Zeek rarely works in isolation. The real power comes from pairing it with other tools – SIEMs for log aggregation, IDS/IPS for signature-based detection, threat intel feeds for enrichment, packet capture tools for deeper investigation.
We recently asked our community: What else is in your stack? How are you integrating Zeek with other tools?
We heard from users running everything from single-SIEM deployments to comprehensive multi-tool platforms. While approaches vary widely, they all share common challenges around data format compatibility and correlation – each solving them differently based on their environment and needs.
Here’s what we learned from three community members taking different approaches.
SIEM-Centric Integration
The most common approach treats the SIEM as the integration hub. One community member running a Splunk-focused deployment ingests Zeek logs alongside EDR, external monitoring tools, and other security data sources. When certain behaviors appear in Zeek logs, Splunk triggers automated responses, like invoking ServiceNow to block attackers at the network edge.
This approach keeps integration logic in one place. As this user put it: “Once I have the Zeek data in Splunk, integration is a solved problem regardless of the other data source.”
The challenge? Zeek isn’t Common Information Model (CIM) compliant. Field names like id.orig_h and id.resp_p don’t map to standard SIEM field names like src_ip and dest_port. This breaks correlation with other normalized data sources. The workaround being considered: field name rewrites at ingestion time to improve compatibility and reduce log volume.
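An added illustration of such an ingestion-time rewrite, not code from the post or from any of the deployments it describes: it maps the fields of a JSON-formatted Zeek conn.log to CIM-style names and drops a few fields to trim volume. The CIM field names and the drop list are my assumptions; verify them against the CIM version your Splunk instance runs.

```python
import json

# Zeek conn.log field -> CIM Network_Traffic field. The right-hand names are
# an assumption for this example; check them against your CIM add-on version.
ZEEK_TO_CIM = {
    "id.orig_h": "src_ip",
    "id.orig_p": "src_port",
    "id.resp_h": "dest_ip",
    "id.resp_p": "dest_port",
    "proto": "transport",
    "orig_bytes": "bytes_out",
    "resp_bytes": "bytes_in",
    "duration": "duration",
}

# Fields dropped at ingestion to cut volume (a constructed choice). uid is kept
# on purpose: it is the pivot key back to Zeek's other logs (dns, http, ssl).
DROP_FIELDS = {"local_orig", "local_resp", "missed_bytes", "tunnel_parents"}


def rewrite_conn_record(rec: dict) -> dict:
    """Rewrite one JSON conn.log record into CIM-style field names."""
    out = {}
    for key, value in rec.items():
        if key in DROP_FIELDS:
            continue
        out[ZEEK_TO_CIM.get(key, key)] = value
    # CIM's total-bytes field is derived. Zeek omits orig_bytes/resp_bytes
    # from JSON output when unset, so treat a missing direction as zero.
    out["bytes"] = (out.get("bytes_out") or 0) + (out.get("bytes_in") or 0)
    return out


def rewrite_json_lines(text: str) -> list:
    """Rewrite newline-delimited JSON as written by Zeek's LogAscii::use_json."""
    return [rewrite_conn_record(json.loads(line))
            for line in text.splitlines() if line.strip()]


# Constructed sample: two conn.log records in Zeek's JSON output format.
SAMPLE = """\
{"ts":1700000000.1,"uid":"CAbc123","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp","duration":1.2,"orig_bytes":812,"resp_bytes":4096,"conn_state":"SF","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"ShADadFf"}
{"ts":1700000001.3,"uid":"CDef456","id.orig_h":"10.0.0.7","id.orig_p":53021,"id.resp_h":"10.0.0.1","id.resp_p":53,"proto":"udp","conn_state":"S0","missed_bytes":0}
"""

if __name__ == "__main__":
    for record in rewrite_json_lines(SAMPLE):
        print(json.dumps(record))
```

Run this as a pre-ingestion step (or port the mapping to a Splunk props/transforms rename) so the rewritten records line up with other CIM-normalized sources while uid still lets analysts pivot back into Zeek.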
Purpose-Built Platform
Security Onion takes a different approach: building the entire stack around integration from the start. The platform combines Zeek with Suricata for NIDS alerts, Strelka for file analysis, honeypot services for deception, Elastic Agent for endpoint visibility and log collection, Logstash and Redis for log transport and queueing, and Elasticsearch for storage.
This solves the compatibility problem by controlling the full ecosystem. The Security Onion Console enables pivoting from Zeek logs to full packet capture, Suricata alerts, endpoint logs, firewall logs, and netflow without fighting field name mismatches or data format differences. You can escalate logs to cases, send artifacts to CyberChef for analysis, and work with your team to close investigations.
When you control every component, you can design correlation workflows that would be difficult to replicate with point solutions.
Containerized Flexibility
Malcolm uses containerization to solve a different problem: reproducible deployment across varied environments. The platform bundles Zeek with Arkime for PCAP analysis, OpenSearch for indexing, Suricata for IDS, YARA and ClamAV for file scanning, threat intel feeds from MISP and other sources, CyberChef for artifact analysis, and NetBox for asset inventory enrichment.
Containerization via Docker, Podman, or Kubernetes enables consistent deployment from Raspberry Pi sensors to distributed cloud architectures on AWS. The same stack adapts to available resources – whether you’re running a small capture appliance or a scalable enterprise deployment.
Like Security Onion, Malcolm addresses compatibility by building the integration into the platform architecture. But containerization adds deployment flexibility that matters when you’re running Zeek across different environments or need to spin up temporary analysis systems.
Key Takeaways
Three patterns emerged from the discussion:
- Data format compatibility is a universal challenge. Whether you’re mapping Zeek fields to CIM in Splunk or building a custom platform, translating between tools requires intentional design. Field name mismatches aren’t edge cases – they’re the default state.
- Correlation requires architectural decisions. SIEM-centric approaches centralize correlation logic in one tool. Purpose-built platforms design it into the stack. Both work, but they require different expertise and maintenance approaches.
- The right approach depends on your constraints. Already invested in a SIEM? SIEM-centric integration makes sense. Need deep correlation across network and endpoint data? Purpose-built platforms handle complexity you’d struggle to replicate manually. Want deployment flexibility? Containerization solves that problem.
There’s no “right way” to integrate Zeek. What matters is understanding the tradeoffs and choosing the approach that fits your environment, technical expertise, and resources.
Using a different integration approach? Share it in the Zeek Slack. And check out January’s Topic of the Month – we’re asking about discovery stories: What interesting or unexpected things have you found in your Zeek logs?
Thanks to Mark, Doug, Seth, Dop, Chris C., Carlos, Chris H., Rastislav, Rudra, Kevin, and Tom for participating in this discussion and sharing their integration approaches.