Zeek
- Updated on 25 Mar 2025
Zeek is a network security monitor (NSM) that can be used as a network intrusion detection system (NIDS) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting. For more information, refer to Zeek's official website.
Integration Method: AWS S3
Tables: Detection Finding (2004), Authentication (3002), Network Activity (4001), HTTP Activity (4002), DNS Activity (4003), DHCP Activity (4004), RDP Activity (4005), SMB Activity (4006), SSH Activity (4007), FTP Activity (4008), Email Activity (4009)
This integration supports the following Zeek logs.
Event | Description |
---|---|
conn.log | Records details of all network connections observed. |
dns.log | Records DNS queries and responses. |
http.log | Records HTTP requests and responses. |
ssl.log | Records SSL/TLS handshake details. |
files.log | Records files seen in the network traffic. |
weird.log | Records unusual or unexpected network events. |
notice.log | Records significant alerts generated in the network. |
dhcp.log | Records DHCP lease information. |
smtp.log | Records SMTP email transactions. |
ftp.log | Records FTP sessions and commands. |
dce_rpc.log | Records DCE/RPC (Distributed Computing Environment / Remote Procedure Call) activity. |
kerberos.log | Records Kerberos authentication transactions. |
ntlm.log | Records NTLM (NT LAN Manager) authentication attempts. |
quic.log | Records QUIC connections (version, server name and connection IDs; the transport payload itself is encrypted). |
smb_files.log | Records file operations over the SMB (Server Message Block) protocol. |
smb_mapping.log | Records SMB share mappings and tree connections. |
smb_cmd.log | Records SMB command details for debugging purposes. Zeek does not write this log by default; it is enabled by loading the policy/protocols/smb/log-cmds script. |
rdp.log | Records Remote Desktop Protocol (RDP) connection details. |
ssh.log | Records Secure Shell (SSH) session information. |
Note:
Zeek doesn’t follow a traditional versioning system.
Prerequisites
You need permission to update the source S3 bucket's bucket policy and event notification settings.
You need access to the DataBee console.
DataBee Configuration
Configure Data Feed
Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
Search for Zeek and select it.
Select AWS S3 as the collection method.
In the configuration page, confirm the following:
Data Feed Name: a user-friendly name for the data feed.
Owner Name: the point of contact for the data feed.
Owner E-mail: the email address of that contact.
S3 Bucket Name: the name of the bucket to ingest data from.
AWS Region: the AWS region of the bucket.
Delete objects in the S3 bucket after read: if checked, each object is deleted from the bucket once its data has been ingested. Leave it unchecked if the bucket is also your retention copy of the logs.
Compression: the decompression applied to each object before it is parsed. Choose gzip.
Content Type: how the decompressed content is parsed. Zeek's default ASCII writer produces tab-separated logs with #fields and #types header lines (not Zeek's optional JSON output); choose Zeek TSV so DataBee processes the log messages correctly.
KMS Encryption Key: if the bucket is encrypted with a KMS key, provide that key so DataBee can decrypt the objects.
Once you have entered the required information, click Next.
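To see what the Zeek TSV content type actually has to parse, here is an added example (not DataBee or Zeek project code) that reads a Zeek ASCII log: it decodes the #separator line, applies the #fields/#types header, handles unset ("-"), empty ("(empty)") and container fields, and tells that layout apart from Zeek's optional JSON output, which this feed would not parse. The two conn.log samples in it are constructed and abbreviated.

```python
"""Parse Zeek's default ASCII (TSV) log format, the layout the Zeek TSV content type expects.

Added example, not DataBee or Zeek project code. Both samples below are constructed
for this example; the column layout follows Zeek's conn.log but is abbreviated.
"""
import json

# Constructed sample: a conn.log as Zeek's ASCII writer emits it. The first line
# names the column separator as an escape sequence; every later header line and
# every record already uses that separator. "-" marks an unset field and
# "(empty)" an empty one, as declared in the header.
SAMPLE_CONN_TSV = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2025-03-25-10-00-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\ttunnel_parents",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring\tset[string]",
    "1711360800.123456\tCxkT9s1abc\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\tssl"
    "\t1.234\t512\t2048\tSF\t-",
    "1711360801.500000\tCj2pQm4def\t10.0.0.5\t53001\t10.0.0.53\t53\tudp\tdns"
    "\t-\t-\t-\tS0\t(empty)",
    "#close\t2025-03-25-11-00-00",
])

# Constructed sample: what the same log looks like if Zeek's optional JSON
# writer is enabled. It has no header block and must not be fed in as Zeek TSV.
SAMPLE_CONN_JSON = '{"ts":1711360800.123456,"uid":"CxkT9s1abc","id.orig_h":"10.0.0.5"}\n'


def detect_format(text):
    """Classify a log file: 'tsv' (ASCII writer), 'json' (JSON writer) or 'unknown'."""
    head = text.lstrip()
    if head.startswith("#separator"):
        return "tsv"
    if head.startswith("{"):
        return "json"
    return "unknown"


def _convert(value, ztype, unset, empty, set_sep):
    """Turn one column into a Python value according to its #types entry."""
    if value == unset:
        return None
    if ztype.startswith(("set[", "vector[")):
        if value == empty:
            return []
        inner = ztype[ztype.index("[") + 1:-1]
        return [_convert(v, inner, unset, empty, set_sep) for v in value.split(set_sep)]
    if value == empty:
        return ""
    if ztype in ("count", "int", "port"):
        return int(value)
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype == "bool":
        return value == "T"
    return value  # string, addr, subnet, enum and anything else stay as text


def parse_zeek_tsv(text):
    """Return (log path, list of records) for one Zeek ASCII log; raises on bad rows."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    path, fields, types, records = None, [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # "#separator \x09": decode the escape into the real separator character
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty = value
            elif key == "unset_field":
                unset = value
            elif key == "path":
                path = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            # #open and #close carry rotation timestamps and are not needed here
        else:
            cols = line.split(sep)
            if not fields or len(cols) != len(fields):
                raise ValueError(f"{path}: expected {len(fields)} columns, got {len(cols)}")
            records.append({f: _convert(v, t, unset, empty, set_sep)
                            for f, v, t in zip(fields, cols, types)})
    return path, records


if __name__ == "__main__":
    print("format:", detect_format(SAMPLE_CONN_TSV), "/", detect_format(SAMPLE_CONN_JSON))
    path, rows = parse_zeek_tsv(SAMPLE_CONN_TSV)
    print(path, json.dumps(rows, indent=1))
```

Run it against a rotated log from your own sensor (decompress it first, since the bucket objects are gzip) before pointing the feed at the bucket: if detect_format reports json, the sensor is writing JSON and the Zeek TSV content type will not parse it.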
Apply IAM and KMS policy
Copy the IAM policy displayed and save it; this is the bucket policy you will apply to your S3 bucket.
If KMS is enabled, also copy and save the KMS policy you will apply to your KMS key.
Apply the bucket policy to your source bucket, as described in the AWS documentation link provided at the bottom of the page.
If KMS is enabled, apply the KMS policy to the key that encrypts your bucket.
Click Next.
Setup S3 Notification
Configure your source bucket to send object-created (s3:ObjectCreated:*) event notifications to the DataBee SQS queue, as described in the AWS documentation link provided at the bottom of the page.
Once complete, click Submit to finalize and complete the configuration process.
Troubleshooting Tips
Ensure the bucket policy was pasted in full and unmodified; a truncated or mis-scoped policy (for example, object actions granted on the bucket ARN rather than on its objects) blocks ingestion.
Ensure the S3 event notification targets the DataBee SQS queue and fires for object-created events; without it, new objects are never picked up.
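Both the setup steps above and the two troubleshooting tips can be checked mechanically. The following added example (not DataBee's generated policy or tooling) takes a bucket policy and a notification configuration, as returned by `aws s3api get-bucket-policy` and `aws s3api get-bucket-notification-configuration`, and reports the usual mistakes: object actions granted on the bucket ARN instead of bucket/*, a world-readable Principal, a missing delete permission when "Delete objects in the S3 bucket after read" is enabled, or a notification that does not reach the DataBee queue for every ObjectCreated event. The bucket name, principal ARN and queue ARN are placeholders, and the list of required actions is an assumption about what a cross-account reader needs, not a reproduction of the policy DataBee shows you; compare against that policy.

```python
"""Check that a source bucket is wired up for DataBee's S3 collection.

Added example, not DataBee's generated policy or tooling. The bucket name,
principal ARN and queue ARN are placeholders, and the actions checked
(GetObject, ListBucket, plus DeleteObject when "Delete objects after read" is
enabled) are an assumption about what a cross-account reader needs; compare
against the policy DataBee actually displays. Statement Conditions are ignored.
"""
from fnmatch import fnmatchcase

BUCKET = "example-zeek-logs"                                     # placeholder
PRINCIPAL = "arn:aws:iam::111122223333:role/databee-reader"       # placeholder
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:databee-ingest"   # placeholder

# Constructed: a correct cross-account read policy (object actions on bucket/*,
# ListBucket on the bucket itself).
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": PRINCIPAL},
         "Action": ["s3:GetObject"], "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Effect": "Allow", "Principal": {"AWS": [PRINCIPAL]},
         "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}"},
    ],
}
# Constructed: a common paste error, GetObject granted on the bucket ARN instead
# of the object ARN (bucket/*), so every object read is denied.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": PRINCIPAL},
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": f"arn:aws:s3:::{BUCKET}"}],
}
# Constructed: the relevant block of get-bucket-notification-configuration output.
GOOD_NOTIFICATION = {"QueueConfigurations": [{
    "Id": "databee", "QueueArn": QUEUE_ARN, "Events": ["s3:ObjectCreated:*"],
    "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": "zeek/"}]}},
}]}


def _aslist(x):
    return x if isinstance(x, list) else [x]


def _grants(policy, principal):
    """Yield (action, resource, open_to_world) for every Allow that covers principal."""
    for st in _aslist(policy.get("Statement", [])):
        who = st.get("Principal", {})
        aws = _aslist(who.get("AWS", [])) if isinstance(who, dict) else _aslist(who)
        if st.get("Effect") != "Allow" or not (principal in aws or "*" in aws):
            continue
        for action in _aslist(st.get("Action", [])):
            for resource in _aslist(st.get("Resource", [])):
                yield action, resource, "*" in aws


def check_bucket_policy(policy, bucket=BUCKET, principal=PRINCIPAL, prefix="",
                        delete_after_read=False):
    """Return a list of problems; an empty list means the policy looks right.

    prefix is the key prefix the Zeek logs are uploaded under ("" = whole bucket).
    """
    objects, bucket_arn = f"arn:aws:s3:::{bucket}/{prefix}*", f"arn:aws:s3:::{bucket}"
    needed = {"s3:GetObject": objects, "s3:ListBucket": bucket_arn}
    if delete_after_read:
        needed["s3:DeleteObject"] = objects
    problems = []
    grants = list(_grants(policy, principal))
    if any(world for _, _, world in grants):
        problems.append('a statement names Principal "*": the bucket is readable by any AWS account')
    for action, resource in needed.items():
        # IAM action and resource strings may contain wildcards, so match them as globs
        if not any(fnmatchcase(action, a) and fnmatchcase(resource, r) for a, r, _ in grants):
            problems.append(f"{action} on {resource} is not granted to {principal}")
    return problems


def check_notification(config, queue_arn=QUEUE_ARN, prefix=""):
    """Return problems with the ObjectCreated notification that feeds queue_arn."""
    for qc in config.get("QueueConfigurations", []):
        if qc.get("QueueArn") != queue_arn:
            continue
        problems = []
        events = set(qc.get("Events", []))
        if "s3:ObjectCreated:*" not in events:
            problems.append(f"events {sorted(events)} do not include s3:ObjectCreated:* "
                            "(multipart and copied uploads would be missed)")
        for rule in qc.get("Filter", {}).get("Key", {}).get("FilterRules", []):
            if rule.get("Name", "").lower() == "prefix" and not prefix.startswith(rule.get("Value", "")):
                problems.append(f"prefix filter {rule['Value']!r} excludes objects written under {prefix!r}")
        return problems
    return [f"no QueueConfiguration sends events to {queue_arn}"]


if __name__ == "__main__":
    for name, policy in (("good policy", GOOD_POLICY), ("bad policy", BAD_POLICY)):
        print(name, check_bucket_policy(policy) or "ok")
    print("notification", check_notification(GOOD_NOTIFICATION, prefix="zeek/") or "ok")
```

To run it against a real bucket, json.loads the Policy string that `aws s3api get-bucket-policy --bucket <name>` returns and pass the parsed document to check_bucket_policy, and pass the output of `aws s3api get-bucket-notification-configuration --bucket <name>` to check_notification with the prefix your Zeek logs are written under. The queue policy on the DataBee side (allowing S3 to send to the queue) is outside your account and is not checked here.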