ZEEK Dashboards
[ZEEK] Overviewβ
Indexes: cvah-zeek*
Datasets: zeek.*
Descriptionβ
[ZEEK] INTELβ
Indexes: cvah-zeek.intel*
Datasets: zeek.intel
Descriptionβ
A dashboard with data from the native Zeek intel.log. The Zeek intelligence framework provides a way to feed IOCs (IPs, Domains, URLs, etc.) to Zeek and trigger a log whenever it sees an indicator.
- On a CVA/H DIP, Zeek intel is added by creating a
Zeek Intelruleset in the TFPlenum Rule Set page. - Upon "alerting", a Zeek intel indicator hit may require additional intel research into why the indicator is malicious
Useful Fieldsβ
| Field | Description |
|---|---|
zeek.intel.sources | The intel indicator author |
zeek.intel.seen.indicator_type | The type of indicator that was seen |
zeek.intel.seen.indicator | The specific intel indicator that was seen |
zeek.intel.seen.where | Where the intel indicator was seen |
[ZEEK] NOTICEβ
Indexes: cvah-zeek.notice*
Datasets: zeek.notice
Descriptionβ
A dashboard with data from the native Zeek notice.log. The notice.log captures alert and notice events generated by Zeek. It includes details such as notice types, descriptions, source and destination addresses, and timestamps. This log is essential for monitoring and responding to security alerts, helping to detect and investigate potential threats, policy violations, and other significant events on the network.
Useful Fieldsβ
| Field | Description |
|---|---|
zeek.notice.action | |
zeek.notice.note | |
zeek.notice.msg | |
zeek.notice.sub_msg |
[ZEEK] SIGNATURESβ
Indexes: cvah-zeek.signatures*
Datasets: zeek.signatures
Descriptionβ
A dashboard with data from the native Zeek signatures.log. The signatures.log captures events related to Zeek's signature-based detection. It includes details such as signature IDs, descriptions, matched conditions, source and destination addresses, and timestamps. This log is essential for monitoring and analyzing signature-based detection alerts, helping to detect known threats, validate signature efficacy, and refine detection capabilities.
Useful Fieldsβ
| Field | Description |
|---|---|
zeek.signature.id | |
zeek.signature.event_msg | |
zeek.signature.sub_msg | |
zeek.signature.not |
[ZEEK] CONNβ
Indexes: cvah-zeek.conn*
Datasets: zeek.conn
Descriptionβ
A dashboard with data from the native Zeek conn.log. The conn.log records all connection attempts seen by Zeek, including successful and unsuccessful attempts. It provides detailed information on network connections, such as connection state, duration, byte counts, and flags, helping to analyze and monitor network traffic patterns and detect anomalies.
[ZEEK] CONN - Dataflowβ
Indexes: cvah-zeek.conn*
Datasets: zeek.conn
[ZEEK] CONN - Scannersβ
Indexes: cvah-zeek.conn*
Datasets: zeek.conn
[ZEEK] CONN - Geolocationβ
Indexes: cvah-zeek.conn*
Datasets: zeek.conn
[ZEEK] DCE_RPCβ
Indexes: cvah-zeek.dce_rpc*
Datasets: zeek.dce_rpc
Descriptionβ
A dashboard with data from the native Zeek dce_rpc.log. The dce_rpc.log captures and logs Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) activity mainly seen in Windows environments. It includes details such as UUIDs, operation names, and RPC endpoint information. This log helps in monitoring and analyzing remote procedure call traffic, which is crucial for identifying potential misuse or anomalous activities in network services.
[ZEEK] DHCPβ
Indexes: cvah-zeek.dhcp*
Datasets: zeek.dhcp
Descriptionβ
A dashboard with data from the native Zeek dhcp.log. The dhcp.log records Dynamic Host Configuration Protocol (DHCP) activity, capturing events such as IP address assignments, lease times, and client-server exchanges. This log provides insights into network configuration changes and can help identify unauthorized devices or configuration issues within the network.
