1},"_links":{"self":"https://unfragile.ai/api/v1/passport/corelight","artifact":"https://unfragile.ai/corelight","verify":"https://unfragile.ai/api/v1/verify?slug=corelight","publicKey":"https://unfragile.ai/api/v1/trust-passport-public-key","spec":"https://unfragile.ai/trust","schema":"https://unfragile.ai/schema.json","docs":"https://unfragile.ai/docs"}}