Top 10 things you should know about using Zeek that I wish someone would have told me when I first started


Join Aashish Sharma of Lawrence Berkeley National Laboratory (LBL), Zeek Leadership Team (LT) member and long-standing Zeek user and community member, as he shares the Top 10 things he thinks you should know about using Zeek that he wishes someone had shared with him when he was getting started with Zeek.

The Top 10 list includes: 

1) connection logs are the equivalent of netflows
2) use UID
3) the history field is very useful
4) SF or no SF makes a difference in incident response and investigation
5) you can manipulate notices to your wish - email, page, action, none, all
6) you can feed data into Zeek in real time (input framework)
7) you can print values or variables with zeekctl - great for troubleshooting
8) you can redirect print statements to a file and the reporter log
9) you can run other people's packages and scripts - separate data from policy model
10) you can create your own detections

In addition, Aashish will share his thoughts on:
* Clustering is quite easy!
* @load and package ordering does make a difference (this extends to the columns that appear in logs)



  • Amber Graner

    Webinar Host and Director of Community at Corelight Inc and a member of the Zeek Project's Leadership Team.

  • Aashish Sharma

    Webinar Presenter and a member of the Cyber Security Team at Lawrence Berkeley National Laboratory (LBL), Zeek Leadership Team (LT) and long-standing Zeek user and community member.
