Cynor Sense
Apr 25, 2023 · 2 min
To integrate Zeek with Windows Defender and Velociraptor for network detection, follow these steps:
Edit your `zeekctl.cfg` file (usually located in `/usr/local/zeek/etc/`), and add the following line:

```
LogAscii::use_json = T
```

This makes Zeek write its logs as JSON, which is easier to parse and to feed into other tools than the default tab-separated format.
You can use Velociraptor's `watch_monitor` artifact to monitor Zeek's log directory and collect new log entries as they are written. Create a new custom artifact in Velociraptor with the following VQL:

```
SELECT * FROM watch_monitor(
    glob='path/to/zeek/logs/*.log',
    accessor='fs'
)
```

Replace `path/to/zeek/logs` with the correct path to your Zeek log directory.
You can create a Velociraptor artifact that processes the collected Zeek logs, parses the JSON, and generates events. The following VQL query is an example of processing Zeek's `conn.log`, where `source` stands for the rows collected in the previous step. Zeek's JSON logs use `ts` for the timestamp and flat dotted keys such as `id.orig_h`, so those names are quoted with backticks to stop VQL treating the dot as a field dereference:

```
SELECT
    timestamp(epoch=ts) AS Timestamp,
    `id.orig_h` AS SourceIP,
    `id.orig_p` AS SourcePort,
    `id.resp_h` AS DestinationIP,
    `id.resp_p` AS DestinationPort,
    proto AS Protocol,
    conn_state AS ConnectionState,
    service AS Service
FROM source
WHERE source.file = "conn.log"
```

Adjust the query according to the specific Zeek logs and fields you want to analyze.
You can create Velociraptor artifacts that use the events generated from Zeek logs to correlate with Windows Defender alerts. For example, you could create an artifact that checks if any of the IP addresses found in the Zeek logs match the IP addresses in Windows Defender alerts.
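The two steps above (flattening `conn.log` JSON into events, then matching those events against Defender alert IPs) can be prototyped outside Velociraptor before being turned into VQL. The following Python script is an added example and is not code from the original post or from Velociraptor; the Zeek log lines and the Defender alert records in it are constructed for illustration, and the `RemoteIP` field name on the alert side is an assumption standing in for whatever field your Defender export carries the remote address in.

```python
"""Correlate Zeek conn.log (JSON) events with Windows Defender alert IPs.

Added example, not from the original post. The log lines and alert records
below are constructed sample data; the Defender "RemoteIP" field name is an
assumption about the alert export format.
"""
import json
from datetime import datetime, timezone

# Constructed sample: Zeek conn.log lines as written with LogAscii::use_json = T.
# Note the flat dotted keys (id.orig_h etc.) and the "ts" timestamp field.
# One deliberately broken line is included to show the parser skipping it.
ZEEK_CONN_LINES = [
    '{"ts":1682380800.123,"uid":"CExample1","id.orig_h":"10.0.0.5","id.orig_p":51234,'
    '"id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp","service":"ssl","conn_state":"SF"}',
    '{"ts":1682380805.456,"uid":"CExample2","id.orig_h":"10.0.0.7","id.orig_p":40001,'
    '"id.resp_h":"198.51.100.20","id.resp_p":80,"proto":"tcp","service":"http","conn_state":"S0"}',
    "this line is not JSON and must be skipped",
    '{"ts":1682380810.789,"uid":"CExample3","id.orig_h":"10.0.0.5","id.orig_p":53001,'
    '"id.resp_h":"192.0.2.1","id.resp_p":53,"proto":"udp","service":"dns","conn_state":"SF"}',
]

# Constructed sample: Defender alerts reduced to the fields needed for matching.
DEFENDER_ALERTS = [
    {"AlertId": "da-001", "Title": "Suspicious outbound connection", "RemoteIP": "203.0.113.10"},
    {"AlertId": "da-002", "Title": "Malware detected", "RemoteIP": "192.0.2.99"},
]


def parse_conn_line(line):
    """Turn one Zeek JSON conn.log line into the same columns the VQL query
    produces. Returns None for lines that are not JSON or lack the core fields,
    so a partially written or corrupted line never aborts the whole batch."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    try:
        return {
            "Timestamp": datetime.fromtimestamp(rec["ts"], tz=timezone.utc),
            "SourceIP": rec["id.orig_h"],
            "SourcePort": rec["id.orig_p"],
            "DestinationIP": rec["id.resp_h"],
            "DestinationPort": rec["id.resp_p"],
            "Protocol": rec["proto"],
            "ConnectionState": rec.get("conn_state"),
            "Service": rec.get("service"),
            "uid": rec.get("uid"),
        }
    except (KeyError, TypeError):
        return None


def parse_conn_log(lines):
    """Parse a batch of lines, dropping the ones that could not be parsed."""
    return [ev for ev in (parse_conn_line(l) for l in lines) if ev is not None]


def correlate(events, alerts):
    """Return one match record per (connection, alert) pair in which either
    end of the Zeek connection equals the alert's remote IP."""
    alerts_by_ip = {}
    for alert in alerts:
        alerts_by_ip.setdefault(alert["RemoteIP"], []).append(alert)
    matches = []
    for ev in events:
        for ip in (ev["SourceIP"], ev["DestinationIP"]):
            for alert in alerts_by_ip.get(ip, []):
                matches.append({
                    "uid": ev["uid"],
                    "Timestamp": ev["Timestamp"].isoformat(),
                    "MatchedIP": ip,
                    "AlertId": alert["AlertId"],
                    "AlertTitle": alert["Title"],
                })
    return matches


if __name__ == "__main__":
    events = parse_conn_log(ZEEK_CONN_LINES)
    for m in correlate(events, DEFENDER_ALERTS):
        print(m)
```

The parser mirrors the VQL column names so that the correlation logic can be moved into a Velociraptor artifact unchanged once the event shape is settled; the broken third line shows why the parser returns `None` rather than raising, since Zeek log files are read while they are still being appended to.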
After integrating Zeek, Windows Defender, and Velociraptor, you can create custom dashboards and alerts in Velociraptor to monitor and respond to network threats effectively.
Note that the specific steps and VQL queries may vary depending on your environment and the Zeek logs you want to analyse. This is a general outline of how you can integrate Zeek with Windows Defender and Velociraptor for network detection.