Login
    Contents x
    Zeek
    • 25 Mar 2025
    • 2 Minutes to read
    • Print
    • Dark
      Light
    Contents

    Zeek

    • Updated on 25 Mar 2025
    • 2 Minutes to read
    • Print
    • Dark
      Light
    Article summary

    Zeek is a network security monitor (NSM) that can be used as a network intrusion detection system (NIDS) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting. For more information, refer to Zeek's official website.

    Integration Method: AWS S3

    Tables: Detection Finding (2004), Authentication (3002), Network Activity (4001), HTTP Activity (4002), DNS Activity (4003), DHCP Activity (4004), RDP Activity (4005), SMB Activity (4006), SSH Activity (4007), FTP Activity (4008), Email Activity (4009)

    This integration supports the following events.

    Event

    Description

    conn.log

    Records details of all network connections observed.

    dns.log

    Records DNS queries and responses.

    http.log

    Records HTTP requests and responses.

    ssl.log

    Records SSL/TLS handshake details.

    files.log

    Records files seen in the network traffic.

    weird.log

    Records unusual or unexpected network events.

    notice.log

    Records significant alerts generated in the network.

    dhcp.log

    Records DHCP lease information.

    smtp.log

    Records SMTP email transactions.

    ftp.log

    Records FTP sessions and commands.

    dce_rpc.log

    Records Distributed Computing Environment(DCE)/Remote Procedure Calls(RPC) activity.

    kerberos.log

    Records Kerberos authentication transactions.

    ntlm.log

    Records NTLM(NT LAN Manager) authentication attempts.

    quic.log

    Records QUIC protocol activity including encrypted transport layer communications.

    smb_files.log

    Records file operations over SMB(Server Message Block) protocol.

    smb_mapping.log

    Records SMB share mappings and tree connections.

    smb_cmd.log

    Records SMB command details for debugging purposes.

    rdp.log

    Records Remote Desktop Protocol(RDP) connection details.

    ssh.log

    Records Secure She(SSH) session information.

    Note:

    Zeek doesn’t follow a traditional versioning system.

    Prerequisites

    DataBee Configuration

    Configure Data Feed

    1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
       

    2. Search for the Zeek and click it as shown below.
       

    3. Click on the AWS S3 option for collection method.
       

    4. In the configuration page, confirm the following:

      • Data Feed Name: an user-friendly name for the data feed.

      • Owner Name: enter a point of contact for the data feed

      • Owner E-mail: email address for the contact.

      • S3 Bucket Name: name of the bucket to ingest data from.

      • AWS Region: AWS region of the bucket.

      • Delete objects in the S3 bucket after read: if this field is checked, then the file will be deleted after ingesting the data.

      • Compression: indicates what type of decompression. Please choose gzip.

        A screenshot of a browser  AI-generated content may be incorrect.

      • Content Type: indicates how to parse the uncompressed content. Zeek logs will be in custom Zeek TSV format, choose Zeek TSV as content type for DataBee to process the log messages properly.
         

      • KMS Encryption Key: provide an optional KMS encryption key if the S3 bucket is encrypted.

      • Once you have entered the required information, click Next.
         

    Apply IAM and KMS policy

    1. Copy the IAM policy and save the policy that you want to apply to your AWS S3 bucket.

    2. If KMS is enabled, copy the KMS policy and save the policy you want to apply to your KMS key.

    3. Apply the recommended bucket policy to your source bucket, as described in the AWS documentation link provided at the bottom of the page.

    4. If KMS is enabled, apply the recommended KMS policy to the KMS key for your bucket.

    5. After entering the required information, click Next.
       

    Setup S3 Notification

    1. Configure your source bucket to emit object-create notifications to the DataBee SQS queue, as described in the AWS Documentation link provided at the bottom of the page.

    2. Once complete, click Submit to finalize and complete the configuration process.
       

    Troubleshooting Tips

    • Ensure the S3 bucket policy is pasted correctly.

    • Ensure the SQS Event notification has been set up correctly.

    Was this article helpful?
    What's Next
    Change password!
    Changing your password will log you out immediately. Use the new password to log back in.
    Change profile
    Success!
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.
    Logout
    ESC

    Eddy AI, facilitating knowledge discovery through conversational intelligence