Chronicle Search - Zeek: A Quick Reference

Zeek (formerly Bro) is an open-source network security monitor that works both as an intrusion detection system and as a network traffic analysis framework.

Zeek can raise real-time alerts, log data for later investigation, and execute programs automatically when it detects anomalies. It analyzes many protocols, including HTTP, FTP, SMTP and DNS, matches signatures, and detects host and port scans and SYN floods.

Zeek data can be ingested and parsed with Chronicle's default Zeek parser, as described at https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-zeek

The searches below use Chronicle's UDM (Unified Data Model) search syntax against the parsed Zeek events. Each query is scoped with metadata.vendor_name = "Zeek" so that it only matches events produced by the Zeek parser. metadata.event_type holds the normalized UDM event type (for example NETWORK_DNS), while metadata.product_event_type carries the name of the originating Zeek log (rdp, ntlm, kerberos, files, and so on).

Filter by destination IP: 

metadata.vendor_name = "Zeek" AND target.ip = "204.79.197.203"

Filter traffic between Source IP and destination IP: 

metadata.vendor_name = "Zeek" AND principal.ip = "10.10.20.60" AND target.ip = "204.79.197.203"

Filter by IP (either source or destination; the bare ip noun matches any IP field of the event):

metadata.vendor_name = "Zeek" AND ip = "10.10.20.60"

Filter by Source port: 

metadata.vendor_name = "Zeek" AND principal.port = 49268

Filter by Destination port: 

metadata.vendor_name = "Zeek" AND target.port = 443

Filter by TCP traffic: 

metadata.vendor_name = "Zeek" AND network.ip_protocol = "TCP"

Filter by UDP Traffic: 

metadata.vendor_name = "Zeek" AND network.ip_protocol = "UDP"

Filter by ICMP Traffic: 

metadata.vendor_name = "Zeek" AND network.ip_protocol = "ICMP"

Filter by DNS Traffic: 

metadata.vendor_name = "Zeek" AND metadata.event_type = "NETWORK_DNS"

Filter by HTTP Traffic: 

metadata.vendor_name = "Zeek" AND metadata.event_type = "NETWORK_HTTP"

Filter by FTP Traffic: 

metadata.vendor_name = "Zeek" AND metadata.event_type = "NETWORK_FTP"

Filter by SMTP Traffic: 

metadata.vendor_name = "Zeek" AND metadata.event_type = "NETWORK_SMTP"

Filter by RDP traffic:

metadata.vendor_name = "Zeek" AND metadata.product_event_type = "rdp"

Filter by Microsoft protocol traffic (DCE/RPC, SMB, NTLM and Kerberos logs):

metadata.vendor_name = "Zeek" AND (metadata.product_event_type = "dce_rpc" OR metadata.product_event_type = "smb_files" OR metadata.product_event_type = "smb_mapping" OR metadata.product_event_type = "ntlm" OR metadata.product_event_type = "kerberos")

Filter by access to a shared folder (SMB share path):

metadata.vendor_name = "Zeek" AND target.file.full_path = "\\192.168.1.116\ADMIN$"

(A backslash is an escape character inside a UDM string literal, so if this search returns nothing, write each backslash of the path as \\, i.e. "\\\\192.168.1.116\\ADMIN$".)

Filter by one of the MS-SAMR protocol methods (DCE/RPC operation name):

metadata.vendor_name = "Zeek" AND about.labels.value = "SamrEnumerateDomainsInSamServer"

Filter by Windows hostname (as seen in NTLM authentication):

metadata.vendor_name = "Zeek" AND metadata.product_event_type = "ntlm" AND target.hostname = "VPA-W10-x64-0X"

Filter by domain:

metadata.vendor_name = "Zeek" AND domain = "functional.events.data.microsoft.com"

Filter by Hostname: 

metadata.vendor_name = "Zeek" AND hostname = "msedge.b.tlu.dl.delivery.mp.microsoft.com"

Filter by HTTP method: 

metadata.vendor_name = "Zeek" AND metadata.event_type = "NETWORK_HTTP" AND network.http.method = "GET"

Filter by URL: 

metadata.vendor_name = "Zeek" AND target.url = "wikisend.com/download/730056/testfile.txt"

Filter by HTTP referer (the Referer request header):

metadata.vendor_name = "Zeek" AND metadata.event_type = "NETWORK_HTTP" AND network.http.referral_url = "http://www.wikisend.com/"

Filter by HTTP response code: 

metadata.vendor_name = "Zeek" AND metadata.event_type = "NETWORK_HTTP" AND network.http.response_code = 200

Filter by file events (Zeek files log):

metadata.vendor_name = "Zeek" AND metadata.product_event_type = "files"

Filter by file name: 

metadata.vendor_name = "Zeek" AND target.file.full_path = "testfile4.txt"

Filter by MD5: 

metadata.vendor_name = "Zeek" AND target.file.md5 = "8d2f4ed9669c64cda06084701becbe3a"

Filter by SHA1 (a SHA-1 digest is 40 hex characters; the 32-character MD5 value from the previous search can never match this field):

metadata.vendor_name = "Zeek" AND target.file.sha1 = "<40-character hex SHA-1 digest>"
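The searches above can be tried offline with the following model, added here as an example; it is not part of the original post and not Chronicle's code. It flattens a few constructed Zeek JSON records into dotted UDM-style fields (the mapping is an assumption that follows the field names used on this page, not the Chronicle parser's actual logic), then parses and evaluates queries of the shape used above: field = value atoms joined by AND and OR, parentheses, bare ip/hostname/domain nouns that match the field on any entity, and a backslash as the escape character inside string literals. The uids, addresses and the SHA-1 (that of an empty file) in the sample records are constructed.

```python
"""Offline model of the Zeek -> UDM field mapping and of UDM search evaluation.
Added example, not code from this page or from Chronicle: the Zeek records are
constructed and the mapping is an assumption that mirrors the searches above."""
import json
import re

EVENT_TYPES = {"conn": "NETWORK_CONNECTION", "dns": "NETWORK_DNS", "http": "NETWORK_HTTP",
               "ftp": "NETWORK_FTP", "smtp": "NETWORK_SMTP"}
FIELD_MAP = {  # Zeek column -> UDM field, copied whenever the column is present
    "id.orig_h": "principal.ip", "id.orig_p": "principal.port", "id.resp_h": "target.ip",
    "id.resp_p": "target.port", "query": "target.domain", "host": "target.hostname",
    "method": "network.http.method", "referrer": "network.http.referral_url",
    "status_code": "network.http.response_code", "filename": "target.file.full_path",
    "path": "target.file.full_path", "md5": "target.file.md5", "sha1": "target.file.sha1"}
# A bare noun (ip, hostname, domain) matches that field on any entity; modelled as a key suffix (assumption).
ALIASES = {"ip": ".ip", "hostname": ".hostname", "domain": ".domain"}

def to_udm(log_type, line):
    """Flatten one Zeek JSON record into dotted UDM-style keys (assumed mapping)."""
    z = json.loads(line)
    ev = {"metadata.vendor_name": "Zeek", "metadata.product_event_type": log_type,
          "metadata.event_type": EVENT_TYPES.get(log_type, "GENERIC_EVENT"),
          "metadata.product_log_id": z.get("uid", z.get("fuid"))}
    ev.update({udm: z[col] for col, udm in FIELD_MAP.items() if col in z})
    if "proto" in z:
        ev["network.ip_protocol"] = z["proto"].upper()
    if "host" in z and "uri" in z:
        ev["target.url"] = z["host"] + z["uri"]
    if "operation" in z:  # DCE/RPC method name; labels are a repeated UDM field
        ev["about.labels.value"] = [z["operation"]]
    return ev

TOKEN = re.compile(r'\s*(\(|\)|=|"(?:[^"\\]|\\.)*"|\d+|[A-Za-z_][\w.]*)')

def parse(query):
    """Recursive descent over the query subset used above: or_expr := and_expr (OR and_expr)*,
    and_expr := atom (AND atom)*, atom := '(' or_expr ')' | field '=' value. Returns a tuple tree."""
    toks, pos = [], 0
    while m := TOKEN.match(query, pos):
        toks.append(m.group(1))
        pos = m.end()
    if query[pos:].strip():
        raise ValueError(f"bad query near {query[pos:]!r}")
    toks += [None] * 3  # padding: a truncated query reads None, not IndexError
    i = [0]  # cursor shared by the nested parsers
    def or_expr():
        node = and_expr()
        while toks[i[0]] == "OR":
            i[0] += 1
            node = ("or", node, and_expr())
        return node
    def and_expr():
        node = atom()
        while toks[i[0]] == "AND":
            i[0] += 1
            node = ("and", node, atom())
        return node
    def atom():
        if toks[i[0]] == "(":
            i[0] += 1
            node = or_expr()
            i[0] += 1
            if toks[i[0] - 1] != ")":
                raise ValueError("missing ')'")
            return node
        field, eq, val = toks[i[0]:i[0] + 3]
        i[0] += 3
        if eq != "=" or val is None or (val[0] != '"' and not val.isdigit()):
            raise ValueError(f"expected <field> = <value> near {field!r}")
        if val[0] == '"':  # a backslash escapes \ and " inside UDM string literals
            return ("eq", field, re.sub(r"\\(.)", r"\1", val[1:-1]))
        return ("eq", field, int(val))
    tree = or_expr()
    if toks[i[0]] is not None:
        raise ValueError(f"unexpected token {toks[i[0]]!r}")
    return tree

def matches(node, ev):
    if node[0] in ("and", "or"):
        left, right = matches(node[1], ev), matches(node[2], ev)
        return (left and right) if node[0] == "and" else (left or right)
    _, field, val = node
    keys = [k for k in ev if k.endswith(ALIASES[field])] if field in ALIASES else [field]
    return any(ev.get(k) == val or (isinstance(ev.get(k), list) and val in ev[k]) for k in keys)

def search(query, events):
    """Return the product_log_id of every event the UDM-style query matches."""
    tree = parse(query)
    return [ev["metadata.product_log_id"] for ev in events if matches(tree, ev)]

ZEEK_LINES = [  # (Zeek log name, constructed JSON record); the sha1 is that of an empty file
    ("conn", '{"uid":"C1","id.orig_h":"10.10.20.60","id.orig_p":49268,"id.resp_h":"204.79.197.203","id.resp_p":443,"proto":"tcp"}'),
    ("dns", '{"uid":"C2","id.orig_h":"10.10.20.60","id.orig_p":55123,"id.resp_h":"10.10.20.1","id.resp_p":53,"proto":"udp","query":"functional.events.data.microsoft.com"}'),
    ("http", '{"uid":"C3","id.orig_h":"10.10.20.60","id.orig_p":50010,"id.resp_h":"198.51.100.7","id.resp_p":80,"proto":"tcp","method":"GET","host":"wikisend.com","uri":"/download/730056/testfile.txt","referrer":"http://www.wikisend.com/","status_code":200}'),
    ("files", '{"fuid":"F1","filename":"testfile4.txt","md5":"8d2f4ed9669c64cda06084701becbe3a","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709"}'),
    ("smb_mapping", r'{"uid":"C4","id.orig_h":"10.10.20.60","id.orig_p":51000,"id.resp_h":"192.168.1.116","id.resp_p":445,"proto":"tcp","path":"\\\\192.168.1.116\\ADMIN$"}'),
    ("dce_rpc", '{"uid":"C4","id.orig_h":"10.10.20.60","id.orig_p":51000,"id.resp_h":"192.168.1.116","id.resp_p":445,"proto":"tcp","operation":"SamrEnumerateDomainsInSamServer"}'),
]
EVENTS = [to_udm(name, line) for name, line in ZEEK_LINES]
```

Call search(query, EVENTS) with any of the searches on this page; the result is the list of Zeek uids (exposed as metadata.product_log_id) that match. Two things the model makes visible: the bare ip noun matches principal.ip or target.ip, and string values are compared exactly, so a 32-character value under target.file.sha1 or a share path whose backslashes are not escaped never matches anything.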
