Zeek
Zeek sits on a hardware, software, virtual, or cloud platform that observes network traffic. Zeek interprets what it sees and creates compact, high-fidelity transaction logs, file content, and fully customized output. Software administrators use Zeek data in Splunk to analyze packet capture data directly, or use it as a contextual data feed to correlate with other vulnerability-related data in the Splunk platform. In the Common Information Model, Zeek data can be mapped to multiple data models, such as Certificates or Network Resolution, depending on the field.
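To make the "depending on the field" point concrete, the following added example (not code from the page, from Zeek, or from the Splunk Technical Add-on) parses two constructed Zeek JSON log lines and maps them onto CIM field names: a conn.log record onto Network Traffic fields and a dns.log record onto Network Resolution fields. The Zeek field names (id.orig_h, id.resp_p, orig_bytes, qtype_name, rcode_name, answers) are real Zeek log fields; the sample values, the `map_zeek_line` helper, and the conn_state-to-action table are assumptions made for this illustration.

```python
import json

# Constructed sample records in Zeek's JSON log format (written for this
# example, not captured from a real network).
SAMPLE_CONN_LINE = (
    '{"ts":1700000000.1,"uid":"CAbc123","id.orig_h":"10.1.2.3","id.orig_p":51234,'
    '"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp","service":"ssl",'
    '"duration":0.52,"orig_bytes":1200,"resp_bytes":5400,"conn_state":"SF"}'
)
SAMPLE_DNS_LINE = (
    '{"ts":1700000001.2,"uid":"CDef456","id.orig_h":"10.1.2.3","id.orig_p":40123,'
    '"id.resp_h":"10.1.2.1","id.resp_p":53,"proto":"udp","query":"example.com",'
    '"qtype_name":"A","rcode_name":"NOERROR","answers":["93.184.216.34"],"TTLs":[300.0]}'
)

# Assumed mapping from Zeek conn_state to the CIM "action" field. This is an
# illustrative choice for the example, not a Splunk or Zeek definition:
# SF = normal establishment and termination, REJ = reset by the responder,
# S0 = attempt seen with no reply. Anything else is reported as "unknown".
CONN_STATE_ACTION = {"SF": "allowed", "REJ": "blocked", "S0": "blocked"}


def _endpoints(rec):
    """Fields shared by every Zeek log that carries the connection 4-tuple.

    Zeek's originator is the CIM src and its responder is the CIM dest.
    """
    return {
        "_time": rec["ts"],
        "src": rec["id.orig_h"],
        "src_port": rec["id.orig_p"],
        "dest": rec["id.resp_h"],
        "dest_port": rec["id.resp_p"],
        "transport": rec.get("proto"),
        "zeek_uid": rec.get("uid"),
    }


def conn_to_network_traffic(line):
    """Map one conn.log JSON line onto CIM Network Traffic field names."""
    rec = json.loads(line)
    out = _endpoints(rec)
    # Zeek omits orig_bytes/resp_bytes when unknown; treat absent as zero.
    orig = rec.get("orig_bytes") or 0
    resp = rec.get("resp_bytes") or 0
    out.update({
        "bytes_out": orig,          # bytes sent by src (the originator)
        "bytes_in": resp,           # bytes sent back by dest (the responder)
        "bytes": orig + resp,
        "duration": rec.get("duration"),
        "app": rec.get("service"),
        "action": CONN_STATE_ACTION.get(rec.get("conn_state"), "unknown"),
        "data_model": "Network_Traffic",
    })
    return out


def dns_to_network_resolution(line):
    """Map one dns.log JSON line onto CIM Network Resolution field names."""
    rec = json.loads(line)
    out = _endpoints(rec)
    out.update({
        "query": rec.get("query"),
        "record_type": rec.get("qtype_name"),
        "reply_code": rec.get("rcode_name"),
        "answer": rec.get("answers", []),   # multivalued in CIM terms
        "ttl": rec.get("TTLs", []),
        # A record carrying a response code has seen the reply; otherwise only the query.
        "message_type": "Response" if "rcode_name" in rec else "Query",
        "data_model": "Network_Resolution",
    })
    return out


# Dispatch table keyed by the Zeek log name (the part of the file name before ".log").
MAPPERS = {"conn": conn_to_network_traffic, "dns": dns_to_network_resolution}


def map_zeek_line(log_name, line):
    """Route a Zeek log line to its CIM mapper; logs without a mapper here are rejected."""
    mapper = MAPPERS.get(log_name)
    if mapper is None:
        raise ValueError(f"no CIM mapping defined in this example for Zeek log '{log_name}'")
    return mapper(line)


if __name__ == "__main__":
    for name, line in (("conn", SAMPLE_CONN_LINE), ("dns", SAMPLE_DNS_LINE)):
        print(json.dumps(map_zeek_line(name, line), indent=2))
```

The same 4-tuple from Zeek's `id.*` fields feeds both data models, while the remaining fields decide which model a record belongs to; that is the per-field mapping the paragraph above refers to. When using Zeek's default TSV output rather than JSON, unset fields arrive as `-` instead of being omitted, so a real ingest path has to normalise those before the same mapping applies.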
Configuration
Guidance for onboarding data can be found in the Splunk Documentation:
- Getting Data In (Splunk Enterprise)
- Getting Data In (Splunk Cloud)
- Get data into Splunk Observability Cloud
Refer to the documentation, and note the following:
- Add-on or app: Technical Add-on for Zeek
Application
When your Splunk deployment is ingesting Zeek data, you can use the data to achieve the following: