Zeek Logs
Connecting Zeek logs to your Panther Console
Overview
Panther supports ingesting Zeek logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.
How to onboard Zeek logs to Panther
To pull these logs into Panther:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for the log type you want to onboard, then click its tile.
Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
Configure Zeek to push logs to the Data Transport source.
See Zeek's documentation for instructions on pushing logs to your selected Data Transport source.
Supported log types
Zeek.CaptureLoss
Zeek CaptureLoss logs evidence regarding the degree to which the packet capture process suffers from measurement loss.
Reference: Capture Loss
schema: Zeek.CaptureLoss
description: Zeek CaptureLoss. It logs evidence regarding the degree to which the packet capture process suffers from measurement loss
referenceURL: https://docs.zeek.org/en/master/scripts/policy/misc/capture-loss.zeek.html
fields:
- name: acks
required: true
type: bigint
- name: gaps
required: true
type: bigint
- name: peer
required: true
type: string
- name: percent_lost
required: true
type: float
- name: ts
required: true
type: timestamp
timeFormats:
- unix
isEventTime: true
- name: ts_delta
required: true
type: floatZeek.Conn
Reference: conn.log
schema: Zeek.Conn
description: Zeek Conn
referenceURL: https://docs.zeek.org/en/master/logs/conn.html
fields:
- name: service
type: string
- name: duration
type: float
- name: orig_bytes
type: bigint
- name: resp_bytes
type: bigint
- name: history
type: string
- name: conn_state
required: true
type: string
- name: id.orig_h
required: true
type: string
indicators:
- ip
- name: id.orig_p
required: true
type: bigint
- name: id.resp_h
required: true
type: string
indicators:
- ip
- name: id.resp_p
required: true
type: bigint
- name: local_orig
required: true
type: boolean
- name: local_resp
required: true
type: boolean
- name: missed_bytes
required: true
type: bigint
- name: orig_ip_bytes
required: true
type: bigint
- name: orig_pkts
required: true
type: bigint
- name: proto
required: true
type: string
- name: resp_ip_bytes
required: true
type: bigint
- name: resp_pkts
required: true
type: bigint
- name: ts
required: true
type: timestamp
timeFormats:
- unix
isEventTime: true
- name: uid
required: true
type: string
indicators:
- trace_id
- name: uid2
type: string
indicators:
- trace_idZeek.DHCP
Reference: dhcp.log
schema: Zeek.DHCP
description: Zeek DHCP
referenceURL: https://docs.zeek.org/en/master/logs/dhcp.html
fields:
- name: host_name
type: string
indicators:
- domain
- name: requested_addr
type: string
indicators:
- ip
- name: duration
required: true
type: float
- name: mac
required: true
type: string
indicators:
- mac
- name: msg_types
required: true
type: array
element:
type: string
- name: ts
required: true
type: timestamp
timeFormats:
- unix
isEventTime: true
- name: uids
required: true
type: array
element:
type: string
indicators:
- trace_idZeek.DNS
Zeek DNS activity
Reference: Zeek documentation - DNS::info
schema: Zeek.DNS
description: Zeek DNS activity
referenceURL: https://docs.zeek.org/en/current/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info
fields:
- name: ts
required: true
description: The earliest time at which a DNS protocol message over the associated connection is observed.
type: timestamp
timeFormats:
- unix
isEventTime: true
- name: uid
required: true
description: A unique identifier of the connection over which DNS messages are being transferred.
type: string
- name: id.orig_h
required: true
description: The originator’s IP address.
type: string
indicators:
- ip
- name: id.orig_p
required: true
description: The originator’s port number.
type: int
- name: id.resp_h
required: true
description: The responder’s IP address.
type: string
indicators:
- ip
- name: id.resp_p
required: true
description: The responder’s port number.
type: int
- name: proto
required: true
description: The transport layer protocol of the connection.
type: string
- name: trans_id
description: A 16-bit identifier assigned by the program that generated the DNS query. Also used in responses to match up replies to outstanding queries.
type: int
- name: query
description: The domain name that is the subject of the DNS query.
type: string
indicators:
- domain
- name: qclass
description: The QCLASS value specifying the class of the query.
