Zeek Newsletter - Issue 22 - October 2022

Welcome to the Zeek Newsletter.


In this Issue:

  • TL;DR
  • Development Updates
  • Zeek in the Community
  • Zeek in the Enterprise
  • Upcoming Events
  • Zeek Package Updates
  • Get Involved

TL;DR

ZeekWeek 2022 was a success. Thank you to everyone who attended in person and via remote access. We begin publishing the video recordings this week. We are also continuing to integrate Microsoft’s contributions to Zeek. See below for details.


Development Updates

As noted at ZeekWeek, Microsoft is contributing patches to the Zeek project to enable running Zeek on Windows. The Zeek team is currently integrating those patches into the GitHub repository. Expect that code to be considered “experimental” until further notice. We are interested in any help the community can offer for testing and enhancements.


Zeek in the Community

On 5 October, Fatema Bannat Wala hosted a Zeek community call. The recording is here:

https://youtu.be/08PORliHTqQ

On 17 October, Doug Burks announced that Security Onion 2.3.180 was now available, including Zeek 5.0.2, Elastic 8.4.3, Suricata 6.0.8, and more:

https://blog.securityonion.net/2022/10/security-onion-23180-now-available.html

On 20 October, Seth Grover announced the release of Malcolm 6.4.0. The project has refactored the documentation and it offers an initial integration of NetBox. Code updates include Arkime 4.0.1, OpenSearch 2.3 and Zeek 5.0.2. Check out GitHub for details:

https://github.com/idaholab/Malcolm/releases/tag/v6.4.0


Zeek in the Enterprise

Elad Solomon from Microsoft briefed ZeekWeek attendees on Microsoft’s work to get Zeek running on Windows. Richard Bejtlich asked him a short set of questions via Slack, and Elad provided these responses.

Q: Is Zeek really installed with Windows, or is it part of some additional component that requires licensing?

A: It’s a part of Microsoft Defender for Endpoint, so it’s available to all enterprise customers that have the license for that.

Q: Can security teams configure Zeek or access any Zeek outputs? Can third party vendors work with Microsoft to configure Zeek or access any Zeek outputs?

A: Not yet, but that may be a future feature – allowing customers to add their own Zeek content.

Q: I have privacy concerns. Who at Microsoft can access Zeek data?

A: The data from Zeek is going through the same secure data pipelines as all MDE events, which of course is very much privacy compliant.

The data per organization is available only to people from the org, and all the data storage & pipelines are compliant with latest GDPR requirements.

Q: Is Microsoft correlating endpoint data, like process information, with network data from Zeek?

A: Yes, but not in this initial version. We focused on getting this initial MVP to customers as quickly as possible so we’re adding things around it in the next release. Stay tuned!

Q: I appreciate Microsoft contributing code to compile Zeek on Windows. However, if Windows already contains Zeek, but I can’t access it, it seems clunky that I have to install another copy of Zeek myself. Can you make Zeek available to authorized users?

A: Zeek isn’t part of Windows per se, it is powering the MDE agent enhancing its network capabilities, which is only operating in enterprise networks that are customers of MDE.

Once the contribution process is complete in GitHub, you could create your own Zeek and tune it to your needs. To analyze live traffic I suggest installing npcap and using the built-in pcap packet source that Zeek already has!


Upcoming Events

ZeekWeek 2022 videos are coming to YouTube.

Our first round of video premieres will take place at 11 am ET on 1-3 November (Tuesday-Thursday). Details for each talk are available on YouTube:

ZeekWeek 2022 - Keynote: The Evolving Cyber Threat Landscape - Wendi Whitmore

https://youtu.be/MTDl6DoOOcg

ZeekWeek 2022 - Zeek for Windows: The Journey to Run on All Endpoints - Elad Solomon

https://youtu.be/EFBcnk25XeA

ZeekWeek 2022 - Zeek for Endpoint: Detection and Device Discovery - Boaz Wasserman

https://youtu.be/TqMHU_9IzXs

Feel free to join these YouTube premiere events. Richard Bejtlich will host each session. We hope to have some speakers participate, or at least answer questions asynchronously via comments.

We encourage attendees to discuss ZeekWeek content in the Zeek Slack, which offers a #zeekweek2022_info channel.

Video premieres will continue through the week of 6-8 December 2022.

The easiest way to stay informed on this content is to subscribe to the Zeek YouTube channel:

https://youtube.com/c/Zeekurity


Zeek Package Updates

The following packages recently reported updates (as of 31 October), via this search:

https://github.com/zeek/packages/pulls?q=is%3Apr+is%3Aclosed

  • Update zkg.index (#191 by fatemabw, merged 19 days ago)
  • Move AF_Packet plugin to Zeek namespace (#190 by J-Gras, merged 26 days ago)

The https://packages.zeek.org site reported the last 5 updates as of 31 October:

  • 10/30/22, 3:43 AM – spicy-plugin
  • 10/29/22, 5:35 PM – zeek-af_packet-plugin
  • 10/29/22, 5:35 PM – bro-af_packet-plugin
  • 10/27/22, 6:13 PM – callstranger-detector
  • 10/27/22, 2:40 PM – icsnpp-bsap


Get Involved

If you have any comments or material for the newsletter please email news@zeek.org or join the #news Slack channel.

https://zeekorg.slack.com

The Slack channel has been very active during the past month. Here is an invitation link:

https://join.slack.com/t/zeekorg/shared_invite/zt-12z1pjy93-zuVGuT1BF~yUJJvERxhp7g

Stay up to date by joining the Zeek Discourse:

https://community.zeek.org

Subscribe to our YouTube channel:

https://youtube.com/c/Zeekurity

Follow us on Twitter:

https://twitter.com/Zeekurity

The old mailing list archives now redirect to this site:

https://community.zeek.org/archives/list/zeek@lists.zeek.org/

If you’d like to read the Leadership Team meeting notes, they are here:

https://github.com/zeek/zeek/wiki/LT-Meeting-Notes

Follow us on LinkedIn:

https://www.linkedin.com/company/zeekurity

To search LinkedIn for jobs mentioning Zeek skills, use this query:

https://www.linkedin.com/jobs/search/?keywords=zeek

See you next time!

This was a bit too late to make the newsletter, but here is some great news – this is Microsoft’s pull request, now on the Zeek GitHub:

https://github.com/zeek/zeek/pull/2518