[ZEEK] DNSβ
Indexes: cvah-zeek.dns*
Datasets: zeek.dns
Descriptionβ
A dashboard with data from the native Zeek dns.log. The dns.log captures Domain Name System (DNS) queries and responses. It includes details such as query types, response codes, query names, and resolved IP addresses. NetBIOS-NS (Network Basic Input/Output System Name Service) traffic is also captured here, is it is also technically a Domain Name System. This log is essential for monitoring and analyzing DNS traffic, helping to detect suspicious domain lookups, DNS-based attacks, and overall DNS health.
[ZEEK] DNS - Domain Analysisβ
Indexes: cvah-zeek.dns*
Datasets: zeek.dns
[ZEEK] FTPβ
Indexes: cvah-zeek.ftp*
Datasets: zeek.ftp
Descriptionβ
A dashboard with data from the native Zeek ftp.log. The ftp.log captures unencrypted File Transfer Protocol (FTP) sessions. It includes details such as command types, file names, user credentials, and transfer status. This log helps in monitoring and analyzing FTP activity, which is crucial for detecting unauthorized file transfers, credential abuse, and other anomalies in file sharing services.
[ZEEK] HTTPβ
Indexes: cvah-zeek.http*
Datasets: zeek.http
Descriptionβ
A dashboard with data from the native Zeek http.log. The http.log records unencrypted Hypertext Transfer Protocol (HTTP) requests and responses. It includes details such as URLs, methods, response codes, user agents, and referrers. This log is vital for monitoring and analyzing web traffic, helping to identify suspicious activity, web-based attacks, and performance issues.
[ZEEK] HTTP - Dataflowβ
Indexes: cvah-zeek.http*
Datasets: zeek.http
[ZEEK] IRCβ
Indexes: cvah-zeek.irc*
Datasets: zeek.irc
Descriptionβ
A dashboard with data from the native Zeek irc.log. The irc.log captures unencrypted Internet Relay Chat (IRC) communication. It includes details such as message content, user nicknames, channels, and commands. This log is useful for monitoring and analyzing IRC traffic, helping to detect unauthorized chat activities, command and control channels, and other malicious uses of IRC.
[ZEEK] KERBEROSβ
Indexes: cvah-zeek.kerberos*
Datasets: zeek.kerberos
Descriptionβ
A dashboard with data from the native Zeek kerberos.log. The kerberos.log records Kerberos authentication traffic. It includes details such as client and server principal names, ticket-granting ticket (TGT) requests, service ticket requests, and encryption types. This log is crucial for monitoring and analyzing authentication activities, helping to detect unauthorized access attempts, credential abuse, and other anomalies in the Kerberos authentication process.
[ZEEK] LDAPβ
Indexes: cvah-zeek.ldap*
Datasets: zeek.ldap, zeek.ldap_search
Descriptionβ
A dashboard with data from the native Zeek ldap.log and ldap_search.log. The ldap.log captures unencrypted Lightweight Directory Access Protocol (LDAP) operations, including bind requests, modifications, and other directory service interactions. The ldap_search.log specifically logs unencrypted LDAP search operations, detailing search filters, base objects, and returned attributes. These logs are essential for monitoring and analyzing directory service activities, helping to detect unauthorized access, changes to directory entries, and other suspicious behaviors within LDAP environments.
[ZEEK] MYSQLβ
Indexes: cvah-zeek.mysql*
Datasets: zeek.mysql
Descriptionβ
A dashboard with data from the native Zeek mysql.log. The mysql.log captures unencrypted MySQL database activity. It includes details such as query types, user authentication attempts, and query execution times. This log is crucial for monitoring and analyzing database interactions, helping to detect unauthorized access, SQL injection attacks, and performance issues within MySQL databases.
[ZEEK] NTLMβ
Indexes: cvah-zeek.ntlm*
Datasets: zeek.ntlm
Descriptionβ
A dashboard with data from the native Zeek ntlm.log. The ntlm.log records NT LAN Manager (NTLM) authentication traffic. It includes details such as client and server hostnames, domain names, user names, and the success or failure of authentication attempts. This log is important for monitoring and analyzing NTLM authentication activities, helping to detect unauthorized access attempts, credential abuse, and other anomalies in NTLM authentication processes.