type: bigint
- name: qclass_name
description: A descriptive name for the class of the query.
type: string
- name: qtype
description: A QTYPE value specifying the type of the query.
type: bigint
- name: qtype_name
description: A descriptive name for the type of the query.
type: string
- name: rcode
description: The response code value in DNS response messages.
type: bigint
- name: rcode_name
description: A descriptive name for the response code value.
type: string
- name: AA
description: The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section.
type: boolean
- name: TC
description: The Truncation bit specifies that the message was truncated.
type: boolean
- name: RD
description: The Recursion Desired bit in a request message indicates that the client wants recursive service for this query.
type: boolean
- name: RA
description: The Recursion Available bit in a response message indicates that the name server supports recursive queries.
type: boolean
- name: Z
description: A reserved field that is usually zero in queries and responses.
type: bigint
- name: answers
description: The set of resource descriptions in the query answer.
type: array
element:
type: string
indicators:
- hostname
- name: TTLs
description: The caching intervals (measured in seconds) of the associated RRs described by the answers field.
type: array
element:
type: float
- name: rejected
description: The DNS query was rejected by the server.
type: booleanZeek.DPD
Zeek Dynamic Protocol Detection.
Reference: dpd.log
schema: Zeek.DPD
description: Zeek Dynamic Protocol Detection
referenceURL: https://docs.zeek.org/en/master/logs/dpd.html
fields:
- name: analyzer
required: true
type: string
- name: failure_reason
required: true
type: string
- name: id.orig_h
required: true
type: string
indicators:
- ip
- name: id.orig_p
required: true
type: bigint
- name: id.resp_h
required: true
type: string
indicators:
- ip
- name: id.resp_p
required: true
type: bigint
- name: proto
required: true
type: string
- name: ts
required: true
type: timestamp
timeFormats:
- unix
isEventTime: true
- name: uid
required: true
type: string
indicators:
- trace_idZeek.Files
Reference: files.log
schema: Zeek.Files
description: Zeek Files
referenceURL: https://docs.zeek.org/en/master/logs/files.html
fields:
- name: analyzers
required: true
type: array
element:
type: string
- name: conn_uids
required: true
type: array
element:
type: string
indicators:
- trace_id
- name: depth
required: true
type: bigint
- name: duration
required: true
type: float
- name: fuid
required: true
type: string
indicators:
- trace_id
- name: is_orig
required: true
type: boolean
- name: local_orig
required: true
type: boolean
- name: md5
required: true
type: string
indicators:
- md5
- name: mime_type
type: string
- name: missing_bytes
required: true
type: bigint
- name: overflow_bytes
required: true
type: bigint
- name: rx_hosts
required: true
type: array
element:
type: string
indicators:
- ip
- name: seen_bytes
required: true
type: bigint
- name: sha1
required: true
type: string
indicators:
- sha1
- name: source
required: true
type: string
- name: timedout
required: true
type: boolean
- name: ts
required: true
type: timestamp
timeFormats:
- unix
isEventTime: true
- name: tx_hosts
required: true
type: array
element:
type: string
indicators:
- ipZeek.HTTP
Reference: http.log
schema: Zeek.HTTP
description: Zeek HTTP activity
referenceURL: https://docs.zeek.org/en/master/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info
fields:
- name: ts
required: true
type: timestamp
timeFormats:
- unix
isEventTime: true
- name: uid
required: true
type: string
indicators:
- trace_id
- name: id.orig_h
required: true
type: string
indicators:
- ip
- name: id.orig_p
required: true
type: bigint
- name: id.resp_h
required: true
type: string
indicators:
- ip
- name: id.resp_p
required: true
type: bigint
- name: trans_depth
required: true
type: bigint
- name: method
type: string
- name: host
type: string
indicators:
- domain
- name: uri
type: string
- name: referrer
type: string
- name: version
type: string
- name: user_agent
type: string
- name: origin
type: string
- name: request_body_len
type: bigint
- name: response_body_len
type: bigint
- name: status_code
