Zeek-Endpoint-Enrichment
The Zeek-Endpoint-Enrichment Zeek package uses an input file named “hosts_data.tsv”, which contains additional information about endpoints (hosts) in an environment, to enrich several logs with that data. Depending on the data available and the options enabled, this package can enrich the following logs:
known_devices
known_domains
known_hosts
known_names
conn (optional)
all logs (optional)
Note
Additional fields will only be created if the relevant data is available.
Input file (hosts_data.tsv)
The input file contains the following information (if it’s available):
IP address (required)
MAC address
Hostname
Endpoint information source (required)
Endpoint criticality
Endpoint status
Endpoint Unique ID
Customer ID
OS version
Machine domain
Description
The following is a sample input file created by this integration. Columns are tab-separated (a single value such as “Exposure Management” or “Windows 10” may itself contain spaces), and “-” marks a value that is not available for that host.
#fields ip mac hostname uid cid os_version status criticality machine_domain desc source
192.168.56.103 00-50-56-A3-B1-C2 WEF ced83f0c26493b638086fdc7b8b2c01d e29b670f12d342e3bcc7170a288xxxx - managed Unassigned - Exposure Management CrowdStrike
10.21.0.102 00-50-56-A1-B1-C4 DC c53fdc3178ba36759c471d6b6655e324 e29b670f12d342e3bcc7170a288xxxx - managed Critical lab.local Exposure Management CrowdStrike
192.168.56.104 00-50-56-A2-B1-C2 WIN10 abb6c27309cf3730bb73e8cfd732d838 e29b670f12d342e3bcc7170a288xxxx Windows 10 managed High lab.local Exposure Management CrowdStrike
192.168.1.155 92-91-E0-3E-66-A8 ss2oh 9caa11e26d1f371797e73e9b9199d481 e29b670f12d342e3bcc7170a288xxxx - managed Unassigned - Exposure Management CrowdStrike
192.168.1.120 00-0C-29-AB-75-05 fleet 81f845fe72ae32168aba94707fc8a49f e29b670f12d342e3bcc7170a288xxxx - managed Critical - Exposure Management CrowdStrike
192.168.12.1 - - 613cd0e8a671350e83dec735143db1e0 e29b670f12d342e3bcc7170a288xxxx - unsupported Unassigned - Exposure Management CrowdStrike
192.168.12.210 - - 5f67453d7e833b0f82ac1d7a5788142a e29b670f12d342e3bcc7170a288xxxx - unmanaged Unassigned - Exposure Management CrowdStrike
192.168.12.222 - - 5abcec34b3443f3cb7fe17c4f7100e02 e29b670f12d342e3bcc7170a288xxxx - unmanaged Unassigned - Exposure Management CrowdStrike
192.168.12.212 00-50-56-A1-1F-07 skynet 439293445449716808dec735143db1e9 e29b670f12d342e3bcc7170a288xxxx Ubuntu 22.04 managed High - Exposure Management CrowdStrike
known_hosts log
The known_hosts log will always be enriched (with available data) for local hosts. A typical known_hosts.log will contain “endpoint” data similar to this example:
{
_path: known_hosts
_system_name: Lab-AP200
_write_ts: 2023-08-22T13:20:59.526107Z
annotations: [ ]
conns_closed: 186
conns_opened: 192
conns_pending: 8
duration: 944.5002398490906
ep.cid: e29b670f12d342e3bcc7170a288xxxx
ep.criticality: Unassigned
ep.desc: Exposure Management
ep.source: CrowdStrike
ep.status: unmanaged
ep.uid: e29b670f12d342e3bcc7170a288a0dbd_5abcec34b3443f3cb7fe17c4f7100e02
host_ip: 192.168.12.222
host_vlan: 12
kuid: KfmyeUjMS1C0j
last_active_interval: 901.3764350414276
last_active_session: Kf9fUdccOniI8
long_conns: 1
ts: 2024-04-03T16:47:30.187750Z
}
known_devices log
The known_devices entry will only be created if the MAC is available. A typical known_devices.log provides content similar to this example:
{
_path: known_devices
_system_name: Lab-AP200
_write_ts: 2023-08-22T13:20:59.526107Z
annotations: [
CrowdStrike/managed
]
duration: 920.0746190547943
host_ip: 192.168.12.212
kuid: Kf1THOpT9hJa5
last_active_interval: 954.522488117218
last_active_session: KfqhT6kg6fP7k
mac: 00:50:56:A1:1F:07
num_conns: 0
protocols: [
CrowdStrike
]
ts: 2023-08-22T13:04:54.000617Z
vendor_mac: unknown
}
known_domains log
The known_domains entry will only be created if the “Machine Domain” is available. A typical known_domains.log provides content similar to this example:
{
_path: known_domains
_system_name: Lab-AP200
_write_ts: 2023-08-22T13:51:39.591783Z
annotations: [
CrowdStrike/managed
]
domain: LAB.LOCAL
duration: 0
host_ip: 192.168.56.104
kuid: KfkAPIKyTuYv3
last_active_interval: 42202.37188410759
last_active_session: Kf64KcY1eZwM
num_conns: 1
protocols: [
CrowdStrike
]
ts: 2023-08-22T13:47:23.586163Z
}
known_names log
The known_names entry will only be created if the hostname is available. A typical known_names.log provides content similar to this example:
{
_path: known_names
_system_name: Lab-AP200
_write_ts: 2023-08-22T13:20:59.526107Z
annotations: [
CrowdStrike/managed
]
duration: 920.0746190547943
host_ip: 192.168.12.212
hostname: SKYNET
kuid: Kf1THOpT9hJa5
last_active_interval: 954.522488117218
last_active_session: KfqhT6kg6fP7k
num_conns: 0
protocols: [
CrowdStrike
]
ts: 2023-08-22T13:04:54.000617Z
}
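To make the hosts_data.tsv format above and the creation rules of the known_hosts, known_devices, known_domains and known_names entries concrete, here is an added Python reader (not part of the package's own code) that validates a file, indexes it by IP and reports, for a given host, the ep.* fields and which known_* logs would receive an entry. The constructed sample rows, the placeholder uid/cid values and the function names are assumptions of this example.

```python
import ipaddress

# Required columns per the input-file description; the other columns are optional.
REQUIRED = ("ip", "source")
# A known_* entry is only created when the column that feeds it is set.
LOG_TRIGGER = {"known_devices": "mac", "known_domains": "machine_domain",
               "known_names": "hostname"}
# Columns that surface as ep.* fields in known_hosts.log.
EP_FIELDS = ("cid", "criticality", "desc", "source", "status", "uid")

# Constructed sample (uid/cid are placeholders); '-' marks an unset field.
SAMPLE = "\n".join("\t".join(r) for r in [
    ("#fields", "ip", "mac", "hostname", "uid", "cid", "os_version", "status",
     "criticality", "machine_domain", "desc", "source"),
    ("192.168.56.104", "00-50-56-A2-B1-C2", "WIN10", "uid-placeholder-1",
     "cid-placeholder", "Windows 10", "managed", "High", "lab.local",
     "Exposure Management", "CrowdStrike"),
    ("192.168.12.222", "-", "-", "uid-placeholder-2", "cid-placeholder", "-",
     "unmanaged", "Unassigned", "-", "Exposure Management", "CrowdStrike"),
])


def load_hosts(text):
    """Parse hosts_data.tsv into {ip: {column: value}}, dropping unset ('-') columns."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("#fields\t"):
        raise ValueError("missing #fields header line")
    cols = lines[0].split("\t")[1:]
    hosts = {}
    for n, line in enumerate(lines[1:], start=2):
        vals = line.split("\t")  # tabs only, so 'Windows 10' stays one value
        if len(vals) != len(cols):
            raise ValueError(f"line {n}: expected {len(cols)} columns, got {len(vals)}")
        row = {c: v for c, v in zip(cols, vals) if v != "-"}
        missing = [c for c in REQUIRED if c not in row]
        if missing:
            raise ValueError(f"line {n}: required column(s) unset: {missing}")
        hosts[str(ipaddress.ip_address(row["ip"]))] = row  # rejects malformed IPs
    return hosts


def enrichment_for(hosts, host_ip):
    """Return (ep.* fields, known_* logs that get an entry) for host_ip."""
    row = hosts.get(host_ip)
    if row is None:
        return {}, set()  # host not in the file: nothing to enrich
    ep = {f"ep.{c}": row[c] for c in EP_FIELDS if c in row}
    logs = {"known_hosts"} | {log for log, col in LOG_TRIGGER.items() if col in row}
    return ep, logs
```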
conn log
If enabled, a typical conn.log could contain data similar to this example:
Note
Information related to “orig” or “resp” could come from different sources.
{
_path: conn
_system_name: Lab-AP200
_write_ts: 2024-04-03T16:13:45.854582Z
community_id: 1:V0CSla9v/X7WeKyC0D3V3LNYs2I=
conn_state: OTH
corelight_shunted: false
duration: 0.000028848648071289062
id.orig_h: 192.168.10.175
id.orig_h_name.src: DNS_A
id.orig_h_name.vals: [
32e0065c-1311-48ff-ad00-b201b2eeef70.local
2f12dc2d-eaf1-4e24-85ed-27668dd05fcc.local
930cdfc7-592a-4a60-a67a-e3797de56c2f.local
]
id.orig_p: 3
id.resp_h: 192.168.12.10
id.resp_h_name.src: DNS_A
id.resp_h_name.vals: [
pi2.lab.net
]
id.resp_p: 3
id.vlan: 1
local_orig: true
local_resp: true
missed_bytes: 0
orig_bytes: 402
orig_ep_cid: e29b670f12d342e3bcc7170a288xxxx
orig_ep_source: CrowdStrike
orig_ep_status: managed
orig_ep_uid: ecc6a481d55f40a684db15f7512103f2
orig_ip_bytes: 458
orig_l2_addr: 04:d9:f5:82:72:c0
orig_pkts: 2
proto: icmp
resp_bytes: 0
resp_ep_cid: e29b670f12d342e3bcc7170a288xxxx
resp_ep_source: CrowdStrike
resp_ep_status: unsupported
resp_ep_uid: e29b670f12d342e3bcc7170a288a0dbd_ced83f0c26493b638086fdc7b8b2c01d
resp_ip_bytes: 0
resp_l2_addr: f6:92:bf:91:2e:ee
resp_pkts: 0
ts: 2024-04-03T16:12:45.853821Z
uid: CQXWU94ynkRz8ywDri
vlan: 1
}
all logs
If enabled, any log with an “id.xxx” field could contain data similar to this example:
Note
Information related to “orig” or “resp” could come from different sources.
{
_path: dns_red
_system_name: Lab-AP200
_write_ts: 2024-04-03T16:13:45.436307Z
answers: [
www-linkedin-com.l-0005.l-msedge.net
l-0005.l-msedge.net
13.107.42.14
]
id.orig_ep_cid: e29b670f12d342e3bcc7170a288xxxx
id.orig_ep_source: CrowdStrike
id.orig_ep_status: managed
id.orig_ep_uid: ecc6a481d55f40a684db15f7512103f2
id.orig_h: 192.168.10.175
id.orig_p: 65206
id.resp_ep_cid: e29b670f12d342e3bcc7170a288xxxx
id.resp_ep_source: CrowdStrike
id.resp_ep_status: unsupported
id.resp_ep_uid: e29b670f12d342e3bcc7170a288a0dbd_9caa11e26d1f371797e73e9b9199d481
id.resp_h: 192.168.12.9
id.resp_p: 53
id.vlan: 1
num: 1
qtype_name: A
query: www.linkedin.com
rcode: 0
ts: 2024-04-03T16:13:36.649456Z
uid: C2wl6WO7lxCryLhW4
}