Join Aashish Sharma of Lawrence Berkeley National Laboratory (LBL), member of the Zeek Leadership Team (LT) and long-standing Zeek user and community member, as he shares the top 10 things he thinks you should know about using Zeek: the things he wishes someone had shared with him when he was getting started with Zeek.
Top 10 list includes:
- connection logs are the Zeek equivalent of NetFlow
- use the UID
- the history field is very useful
- SF or no SF makes a difference in incident response and investigation
- you can manipulate notices as you wish: email, page, action, none, all
- you can feed data into Zeek in real time (input framework)
- you can print values or variables with zeekctl, which is great for troubleshooting
- you can redirect print statements to a file and to the reporter log
- you can run other people's packages and scripts (separate data from policy model)
- you can create your own detections
In addition, Aashish will share his thoughts on:
- clustering is quite easy!
- @load and package ordering does make a difference (this also affects log columns)
Register at: https://event.webinarjam.com/register/28/405xvax5
Please let me know if you have any questions.