User Guides
The usage guides walk you through typical use cases that you perform..
Datasets
Throughout the guides, we use publicly available datasets so that you can follow along.
M57
The M57 Patents Scenario contains large amounts of diverse network traffic. We enriched the PCAP from Nov 18, 2009, by adding malicious traffic from malware-traffic-analysis.net. We adjusted all packet timestamp to 2021. Thereafter, we ran Zeek v5.2.0 and Suricata 6.0.10 to obtain structured logs.
The dataset includes the following files:
- README.md
- zeek-all.log.zst (41 MB)
- suricata.json.zst (57 MB)
- data.pcap (3.8 GB)
For following examples we assume that you have imported the demo data in your node with the following two pipelines:
from https://storage.googleapis.com/tenzir-datasets/M57/suricata.json.zst
read suricata --no-infer
| where #schema != "suricata.stats"
| import
from https://storage.googleapis.com/tenzir-datasets/M57/zeek-all.log.zst
read zeek-tsv
| import
Note that the demo node already comes with this demo data pre-populated for you.
📄️ Run pipelines
You can run a pipeline in the
📄️ Manage a pipeline
A pipeline can be in one of the following states after you [run
📄️ Shape data
Tenzir comes with numerous transformation operators that
📄️ Import into a node
Importing (or ingesting) data can be done by [running a
📄️ Export from a node
Exporting (or querying) data can be done by [running a
📄️ Show available schemas
When you write a pipeline, you often reference field names. If you do not know
📄️ Collect metrics
Tenzir keeps track of metrics about node resource usage, pipeline state, and
📄️ Transform data at rest
This feature is currently only available on the command line using the
📄️ Execute Sigma rules
Tenzir supports executing Sigma rules using
📄️ Enrich with Threat Intel
Tenzir has a powerful enrichment framework for
📄️ Enrich with Network Inventory
Tenzir's enrichment framework features *lookup
📄️ Deduplicate events
The deduplicate provides is a powerful