type: bigint
- name: status_msg
type: string
- name: info_code
type: bigint
- name: info_msg
type: string
- name: tags
required: true
type: json
- name: username
type: string
- name: password
type: string
- name: capture_password
type: boolean
- name: proxied
type: array
element:
type: string
- name: range_request
type: boolean
- name: orig_fuids
type: array
element:
type: string
indicators:
- trace_id
- name: orig_filenames
type: array
element:
type: string
- name: orig_mime_types
type: array
element:
type: string
- name: resp_fuids
type: array
element:
type: string
indicators:
- trace_id
- name: resp_filenames
type: array
element:
type: string
- name: resp_mime_types
type: array
element:
type: string
- name: current_entity
type: json
- name: orig_mime_depth
type: bigint
- name: resp_mime_depth
type: bigint
- name: client_header_names
type: array
element:
type: string
- name: server_header_names
type: array
element:
type: string
- name: omniture
type: boolean
- name: flash_version
type: string
- name: cookie_vars
type: array
element:
type: string
- name: uri_vars
type: array
element:
type: stringZeek.Notice
Reference: notice.log
schema: Zeek.Notice
description: Zeek Notice activities
referenceURL: https://docs.zeek.org/en/master/frameworks/notice.html
fields:
- name: actions
required: true
type: array
element:
type: string
- name: email_dest
type: array
element:
type: string
- name: dst
type: string
indicators:
- ip
- name: fuid
type: string
indicators:
- trace_id
- name: id.orig_h
type: string
indicators:
- ip
- name: id.orig_p
type: bigint
- name: id.resp_h
type: string
indicators:
- ip
- name: id.resp_p
type: bigint
- name: msg
required: true
type: string
- name: note
required: true
type: string
- name: p
type: bigint
- name: proto
type: string
- name: src
type: string
indicators:
- ip
- name: sub
type: string
- name: suppress_for
required: true
type: float
- name: ts
required: true
type: timestamp
timeFormats:
- unix
isEventTime: true
- name: uid
type: string
indicators:
- trace_idZeek.NTP
Reference: ntp.log
schema: Zeek.NTP
description: Zeek Network Time Protocol activity
referenceURL: https://docs.zeek.org/en/master/logs/ntp.html
fields:
- name: id.orig_h
required: true
type: string
indicators:
- ip
- name: id.orig_p
required: true
type: bigint
- name: id.resp_h
required: true
type: string
indicators:
- ip
- name: id.resp_p
required: true
type: bigint
- name: mode
required: true
type: bigint
- name: num_exts
required: true
type: bigint
- name: org_time
required: true
type: float
- name: poll
required: true
type: float
- name: precision
required: true
type: float
- name: rec_time
required: true
type: float
- name: ref_id
required: true
type: string
- name: ref_time
required: true
type: float
- name: root_delay
required: true
type: float
- name: root_disp
required: true
type: float
- name: stratum
required: true
type: bigint
- name: ts
required: true
type: timestamp
timeFormats:
- unix
isEventTime: true
- name: uid
required: true
type: string
indicators:
- trace_id
- name: version
required: true
type: bigint
- name: xmt_time
required: true
type: floatZeek.OCSP
Reference: ocsp.log
schema: Zeek.OCSP
description: Zeek Online Certificate Status Protocol activity
referenceURL: https://docs.zeek.org/en/v4.0.0/scripts/policy/files/x509/log-ocsp.zeek.html
fields:
- name: certStatus
required: true
type: string
- name: hashAlgorithm
required: true
type: string
- name: id
required: true
type: string
- name: issuerKeyHash
required: true
type: string
- name: issuerNameHash
required: true
type: string
- name: nextUpdate
required: true
type: timestamp
timeFormats:
- unix
- name: serialNumber
required: true
type: string
- name: revoketime
type: timestamp
timeFormats:
- unix
- name: revokereason
type: string
- name: thisUpdate
required: true
type: timestamp
timeFormats:
- unix
- name: ts
required: true
type: timestamp
timeFormats:
- unix
isEventTime: trueZeek.Reporter
Zeek internal warnings and errors.
Reference: reporter.log
sch type: bigint
- name: status_msg
type: string
- name: warning
type: string
- name: request_body_len
type: bigint
- name: response_body_len
type: bigint
- name: content_type
type: stringZeek.SIP
This schema represents Zeek SIP analysis logs.
