The user guides walk you through hands-on examples that illustrate how to use Tenzir.
Throughout our guides, we use publicly available datasets so that you can follow along.
The M57 Patents Scenario contains large amounts of diverse network traffic. We enriched the PCAP from Nov 18, 2009, by adding malicious traffic from malware-traffic-analysis.net. We adjusted all packet timestamps to 2021. Thereafter, we ran Zeek v5.2.0 and Suricata 6.0.10 to obtain structured logs.
The dataset includes the following files:
For the following examples we assume that you have imported the demo data into your node with the following two pipelines:
read suricata --no-infer
| where #schema != "suricata.stats"
Note that the demo node already comes with this demo data pre-populated for you.
📄️ Run a pipeline
You can run a pipeline in the
📄️ Manage a pipeline
A pipeline can enter many states after you run it. The
📄️ Shape data
Tenzir comes with numerous transformation operators that
📄️ Import into a node
Importing (or ingesting) data can be done by [running a
📄️ Export from a node
Exporting (or querying) data can be done by [running a
📄️ Show available schemas
When you write a pipeline, you often reference field names. If you do not know
📄️ Transform data at rest
This feature is currently only available on the command line using the
📄️ Execute Sigma rules
Tenzir supports executing Sigma rules using
📄️ Enrich with Threat Intel
Tenzir has a powerful contextualization framework for real-time enrichment of a