
Zeek Network Security Monitor

Overview

This article explains how to ingest your Zeek logs into Hunters. Hunters supports logs from both open source Zeek deployments and managed Zeek solutions such as Corelight.


Hunters' Ingestion

For Hunters to integrate with your Zeek logs, the logs must be collected into a Storage Service (for example an S3 bucket or Azure Blob Storage) that is shared with Hunters.

Expected Logs Format

The expected log format is JSON, one record per line. Open source Zeek writes tab-separated ASCII logs by default; JSON output is enabled on the Zeek side by loading the policy/tuning/json-logs script (which sets LogAscii::use_json). Note that the example below carries an ISO 8601 timestamp in the ts field, whereas Zeek's default JSON timestamp is an epoch float; Zeek emits the ISO 8601 form when LogAscii::json_timestamps is set to JSON::TS_ISO8601.

Here is an example of a currently supported log line (a Zeek notice.log record):

{"ts":"2021-10-01T00:00:00.249343Z","uid":"C1XbRDwee226Prvv3","id.orig_h":"192.168.1.1","id.orig_p":51001,"id.resp_h":"192.168.1.2","id.resp_p":139,"proto":"tcp","note":"EternalSafety::ViolationPidMid","msg":"Possible compromised SMBv1 server 192.168.1.2:139/tcp (srv sent new PID/MID - protocol violation)","src":"192.168.1.1","dst":"192.168.1.2","p":139,"peer_descr":"","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0}
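Before sharing a bucket with Hunters it is worth checking that what Zeek is actually writing matches the format of the supported example above. The following pre-flight check is an added example and not part of this page or of the Hunters or Zeek projects: it reads log lines, flags Zeek's default tab-separated ASCII output, lines that are not JSON objects, ts values that are not ISO 8601 strings like the example's, and malformed connection fields. The sample lines are constructed for the example: the first mirrors the notice.log line shown above, the second is a default ASCII data line, and the third is JSON with the default epoch-float timestamp.

```python
import ipaddress
import json
from datetime import datetime

# Constructed sample input (not real traffic): a replica of the notice.log line
# shown above, a default tab-separated Zeek ASCII line, and a JSON line with the
# default epoch-float timestamp instead of ISO 8601.
SAMPLE_LINES = [
    '{"ts":"2021-10-01T00:00:00.249343Z","uid":"C1XbRDwee226Prvv3",'
    '"id.orig_h":"192.168.1.1","id.orig_p":51001,"id.resp_h":"192.168.1.2",'
    '"id.resp_p":139,"proto":"tcp","note":"EternalSafety::ViolationPidMid",'
    '"msg":"Possible compromised SMBv1 server 192.168.1.2:139/tcp",'
    '"actions":["Notice::ACTION_LOG"],"suppress_for":3600.0}',
    "1633046400.249343\tC1XbRDwee226Prvv3\t192.168.1.1\t51001\t192.168.1.2\t139\ttcp",
    '{"ts":1633046400.249343,"uid":"C1XbRDwee226Prvv3","id.orig_h":"192.168.1.1",'
    '"id.orig_p":51001,"id.resp_h":"192.168.1.2","id.resp_p":139,"proto":"tcp"}',
]

# Zeek writes UTC with a trailing Z when LogAscii::json_timestamps = JSON::TS_ISO8601;
# the fractional part is accepted both present and absent.
ISO_FORMATS = ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ")


def parse_zeek_iso8601(ts):
    """Return a datetime for a Zeek ISO 8601 ts value, or raise ValueError."""
    if not isinstance(ts, str):
        raise ValueError("ts is %r, not an ISO 8601 string like the supported example "
                         "(Zeek's default JSON timestamp is an epoch float)" % (ts,))
    for fmt in ISO_FORMATS:
        try:
            return datetime.strptime(ts, fmt)
        except ValueError:
            continue
    raise ValueError("ts %r is not ISO 8601 in UTC (YYYY-MM-DDTHH:MM:SS[.ffffff]Z)" % ts)


def check_line(line):
    """Return the problems found in one log line; an empty list means it matches."""
    line = line.rstrip("\n")
    if not line:
        return []
    # Zeek ASCII logs start with "#separator"/"#fields" headers and use tabs in data
    # lines; a JSON record always starts with "{".
    if line.startswith("#") or ("\t" in line and not line.lstrip().startswith("{")):
        return ["tab-separated ASCII log, not JSON: load policy/tuning/json-logs in Zeek"]
    try:
        record = json.loads(line)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: %s" % exc]
    if not isinstance(record, dict):
        return ["JSON value is not an object"]

    problems = []
    if "ts" not in record:
        problems.append("missing ts field")
    else:
        try:
            parse_zeek_iso8601(record["ts"])
        except ValueError as exc:
            problems.append(str(exc))
    # Connection fields are optional (not every notice is tied to a connection),
    # but when present they must be well formed.
    for field in ("id.orig_h", "id.resp_h"):
        if field in record:
            try:
                ipaddress.ip_address(record[field])
            except ValueError:
                problems.append("%s is not an IP address: %r" % (field, record[field]))
    for field in ("id.orig_p", "id.resp_p"):
        value = record.get(field)
        if field in record and not (isinstance(value, int) and not isinstance(value, bool)
                                    and 0 <= value <= 65535):
            problems.append("%s is not a port number: %r" % (field, value))
    return problems


def check_lines(lines):
    """Map 1-based line number -> problems, only for lines that have any."""
    results = {}
    for number, line in enumerate(lines, 1):
        problems = check_line(line)
        if problems:
            results[number] = problems
    return results


if __name__ == "__main__":
    for number, problems in check_lines(SAMPLE_LINES).items():
        print("line %d: %s" % (number, "; ".join(problems)))
```

Run it against a few lines pulled from the bucket (for example the tail of a notice.log or conn.log file) before enabling the integration; the only lines that should come back are ones you expect to fix on the Zeek side.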