Zeek
  • 25 Mar 2025

Zeek is a network security monitor (NSM) that can be used as a network intrusion detection system (NIDS) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting. For more information, refer to Zeek's official website.

Integration Method: AWS S3

Tables: Detection Finding (2004), Authentication (3002), Network Activity (4001), HTTP Activity (4002), DNS Activity (4003), DHCP Activity (4004), RDP Activity (4005), SMB Activity (4006), SSH Activity (4007), FTP Activity (4008), Email Activity (4009)

This integration supports the following events.

  • conn.log: Records details of all network connections observed.

  • dns.log: Records DNS queries and responses.

  • http.log: Records HTTP requests and responses.

  • ssl.log: Records SSL/TLS handshake details.

  • files.log: Records files seen in the network traffic.

  • weird.log: Records unusual or unexpected network events.

  • notice.log: Records significant alerts generated in the network.

  • dhcp.log: Records DHCP lease information.

  • smtp.log: Records SMTP email transactions.

  • ftp.log: Records FTP sessions and commands.

  • dce_rpc.log: Records Distributed Computing Environment (DCE) / Remote Procedure Call (RPC) activity.

  • kerberos.log: Records Kerberos authentication transactions.

  • ntlm.log: Records NTLM (NT LAN Manager) authentication attempts.

  • quic.log: Records QUIC protocol activity, including encrypted transport-layer communications.

  • smb_files.log: Records file operations over the SMB (Server Message Block) protocol.

  • smb_mapping.log: Records SMB share mappings and tree connections.

  • smb_cmd.log: Records SMB command details for debugging purposes.

  • rdp.log: Records Remote Desktop Protocol (RDP) connection details.

  • ssh.log: Records Secure Shell (SSH) session information.

Note:

Zeek doesn’t follow a traditional versioning system.

Prerequisites

DataBee Configuration

Configure Data Feed

  1. Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.

  2. Search for Zeek and click it.

  3. Click the AWS S3 option as the collection method.

  4. In the configuration page, confirm the following:

    • Data Feed Name: a user-friendly name for the data feed.

    • Owner Name: enter a point of contact for the data feed.

    • Owner E-mail: email address for the contact.

    • S3 Bucket Name: name of the bucket to ingest data from.

    • AWS Region: AWS region of the bucket.

    • Delete objects in the S3 bucket after read: if this field is checked, each file is deleted from the bucket after its data has been ingested.

    • Compression: the decompression to apply to each object. Choose gzip.

    • Content Type: how to parse the uncompressed content. Zeek writes its logs in its own TSV format, so choose Zeek TSV as the content type for DataBee to process the log messages properly.

    • KMS Encryption Key: provide an optional KMS encryption key if the S3 bucket is encrypted.

    • Once you have entered the required information, click Next.
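To make the Zeek TSV content type concrete, here is an added parser (example code, not DataBee's or Zeek's own) that reads the #separator, #fields and #types header Zeek writes, converts each cell by its declared type, honours the unset and empty markers, and accepts a gzip-compressed object like the ones this S3 feed ingests. The conn.log sample and its field values are constructed.

```python
import gzip

# Constructed Zeek conn.log sample in Zeek TSV format (not taken from the page); real files
# open with the same "#separator \x09" line followed by #fields and #types headers.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tstring\n"
    "1742860800.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp\tssl\t1.5\tSF\n"
    "1742860801.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.7\t53412\t198.51.100.2\t53\tudp\t-\t-\tS0\n"
    "#close\t2025-03-25-00-05-00\n"
)
SAMPLE_CONN_LOG_GZ = gzip.compress(SAMPLE_CONN_LOG.encode())  # stands in for one S3 object

def _convert(val, typ, set_sep, empty, unset):
    """Map one TSV cell to a Python value using the type declared in the #types header."""
    if val == unset:
        return None
    is_container = typ.startswith(("set[", "vector["))
    if val == empty:
        return [] if is_container else ""
    if is_container:
        return val.split(set_sep)
    if typ in ("count", "int", "port"):
        return int(val)
    if typ in ("time", "interval", "double"):
        return float(val)
    if typ == "bool":
        return val == "T"
    return val  # string, addr, enum, subnet and the rest stay as text

def parse_zeek_tsv(text):
    """Yield one dict per data row, honoring the metadata lines Zeek writes before the rows."""
    sep, meta = "\t", {}
    for line in text.splitlines():
        if line.startswith("#separator "):
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            meta[key] = value  # set_separator, empty_field, unset_field, fields, types, path, ...
        elif line:
            fields, types, cols = meta.get("fields", "").split(sep), meta.get("types", "").split(sep), line.split(sep)
            if "fields" not in meta or "types" not in meta or not len(fields) == len(types) == len(cols):
                raise ValueError(f"row does not match #fields/#types header: {line!r}")
            opts = (meta.get("set_separator", ","), meta.get("empty_field", "(empty)"), meta.get("unset_field", "-"))
            yield {f: _convert(v, t, *opts) for f, t, v in zip(fields, types, cols)}

def records_from_gzip(blob):
    """Decompress one gzip'd log object, as DataBee reads it from S3, and parse it."""
    return list(parse_zeek_tsv(gzip.decompress(blob).decode("utf-8")))
```

A row whose column count does not match the header raises instead of being silently mis-mapped, which is the failure you want surfaced when a log is truncated or uploaded with the wrong content type.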
       

Apply IAM and KMS policy

  1. Copy the IAM policy and save the policy that you want to apply to your AWS S3 bucket.

  2. If KMS is enabled, copy the KMS policy and save the policy you want to apply to your KMS key.

  3. Apply the recommended bucket policy to your source bucket, as described in the AWS documentation link provided at the bottom of the page.

  4. If KMS is enabled, apply the recommended KMS policy to the KMS key for your bucket.

  5. After entering the required information, click Next.
     

Setup S3 Notification

  1. Configure your source bucket to emit object-create notifications to the DataBee SQS queue, as described in the AWS Documentation link provided at the bottom of the page.

  2. Once complete, click Submit to finalize and complete the configuration process.
     

Troubleshooting Tips

  • Ensure the S3 bucket policy is pasted correctly.

  • Ensure the SQS Event notification has been set up correctly.

