Has index-time operations: false
Creates an index: false
Implements summarization: Currently, the app does not generate summaries
About TA for Zeek
The TA for Zeek allows a Splunk Enterprise administrator to parse open-source Zeek data in JSON or TSV format and map it into the Common Information Model for use by multiple Splunk security apps, including the app at https://splunkbase.splunk.com/app/3884/.
Fix bug that broke mapping of dest_port field.
Add FIELDALIASes per field request for improved ES/CIM mapping.
Add FIELDALIASes per field request.
Add several FIELDALIASes for better CIM mapping; add event types for better compatibility with the Corelight App for Splunk.
Minor bug fixes
Transition from the add-on at https://splunkbase.splunk.com/app/1617/, which had been unmaintained from late 2018 through early 2021. This update focuses primarily on better support for the Common Information Model: multiple fields are remapped to more appropriate locations, and others are added for the first time. Mappings for the JSON and TSV formats were also brought to parity, as the two were previously inconsistent.
Version 1.0.2 of TA for Zeek has the following known issues:
Support is available via email at email@example.com. Responses are sent on working days during working hours, and response times vary.
Splunk 7.3 or above
Common Information Model 4.x
Administrators should uninstall the Splunk Add-on for Zeek aka Bro and then install the TA for Zeek in its place.
Fixed a bug in the mapping of the dest_port field
Add DNS field mappings for improved Enterprise Security/CIM functionality
Added new FIELDALIAS values per field request
Add several FIELDALIAS items for CIM mapping, as well as event types that make the data render better within the Corelight App for Splunk.
Minor bug fixes
• Updated the “action” field to produce values consistent with the Network Traffic data model, including removing the action mappings from the notice log.
• Moved several fields from global declarations to local ones based on where the data will actually be present:
• Removed incorrect mappings for “body”, “subject”, “orig_recipient”, and “severity”
• Added mappings for “ssl_issuer_email” and “ssl_issuer_organization”
• Added a value for vendor_action field