
MDR: ZEEK with VelociraptorIR

By Cynor Sense

Zeek integration with a Velociraptor host

To integrate Zeek with Windows Defender and Velociraptor for network detection, follow these steps:


1. Configure Zeek to output logs in JSON format.


Edit your `zeekctl.cfg` file (usually located in `/usr/local/zeek/etc/`), and add the following line (Zeek script syntax, i.e. a `redef` of the ASCII writer option):


    redef LogAscii::use_json = T;


This will make Zeek generate logs in JSON format, which is more suitable for further processing and integration with other tools.


2. Forward Zeek logs to Velociraptor.


You can use Velociraptor's "watch_monitor" artifact to monitor Zeek's log directory and collect new log entries. Create a new custom artifact in Velociraptor with the following VQL:




SELECT * FROM watch_monitor(
    glob='path/to/zeek/logs/*.log',
    accessor='fs'
)


Replace `path/to/zeek/logs` with the correct path to your Zeek log directory.


3. Parse Zeek logs in Velociraptor and create events.


You can create a Velociraptor artifact that processes the collected Zeek logs, parses the JSON, and generates events. The following VQL query is an example of processing Zeek's `conn.log` (Zeek stores the connection timestamp in the `ts` field, and the endpoint fields are written with dotted names such as `id.orig_h`):




SELECT
    timestamp(epoch=ts) as Timestamp,
    id.orig_h as SourceIP,
    id.orig_p as SourcePort,
    id.resp_h as DestinationIP,
    id.resp_p as DestinationPort,
    proto as Protocol,
    conn_state as ConnectionState,
    service as Service
FROM source
WHERE source.file = "conn.log"

Adjust the query according to the specific Zeek logs and fields you want to analyze.



4. Correlate Velociraptor events with Windows Defender alerts.


You can create Velociraptor artifacts that use the events generated from Zeek logs to correlate with Windows Defender alerts. For example, you could create an artifact that checks if any of the IP addresses found in the Zeek logs match the IP addresses in Windows Defender alerts.
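The following Python script is an added example, not code from the original post and not a Velociraptor artifact; it shows steps 3 and 4 end to end outside of VQL so the logic can be checked on a workstation. It parses constructed Zeek `conn.log` JSON lines (the shape Zeek emits with `LogAscii::use_json = T`, including the dotted `id.orig_h` style keys) into the same column names the VQL query above selects, tolerates malformed lines and the optional `service` field, and then matches source and destination IPs against a constructed list of Windows Defender alert records. The alert record layout (`alert_id`, `host`, `remote_ip`, `title`) and all sample values are assumptions made for this illustration.

```python
"""Added example (not from the original post): parse Zeek conn.log JSON lines
into the columns of the post's VQL query, then correlate the endpoint IPs
against a constructed set of Windows Defender alert IPs (step 4)."""
import json
from datetime import datetime, timezone

# Constructed conn.log content: one JSON object per line, as Zeek writes it
# with LogAscii::use_json = T. Nested record fields use dotted keys.
# The third line is deliberately malformed to exercise the parser's error path.
SAMPLE_CONN_LOG = """\
{"ts":1700000000.123,"uid":"CAbc1","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"203.0.113.7","id.resp_p":443,"proto":"tcp","service":"ssl","conn_state":"SF"}
{"ts":1700000001.5,"uid":"CAbc2","id.orig_h":"10.0.0.9","id.orig_p":40001,"id.resp_h":"192.0.2.20","id.resp_p":53,"proto":"udp","service":"dns","conn_state":"SF"}
not a json line
{"ts":1700000002.0,"uid":"CAbc3","id.orig_h":"10.0.0.5","id.orig_p":51300,"id.resp_h":"198.51.100.44","id.resp_p":80,"proto":"tcp","conn_state":"S0"}
"""

# Constructed Defender alert records (field layout is an assumption for this example).
SAMPLE_DEFENDER_ALERTS = [
    {"alert_id": "DEF-0001", "host": "WS-05", "remote_ip": "198.51.100.44",
     "title": "Suspicious outbound connection"},
    {"alert_id": "DEF-0002", "host": "WS-09", "remote_ip": "192.0.2.99",
     "title": "Malware detected"},
]

# Zeek JSON key -> column name used in the post's VQL query.
FIELD_MAP = {
    "id.orig_h": "SourceIP",
    "id.orig_p": "SourcePort",
    "id.resp_h": "DestinationIP",
    "id.resp_p": "DestinationPort",
    "proto": "Protocol",
    "conn_state": "ConnectionState",
    "service": "Service",
}


def parse_conn_log(text):
    """Turn conn.log JSON lines into event dicts; skip lines that are not valid JSON."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial writes during rotation can leave a bad line; do not abort
        if "ts" not in rec:
            continue  # every conn.log record carries ts; anything else is not a conn record
        event = {
            # Zeek ts is epoch seconds as a float; render it as an ISO-8601 UTC string
            "Timestamp": datetime.fromtimestamp(rec["ts"], tz=timezone.utc).isoformat(),
            "uid": rec.get("uid"),
        }
        for key, column in FIELD_MAP.items():
            event[column] = rec.get(key)  # "service" is absent when Zeek could not identify it
        events.append(event)
    return events


def correlate_with_defender(events, alerts):
    """Return one match record per (Zeek event, Defender alert) pair sharing an IP.

    Both the connection originator and responder are checked, because the
    alerting host may be either side of the flow Zeek observed."""
    alerts_by_ip = {}
    for alert in alerts:
        alerts_by_ip.setdefault(alert["remote_ip"], []).append(alert)
    matches = []
    for ev in events:
        for ip in (ev["SourceIP"], ev["DestinationIP"]):
            for alert in alerts_by_ip.get(ip, []):
                matches.append({
                    "uid": ev["uid"],
                    "Timestamp": ev["Timestamp"],
                    "matched_ip": ip,
                    "alert_id": alert["alert_id"],
                    "alert_host": alert["host"],
                    "alert_title": alert["title"],
                })
    return matches


if __name__ == "__main__":
    parsed = parse_conn_log(SAMPLE_CONN_LOG)
    for m in correlate_with_defender(parsed, SAMPLE_DEFENDER_ALERTS):
        print(m)
```

Running the script prints a single match: connection `CAbc3` to 198.51.100.44 lines up with alert DEF-0001, while the alert for 192.0.2.99 has no corresponding flow and the malformed line is skipped rather than stopping the run. In a Velociraptor deployment the same join would be expressed in VQL over the events produced in step 3, with the Defender alert IPs supplied from the endpoint side; this script only fixes the matching logic so it can be reasoned about before it is written as an artifact.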


5. Create dashboards and alerts in Velociraptor based on the correlated events.


After integrating Zeek, Windows Defender, and Velociraptor, you can create custom dashboards and alerts in Velociraptor to monitor and respond to network threats effectively.



Note that the specific steps and VQL queries may vary depending on your environment and the Zeek logs you want to analyse. This is a general outline of how you can integrate Zeek with Windows Defender and Velociraptor for network detection.



© 2023 Cynorsense Pvt. Ltd. All rights reserved.
