Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE


MITRE has created a set of Bro/Zeek scripts to detect ATT&CK-like adversarial activity. The project is called BZAR – Bro/Zeek ATT&CK-based Analytics and Reporting.

MITRE ATT&CK is a publicly-available, curated knowledge base for cyber adversary behavior, reflecting the various phases of the adversary lifecycle and the platforms they are known to target. The ATT&CK model includes behaviors of numerous threat groups.

BZAR is a set of Bro/Zeek scripts utilizing the SMB and DCE-RPC protocol analyzers and the File Extraction Framework to detect ATT&CK-like activity, correlate certain techniques, and write to the Notice Log.

BZAR is publicly released as open source, under MITRE case number 18-2489. It is available for download at the following URL:

For more information on MITRE ATT&CK, visit

Mark I. Fernandez

The MITRE Corporation

P.S. It does not yet support the Bro/Zeek Package Manager (this is on the todo list).

Nice work, thanks for sharing!

Seconded! This is great, thanks for sharing, Mark! Are you guys planning on turning this into a package and adding it to the package manager?


Hi Seth, yes, that is on the todo list. Hopefully, I'll have a package for it and add it to the package-manager soon.



Thank you so much for sharing this.



Is this developed for Bro/Zeek 2.5.5? I'm getting errors when attempting to load this in Bro/Zeek 2.6.1.

Gary W. Weasel, Jr.