top of page

MDR: ZEEK with VelociraptorIR


velociraptor and zeek integration
Zeek integration to velociraptor host

To integrate Zeek with Windows Defender and Velociraptor for network detection, follow these steps:


1. Configure Zeek to output logs in JSON format.


Edit your `zeekctl.cfg` file (usually located in `/usr/local/zeek/etc/`), and add the following line:



LogAscii::use_json = T


This will make Zeek generate logs in JSON format, which is more suitable for further processing and integration with other tools.


2. Forward Zeek logs to Velociraptor.


You can use Velociraptor's "watch_monitor" artifact to monitor Zeek's log directory and collect new log entries. Create a new custom artifact in Velociraptor with the following VQL:




SELECT * FROM watch_monitor(
    glob='path/to/zeek/logs/*.log', 
    accessor='fs'
)


Replace `path/to/zeek/logs` with the correct path to your Zeek log directory.


3. Parse Zeek logs in Velociraptor and create events.


You can create a Velociraptor artifact that processes the collected Zeek logs, parses the JSON, and generates events. The following VQL query is an example of processing Zeek's `conn.log`:




SELECT 
    timestamp(epoch=timestamp) as Timestamp,
    id.orig_h as SourceIP,
    id.orig_p as SourcePort,
    id.resp_h as DestinationIP,
    id.resp_p as DestinationPort,
    proto as Protocol,
    conn_state as ConnectionState,
    service as Service
FROM source
WHERE source.file = "conn.log"

Adjust the query according to the specific Zeek logs and fields you want to analyze.



4. Correlate Velociraptor events with Windows Defender alerts.


You can create Velociraptor artifacts that use the events generated from Zeek logs to correlate with Windows Defender alerts. For example, you could create an artifact that checks if any of the IP addresses found in the Zeek logs match the IP addresses in Windows Defender alerts.


5. Create dashboards and alerts in Velociraptor based on the correlated events.


After integrating Zeek, Windows Defender, and Velociraptor, you can create custom dashboards and alerts in Velociraptor to monitor and respond to network threats effectively.



Note that the specific steps and VQL queries may vary depending on your environment and the Zeek logs you want to analyse. This is a general outline of how you can integrate Zeek with Windows Defender and Velociraptor for network detection.

66 views0 comments

Recent Posts

See All

Comentarios

Obtuvo 0 de 5 estrellas.
Aún no hay calificaciones

Agrega una calificación
bottom of page