corelight/zeek-cheatsheets

Readme badge preview -

If you own this repo, copy the snippet below and add it to your README.md

[![RelatedRepos](https://img.shields.io/badge/related-repos-yellow)](https://relatedrepos.com/gh/corelight/zeek-cheatsheets)

corelight / zeek-cheatsheets

Zeek Log Cheatsheets

☆303

Alternatives and similar repositories for zeek-cheatsheets

Users that are interested in zeek-cheatsheets are comparing it to the libraries listed below

Sorting:

corelight / threat-hunting-guide
View on GitHub
☆58Mar 4, 2022Updated 4 years ago
corelight / zeek-long-connections
View on GitHub
Zeek package for tracking long connections to report them before they have completed.
☆31Nov 25, 2025Updated 3 months ago
corelight / conn-burst
View on GitHub
A Bro package to identify connections that are bursting (lots of data and transferring quickly).
☆13Oct 15, 2020Updated 5 years ago
corelight / log-add-http-post-bodies
View on GitHub
Add POST body excerpt to Bro's HTTP log
☆14Dec 10, 2025Updated 2 months ago
zeek / package-manager
View on GitHub
A package manager for Zeek
☆47Jan 8, 2026Updated 2 months ago
activecm / threat-hunting-labs
View on GitHub
Collection of walkthroughs on various threat hunting techniques
☆76Aug 3, 2020Updated 5 years ago
SuperCowPowers / zat
View on GitHub
Zeek Analysis Tools (ZAT): Processing and analysis of Zeek network data with Pandas, scikit-learn, Kafka and Spark
☆451Jan 16, 2024Updated 2 years ago
corelight / zeek-community-id
View on GitHub
Zeek support for Community ID flow hashing.
☆36Jul 11, 2023Updated 2 years ago
initconf / scan-NG
View on GitHub
scan-detection policies for bro
☆16Jan 16, 2025Updated last year
mitre-attack / bzar
View on GitHub
A set of Zeek scripts to detect ATT&CK techniques.
☆621Jun 26, 2024Updated last year
CyCat-project / cycat-taxonomy
View on GitHub
CyCAT.org taxonomies
☆15May 22, 2021Updated 4 years ago
corelight / Corelight-Ansible-Roles
View on GitHub
Corelight-Ansible-Roles are a collection of Ansible Roles and playbooks that install, configure, run and manage a variety of Corelight, S…
☆16Jun 15, 2021Updated 4 years ago
zeek / packages
View on GitHub
The default package source of the Zeek Package Manager. Wrote a package? See the README for how to get it included.
☆143Feb 27, 2026Updated last week
sbousseaden / EVTX-ATTACK-SAMPLES
View on GitHub
Windows Events Attack Samples
☆2,517Jan 24, 2023Updated 3 years ago
activecm / rita-legacy
View on GitHub
Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis…
☆2,515Jan 12, 2026Updated last month
corelight / community-id-spec
View on GitHub
An open standard for hashing network flows into identifiers, a.k.a "Community IDs".
☆194Sep 23, 2024Updated last year
JPCERTCC / SysmonSearch
View on GitHub
Investigate suspicious activity by visualizing Sysmon's event log
☆431Dec 22, 2023Updated 2 years ago
OTRF / Security-Datasets
View on GitHub
Re-play Security Events
☆1,725Mar 20, 2024Updated last year
tenzir / zeek-tenzir
View on GitHub
Enables Zeek to communicate with Tenzir
☆11Jul 20, 2023Updated 2 years ago
olafhartong / sysmon-modular
View on GitHub
A repository of sysmon configuration modules
☆2,987Aug 21, 2024Updated last year
tylabs / dovehawk
View on GitHub
Dovehawk is a Zeek module that automatically imports MISP indicators and reports Sightings
☆122Jul 12, 2021Updated 4 years ago
rabobank-cdc / DeTTECT
View on GitHub
Detect Tactics, Techniques & Combat Threats
☆2,268Jan 21, 2026Updated last month
corelight / zeek2es
View on GitHub
A Python application to filter and transfer Zeek logs to Elastic/OpenSearch+Humio. This app can also output pure JSON logs to stdout for…
☆39Aug 18, 2022Updated 3 years ago
JPCERTCC / LogonTracer
View on GitHub
Investigate malicious Windows logon by visualizing and analyzing Windows event log
☆3,137Oct 19, 2025Updated 4 months ago
corelight / json-tcp-lb
View on GitHub
line based tcp load balancing proxy.
☆14Jun 18, 2024Updated last year
sroberts / sapho
View on GitHub
A homebrewed cyber threat intelligence solution
☆20Nov 20, 2012Updated 13 years ago
salesforce / bro-sysmon
View on GitHub
How to Zeek Sysmon Logs!
☆103Feb 12, 2022Updated 4 years ago
OTRF / ThreatHunter-Playbook
View on GitHub
A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more e…
☆4,492Jan 12, 2026Updated last month
hosom / bro-phishing
View on GitHub
Detect Phishing with Bro IDS
☆18Feb 1, 2017Updated 9 years ago
ThreatHuntingProject / ThreatHunting
View on GitHub
An informational repo about hunting for adversaries in your IT environment.
☆1,854Nov 17, 2021Updated 4 years ago
cisagov / Malcolm
View on GitHub
Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs an…
☆2,347Feb 19, 2026Updated 2 weeks ago
mitre-attack / car
View on GitHub
Cyber Analytics Repository
☆986May 16, 2025Updated 9 months ago
activecm / docker-zeek
View on GitHub
Run zeek with zeekctl in docker
☆63Sep 12, 2024Updated last year
cyberdefenders / DetectionLabELK
View on GitHub
DetectionLabELK is a fork from DetectionLab with ELK stack instead of Splunk.
☆573Dec 12, 2021Updated 4 years ago
clong / DetectionLab
View on GitHub
Automate the creation of a lab environment complete with security tooling and logging best practices
☆4,909Jul 6, 2024Updated last year
cyberdefenders / email-header-analyzer
View on GitHub
E-Mail Header Analyzer
☆696Apr 11, 2023Updated 2 years ago
dwmetz / CyberPipe
View on GitHub
An easy to use PowerShell script to collect memory and disk forensics for DFIR investigations.
☆341Dec 3, 2025Updated 3 months ago
elastic / detection-rules
View on GitHub
☆2,513Updated this week
Cyb3r-Monk / RITA-J
View on GitHub
Implementation of RITA (Real Intelligence Threat Analytics) in Jupyter Notebook with improved scoring algorithm.
☆208Jul 21, 2022Updated 3 years ago