[ZEEK] QUICβ
Indexes: cvah-zeek.quic*
Datasets: zeek.quic
Descriptionβ
A dashboard with data from the native Zeek quic.log. The quic.log captures Quick UDP Internet Connections (QUIC) protocol traffic. It includes details such as connection identifiers, source and destination addresses, and QUIC-specific parameters like stream IDs and packet numbers. This log is essential for monitoring and analyzing QUIC traffic, helping to detect anomalies, performance issues, and potential security threats in QUIC-based communications.
[ZEEK] RADIUSβ
Indexes: cvah-zeek.radius*
Datasets: zeek.radius
Descriptionβ
A dashboard with data from the native Zeek radius.log. The radius.log captures Remote Authentication Dial-In User Service (RADIUS) protocol activity. It includes details such as authentication requests, accounting records, client and server addresses, and result codes. This log is crucial for monitoring and analyzing RADIUS authentication and accounting transactions, helping to detect unauthorized access attempts, misconfigurations, and other anomalies in RADIUS-based services.
[ZEEK] RDPβ
Indexes: cvah-zeek.rdp*
Datasets: zeek.rdp
Descriptionβ
A dashboard with data from the native Zeek rdp.log. The rdp.log captures Remote Desktop Protocol (RDP) activity. It includes details such as connection attempts, client and server addresses, security protocols used, and session information. This log is vital for monitoring and analyzing RDP sessions, helping to detect unauthorized access attempts, brute force attacks, and other suspicious activities in RDP communications.
[ZEEK] RFBβ
Indexes: cvah-zeek.rfb*
Datasets: zeek.rfb
Descriptionβ
A dashboard with data from the native Zeek rfb.log. The rfb.log captures Remote Framebuffer (RFB) protocol activity, which is the basis for VNC (Virtual Network Computing). It includes details such as client and server addresses, authentication methods, and session information. This log is essential for monitoring and analyzing VNC sessions, helping to detect unauthorized remote access, potential security breaches, and other anomalies in RFB communications.
[ZEEK] SIPβ
Indexes: cvah-zeek.sip*
Datasets: zeek.sip
Descriptionβ
A dashboard with data from the native Zeek sip.log. The sip.log captures Session Initiation Protocol (SIP) traffic. It includes details such as call setup and teardown messages, participant addresses, SIP methods, and response codes. This log is crucial for monitoring and analyzing Voice over IP (VoIP) communications, helping to detect unauthorized call attempts, signaling issues, and other anomalies in SIP traffic.
[ZEEK] SMB_MAPPINGβ
Indexes: cvah-zeek.smb_mapping*
Datasets: zeek.smb_mapping
Descriptionβ
A dashboard with data from the native Zeek smb_mapping.log. The smb_mapping.log captures Server Message Block (SMB) share mapping activity. It includes details such as client and server addresses, share names, user IDs, and mapping status. This log is essential for monitoring and analyzing SMB share access, helping to detect unauthorized access attempts, misconfigurations, and other anomalies in SMB share mappings.
[ZEEK] SMB_CMDβ
Indexes: cvah-zeek.smb_cmd*
Datasets: zeek.smb_cmd
Descriptionβ
A dashboard with data from the native Zeek smb_cmd.log. The smb_cmd.log captures Server Message Block (SMB) command activity. It includes details such as client and server addresses, command types, file names, and user IDs. This log is crucial for monitoring and analyzing SMB protocol operations, helping to detect unauthorized file access, command execution, and other anomalies in SMB communications.
[ZEEK] SMB_FILESβ
Indexes: cvah-zeek.smb_files*
Datasets: zeek.smb_files
Descriptionβ
A dashboard with data from the native Zeek smb_files.log. The smb_files.log captures Server Message Block (SMB) file activity. It includes details such as file names, file paths, operation types, client and server addresses, and user IDs. This log is essential for monitoring and analyzing file interactions over SMB, helping to detect unauthorized file access, data exfiltration, and other anomalies in SMB file operations.
[ZEEK] SMTPβ
Indexes: cvah-zeek.smtp*
Datasets: zeek.smtp
Descriptionβ
A dashboard with data from the native Zeek smtp.log. The smtp.log captures unencrypted Simple Mail Transfer Protocol (SMTP) activity. It includes details such as sender and recipient email addresses, subject lines, mail server addresses, and message sizes. This log is crucial for monitoring and analyzing email traffic, helping to detect spam, phishing attempts, unauthorized email usage, and other anomalies in SMTP communications.
