Overview

Details

This add-on parses open-source Zeek data in JSON and TSV formats, and populates it through into the CIM data model. Compatible with the dashboards and visualizations in the Corelight App for Splunk. Previously maintained by Splunk as the "Splunk Add-on for Zeek aka Bro", now maintained by Corelight as part of its ongoing support for the Zeek project.

Corelight Add-on for Zeek Documentation

The TA for Zeek allows a Splunk Enterprise administrator to parse open source Zeek data in JSON or TSV format, and map it into the Common Information Model for use by multiple Splunk security apps.

About Corelight Add-on for Zeek


Author	Aplura, LLC
App Version	1.0.10
App Build	18
Creates an index	False
Implements summarization	No
Summary Indexing	False
Data Model Acceleration	None
Report Acceleration	None
Splunk Enterprise versions	9.x, 8.x
Platforms	Splunk Enterprise

Scripts and binaries

This App provides the following scripts:

None

Overview

Lookups

Corelight Add-on for Zeek contains the following lookup files.

bro_conn_state.csv
bro_note_alert_type.csv
bro_protocols.csv
bro_status_action.csv
bro_tc_flag.csv
bro_vendor_info.csv

Event Generator

Corelight Add-on for Zeek does not include an event generator.

Acceleration

Summary Indexing: No
Data Model Acceleration: No
Report Acceleration: No

binary file declaration

None

Release Notes

Version 1.0.10

Updated the bro and source::...bro.*.log props stanzas to remove FIELD_QUOTE setting.

Version 1.0.9

POTENTIAL BREAKING Change
Due to enforcement of Splunk AppInspect check check_props_conf_has_no_prohibited_characters_in_sourcetypes, the "wildcard" properties in props.conf has been REMOVED.
The settings are included below for reference if needed.

NOTE: This will not be available in Splunk Cloud.

[(?::){0}bro:*:json]
TRUNCATE                = 0
SHOULD_LINEMERGE        = false
TIME_FORMAT             = %s.%6N
MAX_TIMESTAMP_LOOKAHEAD = 20
KV_MODE                 = JSON
FIELDALIAS-dest0        = id.resp_h AS dest
FIELDALIAS-dest_ip0     = id.resp_h AS dest_ip
FIELDALIAS-src0         = id.orig_h AS src
FIELDALIAS-src_ip0      = id.orig_h AS src_ip
FIELDALIAS-src_port0    = id.orig_p AS src_port
EVENT_BREAKER_ENABLE    = true

[(?::){0}bro(_|:)*]
TRUNCATE                      = 0
SHOULD_LINEMERGE              = false
TIME_FORMAT                   = %s.%6N
MAX_TIMESTAMP_LOOKAHEAD       = 20
REPORT-get_bytes_for_bro_conn = bytes_in_int, bytes_out_int
LOOKUP-LookupTCFlag           = LookupTCFlag TC OUTPUT flag
LOOKUP-VendorInfo             = bro_vendor_info_lookup sourcetype OUTPUT vendor,product,product as vendor_product
LOOKUP-NoticeType             = bro_note_alert_type note OUTPUT type
FIELDALIAS-dest_ip            = id_resp_h AS dest_ip
FIELDALIAS-mailfrom           = mailfrom AS src_user
FIELDALIAS-proxied            = proxied AS product
FIELDALIAS-src                = id_orig_h AS src
FIELDALIAS-src_ip             = id_orig_h AS src_ip
FIELDALIAS-src_port           = id_orig_p AS src_port
FIELDALIAS-uid                = uid AS flow_id
FIELDALIAS-src_mac            = mac AS src_mac
EVAL-sensor_name              = coalesce(system_name, host, "unknown")
EVAL-is_broadcast             = if(src in("0.0.0.0", "255.255.255.255") OR dest in("255.255.255.255", "0.0.0.0"),"true","false")
EVAL-direction                = case(local_orig="true" AND local_resp="true", "internal", local_orig="true" and local_resp="false", "outbound", local_orig="false" and local_resp="false", "external", local_orig="false" and local_resp="true", "inbound", 1=1, "unknown")
EVAL-is_src_internal_ip       = if(cidrmatch("10.0.0.0/8",src) OR cidrmatch("172.16.0.0/12",src) OR cidrmatch("192.168.0.0/16", src), "true", "false")
EVAL-is_dest_internal_ip      = if(cidrmatch("10.0.0.0/8",dest) OR cidrmatch("172.16.0.0/12",dest) OR cidrmatch("192.168.0.0/16", dest), "true", "false")
EVAL-id_resp_h                = dest
EVAL-id_resp_p                = dest_port
EVAL-id_orig_h                = src
EVAL-id_orig_p                = src_port
EVAL-bytes                    = if(isnum(bytes),bytes,bytes_in+bytes_out)
EVAL-packets                  = if(isnum(packets),packets,packets_in+packets_out)
EVAL-duration                 = if(isnum(duration),duration,null())
EVAL-dest_port                = coalesce('id.resp_p',id_resp_p)
EVAL-dvc                      = coalesce(extracted_host, host, hostname)
EVAL-dest_host                = coalesce(extracted_host, host, hostname)
EVAL-vendor_action            = split(actions, ",")
EVENT_BREAKER_ENABLE          = true

