Zeek Logs

Connecting Zeek logs to your Panther Console

Overview

Panther supports ingesting Zeek logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.

How to onboard Zeek logs to Panther

To pull these logs into Panther:
  1. Log in to the Panther Console.
  2. In the left sidebar, click Configure > Log Sources.
  3. Click Create New.
  4. Search for the log type you want to onboard, then click its tile.
  5. Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
     1. AWS SQS
  6. Configure Zeek to push logs to the Data Transport source.
     • See Zeek's documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

Required fields are those marked required: true in each schema listing below.

Zeek.CaptureLoss

Zeek CaptureLoss logs evidence regarding the degree to which the packet capture process suffers from measurement loss.
Reference: Capture Loss
schema: Zeek.CaptureLoss
description: Zeek CaptureLoss. It logs evidence regarding the degree to which the packet capture process suffers from measurement loss
referenceURL: https://docs.zeek.org/en/master/scripts/policy/misc/capture-loss.zeek.html
fields:
  - name: acks
    required: true
    type: bigint
  - name: gaps
    required: true
    type: bigint
  - name: peer
    required: true
    type: string
  - name: percent_lost
    required: true
    type: float
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: ts_delta
    required: true
    type: float

Zeek.Conn

Reference: conn.log
schema: Zeek.Conn
description: Zeek Conn
referenceURL: https://docs.zeek.org/en/master/logs/conn.html
fields:
  - name: service
    type: string
  - name: duration
    type: float
  - name: orig_bytes
    type: bigint
  - name: resp_bytes
    type: bigint
  - name: history
    type: string
  - name: conn_state
    required: true
    type: string
  - name: id.orig_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    type: bigint
  - name: id.resp_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    type: bigint
  - name: local_orig
    required: true
    type: boolean
  - name: local_resp
    required: true
    type: boolean
  - name: missed_bytes
    required: true
    type: bigint
  - name: orig_ip_bytes
    required: true
    type: bigint
  - name: orig_pkts
    required: true
    type: bigint
  - name: proto
    required: true
    type: string
  - name: resp_ip_bytes
    required: true
    type: bigint
  - name: resp_pkts
    required: true
    type: bigint
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: uid
    required: true
    type: string
    indicators:
      - trace_id
  - name: uid2
    type: string
    indicators:
      - trace_id
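To show what the required, type, timeFormats: unix, isEventTime and indicators keys of the Zeek.Conn listing mean once a record is ingested, here is an added example (not Panther's or Zeek's own code) that checks a constructed conn.log JSON record against the required fields above, turns the unix ts into the event time and collects the indicator values. The field subset, the sample record and the validate_conn helper are this example's own assumptions.

```python
import json
from datetime import datetime, timezone

# Required fields of the Zeek.Conn schema with their types, plus the indicator annotations (constructed subset).
ZEEK_CONN_REQUIRED = {
    "conn_state": "string", "id.orig_h": "string", "id.orig_p": "bigint",
    "id.resp_h": "string", "id.resp_p": "bigint", "local_orig": "boolean",
    "local_resp": "boolean", "missed_bytes": "bigint", "orig_ip_bytes": "bigint",
    "orig_pkts": "bigint", "proto": "string", "resp_ip_bytes": "bigint",
    "resp_pkts": "bigint", "ts": "timestamp", "uid": "string",
}
ZEEK_CONN_INDICATORS = {"id.orig_h": "ip", "id.resp_h": "ip", "uid": "trace_id"}

def _has_type(value, ftype):
    """Map the schema's type names onto the values Zeek's JSON log writer emits."""
    if ftype == "boolean" or isinstance(value, bool):  # bool is an int subclass in Python
        return ftype == "boolean" and isinstance(value, bool)
    accepted = {"bigint": int, "float": (int, float), "timestamp": (int, float)}
    return isinstance(value, accepted.get(ftype, str))

def validate_conn(record):
    """Check one conn.log JSON record; return (problems, event_time, indicators)."""
    problems = []
    for name, ftype in ZEEK_CONN_REQUIRED.items():
        if name not in record:
            problems.append(f"missing required field {name}")
        elif not _has_type(record[name], ftype):
            problems.append(f"{name}: expected {ftype}, got {type(record[name]).__name__}")
    event_time = None  # timeFormats: unix + isEventTime: true -> epoch seconds in ts are the event time
    if _has_type(record.get("ts"), "timestamp"):
        event_time = datetime.fromtimestamp(record["ts"], tz=timezone.utc)
    indicators = {}  # indicators: ip / trace_id -> values that become searchable indicators
    for name, kind in ZEEK_CONN_INDICATORS.items():
        if isinstance(record.get(name), str):
            indicators.setdefault(kind, []).append(record[name])
    return problems, event_time, indicators

# Constructed conn.log record in Zeek's JSON output format (not real traffic).
SAMPLE_CONN = json.loads(
    '{"ts":1710000000.123456,"uid":"CXy1Ab3Zk9TqpLm0e","id.orig_h":"10.0.0.5",'
    '"id.orig_p":51234,"id.resp_h":"192.0.2.10","id.resp_p":443,"proto":"tcp",'
    '"service":"ssl","duration":1.5,"conn_state":"SF","local_orig":true,'
    '"local_resp":false,"missed_bytes":0,"history":"ShADadFf","orig_pkts":10,'
    '"orig_ip_bytes":1320,"resp_pkts":12,"resp_ip_bytes":4820}'
)
```

A record that fails the required-field check is the kind Panther would report as a classification error rather than store under this schema.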

Zeek.DHCP

Reference: dhcp.log
schema: Zeek.DHCP
description: Zeek DHCP
referenceURL: https://docs.zeek.org/en/master/logs/dhcp.html
fields:
  - name: host_name
    type: string
    indicators:
      - domain
  - name: requested_addr
    type: string
    indicators:
      - ip
  - name: duration
    required: true
    type: float
  - name: mac
    required: true
    type: string
    indicators:
      - mac
  - name: msg_types
    required: true
    type: array
    element:
      type: string
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: uids
    required: true
    type: array
    element:
      type: string
      indicators:
        - trace_id

Zeek.DNS

Zeek DNS activity
schema: Zeek.DNS
description: Zeek DNS activity
referenceURL: https://docs.zeek.org/en/current/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info
fields:
  - name: ts
    required: true
    description: The earliest time at which a DNS protocol message over the associated connection is observed.
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: uid
    required: true
    description: A unique identifier of the connection over which DNS messages are being transferred.
    type: string
  - name: id.orig_h
    required: true
    description: The originator’s IP address.
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    description: The originator’s port number.
    type: int
  - name: id.resp_h
    required: true
    description: The responder’s IP address.
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    description: The responder’s port number.
    type: int
  - name: proto
    required: true
    description: The transport layer protocol of the connection.
    type: string
  - name: trans_id
    description: A 16-bit identifier assigned by the program that generated the DNS query. Also used in responses to match up replies to outstanding queries.
    type: int
  - name: query
    description: The domain name that is the subject of the DNS query.
    type: string
    indicators:
      - domain
  - name: qclass
    description: The QCLASS value specifying the class of the query.
    type: bigint
  - name: qclass_name
    description: A descriptive name for the class of the query.
    type: string
  - name: qtype
    description: A QTYPE value specifying the type of the query.
    type: bigint
  - name: qtype_name
    description: A descriptive name for the type of the query.
    type: string
  - name: rcode
    description: The response code value in DNS response messages.
    type: bigint
  - name: rcode_name
    description: A descriptive name for the response code value.
    type: string
  - name: AA
    description: The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section.
    type: boolean
  - name: TC
    description: The Truncation bit specifies that the message was truncated.
    type: boolean
  - name: RD
    description: The Recursion Desired bit in a request message indicates that the client wants recursive service for this query.
    type: boolean
  - name: RA
    description: The Recursion Available bit in a response message indicates that the name server supports recursive queries.
    type: boolean
  - name: Z
    description: A reserved field that is usually zero in queries and responses.
    type: bigint
  - name: answers
    description: The set of resource descriptions in the query answer.
    type: array
    element:
      type: string
      indicators:
        - hostname
  - name: TTLs
    description: The caching intervals (measured in seconds) of the associated RRs described by the answers field.
    type: array
    element:
      type: float
  - name: rejected
    description: The DNS query was rejected by the server.
    type: boolean

Zeek.DPD

Zeek Dynamic Protocol Detection.
Reference: dpd.log
schema: Zeek.DPD
description: Zeek Dynamic Protocol Detection
referenceURL: https://docs.zeek.org/en/master/logs/dpd.html
fields:
  - name: analyzer
    required: true
    type: string
  - name: failure_reason
    required: true
    type: string
  - name: id.orig_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    type: bigint
  - name: id.resp_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    type: bigint
  - name: proto
    required: true
    type: string
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: uid
    required: true
    type: string
    indicators:
      - trace_id

Zeek.Files

Reference: files.log
schema: Zeek.Files
description: Zeek Files
referenceURL: https://docs.zeek.org/en/master/logs/files.html
fields:
  - name: analyzers
    required: true
    type: array
    element:
      type: string
  - name: conn_uids
    required: true
    type: array
    element:
      type: string
      indicators:
        - trace_id
  - name: depth
    required: true
    type: bigint
  - name: duration
    required: true
    type: float
  - name: fuid
    required: true
    type: string
    indicators:
      - trace_id
  - name: is_orig
    required: true
    type: boolean
  - name: local_orig
    required: true
    type: boolean
  - name: md5
    required: true
    type: string
    indicators:
      - md5
  - name: mime_type
    type: string
  - name: missing_bytes
    required: true
    type: bigint
  - name: overflow_bytes
    required: true
    type: bigint
  - name: rx_hosts
    required: true
    type: array
    element:
      type: string
      indicators:
        - ip
  - name: seen_bytes
    required: true
    type: bigint
  - name: sha1
    required: true
    type: string
    indicators:
      - sha1
  - name: source
    required: true
    type: string
  - name: timedout
    required: true
    type: boolean
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: tx_hosts
    required: true
    type: array
    element:
      type: string
      indicators:
        - ip

Zeek.HTTP

Reference: http.log
schema: Zeek.HTTP
description: Zeek HTTP activity
referenceURL: https://docs.zeek.org/en/master/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info
fields:
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: uid
    required: true
    type: string
    indicators:
      - trace_id
  - name: id.orig_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    type: bigint
  - name: id.resp_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    type: bigint
  - name: trans_depth
    required: true
    type: bigint
  - name: method
    type: string
  - name: host
    type: string
    indicators:
      - domain
  - name: uri
    type: string
  - name: referrer
    type: string
  - name: version
    type: string
  - name: user_agent
    type: string
  - name: origin
    type: string
  - name: request_body_len
    type: bigint
  - name: response_body_len
    type: bigint
  - name: status_code
    type: bigint
  - name: status_msg
    type: string
  - name: info_code
    type: bigint
  - name: info_msg
    type: string
  - name: tags
    required: true
    type: json
  - name: username
    type: string
  - name: password
    type: string
  - name: capture_password
    type: boolean
  - name: proxied
    type: array
    element:
      type: string
  - name: range_request
    type: boolean
  - name: orig_fuids
    type: array
    element:
      type: string
      indicators:
        - trace_id
  - name: orig_filenames
    type: array
    element:
      type: string
  - name: orig_mime_types
    type: array
    element:
      type: string
  - name: resp_fuids
    type: array
    element:
      type: string
      indicators:
        - trace_id
  - name: resp_filenames
    type: array
    element:
      type: string
  - name: resp_mime_types
    type: array
    element:
      type: string
  - name: current_entity
    type: json
  - name: orig_mime_depth
    type: bigint
  - name: resp_mime_depth
    type: bigint
  - name: client_header_names
    type: array
    element:
      type: string
  - name: server_header_names
    type: array
    element:
      type: string
  - name: omniture
    type: boolean
  - name: flash_version
    type: string
  - name: cookie_vars
    type: array
    element:
      type: string
  - name: uri_vars
    type: array
    element:
      type: string

Zeek.Notice

Reference: notice.log
schema: Zeek.Notice
description: Zeek Notice activities
referenceURL: https://docs.zeek.org/en/master/frameworks/notice.html
fields:
  - name: actions
    required: true
    type: array
    element:
      type: string
  - name: email_dest
    type: array
    element:
      type: string
  - name: dst
    type: string
    indicators:
      - ip
  - name: fuid
    type: string
    indicators:
      - trace_id
  - name: id.orig_h
    type: string
    indicators:
      - ip
  - name: id.orig_p
    type: bigint
  - name: id.resp_h
    type: string
    indicators:
      - ip
  - name: id.resp_p
    type: bigint
  - name: msg
    required: true
    type: string
  - name: note
    required: true
    type: string
  - name: p
    type: bigint
  - name: proto
    type: string
  - name: src
    type: string
    indicators:
      - ip
  - name: sub
    type: string
  - name: suppress_for
    required: true
    type: float
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: uid
    type: string
    indicators:
      - trace_id

Zeek.NTP

Reference: ntp.log
schema: Zeek.NTP
description: Zeek Network Time Protocol activity
referenceURL: https://docs.zeek.org/en/master/logs/ntp.html
fields:
  - name: id.orig_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    type: bigint
  - name: id.resp_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    type: bigint
  - name: mode
    required: true
    type: bigint
  - name: num_exts
    required: true
    type: bigint
  - name: org_time
    required: true
    type: float
  - name: poll
    required: true
    type: float
  - name: precision
    required: true
    type: float
  - name: rec_time
    required: true
    type: float
  - name: ref_id
    required: true
    type: string
  - name: ref_time
    required: true
    type: float
  - name: root_delay
    required: true
    type: float
  - name: root_disp
    required: true
    type: float
  - name: stratum
    required: true
    type: bigint
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: uid
    required: true
    type: string
    indicators:
      - trace_id
  - name: version
    required: true
    type: bigint
  - name: xmt_time
    required: true
    type: float

Zeek.OCSP

Reference: ocsp.log
schema: Zeek.OCSP
description: Zeek Online Certificate Status Protocol activity
referenceURL: https://docs.zeek.org/en/v4.0.0/scripts/policy/files/x509/log-ocsp.zeek.html
fields:
  - name: certStatus
    required: true
    type: string
  - name: hashAlgorithm
    required: true
    type: string
  - name: id
    required: true
    type: string
  - name: issuerKeyHash
    required: true
    type: string
  - name: issuerNameHash
    required: true
    type: string
  - name: nextUpdate
    required: true
    type: timestamp
    timeFormats:
      - unix
  - name: serialNumber
    required: true
    type: string
  - name: revoketime
    type: timestamp
    timeFormats:
      - unix
  - name: revokereason
    type: string
  - name: thisUpdate
    required: true
    type: timestamp
    timeFormats:
      - unix
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true

Zeek.Reporter

Zeek internal warnings and errors.
Reference: reporter.log

Zeek.SIP

This schema represents Zeek SIP analysis logs.
Reference: sip.log
schema: Zeek.SIP
description: Zeek SIP analysis
referenceURL: https://docs.zeek.org/en/master/scripts/base/protocols/sip/main.zeek.html#id2
fields:
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
  - name: uid
    required: true
    type: string
    indicators:
      - trace_id
  - name: id.orig_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    type: bigint
  - name: id.resp_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    type: bigint
  - name: trans_depth
    required: true
    type: bigint
  - name: method
    type: string
  - name: uri
    type: string
  - name: date
    type: string
  - name: request_from
    type: string
  - name: request_to
    type: string
  - name: response_from
    type: string
  - name: response_to
    type: string
  - name: reply_to
    type: string
  - name: call_id
    type: string
  - name: seq
    type: string
  - name: subject
    type: string
  - name: request_path
    type: array
    element:
      type: string
  - name: response_path
    type: array
    element:
      type: string
  - name: user_agent
    type: string
  - name: status_code
    type: bigint
  - name: status_msg
    type: string
  - name: warning
    type: string
  - name: request_body_len
    type: bigint
  - name: response_body_len
    type: bigint
  - name: content_type
    type: string

Zeek.Software

Reference: software.log
schema: Zeek.Software
description: Zeek Software activity
referenceURL: https://docs.zeek.org/en/master/logs/known-and-software.html#software-log
fields:
  - name: host_p
    description: host_p
    type: bigint
  - name: version.addl
    description: version.addl
    type: string
  - name: version.minor2
    description: version.minor2
    type: string
  - name: version.minor3
    description: version.minor3
    type: string
  - name: version.minor
    description: version.minor
    type: string
  - name: host
    required: true
    description: host
    type: string
    indicators:
      - ip
  - name: name
    required: true
    description: name
    type: string
  - name: software_type
    required: true
    description: software_type
    type: string
  - name: ts
    required: true
    description: ts
    type: timestamp
    timeFormat: unix
    isEventTime: true
  - name: unparsed_version
    required: true
    description: unparsed_version
    type: string
  - name: version.major
    description: version.major
    type: bigint

Zeek.SSH

Reference: ssh.log
schema: Zeek.Ssh
description: Zeek ssh activity
referenceURL: https://docs.zeek.org/en/current/scripts/base/protocols/ssh/main.zeek.html#type-SSH::Info
fields:
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: uid
    required: true
    type: string
    indicators: