User Guides
These usage guides walk you through typical Tenzir use cases.
Datasets
Throughout the guides, we use publicly available datasets so that you can follow along.
M57
The M57 Patents Scenario contains large amounts of diverse network traffic. We enriched the PCAP from Nov 18, 2009, by adding malicious traffic from malware-traffic-analysis.net. We adjusted all packet timestamps to 2021. Thereafter, we ran Zeek v5.2.0 and Suricata 6.0.10 to obtain structured logs.
The dataset includes the following files:
- README.md
- zeek-all.log.zst (41 MB)
- suricata.json.zst (57 MB)
For the following examples we assume that you have imported the demo data into your node using the following two pipelines. First, the Suricata logs:
Then the Zeek logs:
Note that the demo node already comes with an installed package that ingests this data for you.
- Run pipelines: You can run a pipeline in the
- Manage a pipeline: A pipeline can be in one of the following states after you [run
- Shape data: Tenzir comes with numerous transformation operators that
- Import into a node: Importing (or ingesting) data can be done by [running a
- Export from a node: Exporting (or querying) data can be done by [running a
- Show available schemas: When you write a pipeline, you often reference field names. If you do not know
- Collect metrics: Tenzir keeps track of metrics about node resource usage, pipeline state, and
- Transform data at rest: This feature is currently only available on the command line using the
- Execute Sigma rules: Tenzir supports executing Sigma rules using
- Enrich with Threat Intel: Tenzir has a powerful enrichment framework for
- Enrich with Network Inventory: Tenzir's enrichment framework features *lookup
- Deduplicate events: The deduplicate operator provides a powerful