[ZEEK] SNMPβ
Indexes: cvah-zeek.snmp*
Datasets: zeek.snmp
Descriptionβ
A dashboard with data from the native Zeek snmp.log. The snmp.log captures Simple Network Management Protocol (SNMP) activity. It includes details such as source and destination addresses, SNMP versions, community strings, and PDU (Protocol Data Unit) types. This log is essential for monitoring and analyzing network management traffic, helping to detect unauthorized access, configuration changes, and other anomalies in SNMP communications.
[ZEEK] SOCKSβ
Indexes: cvah-zeek.socks*
Datasets: zeek.socks
Descriptionβ
A dashboard with data from the native Zeek socks.log. The socks.log captures SOCKS proxy activity. It includes details such as client and server addresses, command types, and authentication methods. This log is essential for monitoring and analyzing SOCKS proxy usage, helping to detect unauthorized access, tunneling activities, and other anomalies in SOCKS communications.
[ZEEK] SSHβ
Indexes: cvah-zeek.ssh*
Datasets: zeek.ssh
Descriptionβ
A dashboard with data from the native Zeek ssh.log. The ssh.log captures Secure Shell (SSH) protocol activity. It includes details such as client and server addresses, authentication methods, user names, and key exchange algorithms. This log is crucial for monitoring and analyzing SSH sessions, helping to detect unauthorized access attempts, brute force attacks, and other anomalies in SSH communications.
[ZEEK] SSLβ
Indexes: cvah-zeek.ssl*
Datasets: zeek.ssl
Descriptionβ
A dashboard with data from the native Zeek ssl.log. The ssl.log captures Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocol activity. It includes details such as server and client addresses, certificate information, cipher suites, and protocol versions. This log is essential for monitoring and analyzing encrypted traffic, helping to detect issues with SSL/TLS configurations, certificate anomalies, and potential security threats in encrypted communications.
[ZEEK] SYSLOGβ
Indexes: cvah-zeek.syslog*
Datasets: zeek.syslog
Descriptionβ
A dashboard with data from the native Zeek syslog.log. The syslog.log captures unencrypted Syslog protocol messages. It includes details such as timestamps, message severities, facility codes, and message content. This log is essential for monitoring and analyzing system and network device logs, helping to detect system errors, security events, and other significant activities reported via Syslog.
[ZEEK] TUNNELβ
Indexes: cvah-zeek.tunnel*
Datasets: zeek.tunnel
Descriptionβ
A dashboard with data from the native Zeek tunnel.log. The tunnel.log captures tunnel-related activity, including protocols like Virtual Private Network (VPN) and Generic Routing Encapsulation (GRE). It includes details such as inner and outer source and destination addresses, tunnel types, and encapsulated protocols. This log is crucial for monitoring and analyzing tunneling activities, helping to detect unauthorized tunneling, VPN usage, and other anomalies in tunneled communications.
[ZEEK] WEBSOCKETβ
Indexes: cvah-zeek.websocket*
Datasets: zeek.websocket
Descriptionβ
A dashboard with data from the native Zeek websocket.log. The websocket.log captures WebSocket protocol activity. It includes details such as connection attempts, client and server addresses, messages sent and received, and WebSocket opcodes. This log is essential for monitoring and analyzing WebSocket communications, helping to detect unauthorized access, data exfiltration, and other anomalies in WebSocket traffic.
[ZEEK] BACNETβ
Indexes: cvah-zeek.bacnet*
Datasets: zeek.bacnet, zeek.bacnet_discovery, zeek.bacnet_property, zeek.bacnet_property, zeek.bacnet_device_control
Descriptionβ
A dashboard with data from CISA's ICSNPP Zeek plugin for BACnet protocol. The bacnet* logs capture Building Automation and Control Network (BACnet) traffic. They include details such as BACnet services, device addresses, property values, and network layer information. These logs are crucial for monitoring and analyzing BACnet communications, helping to detect unauthorized access, misconfigurations, and other anomalies in building automation and control systems.