Version 1.0.8

Bug
[DESK-1539] - Updated props.conf for zeek:files to remove an incorrect evaluator (!==) from an eval statement.

Version 1.0.7

Bug
[DESK-1537] - Updated props.conf for zeek:ssl to include the proper lookup definition.

Version 1.0.6

CIM Updates for v5.2

Release Notes

Version 1.0.10

May 19, 2025

Version 1.0.10

Updated the bro and source::...bro.*.log props stanzas to remove FIELD_QUOTE setting.

Version 1.0.9

May 7, 2025

Version 1.0.9

POTENTIAL BREAKING Change
Due to enforcement of Splunk AppInspect check check_props_conf_has_no_prohibited_characters_in_sourcetypes, the "wildcard" properties in props.conf has been REMOVED.
NOTE: This will not be available in Splunk Cloud.

Version 1.0.8

April 10, 2024

Bug
[DESK-1539] - Updated props.conf for zeek:files to remove an incorrect evaluator (!==) from an eval statement.

Version 1.0.7

April 8, 2024

Version 1.0.7

Bug
[DESK-1537] - Updated props.conf for zeek:ssl to include the proper lookup definition.

Version 1.0.6

March 22, 2024

Version 1.0.6

CIM Updates
Improvement in Zeek log parsing and knowledge.

Version 1.0.5

Dec. 3, 2021

Fixed a bug in the mapping of the dest_port field

Version 1.0.4

Oct. 22, 2021

Add DNS field mappings for improved Enterprise Security/CIM functionality

Version 1.0.3

Oct. 15, 2021

Added new FIELDALIAS values per field request

Version 1.0.2

Aug. 25, 2021

Add several FIELDALIAS items for CIM mapping, as well as event types that make the data render better within the Corelight App for Splunk.

Version 1.0.1

April 2, 2021

Minor bug fixes

Version 1.0.0

March 18, 2021

• Updated “action” field to produce values in line with the Network Traffic data model, including removing the mappings for actions from the notice log.
• Moved several fields from global declarations to local ones based on where the data will actually be present:
◦ attachment_type
◦ bytes
◦ bytes_in
◦ bytes_out
◦ duration
◦ file_name
◦ http_content_type
◦ lease_duration
◦ message_id
◦ method
◦ packets
◦ packets_in
◦ packets_out
◦ record_type
◦ referrer
◦ request_body_len
◦ response_body_len
◦ sender
◦ service
◦ status
◦ transport
◦ url
◦ user_agent
◦ user
• Removed incorrect mappings for “body”, “subject”, “orig_recipient”, and “severity”
• Added mappings for “ssl_issuer_email” and “ssl_issuer_organization”
• Added a value for vendor_action field

55,719

Downloads

Share Subscribe

Version

Built by

Corelight Inc

Support

Developer Supported

Contact Developer Questions on Splunk Answers Flag as inappropriate

Compatibility

This version of the app (1.0.5) is not available for Splunk Cloud. However, version 1.0.8 of this app is available for Splunk Cloud.

This version of the app (1.0.4) is not available for Splunk Cloud. However, version 1.0.8 of this app is available for Splunk Cloud.

This version of the app (1.0.3) is not available for Splunk Cloud. However, version 1.0.8 of this app is available for Splunk Cloud.

This version of the app (1.0.2) is not available for Splunk Cloud. However, version 1.0.8 of this app is available for Splunk Cloud.

This version of the app (1.0.1) is not available for Splunk Cloud. However, version 1.0.8 of this app is available for Splunk Cloud.

This version of the app (1.0.0) is not available for Splunk Cloud. However, version 1.0.8 of this app is available for Splunk Cloud.

Products: Splunk Enterprise, Splunk Cloud

Products: Splunk Enterprise

Splunk Versions: 9.4, 9.3