Zeek Logs

Connecting Zeek logs to your Panther Console

Overview

Panther supports ingesting Zeek logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.

How to onboard Zeek logs to Panther

To pull these logs into Panther:
  1. Set up your Data Transport in the Panther Console.
    • Follow Panther's documentation for configuring the Data Transport option you will use (S3 or SQS).
  2. Configure Zeek to push logs to the Data Transport source.
    • See Zeek's documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

Required fields are those marked required: true in the schemas below; every other field is optional and may be absent from a given log line.

Zeek.CaptureLoss

Zeek CaptureLoss logs evidence regarding the degree to which the packet capture process suffers from measurement loss.
Reference: Capture Loss
schema: Zeek.CaptureLoss
parser:
  native:
    name: Zeek.CaptureLoss
description: Zeek CaptureLoss. It logs evidence regarding the degree to which the packet capture process suffers from measurement loss
referenceURL: https://docs.zeek.org/en/master/scripts/policy/misc/capture-loss.zeek.html
fields:
  - name: acks
    required: true
    description: acks
    type: bigint
  - name: gaps
    required: true
    description: gaps
    type: bigint
  - name: peer
    required: true
    description: peer
    type: string
  - name: percent_lost
    required: true
    description: percent_lost
    type: float
  - name: ts
    required: true
    description: ts
    type: timestamp
    timeFormat: unix
    isEventTime: true
  - name: ts_delta
    required: true
    description: ts_delta
    type: float
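
Capture loss is a telemetry-integrity signal: when a worker drops packets, every other Zeek log on this page (conn, dns, http, files) becomes incomplete without saying so. The following is an added example, not Panther's or Zeek's own code: a Python rule in the shape Panther uses for detections (module-level rule, title, severity and dedup functions over one event) that fires on Zeek.CaptureLoss events above a loss threshold. The thresholds and the sample events are constructed for this example.

```python
"""Panther-style Python rule over Zeek.CaptureLoss events (added example)."""
from typing import Any, Mapping

# Thresholds are assumptions for this example; tune them to your sensor and link.
WARN_PERCENT = 1.0    # sustained loss above this is worth a ticket
CRIT_PERCENT = 10.0   # above this, conn/dns/http logs can no longer be treated as complete


def rule(event: Mapping[str, Any]) -> bool:
    """Fire when one capture-loss measurement shows packet loss above WARN_PERCENT.

    Zeek emits one CaptureLoss record per peer (worker) per ts_delta interval,
    so a single event already summarises a whole interval; no counting is needed.
    """
    lost = event.get("percent_lost")
    if not isinstance(lost, (int, float)) or isinstance(lost, bool):
        return False  # required by the schema, but never trust a log line blindly
    return lost > WARN_PERCENT


def severity(event: Mapping[str, Any]) -> str:
    """Escalate when loss is high enough to hide whole sessions."""
    return "CRITICAL" if event.get("percent_lost", 0) > CRIT_PERCENT else "MEDIUM"


def title(event: Mapping[str, Any]) -> str:
    return (
        f"Zeek worker {event.get('peer')} lost {event.get('percent_lost'):.2f}% of packets "
        f"({event.get('gaps')} gaps / {event.get('acks')} acks over {event.get('ts_delta')}s)"
    )


def dedup(event: Mapping[str, Any]) -> str:
    """One alert stream per worker, so a flapping sensor does not page once per interval."""
    return str(event.get("peer"))


# Constructed sample events in the shape of Zeek's JSON capture_loss.log.
SAMPLE_EVENTS = [
    {"ts": 1700000000.123, "ts_delta": 900.0, "peer": "worker-1",
     "gaps": 0, "acks": 482211, "percent_lost": 0.0},
    {"ts": 1700000900.123, "ts_delta": 900.0, "peer": "worker-2",
     "gaps": 1842, "acks": 90345, "percent_lost": 2.039},
    {"ts": 1700001800.123, "ts_delta": 900.0, "peer": "worker-3",
     "gaps": 60012, "acks": 121009, "percent_lost": 49.59},
]


def run(events):
    """Evaluate the rule over a batch; returns (dedup key, severity) for each alert."""
    return [(dedup(e), severity(e)) for e in events if rule(e)]


if __name__ == "__main__":
    for peer, sev in run(SAMPLE_EVENTS):
        print(sev, peer)
```

Pair this with a second rule on Zeek.Reporter for level = error so that a worker that stops logging altogether is caught as well; a silent sensor produces no CaptureLoss events to alert on.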

Zeek.Conn

Reference: conn.log
schema: Zeek.Conn
parser:
  native:
    name: Zeek.Conn
description: Zeek Conn
referenceURL: https://docs.zeek.org/en/master/logs/conn.html
fields:
  - name: service
    description: service
    type: string
  - name: duration
    description: duration
    type: float
  - name: orig_bytes
    description: orig_bytes
    type: bigint
  - name: resp_bytes
    description: resp_bytes
    type: bigint
  - name: history
    description: history
    type: string
  - name: conn_state
    required: true
    description: conn_state
    type: string
  - name: id.orig_h
    required: true
    description: id.orig_h
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    description: id.orig_p
    type: bigint
  - name: id.resp_h
    required: true
    description: id.resp_h
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    description: id.resp_p
    type: bigint
  - name: local_orig
    required: true
    description: local_orig
    type: boolean
  - name: local_resp
    required: true
    description: local_resp
    type: boolean
  - name: missed_bytes
    required: true
    description: missed_bytes
    type: bigint
  - name: orig_ip_bytes
    required: true
    description: orig_ip_bytes
    type: bigint
  - name: orig_pkts
    required: true
    description: orig_pkts
    type: bigint
  - name: proto
    required: true
    description: proto
    type: string
  - name: resp_ip_bytes
    required: true
    description: resp_ip_bytes
    type: bigint
  - name: resp_pkts
    required: true
    description: resp_pkts
    type: bigint
  - name: ts
    required: true
    description: ts
    type: timestamp
    timeFormat: unix
    isEventTime: true
  - name: uid
    required: true
    description: uid
    type: string
    indicators:
      - trace_id
  - name: uid2
    description: uid2
    type: string
    indicators:
      - trace_id
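
Before pointing a new Zeek deployment at the Data Transport, it is worth checking a sample of its JSON conn.log lines against the field list above, since a line that is missing a required field or carries a string where the schema expects bigint will not parse as Zeek.Conn. The following is an added example, not Panther's parser: a small validator that encodes the Zeek.Conn required flags and types as a Python table, applies the checks the schema implies, and converts the unix ts (seconds, possibly fractional) to an aware UTC datetime. The three log lines are constructed for this example.

```python
"""Validate Zeek JSON conn.log lines against the Zeek.Conn field list (added example)."""
import json
from datetime import datetime, timezone
from typing import Any

# Subset of the Zeek.Conn schema on this page: field name -> (required, type).
CONN_SCHEMA = {
    "ts": (True, "timestamp"),
    "uid": (True, "string"),
    "id.orig_h": (True, "string"),
    "id.orig_p": (True, "bigint"),
    "id.resp_h": (True, "string"),
    "id.resp_p": (True, "bigint"),
    "proto": (True, "string"),
    "service": (False, "string"),
    "duration": (False, "float"),
    "orig_bytes": (False, "bigint"),
    "resp_bytes": (False, "bigint"),
    "conn_state": (True, "string"),
    "local_orig": (True, "boolean"),
    "local_resp": (True, "boolean"),
    "missed_bytes": (True, "bigint"),
    "history": (False, "string"),
    "orig_pkts": (True, "bigint"),
    "orig_ip_bytes": (True, "bigint"),
    "resp_pkts": (True, "bigint"),
    "resp_ip_bytes": (True, "bigint"),
}

BIGINT_MAX = 2**63 - 1  # 64-bit signed range, as for a SQL bigint


def _is_number(value: Any) -> bool:
    # bool is an int subclass in Python; a JSON true/false must not pass as a number
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def _check_type(value: Any, typ: str) -> bool:
    if typ == "string":
        return isinstance(value, str)
    if typ == "boolean":
        return isinstance(value, bool)
    if typ == "bigint":
        return isinstance(value, int) and not isinstance(value, bool) and -BIGINT_MAX - 1 <= value <= BIGINT_MAX
    if typ in ("float", "timestamp"):  # timeFormat: unix means seconds since the epoch
        return _is_number(value)
    return False


def validate_conn_line(line: str) -> tuple[dict, list[str]]:
    """Parse one JSON log line; return (event, errors). On success event['ts'] is a UTC datetime."""
    errors: list[str] = []
    try:
        event = json.loads(line)
    except json.JSONDecodeError as exc:
        return {}, [f"not JSON: {exc}"]
    if not isinstance(event, dict):
        return {}, ["not a JSON object"]
    for name, (required, typ) in CONN_SCHEMA.items():
        if name not in event:
            if required:
                errors.append(f"missing required field {name}")
            continue
        if not _check_type(event[name], typ):
            errors.append(f"field {name}: expected {typ}, got {type(event[name]).__name__}")
    if not errors:
        event["ts"] = datetime.fromtimestamp(event["ts"], tz=timezone.utc)
    return event, errors


# Constructed sample lines: one valid, one missing conn_state, one with a string port.
SAMPLE_LINES = [
    '{"ts":1700000000.305988,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5","id.orig_p":51234,'
    '"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp","service":"ssl","duration":1.23,'
    '"orig_bytes":512,"resp_bytes":4096,"conn_state":"SF","local_orig":true,"local_resp":false,'
    '"missed_bytes":0,"history":"ShADadFf","orig_pkts":9,"orig_ip_bytes":1000,"resp_pkts":8,"resp_ip_bytes":4500}',
    '{"ts":1700000001.0,"uid":"CtPZjS20MLrsMUOJi2","id.orig_h":"10.0.0.6","id.orig_p":51235,'
    '"id.resp_h":"10.0.0.1","id.resp_p":53,"proto":"udp","local_orig":true,"local_resp":true,'
    '"missed_bytes":0,"orig_pkts":1,"orig_ip_bytes":70,"resp_pkts":1,"resp_ip_bytes":120}',
    '{"ts":1700000002.0,"uid":"CUM0KZ3MLUfNB0cl11","id.orig_h":"10.0.0.7","id.orig_p":"51236",'
    '"id.resp_h":"10.0.0.1","id.resp_p":22,"proto":"tcp","conn_state":"S0","local_orig":true,'
    '"local_resp":true,"missed_bytes":0,"orig_pkts":3,"orig_ip_bytes":180,"resp_pkts":0,"resp_ip_bytes":0}',
]


def validate_all(lines):
    """Return the error list for each line, in order."""
    return [validate_conn_line(line)[1] for line in lines]


if __name__ == "__main__":
    for line, errs in zip(SAMPLE_LINES, validate_all(SAMPLE_LINES)):
        print("OK" if not errs else "; ".join(errs))
```

Zeek writes its JSON ts as a unix epoch float only when the logs are emitted in JSON format; the tab-separated default uses the same epoch seconds, but a sensor that has been reconfigured to ISO timestamps will fail the timestamp check here for the same reason it would fail timeFormat: unix in Panther.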

Zeek.DHCP

Reference: dhcp.log
schema: Zeek.DHCP
parser:
  native:
    name: Zeek.DHCP
description: Zeek DHCP
referenceURL: https://docs.zeek.org/en/master/logs/dhcp.html
fields:
  - name: host_name
    description: host_name
    type: string
    indicators:
      - domain
  - name: requested_addr
    description: requested_addr
    type: string
    indicators:
      - ip
  - name: duration
    required: true
    description: duration
    type: float
  - name: mac
    required: true
    description: mac
    type: string
  - name: msg_types
    required: true
    description: msg_types
    type: array
    element:
      type: string
  - name: ts
    required: true
    description: ts
    type: timestamp
    timeFormat: unix
    isEventTime: true
  - name: uids
    required: true
    description: uids
    type: array
    element:
      type: string
      indicators:
        - trace_id

Zeek.DNS

Zeek DNS activity
schema: Zeek.DNS
parser:
  native:
    name: Zeek.DNS
description: Zeek DNS activity
referenceURL: https://docs.zeek.org/en/current/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info
fields:
  - name: ts
    required: true
    description: The earliest time at which a DNS protocol message over the associated connection is observed.
    type: timestamp
    timeFormat: unix
    isEventTime: true
  - name: uid
    required: true
    description: A unique identifier of the connection over which DNS messages are being transferred.
    type: string
  - name: id.orig_h
    required: true
    description: The originator’s IP address.
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    description: The originator’s port number.
    type: int
  - name: id.resp_h
    required: true
    description: The responder’s IP address.
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    description: The responder’s port number.
    type: int
  - name: proto
    required: true
    description: The transport layer protocol of the connection.
    type: string
  - name: trans_id
    description: A 16-bit identifier assigned by the program that generated the DNS query. Also used in responses to match up replies to outstanding queries.
    type: int
  - name: query
    description: The domain name that is the subject of the DNS query.
    type: string
    indicators:
      - domain
  - name: qclass
    description: The QCLASS value specifying the class of the query.
    type: bigint
  - name: qclass_name
    description: A descriptive name for the class of the query.
    type: string
  - name: qtype
    description: A QTYPE value specifying the type of the query.
    type: bigint
  - name: qtype_name
    description: A descriptive name for the type of the query.
    type: string
  - name: rcode
    description: The response code value in DNS response messages.
    type: bigint
  - name: rcode_name
    description: A descriptive name for the response code value.
    type: string
  - name: AA
    description: The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section.
    type: boolean
  - name: TC
    description: The Truncation bit specifies that the message was truncated.
    type: boolean
  - name: RD
    description: The Recursion Desired bit in a request message indicates that the client wants recursive service for this query.
    type: boolean
  - name: RA
    description: The Recursion Available bit in a response message indicates that the name server supports recursive queries.
    type: boolean
  - name: Z
    description: A reserved field that is usually zero in queries and responses.
    type: bigint
  - name: answers
    description: The set of resource descriptions in the query answer.
    type: array
    element:
      type: string
      indicators:
        - hostname
  - name: TTLs
    description: The caching intervals (measured in seconds) of the associated RRs described by the answers field.
    type: array
    element:
      type: float
  - name: rejected
    description: The DNS query was rejected by the server.
    type: boolean
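
The query and qtype_name fields above are the usual inputs for a DNS tunnelling heuristic, and the schema makes query optional, so a rule has to cope with its absence. The following is an added example, not Panther's or Zeek's own code: a Python rule in the shape Panther uses for detections (rule, title and dedup over one event) that flags TXT or NULL queries carrying an unusually long label, or any query whose longest label is both long and high-entropy. The thresholds are assumptions of this example and the sample events are constructed; the third event shows why the entropy check is there, since a long but repetitive label is more likely a CDN name than encoded data.

```python
"""Panther-style rule over Zeek.DNS events for tunnelling-shaped queries (added example)."""
import math
from collections import Counter
from typing import Any, Mapping

MAX_LABEL_LEN = 40       # assumption: legitimate labels are rarely this long
MIN_ENTROPY_BITS = 3.5   # assumption: base32/base64 payload labels sit around 4+ bits per char
SUSPICIOUS_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_label(query: str) -> str:
    # Zeek's query field is the name as sent on the wire, without a trailing dot.
    return max(query.split("."), key=len, default="")


def rule(event: Mapping[str, Any]) -> bool:
    query = event.get("query")
    if not isinstance(query, str) or not query:
        return False  # query is optional in the schema; with no name there is nothing to judge
    label = longest_label(query)
    if len(label) < MAX_LABEL_LEN:
        return False
    if event.get("qtype_name") in SUSPICIOUS_QTYPES:
        return True
    return shannon_entropy(label) >= MIN_ENTROPY_BITS


def title(event: Mapping[str, Any]) -> str:
    return (
        f"Possible DNS tunnelling from {event.get('id.orig_h')}: "
        f"{event.get('qtype_name')} query for {event.get('query')}"
    )


def dedup(event: Mapping[str, Any]) -> str:
    """Group by the last two labels so one tunnel domain yields one alert, not one per query."""
    return ".".join(str(event.get("query", "")).split(".")[-2:])


# Constructed sample events; only the fields the rule reads are populated.
SAMPLE_EVENTS = [
    {"ts": 1700000000.1, "uid": "C1", "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.1",
     "query": "www.example.test", "qtype_name": "A"},
    {"ts": 1700000000.2, "uid": "C2", "id.orig_h": "10.0.0.6", "id.resp_h": "10.0.0.1",
     "query": "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpja.c2.example.test", "qtype_name": "TXT"},
    {"ts": 1700000000.3, "uid": "C3", "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.1",
     "query": "a" * 45 + ".cdn.example.test", "qtype_name": "A"},  # long but zero-entropy label
    {"ts": 1700000000.4, "uid": "C4", "id.orig_h": "10.0.0.8", "id.resp_h": "10.0.0.1",
     "query": "abcdefghijklmnopqrstabcdefghijklmnopqrst.example.test", "qtype_name": "A"},
    {"ts": 1700000000.5, "uid": "C5", "id.orig_h": "10.0.0.9", "id.resp_h": "10.0.0.1",
     "qtype_name": "A"},  # query absent, as the schema allows
]


def run(events):
    """Return the dedup key for every event the rule fires on."""
    return [dedup(e) for e in events if rule(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(rule(e), e.get("query"))
```

Anything built on label length will produce some noise from DKIM, anti-spam and certificate-validation lookups, which legitimately use long TXT labels; an allowlist on dedup keys, or a count threshold per id.orig_h, is the usual second stage.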

Zeek.DPD

Zeek Dynamic Protocol Detection.
Reference: dpd.log
schema: Zeek.DPD
parser:
  native:
    name: Zeek.DPD
description: Zeek Dynamic Protocol Detection
referenceURL: https://docs.zeek.org/en/master/logs/dpd.html
fields:
  - name: analyzer
    required: true
    description: analyzer
    type: string
  - name: failure_reason
    required: true
    description: failure_reason
    type: string
  - name: id.orig_h
    required: true
    description: id.orig_h
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    description: id.orig_p
    type: bigint
  - name: id.resp_h
    required: true
    description: id.resp_h
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    description: id.resp_p
    type: bigint
  - name: proto
    required: true
    description: proto
    type: string
  - name: ts
    required: true
    description: ts
    type: timestamp
    timeFormat: unix
    isEventTime: true
  - name: uid
    required: true
    description: uid
    type: string
    indicators:
      - trace_id

Zeek.Files

Reference: files.log
schema: Zeek.Files
parser:
  native:
    name: Zeek.Files
description: Zeek Files
referenceURL: https://docs.zeek.org/en/master/logs/files.html
fields:
  - name: analyzers
    required: true
    description: analyzers
    type: array
    element:
      type: string
  - name: conn_uids
    required: true
    description: conn_uids
    type: array
    element:
      type: string
      indicators:
        - trace_id
  - name: depth
    required: true
    description: depth
    type: bigint
  - name: duration
    required: true
    description: duration
    type: float
  - name: fuid
    required: true
    description: fuid
    type: string
    indicators:
      - trace_id
  - name: is_orig
    required: true
    description: is_orig
    type: boolean
  - name: local_orig
    required: true
    description: local_orig
    type: boolean
  - name: md5
    required: true
    description: md5
    type: string
    indicators:
      - md5
  - name: mime_type
    description: mime_type
    type: string
  - name: missing_bytes
    required: true
    description: missing_bytes
    type: bigint
  - name: overflow_bytes
    required: true
    description: overflow_bytes
    type: bigint
  - name: rx_hosts
    required: true
    description: rx_hosts
    type: array
    element:
      type: string
      indicators:
        - ip
  - name: seen_bytes
    required: true
    description: seen_bytes
    type: bigint
  - name: sha1
    required: true
    description: sha1
    type: string
    indicators:
      - sha1
  - name: source
    required: true
    description: source
    type: string
  - name: timedout
    required: true
    description: timedout
    type: boolean
  - name: ts
    required: true
    description: ts
    type: timestamp
    timeFormat: unix
    isEventTime: true
  - name: tx_hosts
    required: true
    description: tx_hosts
    type: array
    element:
      type: string
      indicators:
        - ip

Zeek.HTTP

Reference: http.log
schema: Zeek.HTTP
parser:
  native:
    name: Zeek.HTTP
description: Zeek HTTP activity
referenceURL: https://docs.zeek.org/en/master/logs/http.html
fields:
  - name: resp_fuids
    description: resp_fuids
    type: array
    element:
      type: string
      indicators:
        - trace_id
  - name: resp_mime_types
    description: resp_mime_types
    type: array
    element:
      type: string
  - name: status_code
    description: status_code
    type: bigint
  - name: status_msg
    description: status_msg
    type: string
  - name: version
    description: version
    type: float
  - name: host
    description: host
    type: string
    indicators:
      - domain
  - name: user_agent
    description: user_agent
    type: string
  - name: id.orig_h
    required: true
    description: id.orig_h
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    description: id.orig_p
    type: bigint
  - name: id.resp_h
    required: true
    description: id.resp_h
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    description: id.resp_p
    type: bigint
  - name: method
    required: true
    description: method
    type: string
  - name: request_body_len
    required: true
    description: request_body_len
    type: bigint
  - name: response_body_len
    required: true
    description: response_body_len
    type: bigint
  - name: trans_depth
    required: true
    description: trans_depth
    type: bigint
  - name: ts
    required: true
    description: ts
    type: timestamp
    timeFormat: unix
    isEventTime: true
  - name: uid
    required: true
    description: uid
    type: string
    indicators:
      - trace_id
  - name: uri
    required: true
    description: uri
    type: string
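
The trace_id annotation on Zeek.HTTP resp_fuids and on Zeek.Files fuid is what makes the two logs joinable: http.log records the transaction (host, uri, user agent) while files.log records what the response carried (hashes, mime type, whether the whole body was seen). The following is an added example, not Panther's own code, showing that pivot over constructed sample events for both schemas: it joins on the file id, builds one record per file delivered in an HTTP response, and flags executable payloads. The executable MIME list is an assumption for this example, and the hash values are placeholders.

```python
"""Join Zeek.HTTP to Zeek.Files on the file id (added example)."""

# Constructed sample events; field names exactly as in the schemas on this page.
HTTP_EVENTS = [
    {"ts": 1700000100.5, "uid": "CHhAvVGS1DHFjwGM9", "id.orig_h": "10.0.0.5", "id.orig_p": 50122,
     "id.resp_h": "198.51.100.7", "id.resp_p": 80, "method": "GET", "host": "dl.example.test",
     "uri": "/update/setup.exe", "user_agent": "Mozilla/5.0", "trans_depth": 1,
     "request_body_len": 0, "response_body_len": 73216, "status_code": 200,
     "resp_fuids": ["FkX3Pa2xQl1bSjNne"], "resp_mime_types": ["application/x-dosexec"]},
    {"ts": 1700000101.2, "uid": "CtPZjS20MLrsMUOJi2", "id.orig_h": "10.0.0.6", "id.orig_p": 50123,
     "id.resp_h": "198.51.100.8", "id.resp_p": 80, "method": "GET", "host": "cdn.example.test",
     "uri": "/img/logo.png", "user_agent": "curl/8.0", "trans_depth": 1,
     "request_body_len": 0, "response_body_len": 2048, "status_code": 200,
     "resp_fuids": ["F9nQeW4cGh6JkT8rt"], "resp_mime_types": ["image/png"]},
    {"ts": 1700000102.0, "uid": "CUM0KZ3MLUfNB0cl11", "id.orig_h": "10.0.0.7", "id.orig_p": 50124,
     "id.resp_h": "198.51.100.9", "id.resp_p": 80, "method": "POST", "host": "api.example.test",
     "uri": "/submit", "trans_depth": 1, "request_body_len": 512, "response_body_len": 0,
     "status_code": 204},  # resp_fuids absent: the field is optional in the schema
]

FILES_EVENTS = [
    {"ts": 1700000100.6, "fuid": "FkX3Pa2xQl1bSjNne", "conn_uids": ["CHhAvVGS1DHFjwGM9"],
     "tx_hosts": ["198.51.100.7"], "rx_hosts": ["10.0.0.5"], "source": "HTTP", "depth": 0,
     "analyzers": ["MD5", "SHA1", "PE"], "mime_type": "application/x-dosexec", "duration": 0.4,
     "local_orig": False, "is_orig": False, "seen_bytes": 73216, "missing_bytes": 0,
     "overflow_bytes": 0, "timedout": False,
     "md5": "9e107d9d372bb6826bd81d3542a419d6", "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"},
    {"ts": 1700000101.3, "fuid": "F9nQeW4cGh6JkT8rt", "conn_uids": ["CtPZjS20MLrsMUOJi2"],
     "tx_hosts": ["198.51.100.8"], "rx_hosts": ["10.0.0.6"], "source": "HTTP", "depth": 0,
     "analyzers": ["MD5", "SHA1"], "mime_type": "image/png", "duration": 0.1,
     "local_orig": False, "is_orig": False, "seen_bytes": 2048, "missing_bytes": 0,
     "overflow_bytes": 0, "timedout": False,
     "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
]

# MIME types worth a second look when served over plain HTTP (assumption for this example).
EXECUTABLE_MIME = {
    "application/x-dosexec", "application/x-executable", "application/x-elf",
    "application/x-mach-binary", "application/x-sharedlib",
}


def join_http_files(http_events, files_events):
    """Return one dict per file delivered in an HTTP response, joined on the file id."""
    files_by_fuid = {f["fuid"]: f for f in files_events}
    downloads = []
    for h in http_events:
        for fuid in h.get("resp_fuids") or []:
            f = files_by_fuid.get(fuid)
            if f is None:
                continue  # files.log line not seen (yet): the two logs can arrive out of order
            downloads.append({
                "fuid": fuid,
                "client": h["id.orig_h"],
                "url": f"http://{h.get('host', h['id.resp_h'])}{h['uri']}",
                "mime_type": f.get("mime_type"),
                "sha1": f["sha1"],
                "md5": f["md5"],
                # a hash over a partially captured body is not the hash of the file
                "complete": f["missing_bytes"] == 0 and not f["timedout"],
                "executable": f.get("mime_type") in EXECUTABLE_MIME,
            })
    return downloads


def executable_downloads(http_events, files_events):
    return [d for d in join_http_files(http_events, files_events) if d["executable"]]


if __name__ == "__main__":
    for d in executable_downloads(HTTP_EVENTS, FILES_EVENTS):
        print(d["client"], d["url"], d["sha1"], "complete" if d["complete"] else "partial")
```

The complete flag matters before any hash is sent to a reputation service: with missing_bytes above zero or timedout set, Zeek hashed only the bytes it saw, and a lookup on that value will simply miss.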

Zeek.Notice

Reference: notice.log
schema: Zeek.Notice
parser:
  native:
    name: Zeek.Notice
description: Zeek Notice activities
referenceURL: https://docs.zeek.org/en/master/frameworks/notice.html
fields:
  - name: actions
    required: true
    description: actions
    type: array
    element:
      type: string
  - name: email_dest
    description: email_dest
    type: array
    element:
      type: string
  - name: dst
    description: dst
    type: string
    indicators:
      - ip
  - name: fuid
    description: fuid
    type: string
    indicators:
      - trace_id
  - name: id.orig_h
    description: id.orig_h
    type: string
    indicators:
      - ip
  - name: id.orig_p
    description: id.orig_p
    type: bigint
  - name: id.resp_h
    description: id.resp_h
    type: string
    indicators:
      - ip
  - name: id.resp_p
    description: id.resp_p
    type: bigint
  - name: msg
    required: true
    description: msg
    type: string
  - name: note
    required: true
    description: note
    type: string
  - name: p
    description: p
    type: bigint
  - name: proto
    description: proto
    type: string
  - name: src
    description: src
    type: string
    indicators:
      - ip
  - name: sub
    description: sub
    type: string
  - name: suppress_for
    required: true
    description: suppress_for
    type: float
  - name: ts
    required: true
    description: ts
    type: timestamp
    timeFormat: unix
    isEventTime: true
  - name: uid
    description: uid
    type: string
    indicators:
      - trace_id

Zeek.NTP

Reference: ntp.log
schema: Zeek.NTP
parser:
  native:
    name: Zeek.NTP
description: Zeek Network Time Protocol activity
referenceURL: https://docs.zeek.org/en/master/logs/ntp.html
fields:
  - name: id.orig_h
    required: true
    description: id.orig_h
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    description: id.orig_p
    type: bigint
  - name: id.resp_h
    required: true
    description: id.resp_h
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    description: id.resp_p
    type: bigint
  - name: mode
    required: true
    description: mode
    type: bigint
  - name: num_exts
    required: true
    description: num_exts
    type: bigint
  - name: org_time
    required: true
    description: org_time
    type: float
  - name: poll
    required: true
    description: poll
    type: float
  - name: precision
    required: true
    description: precision
    type: float
  - name: rec_time
    required: true
    description: rec_time
    type: float
  - name: ref_id
    required: true
    description: ref_id
    type: string
  - name: ref_time
    required: true
    description: ref_time
    type: float
  - name: root_delay
    required: true
    description: root_delay
    type: float
  - name: root_disp
    required: true
    description: root_disp
    type: float
  - name: stratum
    required: true
    description: stratum
    type: bigint
  - name: ts
    required: true
    description: ts
    type: timestamp
    timeFormat: unix
    isEventTime: true
  - name: uid
    required: true
    description: uid
    type: string
    indicators:
      - trace_id
  - name: version
    required: true
    description: version
    type: bigint
  - name: xmt_time
    required: true
    description: xmt_time
    type: float

Zeek.OCSP

Reference: ocsp.log
schema: Zeek.OCSP
parser:
  native:
    name: Zeek.OCSP
description: Zeek Online Certificate Status Protocol activity
referenceURL: https://docs.zeek.org/en/v4.0.0/scripts/policy/files/x509/log-ocsp.zeek.html
fields:
  - name: certStatus
    required: true
    description: certStatus
    type: string
  - name: hashAlgorithm
    required: true
    description: hashAlgorithm
    type: string
  - name: id
    required: true
    description: id
    type: string
  - name: issuerKeyHash
    required: true
    description: issuerKeyHash
    type: string
  - name: issuerNameHash
    required: true
    description: issuerNameHash
    type: string
  - name: nextUpdate
    required: true
    description: nextUpdate
    type: timestamp
    timeFormat: unix
  - name: serialNumber
    required: true
    description: serialNumber
    type: string
  - name: revoketime
    description: revoketime
    type: timestamp
    timeFormat: unix
  - name: revokereason
    description: revokereason
    type: string
  - name: thisUpdate
    required: true
    description: thisUpdate
    type: timestamp
    timeFormat: unix
  - name: ts
    required: true
    description: ts
    type: timestamp
    timeFormat: unix
    isEventTime: true

Zeek.Reporter

Zeek internal warnings and errors.
Reference: reporter.log
schema: Zeek.Reporter
parser:
  native:
    name: Zeek.Reporter
description: Zeek internal warnings and errors
referenceURL: https://docs.zeek.org/en/master/logs/capture-loss-and-reporter.html
fields:
  - name: level
    required: true
    description: level
    type: string
  - name: location
    required: true
    description: location
    type: string
  - name: message
    required: true
    description: message
    type: string
  - name: ts
    required: true
    description: ts
    type: timestamp
    timeFormat: unix
    isEventTime: true

Zeek.Software

Reference: software.log
schema: Zeek.Software
parser:
  native:
    name: Zeek.Software
description: Zeek Software activity
referenceURL: https://docs.zeek.org/en/master/logs/known-and-software.html#software-log
fields:
  - name: host_p
    description: host_p
    type: bigint
  - name: version.addl
    description: version.addl
    type: string
  - name: version.minor2
    description: version.minor2
    type: string
  - name: version.minor3
    description: version.minor3
    type: string
  - name: version.minor
    description: version.minor
    type: string
  - name: host
    required: true
    description: host
    type: string
    indicators:
      - ip
  - name: name
    required: true
    description: name
    type: string
  - name: software_type
    required: true
    description: software_type
    type: string
  - name: ts
    required: true
    description: ts
    type: timestamp
    timeFormat: unix
    isEventTime: true
  - name: unparsed_version
    required: true
    description: unparsed_version
    type: string
  - name: version.major
    description: version.major
    type: bigint

Zeek.SSH

Reference: ssh.log
schema: Zeek.Ssh
parser:
  native:
    name: Zeek.Ssh
description: Zeek ssh activity
referenceURL: https://docs.zeek.org/en/master/logs/ssh.html
fields:
  - name: auth_attempts
    required: true
    description: auth_attempts
    type: bigint