[ZEEK] BSAPβ
Indexes: cvah-zeek.bsap*
Datasets: zeek.bsap_ip_header, zeek.bsap_ip_rdb, zeek.bsap_ip_unknown, zeek.bsap_serial_header, zeek.bsap_serial_rdb, zeek.bsap_serial_rdb_ext, zeek.bsap_serial_unknown
Descriptionβ
A dashboard with data from CISA's ICSNPP Zeek plugin for BSAP protocol. The bsap* logs capture Bristol Standard Asynchronous Protocol (BSAP) traffic. They include details such as message types, device addresses, function codes, and data values. These logs are essential for monitoring and analyzing BSAP communications, helping to detect unauthorized access, protocol anomalies, and other security issues in industrial control systems using BSAP.
[ZEEK] DNP3β
Indexes: cvah-zeek.dnp3*
Datasets: zeek.dnp3, zeek.dnp3_control, zeek.dnp3_objects
Descriptionβ
A dashboard with data from the native Zeek dnp3.log and CISA's ICSNPP plugin for DNP3 protocol. The dnp3.log captures Distributed Network Protocol 3 (DNP3) traffic, including details such as function codes, object headers, and source and destination addresses. The additional logs from the ICSNPP plugin provide enhanced visibility into DNP3 communications, including device status, event data, and detailed protocol analysis. These logs are crucial for monitoring and analyzing DNP3 communications in industrial control systems, helping to detect unauthorized access, protocol misconfigurations, and other anomalies in DNP3 traffic.
[ZEEK] ENIPβ
Indexes: cvah-zeek.enip*
Datasets: zeek.enip, zeek.cip, zeek.cip_io, zeek.cip_identity
Descriptionβ
A dashboard with data from CISA's ICSNPP Zeek plugin for EtherNet/IP (ENIP) and Common Industrial Protocol (CIP). The enip.log capture ENIP traffic, including details such as device addresses, command types, and connection statuses. The cip* logs capture CIP traffic, providing insights into CIP service requests and responses, object attributes, and class codes. These logs are essential for monitoring and analyzing industrial control system communications, helping to detect unauthorized access, protocol anomalies, and other security issues in ENIP and CIP traffic.
[ZEEK] ETHERCATβ
Indexes: cvah-zeek.ecat*
Datasets: zeek.ecat_registers, zeek.ecat_log_address, zeek.ecat_dev_info, zeek.ecat_aoe_info, zeek.ecat_coe_info, zeek.ecat_foe_info, zeek.ecat_soe_info, zeek.ecat_arp_info
Descriptionβ
A dashboard with data from CISA's ICSNPP Zeek plugin for EtherCAT protocol. The ecat* logs capture EtherCAT (Ethernet for Control Automation Technology) traffic. They include details such as frame types, slave addresses, command types, and data lengths. These logs are crucial for monitoring and analyzing EtherCAT communications in industrial control systems, helping to detect unauthorized access, protocol misconfigurations, and other anomalies in EtherCAT traffic.
[ZEEK] GENISYSβ
Indexes: cvah-zeek.genisys*
Datasets: zeek.genisys
Descriptionβ
A dashboard with data from CISA's ICSNPP Zeek plugin for Genisys protocol. The genisys.log captures Genisys traffic, including details such as message types, device addresses, and data values. This log is essential for monitoring and analyzing Genisys communications in industrial control systems, helping to detect unauthorized access, protocol anomalies, and other security issues in Genisys traffic.
[ZEEK] MODBUSβ
Indexes: cvah-zeek.modbus*
Datasets: zeek.modbus, zeek.modbus_register_change, zeek.modbus_detailed, zeek.modbus_mask_write_register, zeek.modbus_read_write_multiple_registers, zeek.modbus_read_device_identification
Descriptionβ
A dashboard with data from the native Zeek modbus.log, modbus_register_change.log, and CISA's ICSNPP plugin for Modbus protocol. The modbus.log captures Modbus traffic, including details such as function codes, unit identifiers, and register addresses. The modbus_register_change.log tracks changes to Modbus registers, providing insights into write operations and their effects. The additional logs from the ICSNPP plugin offer enhanced visibility into Modbus communications, including detailed analysis of read and write operations, exception responses, and device diagnostics. These logs are essential for monitoring and analyzing Modbus communications in industrial control systems, helping to detect unauthorized access, protocol misconfigurations, and other anomalies in Modbus traffic.
