Our Tenzir Query Language (TQL) is a pipeline language that works by chaining
operators into data flows. When we designed TQL, we specifically studied
Splunk's Search Processing Language (SPL), because it generally leaves a
positive impression on security analysts who are not data engineers. Our goal
was to take everything that is good about SPL and provide a more powerful
language without compromising simplicity. In this blog post, we explain how the
two languages differ using concrete threat hunting examples.

As an incident responder, threat hunter, or detection engineer, getting to your
analytics quickly is key to productivity. For network-based visibility and
detection, Zeek and Suricata are the bedrock for many security teams, but
operationalizing these tools can take a good chunk of time.
So we asked ourselves: how can we make it super easy to work with Zeek and
Suricata logs?

Zeek turns packets into structured logs. By default, Zeek writes one file per
log type and per rotation interval. If you don't want to wrangle files and would
rather process the output directly, this short blog post is for you.

Zeek offers many ways to produce and consume logs. In this blog post, we explain
the various Zeek logging formats and show how you can get the most out of Zeek
with Tenzir. We conclude with recommendations for which Zeek log format to use
based on your use case.
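The two logging formats that come up most often in practice are Zeek's default
tab-separated output, whose `#separator`, `#set_separator`, `#empty_field`,
`#unset_field`, `#fields` and `#types` header directives tell a reader how to
split and type each row, and its JSON Lines output (enabled with
`redef LogAscii::use_json = T;`), where unset fields are simply omitted and sets
are already arrays. The reader below is an added example written for this post;
it is not Tenzir's or Zeek's own code. It parses both formats into one common
record shape, so that the same analytic runs on either, and it uses two
constructed conn.log samples (the IPs, UIDs and byte counts are made up) rather
than real Zeek output.

```python
"""Parse Zeek logs from either native output format (the default TSV with
'#'-directive header, or JSON Lines) into one common list of typed dicts."""
import json

# Constructed sample: a conn.log as Zeek writes it in TSV mode. The header
# directives tell the reader how to split and type the rows.
SAMPLE_TSV = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#open\t2024-01-01-00-00-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tservices\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tinterval\tcount\tcount\tstring\tset[string]\n"
    "1704067200.123456\tCa1b2c3\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp"
    "\tssl\t1.5\t1200\t4800\tSF\tssl,http\n"
    "1704067201.000000\tCd4e5f6\t10.0.0.5\t51235\t10.0.0.1\t53\tudp"
    "\tdns\t-\t60\t120\tSF\t(empty)\n"
    "#close\t2024-01-01-01-00-00\n"
)

# The same two connections as Zeek's JSON Lines output (constructed). Note
# that the unset 'duration' is omitted and sets are already arrays.
SAMPLE_JSON = (
    '{"ts":1704067200.123456,"uid":"Ca1b2c3","id.orig_h":"10.0.0.5",'
    '"id.orig_p":51234,"id.resp_h":"93.184.216.34","id.resp_p":443,'
    '"proto":"tcp","service":"ssl","duration":1.5,"orig_bytes":1200,'
    '"resp_bytes":4800,"conn_state":"SF","services":["ssl","http"]}\n'
    '{"ts":1704067201.0,"uid":"Cd4e5f6","id.orig_h":"10.0.0.5",'
    '"id.orig_p":51235,"id.resp_h":"10.0.0.1","id.resp_p":53,'
    '"proto":"udp","service":"dns","orig_bytes":60,"resp_bytes":120,'
    '"conn_state":"SF","services":[]}\n'
)

# Zeek scalar types that need a conversion; anything else stays a string.
SCALAR = {
    "time": float, "interval": float, "double": float,
    "count": int, "int": int, "port": int,
    "bool": lambda v: v == "T",
}


def _convert(value, ztype, meta):
    """Type one TSV cell according to its '#types' entry."""
    if value == meta["unset"]:
        return None
    if ztype.startswith(("set[", "vector[")):
        inner = ztype[ztype.index("[") + 1:-1]
        if value == meta["empty"]:
            return []
        return [_convert(v, inner, meta) for v in value.split(meta["set_sep"])]
    if value == meta["empty"]:
        return ""
    return SCALAR.get(ztype, str)(value)


def parse_tsv(text):
    """Read Zeek's TSV format, honouring the header directives."""
    meta = {"sep": "\t", "set_sep": ",", "empty": "(empty)", "unset": "-"}
    fields = types = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator is written as an escape sequence, e.g. '\x09'.
                raw = line[len("#separator "):]
                meta["sep"] = raw.encode().decode("unicode_escape")
                continue
            key, _, val = line[1:].partition(meta["sep"])
            if key == "set_separator":
                meta["set_sep"] = val
            elif key == "empty_field":
                meta["empty"] = val
            elif key == "unset_field":
                meta["unset"] = val
            elif key == "fields":
                fields = val.split(meta["sep"])
            elif key == "types":
                types = val.split(meta["sep"])
            continue  # '#path', '#open', '#close' carry no row data
        cells = line.split(meta["sep"])
        records.append({f: _convert(c, t, meta)
                        for f, c, t in zip(fields, cells, types)})
    return records


def parse_json(text, fields=None):
    """Read Zeek's JSON Lines format. Unset fields are omitted there, so an
    optional field list restores them as None for a shape that matches TSV."""
    records = []
    for line in text.splitlines():
        if line.strip():
            obj = json.loads(line)
            records.append({f: obj.get(f) for f in fields} if fields else obj)
    return records


def parse_zeek(text, fields=None):
    """Dispatch on the first character: TSV logs always open with a
    '#separator' directive, JSON Lines logs with '{'."""
    if text.lstrip().startswith("#"):
        return parse_tsv(text)
    return parse_json(text, fields)


def bytes_by_resp_host(records):
    """Example analytic on the common shape: total bytes per responder."""
    totals = {}
    for r in records:
        total = (r["orig_bytes"] or 0) + (r["resp_bytes"] or 0)
        totals[r["id.resp_h"]] = totals.get(r["id.resp_h"], 0) + total
    return totals
```

The point of `_convert` is that the TSV format is only self-describing through
its header: without `#types`, `443` and `SF` are both strings and `-` is
indistinguishable from a real value. The JSON output carries its types inline
but loses the distinction between "unset" and "not in this log", which is why
`parse_json` needs a field list to reproduce exactly what the TSV reader yields.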