Corelight Core Collection is an analytics package included with Corelight subscriptions that extends the Open NDR Platform with threat detection capabilities and data optimization features. The collection provides analytics developed by the Zeek community for detecting lateral movement, port scanning, cryptomining, HTTP stalling attacks, and long-running connections. The product includes enrichment capabilities that add context to network evidence, such as Community ID hashing for connection correlation across tools, DNS hostname annotation in connection logs, POST data capture in HTTP logs, URL extraction from email bodies, and Windows version identification from HTTP headers. Data control features help optimize SIEM performance and costs through configurable data reduction options that can shrink export volumes by up to 30% by filtering data of minimal security value from connection, HTTP, DNS, and SSL logs. Traffic shunting capabilities allow organizations to conserve sensor processing bandwidth by filtering unwanted traffic flows at the network interface card level. The lateral movement detection component implements MITRE BZAR analytics to identify techniques related to SMB and DCE-RPC traffic, including indicators targeting Windows Admin Shares and Remote File Copy. The collection can be enabled or disabled through Corelight Sensor Management and Fleet Management interfaces.