[ZEEK] OPCUAβ
Indexes: cvah-zeek.opcua*
Datasets: zeek.opcua-binary, zeek.opcua-binary-diag-info-detail, zeek.opcua-binary-status-code-detail, zeek.opcua-binary-aggregate-filter, zeek.opcua-binary-data-change-filter, zeek.opcua-binary-event-filter, zeek.opcua-binary-event-filter-attribute-operand, zeek.opcua-binary-event-filter-attribute-operand-browse-paths, zeek.opcua-binary-event-filter-where-clause, zeek.opcua-binary-event-filter-where-clause-elements, zeek.opcua-binary-event-filter-element-operand, zeek.opcua-binary-event-filter-literal-operand, zeek.opcua-binary-event-filter-select-clause, zeek.opcua-binary-event-filter-simple-attribute-operand, zeek.opcua-binary-event-filter-simple-attribute-operand-browse-paths, zeek.opcua-binary-variant-array-dims, zeek.opcua-binary-variant-data, zeek.opcua-binary-variant-data-value, zeek.opcua-binary-variant-extension-object, zeek.opcua-binary-variant-metadata, zeek.opcua-binary-activate-session, zeek.opcua-binary-activate-session-client-software-cert, zeek.opcua-binary-activate-session-locale-id, zeek.opcua-binary-browse, zeek.opcua-binary-browse-description, zeek.opcua-binary-browse-request-continuation-point, zeek.opcua-binary-browse-result, zeek.opcua-binary-browse-response-references, zeek.opcua-binary-close-session, zeek.opcua-binary-create-monitored-items, zeek.opcua-binary-create-monitored-items-create-item, zeek.opcua-binary-create-session, zeek.opcua-binary-create-session-discovery, zeek.opcua-binary-create-session-endpoints, zeek.opcua-binary-create-session-user-token, zeek.opcua-binary-create-subscription, zeek.opcua-binary-get-endpoints, zeek.opcua-binary-get-endpoints-description, zeek.opcua-binary-get-endpoints-discovery, zeek.opcua-binary-get-endpoints-user-token, zeek.opcua-binary-get-endpoints-locale_id, zeek.opcua-binary-get-endpoints-profile_uri, zeek.opcua-binary-read, zeek.opcua-binary-read-nodes-to-read, zeek.opcua-binary-read-results, zeek.opcua-binary-opensecure-channel
Descriptionβ
A dashboard with data from CISA's ICSNPP Zeek plugin for OPC UA Binary protocol. The opcua-binary* logs capture OPC Unified Architecture (OPC UA) communications in binary encoding. They include details such as session creation, service requests and responses, node IDs, and data values. These logs are crucial for monitoring and analyzing OPC UA communications in industrial control systems, helping to detect unauthorized access, protocol anomalies, and other security issues in OPC UA binary traffic.
[ZEEK] PROFINETβ
Indexes: cvah-zeek.profinet*
Datasets: zeek.profinet_io_cm
Descriptionβ
A dashboard with data from CISA's ICSNPP Zeek plugin for PROFINET IO-Controller Manager protocol. The profinet_io_cm.log capture PROFINET IO communications, including details such as connection management, device addresses, AR (Application Relation) requests and responses, and diagnostic information. These logs are essential for monitoring and analyzing PROFINET IO communications in industrial control systems, helping to detect unauthorized access, protocol misconfigurations, and other anomalies in PROFINET IO traffic.
[ZEEK] S7COMMβ
Indexes: cvah-zeek.s7comm*
Datasets: zeek.cotp, zeek.s7comm, zeek.s7comm_read_szl, zeek.s7comm_upload_download, zeek.s7comm_plus
Descriptionβ
A dashboard with data from CISA's ICSNPP Zeek plugin for COTP and S7comm protocols. The cotp.log captures Connection-Oriented Transport Protocol (COTP) traffic, including details such as connection setup, teardown, and data transfer phases. The s7comm* logs capture Siemens S7 Communication (S7comm) protocol traffic, providing insights into command types, function codes, parameters, and data areas accessed. These logs are crucial for monitoring and analyzing communications in Siemens industrial control systems, helping to detect unauthorized access, protocol misconfigurations, and other anomalies in COTP and S7comm traffic.
