Zeek-Endpoint-Enrichment

The Zeek-Endpoint-Enrichment Zeek package uses the input file “hosts_data.tsv” to enrich multiple logs with relevant data. Depending on the data provided in the “hosts_data.tsv” file and the options enabled, this package can enrich the following logs:

  • known_devices

  • known_domains

  • known_hosts

  • known_names

  • conn (optional)

  • all logs (optional)

Note

Additional fields will only be created if the relevant data is available.

Input file (hosts_data.tsv)

The input file contains the following information (if available):

  • IP address (required)

  • MAC address

  • Hostname

  • Endpoint information source (required)

  • Endpoint criticality

  • Endpoint status

  • Endpoint Unique ID

  • Customer ID

  • OS version

  • Machine domain

  • Description

For example, this is a sample input file created by this integration, formatted using tab-separated values.

#fields  ip     mac                hostname  uid                               cid                              os_version    status       criticality  machine_domain  desc                 source
192.168.56.103  00-50-56-A3-B1-C2  WEF       ced83f0c26493b638086fdc7b8b2c01d  e29b670f12d342e3bcc7170a288xxxx  -             managed      Unassigned   -               Exposure Management  CrowdStrike
10.21.0.102     00-50-56-A1-B1-C4  DC        c53fdc3178ba36759c471d6b6655e324  e29b670f12d342e3bcc7170a288xxxx  -             managed      Critical     lab.local       Exposure Management  CrowdStrike
192.168.56.104  00-50-56-A2-B1-C2  WIN10     abb6c27309cf3730bb73e8cfd732d838  e29b670f12d342e3bcc7170a288xxxx  Windows 10    managed      High         lab.local       Exposure Management  CrowdStrike
192.168.1.155   92-91-E0-3E-66-A8  ss2oh     9caa11e26d1f371797e73e9b9199d481  e29b670f12d342e3bcc7170a288xxxx  -             managed      Unassigned   -               Exposure Management  CrowdStrike
192.168.1.120   00-0C-29-AB-75-05  fleet     81f845fe72ae32168aba94707fc8a49f  e29b670f12d342e3bcc7170a288xxxx  -             managed      Critical     -               Exposure Management  CrowdStrike
192.168.12.1    -                  -         613cd0e8a671350e83dec735143db1e0  e29b670f12d342e3bcc7170a288xxxx  -             unsupported  Unassigned   -               Exposure Management  CrowdStrike
192.168.12.210  -                  -         5f67453d7e833b0f82ac1d7a5788142a  e29b670f12d342e3bcc7170a288xxxx  -             unmanaged    Unassigned   -               Exposure Management  CrowdStrike
192.168.12.222  -                  -         5abcec34b3443f3cb7fe17c4f7100e02  e29b670f12d342e3bcc7170a288xxxx  -             unmanaged    Unassigned   -               Exposure Management  CrowdStrike
192.168.12.212  00-50-56-A1-1F-07  skynet    439293445449716808dec735143db1e9  e29b670f12d342e3bcc7170a288xxxx  Ubuntu 22.04  managed      High         -               Exposure Management  CrowdStrike

known_hosts log

The known_hosts log will always be enriched (with available data) for local hosts.

For example, a known_hosts.log can contain “endpoint” data similar to the sample below:

  {
    _path: known_hosts
    _system_name: Lab-AP200
    _write_ts: 2023-08-22T13:20:59.526107Z
    annotations: [ ]
    conns_closed: 186
    conns_opened: 192
    conns_pending: 8
    duration: 944.5002398490906
    ep.cid: e29b670f12d342e3bcc7170a288xxxx
    ep.criticality: Unassigned
    ep.desc: Exposure Management
    ep.source: CrowdStrike
    ep.status: unmanaged
    ep.uid: e29b670f12d342e3bcc7170a288a0dbd_5abcec34b3443f3cb7fe17c4f7100e02
    host_ip: 192.168.12.222
    host_vlan: 12
    kuid: KfmyeUjMS1C0j
    last_active_interval: 901.3764350414276
    last_active_session: Kf9fUdccOniI8
    long_conns: 1
    ts: 2024-04-03T16:47:30.187750Z
  }

known_devices log

The known_devices entry will only be created if a MAC address is available for the host. For example, a known_devices.log can contain content similar to the sample below:

  {
    _path: known_devices
    _system_name: Lab-AP200
    _write_ts: 2023-08-22T13:20:59.526107Z
    annotations: [
      CrowdStrike/managed
    ]
    duration: 920.0746190547943
    host_ip: 192.168.12.212
    kuid: Kf1THOpT9hJa5
    last_active_interval: 954.522488117218
    last_active_session: KfqhT6kg6fP7k
    mac: 00:50:56:A1:1F:07
    num_conns: 0
    protocols: [
      CrowdStrike
    ]
    ts: 2023-08-22T13:04:54.000617Z
    vendor_mac: unknown
  }

known_domains log

The known_domains entry will only be created if the “Machine Domain” is available. For example, a known_domains.log can contain content similar to the sample below:

  {
    _path: known_domains
    _system_name: Lab-AP200
    _write_ts: 2023-08-22T13:51:39.591783Z
    annotations: [
      CrowdStrike/managed
    ]
    domain: LAB.LOCAL
    duration: 0
    host_ip: 192.168.56.104
    kuid: KfkAPIKyTuYv3
    last_active_interval: 42202.37188410759
    last_active_session: Kf64KcY1eZwM
    num_conns: 1
    protocols: [
      CrowdStrike
    ]
    ts: 2023-08-22T13:47:23.586163Z
  }

known_names log

The known_names entry will only be created if the hostname is available. For example, a known_names.log can contain content similar to the sample below:

  {
    _path: known_names
    _system_name: Lab-AP200
    _write_ts: 2023-08-22T13:20:59.526107Z
    annotations: [
      CrowdStrike/managed
    ]
    duration: 920.0746190547943
    host_ip: 192.168.12.212
    hostname: SKYNET
    kuid: Kf1THOpT9hJa5
    last_active_interval: 954.522488117218
    last_active_session: KfqhT6kg6fP7k
    num_conns: 0
    protocols: [
      CrowdStrike
    ]
    ts: 2023-08-22T13:04:54.000617Z
  }

conn log

If enabled, a typical conn.log can contain content similar to the sample below:

Note

Information related to “orig” or “resp” could come from different sources.

  {
    _path: conn
    _system_name: Lab-AP200
    _write_ts: 2024-04-03T16:13:45.854582Z
    community_id: 1:V0CSla9v/X7WeKyC0D3V3LNYs2I=
    conn_state: OTH
    corelight_shunted: false
    duration: 0.000028848648071289062
    id.orig_h: 192.168.10.175
    id.orig_h_name.src: DNS_A
    id.orig_h_name.vals: [
      32e0065c-1311-48ff-ad00-b201b2eeef70.local
      2f12dc2d-eaf1-4e24-85ed-27668dd05fcc.local
      930cdfc7-592a-4a60-a67a-e3797de56c2f.local
    ]
    id.orig_p: 3
    id.resp_h: 192.168.12.10
    id.resp_h_name.src: DNS_A
    id.resp_h_name.vals: [
      pi2.lab.net
    ]
    id.resp_p: 3
    id.vlan: 1
    local_orig: true
    local_resp: true
    missed_bytes: 0
    orig_bytes: 402
    orig_ep_cid: e29b670f12d342e3bcc7170a288xxxx
    orig_ep_source: CrowdStrike
    orig_ep_status: managed
    orig_ep_uid: ecc6a481d55f40a684db15f7512103f2
    orig_ip_bytes: 458
    orig_l2_addr: 04:d9:f5:82:72:c0
    orig_pkts: 2
    proto: icmp
    resp_bytes: 0
    resp_ep_cid: e29b670f12d342e3bcc7170a288xxxx
    resp_ep_source: CrowdStrike
    resp_ep_status: unsupported
    resp_ep_uid: e29b670f12d342e3bcc7170a288a0dbd_ced83f0c26493b638086fdc7b8b2c01d
    resp_ip_bytes: 0
    resp_l2_addr: f6:92:bf:91:2e:ee
    resp_pkts: 0
    ts: 2024-04-03T16:12:45.853821Z
    uid: CQXWU94ynkRz8ywDri
    vlan: 1
  }
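The input-file format above and the conn enrichment shown in this sample, as an added example that is not part of the package: a small Python loader that parses a constructed hosts_data.tsv in the page's layout, enforces the two required columns (ip and source), normalizes dash-separated MACs to the colon form seen in known_devices, and then adds orig_ep_*/resp_ep_* fields to a conn record by looking up id.orig_h and id.resp_h. The row contents and the conn record are constructed for illustration; the function names are this example's own.

```python
import ipaddress

# Constructed sample in the page's hosts_data.tsv layout (tab-separated);
# "-" marks an unset field, as in Zeek's input framework.
SAMPLE_TSV = (
    "#fields\tip\tmac\thostname\tuid\tcid\tos_version\tstatus\tcriticality\tmachine_domain\tdesc\tsource\n"
    "192.168.12.212\t00-50-56-A1-1F-07\tskynet\t439293445449716808dec735143db1e9\te29b670f12d342e3bcc7170a288xxxx\tUbuntu 22.04\tmanaged\tHigh\t-\tExposure Management\tCrowdStrike\n"
    "192.168.12.222\t-\t-\t5abcec34b3443f3cb7fe17c4f7100e02\te29b670f12d342e3bcc7170a288xxxx\t-\tunmanaged\tUnassigned\t-\tExposure Management\tCrowdStrike\n"
    "not-an-ip\t-\t-\tdeadbeef\te29b670f12d342e3bcc7170a288xxxx\t-\tmanaged\tLow\t-\tbad row\t-\n"
)

REQUIRED = ("ip", "source")  # the page marks these two columns as required


def load_hosts(text):
    """Parse hosts_data.tsv into {ip: row}; returns (table, rejected_rows)."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        raise ValueError("missing #fields header")
    fields = lines[0].split("\t")[1:]
    table, rejected = {}, []
    for line in lines[1:]:
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split("\t")))
        # Drop rows missing a required column or with an unparsable IP.
        if any(row.get(f, "-") in ("", "-") for f in REQUIRED):
            rejected.append(row)
            continue
        try:
            ip = str(ipaddress.ip_address(row["ip"]))
        except ValueError:
            rejected.append(row)
            continue
        if row.get("mac", "-") != "-":
            # Input uses 00-50-56-..., known_devices shows 00:50:56:...
            row["mac"] = row["mac"].replace("-", ":").upper()
        table[ip] = row
    return table, rejected


def enrich_conn(conn, table):
    """Add orig_ep_*/resp_ep_* fields to a conn record for hosts in the table."""
    out = dict(conn)
    for side in ("orig", "resp"):
        ep = table.get(conn.get(f"id.{side}_h"))
        if ep is None:
            continue  # unknown endpoint: the record is left unchanged
        for key in ("cid", "source", "status", "uid"):
            if ep.get(key, "-") != "-":
                out[f"{side}_ep_{key}"] = ep[key]
    return out
```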

all logs

If enabled, any log that carries the connection “id” record (“id.orig_h”, “id.resp_h”, and so on) can contain content similar to the sample below:

Note

Information related to “orig” or “resp” could come from different sources.

  {
    _path: dns_red
    _system_name: Lab-AP200
    _write_ts: 2024-04-03T16:13:45.436307Z
    answers: [
      www-linkedin-com.l-0005.l-msedge.net
      l-0005.l-msedge.net
      13.107.42.14
    ]
    id.orig_ep_cid: e29b670f12d342e3bcc7170a288xxxx
    id.orig_ep_source: CrowdStrike
    id.orig_ep_status: managed
    id.orig_ep_uid: ecc6a481d55f40a684db15f7512103f2
    id.orig_h: 192.168.10.175
    id.orig_p: 65206
    id.resp_ep_cid: e29b670f12d342e3bcc7170a288xxxx
    id.resp_ep_source: CrowdStrike
    id.resp_ep_status: unsupported
    id.resp_ep_uid: e29b670f12d342e3bcc7170a288a0dbd_9caa11e26d1f371797e73e9b9199d481
    id.resp_h: 192.168.12.9
    id.resp_p: 53
    id.vlan: 1
    num: 1
    qtype_name: A
    query: www.linkedin.com
    rcode: 0
    ts: 2024-04-03T16:13:36.649456Z
    uid: C2wl6WO7lxCryLhW4
  }