drop a Corelight export bundle · parses the Zeek and Suricata logs together · runs locally
heuristic screener · vendor schemas vary (field names, nesting, community_id presence) · results are leads, not definitive proof
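The joint parse described above, as an added example: this is not the page's tool or Corelight code. It assumes the bundle yields Zeek conn.log as JSON lines and Suricata as EVE JSON lines, that either side may or may not carry `community_id` (Zeek community-id plugin, Suricata `community-id: yes`), and that exporters differ on whether the Zeek connection id is flattened (`id.orig_h`) or nested (`{"id": {"orig_h": ...}}`). The screening rule and its threshold are hypothetical, and every sample log line is constructed.

```python
"""Joint Zeek + Suricata screener (added example, not the page's or Corelight's code).

Assumptions, stated here because the page does not fix them:
  * Zeek conn.log as JSON lines; the connection id may be flattened ("id.orig_h")
    or nested ({"id": {"orig_h": ...}}) depending on the exporter.
  * Suricata as EVE JSON lines. Both sides may carry "community_id"; when either
    side lacks it, the join falls back to a normalised 5-tuple.
  * The rule in screen() and its byte threshold are hypothetical.
All sample lines below are constructed for this example.
"""
import json

# Constructed sample: a stray TSV-style header line, one flattened record, one
# nested record, and one record with no matching alert.
ZEEK_CONN = """\
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto
{"ts":1700000000.1,"uid":"CAbc1","id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"203.0.113.7","id.resp_p":443,"proto":"tcp","service":"ssl","duration":12.5,"orig_bytes":900,"resp_bytes":5200000,"conn_state":"SF","community_id":"1:AAAA="}
{"ts":1700000001.2,"uid":"CDef2","id":{"orig_h":"10.0.0.9","orig_p":40000,"resp_h":"198.51.100.2","resp_p":80},"proto":"tcp","service":"http","duration":0.4,"orig_bytes":300,"resp_bytes":1200,"conn_state":"SF"}
{"ts":1700000002.0,"uid":"CGhi3","id.orig_h":"10.0.0.7","id.orig_p":33000,"id.resp_h":"192.0.2.9","id.resp_p":53,"proto":"udp","service":"dns","duration":0.01,"orig_bytes":60,"resp_bytes":120,"conn_state":"SF","community_id":"1:BBBB="}
"""

# Constructed sample: one alert with community_id, one without, one non-alert event.
SURICATA_EVE = """\
{"timestamp":"2023-11-14T22:13:20.1+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP","community_id":"1:AAAA=","alert":{"signature":"EXAMPLE Beacon over TLS","severity":1,"signature_id":9000001}}
{"timestamp":"2023-11-14T22:13:21.2+0000","event_type":"alert","src_ip":"10.0.0.9","src_port":40000,"dest_ip":"198.51.100.2","dest_port":80,"proto":"TCP","alert":{"signature":"EXAMPLE Unusual User-Agent","severity":3,"signature_id":9000002}}
{"timestamp":"2023-11-14T22:13:22.0+0000","event_type":"flow","src_ip":"10.0.0.7","src_port":33000,"dest_ip":"192.0.2.9","dest_port":53,"proto":"UDP","community_id":"1:BBBB="}
"""


def parse_jsonl(text):
    """Yield one dict per non-empty JSON line; skip lines that are not JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # vendor bundles sometimes interleave header or TSV lines


def zeek_field(rec, dotted):
    """Read a Zeek field whether the exporter flattened or nested the key path."""
    if dotted in rec:
        return rec[dotted]
    cur = rec
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def flow_key(orig_h, orig_p, resp_h, resp_p, proto):
    """Normalised 5-tuple: Suricata writes proto as 'TCP', Zeek as 'tcp'."""
    return (str(orig_h), int(orig_p), str(resp_h), int(resp_p), str(proto).lower())


def index_zeek_conn(text):
    """Index conn records by community_id and, as the fallback, by 5-tuple."""
    by_cid, by_tuple = {}, {}
    for rec in parse_jsonl(text):
        key = flow_key(zeek_field(rec, "id.orig_h"), zeek_field(rec, "id.orig_p"),
                       zeek_field(rec, "id.resp_h"), zeek_field(rec, "id.resp_p"),
                       rec.get("proto", ""))
        by_tuple[key] = rec
        if rec.get("community_id"):
            by_cid[rec["community_id"]] = rec
    return by_cid, by_tuple


def correlate(zeek_text, suricata_text):
    """Attach the Zeek conn record to each Suricata alert and record how it joined."""
    by_cid, by_tuple = index_zeek_conn(zeek_text)
    joined = []
    for ev in parse_jsonl(suricata_text):
        if ev.get("event_type") != "alert":
            continue  # flow/dns/http events are not screened here
        conn, how = None, None
        cid = ev.get("community_id")
        if cid and cid in by_cid:
            conn, how = by_cid[cid], "community_id"
        else:
            key = flow_key(ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"], ev["proto"])
            if key in by_tuple:
                conn, how = by_tuple[key], "5-tuple"
        joined.append({"alert": ev["alert"], "conn": conn, "joined_by": how})
    return joined


def screen(joined, resp_bytes_threshold=1_000_000):
    """Hypothetical rule: a severity-1 alert on a flow where the server returned at
    least `resp_bytes_threshold` bytes. Each finding is a lead, not proof."""
    findings = []
    for j in joined:
        conn = j["conn"]
        if conn is None:
            continue  # alert with no conn record: the volume rule cannot be applied
        if j["alert"].get("severity") == 1 and conn.get("resp_bytes", 0) >= resp_bytes_threshold:
            findings.append({"uid": conn["uid"], "signature": j["alert"]["signature"],
                             "resp_bytes": conn["resp_bytes"], "joined_by": j["joined_by"],
                             "confidence": "heuristic"})
    return findings


if __name__ == "__main__":
    for finding in screen(correlate(ZEEK_CONN, SURICATA_EVE)):
        print(json.dumps(finding))
```

Joining on `community_id` first and only then on the 5-tuple matters in practice: the 5-tuple is reused across time, so a tuple-only join can attach an alert to the wrong connection in a long bundle, which is one reason the output is a lead rather than proof.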