TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Black Hills InfoSec

Introduction to Zeek Log Analysis

BHIS · 2025-01-13

ATT&CK techniques detected

11 predictions

T1095 Non-Application Layer Protocol (98%)
"timestamps and these unique IDs and such. But I just want to take a quick minute and just go over some of the other ones. So there’s the field called proto, which is short for protocol, and that’s the, per the documentation, the transport layer protocol, kind of, sort of, and I say ki…"

T1654 Log Enumeration (92%)
"a Suricata that’s a traditional network intrusion detection system. It does a lot more, and I resonated with that quote there, and that it does this rich data extraction, this metadata extraction of all these network objects that the sensor sees. And so when it’s doing so, it’…"

T1654 Log Enumeration (89%)
"Welcome to the last webcast of 2024 for Black Hills Information Security. My name is Troy Wojewoda, and as Jason said, I’m going to be talking about Zeek logs, the analysis of Zeek logs, and really an introduction to the log framework that Zeek, the network security monitorin…"

T1071.004 DNS (86%)
"It looks for the returning traffic and it puts it all in one log. So instead of, like, traditionally when we open up a pcap and we go look, we go, okay, we see the DNS request go out. Where’s the DNS response? Let me go try to find the DNS response. What are the answers coming ba…"

T1572 Protocol Tunneling (79%)
"connect the dots, and for a little bit of visual, how this looks is two different examples here. So the first one is we have a connection. It’s logged in the conn ID, or logged in the conn log. It has a UID, or connection ID, and it’s, and it’s of type DNS. And so there’ll b…"

T1040 Network Sniffing (76%)
"brought me back to this experience that I had, where one of our network SPANs was broken, and it was only capturing traffic in one direction. And so if you look at network traffic like we traditionally have with, like, Wireshark, you would see that the source and destination show u…"

T1654 Log Enumeration (69%)
"Introduction to Zeek Log Analysis. This webcast was originally published on December 19, 2024. In this video, Troy Wojewoda discusses the intricacies of Zeek log analysis, focusing on how this network security monitoring system can be used to unde…"

T1071.004 DNS (36%)
"connect the dots, and for a little bit of visual, how this looks is two different examples here. So the first one is we have a connection. It’s logged in the conn ID, or logged in the conn log. It has a UID, or connection ID, and it’s, and it’s of type DNS. And so there’ll b…"

T1040 Network Sniffing (33%)
"Zeek producing the logs based on that data as it’s coming in. The other use case which I find useful, if you have saved pcaps, I find this useful a lot in, say, forensic scenarios or IR scenarios where you can go get tactical packet captures and have network packet captures. Y…"

T1071.001 Web Protocols (33%)
", and protocol-specific activities such as DNS and HTTP. Highlights. Full video transcript. Jason Blanchard: Hello, everybody, and welcome to today’s Black Hills Information Security webcast. My name is Jason Blanchard, and I am the Content Community Director here at Black Hills…"

T1055.001 Dynamic-link Library Injection (30%)
"carry will, will, will log that file ID as either the originator or the responder. So which, which host actually sent the file or transmitted the file will, will show up in that log. There’s also this, somewhat of a newer log, I think it came out either in version four or fiv…"

Summary

In this video, Troy Wojewoda discusses the intricacies of Zeek log analysis, focusing on how this network security monitoring system can be used to understand traffic and analyze logs effectively.

The post Introduction to Zeek Log Analysis appeared first on Black Hills Information Security, Inc.