User Guides
The user guides walk you through hands-on examples that illustrate how to use Tenzir.
Datasets
Throughout our guides, we use publicly available datasets so that you can follow along.
M57
The M57 Patents Scenario contains large amounts of diverse network traffic. We enriched the PCAP from Nov 18, 2009, by adding malicious traffic from malware-traffic-analysis.net. We adjusted all packet timestamps to 2021. Thereafter, we ran Zeek v5.2.0 and Suricata 6.0.10 to obtain structured logs.
The dataset includes the following files:
- README.md
- zeek-all.log.zst (41 MB)
- suricata.json.zst (57 MB)
- data.pcap (3.8 GB)
For the following examples we assume that you have imported the demo data into your node with the following two pipelines:

```
from https://storage.googleapis.com/tenzir-datasets/M57/suricata.json.zst
read suricata --no-infer
| where #schema != "suricata.stats"
| import
```

```
from https://storage.googleapis.com/tenzir-datasets/M57/zeek-all.log.zst
read zeek-tsv
| import
```
Note that the demo node already comes with this demo data pre-populated for you.
The following guides are available:
- Run pipelines
- Manage a pipeline
- Shape data
- Import into a node
- Export from a node
- Show available schemas
- Transform data at rest
- Execute Sigma rules
- Enrich with Threat Intel
- Deduplicate events