Using BZAR Zeek Scripts #11298
Hello All! I know that BZAR is disabled by default in the Zeek config, but I was able to add bzar to the global.sls file using the instructions here. The Zeek containers are running without error and the BZAR scripts are loaded, as confirmed by catting loaded_scripts.log. I don't see any output files named bzar. How would I be able to check inside Security Onion to verify that bzar is working?
Replies: 1 comment 2 replies
Most BZAR detections generate Zeek notices:
https://github.com/mitre-attack/bzar

So you might try to simulate some of the behavior listed at https://github.com/mitre-attack/bzar and then go to SOC Dashboards and select the Zeek Notice dashboard.
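
The same check can be made from the command line against Zeek's notice log. This is an added example, not part of the reply above and not code from BZAR or Security Onion. It assumes Zeek is writing JSON logs and that BZAR's notice types carry the `ATTACK::` prefix; the sample lines are constructed.

```python
import json
import sys
from collections import Counter

# Assumption: BZAR notice types live in the ATTACK:: namespace.
BZAR_PREFIX = "ATTACK::"

# Constructed sample lines in Zeek JSON notice.log layout (not real traffic).
# The last line is deliberately truncated, as can happen while Zeek is writing.
SAMPLE_NOTICE_LOG = """\
{"ts":1700000000.1,"uid":"CAbc1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","note":"ATTACK::Lateral_Movement","msg":"constructed sample"}
{"ts":1700000001.2,"uid":"CAbc2","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","note":"ATTACK::Execution","msg":"constructed sample"}
{"ts":1700000002.3,"uid":"CAbc3","id.orig_h":"10.0.0.7","id.resp_h":"192.0.2.10","note":"SSL::Invalid_Server_Cert","msg":"constructed sample"}
{"ts":1700000003.4,"uid":"CAbc4","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","note":"ATTACK::Lateral_Movement","msg":"constructed sample"}
{"ts":1700000004.5,"note":
"""

def bzar_notices(lines):
    """Yield parsed notice records whose note type belongs to BZAR."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or TSV-style header, not a JSON record
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partially written or corrupt line
        if isinstance(rec, dict) and str(rec.get("note", "")).startswith(BZAR_PREFIX):
            yield rec

def summarize(lines):
    """Count BZAR notices per (note type, originator, responder)."""
    counts = Counter()
    for rec in bzar_notices(lines):
        key = (rec["note"], rec.get("id.orig_h", "-"), rec.get("id.resp_h", "-"))
        counts[key] += 1
    return counts

if __name__ == "__main__":
    # With a path argument, read that notice.log; otherwise use the sample.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NOTICE_LOG.splitlines()
    for (note, orig, resp), n in summarize(src).most_common():
        print(f"{n:4d}  {note}  {orig} -> {resp}")
```

An empty result after simulating the behavior means no BZAR notice was raised, even though `loaded_scripts.log` shows the scripts loaded.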