Reference: sip.log
schema: Zeek.SIP
description: Zeek SIP analysis
referenceURL: https://docs.zeek.org/en/master/scripts/base/protocols/sip/main.zeek.html#id2
fields:
- name: ts
required: true
type: timestamp
timeFormats:
- unix
- name: uid
required: true
type: string
indicators:
- trace_id
- name: id.orig_h
required: true
type: string
indicators:
- ip
- name: id.orig_p
required: true
type: bigint
- name: id.resp_h
required: true
type: string
indicators:
- ip
- name: id.resp_p
required: true
type: bigint
- name: trans_depth
required: true
type: bigint
- name: method
type: string
- name: uri
type: string
- name: date
type: string
- name: request_from
type: string
- name: request_to
type: string
- name: response_from
type: string
- name: response_to
type: string
- name: reply_to
type: string
- name: call_id
type: string
- name: seq
type: string
- name: subject
type: string
- name: request_path
type: array
element:
type: string
- name: response_path
type: array
element:
type: string
- name: user_agent
type: string
- name: status_code
type: bigint
- name: status_msg
type: string
- name: warning
type: string
- name: request_body_len
type: bigint
- name: response_body_len
type: bigint
- name: content_type
type: stringZeek.Software
Reference: software.log
schema: Zeek.Software
description: Zeek Software activity
referenceURL: https://docs.zeek.org/en/master/logs/known-and-software.html#software-log
fields:
- name: host_p
description: host_p
type: bigint
- name: version.addl
description: version.addl
type: string
- name: version.minor2
description: version.minor2
type: string
- name: version.minor3
description: version.minor3
type: string
- name: version.minor
description: version.minor
type: string
- name: host
required: true
description: host
type: string
indicators:
- ip
- name: name
required: true
description: name
type: string
- name: software_type
required: true
description: software_type
type: string
- name: ts
required: true
description: ts
type: timestamp
timeFormat: unix
isEventTime: true
- name: unparsed_version
required: true
description: unparsed_version
type: string
- name: version.major
description: version.major
type: bigintZeek.SSH
Reference: ssh.log
schema: Zeek.Ssh
description: Zeek ssh activity
referenceURL: https://docs.zeek.org/en/current/scripts/base/protocols/ssh/main.zeek.html#type-SSH::Info
fields:
- name: ts
required: true
type: timestamp
timeFormats:
- unix
isEventTime: true
- name: uid
required: true
type: string
indicators:
- trace_id
- name: id.orig_h
required: true
type: string
indicators:
- ip
- name: id.orig_p
required: true
type: bigint
- name: id.resp_h
required: true
type: string
indicators:
- ip
- name: id.resp_p
required: true
type: bigint
- name: version
type: string
- name: auth_success
type: boolean
- name: auth_attempts
type: bigint
- name: direction
type: string
- name: client
type: string
- name: server
type: string
- name: cipher_alg
type: string
- name: mac_alg
type: string
- name: compression_alg
type: string
- name: kex_alg
type: string
- name: host_key_alg
type: string
- name: host_key
type: stringZeek.SSL
Reference: ssl.log
schema: Zeek.Ssl
description: Zeek SSL activity
referenceURL: https://docs.zeek.org/en/master/logs/ssl.html
fields:
- name: next_protocol
type: string
- name: cert_chain_fps
type: array
element:
type: string
- name: sni_matches_cert
type: boolean
- name: validation_status
type: string
- name: curve
type: string
- name: cipher
type: string
- name: established
required: true
type: boolean
- name: id.orig_h
required: true
type: string
indicators:
- ip
- name: id.orig_p
required: true
type: bigint
- name: id.resp_h
required: true
type: string
indicators:
- ip
- name: id.resp_p
required: true
type: bigint
- name: resumed
required: true
type: boolean
- name: server_name
type: string
indicators:
- domain
- name: ssl_history
required: true
type: string
- name: ts
required: true
type: timestamp
timeFormats:
- unix
isEventTime: true
- name: uid
required: true
type: string
indicators:
- trace_id
- name: version
type: string
```Zeek.Stats
Reference: stats.log
schema: Zeek.Stats
description: Zeek Log memory/packet/lag statistics.
