Knowledge BasePanther.comRelease NotesDemo Request
Search…
Overview
Quick Start
Data Sources & Transports
Data Transports
Supported Logs
1Password Logs
Apache Logs
Asana Logs
Atlassian Logs
AWS Logs
Box Logs
Cisco Umbrella Logs
Cloudflare Logs
CrowdStrike Logs
Dropbox Logs
Duo Security Logs
Fastly Logs
Fluentd Logs
GCP Logs
Github Logs
GitLab Logs
G Suite Logs
JAMF Pro Logs
Juniper Logs
Lacework Logs
Microsoft 365 Logs
Microsoft Graph Logs (Beta)
Nginx Logs
Okta Logs
OneLogin Logs
Osquery Logs
OSSEC Logs
Salesforce Logs
Sophos Logs
Slack Logs
Snyk Logs
Suricata Logs
Syslog Logs
Teleport Logs
Zeek Logs
Zoom Logs
Zendesk Logs
Custom Logs
Monitoring Log Sources
Writing Detections
Cloud Security Scanning
Destinations
Data Analytics
Enrichment (Beta)
System Configuration
Panther API (Beta)
Guides
Help
Powered By GitBook
Zeek Logs
Connecting Zeek logs to your Panther Console

Overview

Panther supports ingesting Zeek logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.

How to onboard Zeek logs to Panther

To pull these logs into Panther:
  1. 1.
    Set up your Data Transport in the Panther Console.
    • Please follow Panther’s documentation for configuring the Data Transport option you will use:
  2. 2.
    Configure Zeek to push logs to the Data Transport source.
    • See Zeek's documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

Required fields are in bold.

Zeek.DNS

Zeek DNS activity
Column
Type
Description
ts
timestamp
The earliest time at which a DNS protocol message over the associated connection is observed.
uid
string
A unique identifier of the connection over which DNS messages are being transferred.
id_orig_h
string
The originator’s IP address.
id_orig_p
int
The originator’s port number.
id_resp_h
string
The responder’s IP address.
id_resp_p
int
The responder’s port number.
proto
string
The transport layer protocol of the connection.
trans_id
int
A 16-bit identifier assigned by the program that generated the DNS query. Also used in responses to match up replies to outstanding queries.
query
string
The domain name that is the subject of the DNS query.
qclass
bigint
The QCLASS value specifying the class of the query.
qclass_name
string
A descriptive name for the class of the query.
qtype
bigint
A QTYPE value specifying the type of the query.
qtype_name
string
A descriptive name for the type of the query.
rcode
bigint
The response code value in DNS response messages.
rcode_name
string
A descriptive name for the response code value.
AA
boolean
The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section.
TC
boolean
The Truncation bit specifies that the message was truncated.
RD
boolean
The Recursion Desired bit in a request message indicates that the client wants recursive service for this query.
RA
boolean
The Recursion Available bit in a response message indicates that the name server supports recursive queries.
Previous
Teleport Logs
Next
Zoom Logs
Last modified 17d ago
Copy link
Outline
Overview
How to onboard Zeek logs to Panther
Supported log types
Zeek.DNS