[ZEEK] SYNCHROPHASORβ
Indexes: cvah-zeek.synchrophasor*
Datasets: zeek.synchrophasor, zeek.synchrophasor_cmd, zeek.synchrophasor_hdr, zeek.synchrophasor_cfg, zeek.synchrophasor_cfg_detail, zeek.synchrophasor_data, zeek.synchrophasor_data_detail
Descriptionβ
A dashboard with data from CISA's ICSNPP Zeek plugin for Synchrophasor protocol. The synchrophasor* logs capture traffic related to synchrophasor measurements used in power systems. They include details such as phasor data, frequency measurements, device identifiers, and time synchronization information. These logs are essential for monitoring and analyzing synchrophasor communications, helping to detect unauthorized access, measurement anomalies, and other security issues in power system monitoring and control.
[ZEEK] FILESβ
Indexes: cvah-zeek.files*
Datasets: zeek.files
Descriptionβ
A dashboard with data from the native Zeek files.log. The files.log captures information about files transferred over the network. It includes details such as file names, MIME types, file sizes, hashes, and source and destination addresses. This log is essential for monitoring and analyzing file transfer activities, helping to detect unauthorized data exfiltration, malware distribution, and other anomalies in file transfers.
[ZEEK] PEβ
Indexes: cvah-zeek.pe*
Datasets: zeek.pe
Descriptionβ
A dashboard with data from the native Zeek pe.log. The pe.log captures information about Portable Executable (PE) files observed on the network. It includes details such as file hashes, file names, compilation timestamps, and information about sections and imports. This log is essential for monitoring and analyzing executable files, helping to detect malware, unauthorized software, and other anomalies in PE file transfers.
[ZEEK] X509β
Indexes: cvah-zeek.x509*
Datasets: zeek.x509
Descriptionβ
A dashboard with data from the native Zeek x509.log. The x509.log captures information about X.509 certificates observed on the network. It includes details such as certificate fingerprints, subject and issuer information, validity periods, and key lengths. This log is essential for monitoring and analyzing SSL/TLS certificates, helping to detect certificate anomalies, expired certificates, and other issues related to digital certificate management.
[ZEEK] KNOWN_HOSTSβ
Indexes: cvah-zeek.known_hosts*
Datasets: zeek.known_hosts
Descriptionβ
A dashboard with data from the native Zeek known_hosts.log. The known_hosts.log captures information about hosts known to have been seen on the network. It includes details such as IP addresses, MAC addresses, first and last seen timestamps, and associated services. This log is essential for maintaining an inventory of network devices, helping to detect unauthorized devices, track device activity, and ensure network integrity.
[ZEEK] KNOWN_CERTSβ
Indexes: cvah-zeek.known_certs*
Datasets: zeek.known_certs
Descriptionβ
A dashboard with data from the native Zeek known_certs.log. The known_certs.log captures information about X.509 certificates observed on the network. It includes details such as certificate fingerprints, serial numbers, subject and issuer information, and validity periods. This log is essential for tracking and managing known certificates, helping to detect certificate reuse, identify anomalies, and ensure proper certificate usage within the network.
[ZEEK] KNOWN_SERVICESβ
Indexes: cvah-zeek.known_services*
Datasets: zeek.known_services
[ZEEK] SOFTWAREβ
Indexes: cvah-zeek.software*
Datasets: zeek.software
Descriptionβ
A dashboard with data from the native Zeek software.log. The software.log captures information about software observed on the network. It includes details such as software names, versions, types, and the hosts on which the software is running. This log is essential for monitoring and managing software inventory, helping to detect unauthorized software installations, track software usage, and ensure compliance with software policies.
[ZEEK] DPDβ
Indexes: cvah-zeek.dpd*
Datasets: zeek.dpd
Descriptionβ
A dashboard with data from the native Zeek dpd.log. The dpd.log captures information from Zeek's Dynamic Protocol Detection (DPD) framework. It includes details such as detected protocols, connection identifiers, and detection timestamps. This log is essential for identifying and monitoring various protocols used on the network, helping to detect unauthorized or unusual protocol usage and ensure network traffic conforms to expected patterns.