referenceURL: https://docs.zeek.org/en/master/scripts/policy/misc/stats.zeek.html
fields:
- name: active_dns_requests
required: true
type: bigint
- name: active_files
required: true
type: bigint
- name: active_icmp_conns
required: true
type: bigint
- name: active_tcp_conns
required: true
type: bigint
- name: active_timers
required: true
type: bigint
- name: active_udp_conns
required: true
type: bigint
- name: bytes_recv
required: true
type: bigint
- name: dns_requests
required: true
type: bigint
- name: events_proc
required: true
type: bigint
- name: events_queued
required: true
type: bigint
- name: files
required: true
type: bigint
- name: icmp_conns
required: true
type: bigint
- name: mem
required: true
type: bigint
- name: peer
required: true
type: string
- name: pkt_lag
required: true
type: float
- name: pkts_dropped
required: true
type: bigint
- name: pkts_link
required: true
type: bigint
- name: pkts_proc
required: true
type: bigint
- name: reassem_file_size
required: true
type: bigint
- name: reassem_frag_size
required: true
type: bigint
- name: reassem_tcp_size
required: true
type: bigint
- name: reassem_unknown_size
required: true
type: bigint
- name: tcp_conns
required: true
type: bigint
- name: timers
required: true
type: bigint
- name: ts
required: true
type: timestamp
timeFormats:
- unix
isEventTime: true
- name: udp_conns
required: true
type: bigintZeek.Tunnel
The purpose of Zeek’s tunnel.log is to identify encapsulated traffic.
Reference: tunnel.log
schema: Zeek.Tunnel
description: The purpose of Zeek’s tunnel.log is to identify encapsulated traffic.
referenceURL: https://docs.zeek.org/en/master/logs/tunnel.html
fields:
- name: action
required: true
type: string
- name: id.orig_h
required: true
type: string
indicators:
- ip
- name: id.orig_p
required: true
type: bigint
- name: id.resp_h
required: true
type: string
indicators:
- ip
- name: id.resp_p
required: true
type: bigint
- name: ts
required: true
type: timestamp
timeFormats:
- unix
isEventTime: true
- name: tunnel_type
required: true
type: stringZeek.Weird
Reference: weird.log
schema: Zeek.Weird
description: Zeek Weird activity
referenceURL: https://docs.zeek.org/en/master/logs/weird-and-notice.html
fields:
- name: source
type: string
- name: id.orig_h
required: true
type: string
indicators:
- ip
- name: id.orig_p
required: true
type: bigint
- name: id.resp_h
required: true
type: string
indicators:
- ip
- name: id.resp_p
required: true
type: bigint
- name: name
required: true
type: string
- name: notice
required: true
type: boolean
- name: peer
required: true
type: string
- name: ts
required: true
type: timestamp
timeFormats:
- unix
isEventTime: true
- name: uid
required: true
type: string
indicators:
- trace_idZeek.X509
Reference: x509.log
schema: Zeek.X509
description: Zeek X509
referenceURL: https://docs.zeek.org/en/master/logs/x509.html
fields:
- name: certificate.curve
type: string
- name: certificate.exponent
type: bigint
- name: basic_constraints.ca
required: true
type: boolean
- name: certificate.issuer
required: true
type: string
- name: certificate.key_alg
required: true
type: string
- name: certificate.key_length
required: true
type: bigint
- name: certificate.key_type
required: true
type: string
- name: certificate.not_valid_after
required: true
type: timestamp
timeFormats:
- unix
- name: certificate.not_valid_before
required: true
type: timestamp
timeFormats:
- unix
- name: certificate.serial
required: true
type: string
- name: certificate.sig_alg
required: true
type: string
- name: certificate.subject
required: true
type: string
- name: certificate.version
required: true
type: string
- name: client_cert
required: true
type: boolean
- name: fingerprint
required: true
type: string
- name: host_cert
required: true
type: boolean
- name: san.dns
required: true
type: array
element:
type: string
- name: ts
required: true
type: timestamp
timeFormats:
- unix
isEventTime: trueLast updated