Microsoft Defender for IoT is now integrated into Corelight

Nov 5, 2021, 10:04 PM EDT

Corelight, a startup based in California, has integrated Microsoft Defender for IoT into its open network detection and response (NDR) platform.

Corelight has become the first Microsoft NDR partner to make use of Defender for IoT’s cross-industry integration capabilities, as announced at this week’s Microsoft Ignite 2021 virtual conference. Users of Corelight can transfer data from deployed sensors to Microsoft 365 Defender, and Defender for IoT can then utilize its behavioral analytics and machine-learning algorithms to locate and classify devices, as well as protect, detect, and respond to IoT attacks.


This also enables Defender for IoT to apply its global IoT and OT threat intelligence.

“The number of unmanaged systems on the internet is soaring, and this ever-expanding risk surface is already a target,” said Greg Bell, chief strategy officer for Corelight. “Unfortunately, most defenders lack the information they need about IoT and OT systems in their environment. Our integration combines best-in-class network evidence from Corelight, with the advanced vulnerability management, threat intelligence, and detection and response capabilities of Microsoft Defender for IoT. The result is more efficient incident response, and deeper insight into IoT footprint, behavior and risk.”

Corelight’s open NDR delivers complete network coverage of on-premises, cloud, and hybrid environments to help security operations teams that use Defender for IoT detect and respond to attacks. As an open platform, Defender for IoT can use network signals from Corelight sensors for asset discovery, inventory, risk assessment, detection, and mitigation.


“Corelight is leveraging our open platform to share data to further enrich Microsoft Defender for IoT,” said Nir Giller, Microsoft Defender for IoT group manager. “Customers who have deployed Corelight can secure their entire IoT and OT environments with Microsoft 365 Defender and Defender for IoT within minutes while adding more detections based on encrypted traffic analysis and complementing Microsoft’s MITRE ATT&CK coverage.”

Additional benefits from Corelight include:

  • NDR coverage for every device on the network: Understand and manage risk across the entire IoT and OT landscape including high-value assets, managed and unmanaged endpoints, IoT devices, and cloud environments.
  • Single platform for NDR: Corelight provides everything security operations teams need for detection and response, built on open standards including Zeek for telemetry, Suricata for alerts, and Smart PCAP for packets.
  • Faster answers for analysts and hunters: Rich, structured network data from more than 35 protocols and over 400 data fields captured in real-time provides additional context for alerts, accelerating incident response, and expanding threat hunting capabilities.
  • Integration with existing SOC toolsets: Correlate rich network telemetry with threat intelligence feeds for sending to multiple destinations simultaneously, including Microsoft Sentinel, Splunk, and other analytic tools.
  • Deeper insights: Hunt for attackers without compute-intensive practices that compromise privacy, find command-and-control (C2) activity with more than 50 insights that cover both known C2 toolkits and MITRE ATT&CK C2 techniques, and more.

Corelight support will be available with the November 30 public preview of Microsoft Defender for IoT.


Corelight offers network evidence to security teams, allowing them to secure vital organizations and businesses. Its customers include Fortune 500 firms, large government organizations, and large research colleges. Corelight, based in San Francisco, is an open-source security firm formed by the inventors of the Zeek network security technology.
