A few questions and answers on Zeek and Windows

Hello,

Yesterday Elad Solomon from Microsoft briefed ZeekWeek attendees on Microsoft’s work to get Zeek running on Windows. I asked him a short set of questions via Slack, and he provided these responses. I tried to collect questions from the community and summarize them for Elad.

===

Q: Is Zeek really installed with Windows, or is it part of some additional component that requires licensing?

A: It’s a part of Microsoft Defender for Endpoint, so it’s available to all enterprise customers that have the license for that.

Q: Can security teams configure Zeek or access any Zeek outputs? Can third party vendors work with Microsoft to configure Zeek or access any Zeek outputs?

A: Not yet, but that may be a future feature – allowing customers to add their own Zeek content.

Q: I have privacy concerns. Who at Microsoft can access Zeek data?

A: The data from Zeek is going through the same secure data pipelines as all MDE events, which of course is very much privacy compliant.

The data per organization is available only to people from the org, and all the data storage & pipelines are compliant with latest GDPR requirements.

Q: Is Microsoft correlating endpoint data, like process information, with network data from Zeek?

A: Yes, but not in this initial version. We focused on getting this initial MVP to customers as quickly as possible so we’re adding things around it in the next release. Stay tuned!

Q: I appreciate Microsoft contributing code to compile Zeek on Windows. However, if Windows already contains Zeek, but I can’t access it, it seems clunky that I have to install another copy of Zeek myself. Can you make Zeek available to authorized users?

A: Zeek isn’t part of Windows per se, it is powering the MDE agent enhancing its network capabilities, which is only operating in enterprise networks that are customers of MDE.

Once the contribution process is complete in GitHub, you could create your own Zeek and tune it to your needs. To analyze live traffic I suggest installing npcap and using the built-in pcap packet source that Zeek already has!

===

I expect to have more questions and answers during today’s second briefing from Microsoft. Feel free to join the Zeek Slack channel as well, where Microsoft has been interacting with other Zeek users.

Sincerely,

Richard


Thanks for the extra info, Richard! I’m curious what detection use cases this enables or enhances beyond both a traditional Zeek deployment and existing MDE capabilities? Or, maybe phrased another way, what are the trade-offs between capturing network traffic on the host and collecting info via EDR-style hooks?

I’m also keen to see how this can improve host attribution.

Since the original post, I’ve learned via the Microsoft talks at ZeekWeek that they are capturing network traffic with npcap. This means, for example, that they see encrypted traffic as encrypted, just as a passive sensor sees on the wire. They do not hook into the stack, say, above the encryption. They are considering that for a future capability, but have not said anything more about it.

Sincerely,

Richard
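To make the "encrypted traffic as encrypted" point concrete, here is an added Zeek script (not from the original thread, Microsoft's implementation, or the Zeek project) showing what a pcap-based sensor can and cannot observe for a TLS connection. It relies only on the standard `ssl_established` event and the `SSL::Info` fields Zeek already populates; the interface name in the usage comment is a placeholder, and the `tls_visibility.zeek` filename is my own choice.

```zeek
# tls_visibility.zeek (added example, hypothetical filename)
#
# Run against a live capture with Zeek's built-in pcap packet source:
#   zeek -i <interface> tls_visibility.zeek
# or against a saved trace:
#   zeek -r capture.pcap tls_visibility.zeek
#
# A passive sensor (on the wire or via npcap on the host) never sees
# decrypted application data. What it does see is the handshake
# metadata below, which is what Zeek writes to ssl.log; the payload
# after the handshake is opaque ciphertext. Host-level process
# attribution (which binary opened the socket) is not visible here
# either; that is the kind of data an EDR hook would have to supply.

module TLSVisibility;

export {
    ## Emitted once per TLS session so other scripts can consume the
    ## metadata-only view without parsing the printed line.
    global tls_session_seen: event(c: connection, sni: string, version: string, cipher: string);
}

# Helper: return an optional SSL::Info string field or a marker value.
function field_or(c: connection, val: string, marker: string): string
    {
    return val == "" ? marker : val;
    }

event ssl_established(c: connection)
    {
    # ssl_established fires after the handshake completes; c$ssl is set
    # by Zeek's SSL analyzer at that point.
    if ( ! c?$ssl )
        return;

    local sni     = c$ssl?$server_name ? c$ssl$server_name : "<no SNI>";
    local version = c$ssl?$version     ? c$ssl$version     : "<unknown>";
    local cipher  = c$ssl?$cipher      ? c$ssl$cipher      : "<unknown>";

    print fmt("%s:%s -> %s:%s  TLS established  sni=%s version=%s cipher=%s",
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
              field_or(c, sni, "<no SNI>"),
              field_or(c, version, "<unknown>"),
              field_or(c, cipher, "<unknown>"));

    event TLSVisibility::tls_session_seen(c, sni, version, cipher);
    }

event TLSVisibility::tls_session_seen(c: connection, sni: string, version: string, cipher: string)
    {
    # Example consumer: flag legacy protocol versions, which a sensor can
    # detect from handshake metadata alone, no decryption required.
    if ( version == "SSLv3" || version == "TLSv10" || version == "TLSv11" )
        print fmt("NOTICE legacy TLS version %s to %s (%s)", version, c$id$resp_h, sni);
    }
```

The script deliberately does not try to inspect anything past the handshake: with only a packet source, the application data is ciphertext, which is exactly the limitation Richard describes and the reason hooking "above the encryption" would be a separate, future capability.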