josue6368/zeek-splunk-network-threat-hunting-lab
GitHub: josue6368/zeek-splunk-network-threat-hunting-lab
Stars: 0 | Forks: 0
# zeek-splunk-network-threat-hunting-lab
Built a network threat hunting lab using Zeek, Splunk, Kali Linux, and Ubuntu Server to analyze PCAP traffic, generate structured network telemetry, and investigate suspicious DNS, HTTP, and connection activity through Splunk searches.
# Zeek + Splunk Network Threat Hunting Lab
## Overview
This project demonstrates the creation of a network threat hunting lab using Zeek, Splunk Enterprise, Ubuntu Server, and Kali Linux to analyze malicious PCAP traffic and investigate suspicious network activity through structured telemetry and SIEM-based searches.
The lab focuses on ingesting Zeek-generated network logs into Splunk and performing threat hunting workflows involving:
* DNS analysis
* HTTP traffic investigation
* Suspicious external IP communication
* WPAD-related activity
* HTTP POST requests
* User-agent analysis
* Connection telemetry analysis
The environment was built entirely in a virtualized home lab using VMware.
## Lab Environment
| System | Purpose |
| --------------------------------- | ---------------------------------------------------- |
| Ubuntu Server 22.04 VM (SPLUNK01) | Hosted Splunk Enterprise SIEM platform |
| Ubuntu Server 22.04 VM (ZEEK01) | Hosted Zeek network security monitor |
| Kali Linux VM | Security testing / attacker system |
| Windows 11 VM | Endpoint simulation |
| VMware Workstation | Virtualization platform |
| Zeek | Network security monitoring and telemetry generation |
| Splunk Enterprise | SIEM and log analysis platform |
## Technologies Used
* Splunk Enterprise
* Zeek
* VMware Workstation
* Ubuntu Server 22.04
* Kali Linux
* Windows 11
* PCAP traffic analysis
* Network threat hunting
* SIEM log analysis
## Project Objectives
* Install and configure Zeek on Ubuntu Server
* Generate structured network telemetry from PCAP traffic
* Ingest Zeek logs into Splunk Enterprise
* Perform network threat hunting searches
* Investigate suspicious domains and external IP communication
* Analyze HTTP and DNS activity through Splunk
## Zeek Installation
Zeek was installed on Ubuntu Server 22.04 and verified from the command line.
### Commands Used
```bash
sudo apt update && sudo apt upgrade -y
sudo apt install zeek -y
zeek --version
```
*Figure 1. Zeek successfully installed on Ubuntu Server and version verified from the command line.*
## PCAP Analysis with Zeek
A malware traffic PCAP from Malware-Traffic-Analysis.net was processed through Zeek to generate structured network telemetry logs.
### PCAP Source
* Malware-Traffic-Analysis.net
* 2026-02-28 Traffic Analysis Exercise: Easy as 123
### Commands Used
```bash
mkdir -p ~/zeek-lab/pcaps ~/zeek-lab/logs
cd ~/zeek-lab/logs
/opt/zeek/bin/zeek -r ../pcaps/traffic.pcap
```
Running Zeek from the `logs` directory writes one log file per protocol analyzer into the current working directory.
### Generated Logs
Zeek generated multiple logs including:
* conn.log
* dns.log
* http.log
* ssl.log
* files.log
*Figure 2. Zeek generated structured network telemetry from the Easy as 123 PCAP, including connection, DNS, HTTP, and Kerberos logs.*
## Splunk Index Creation
A dedicated Zeek index was created within Splunk Enterprise to store network telemetry data.
### Index Name
`zeek`
## Uploading Zeek Logs into Splunk
The following Zeek logs were uploaded into Splunk:
| Log File | Source Type |
| -------- | ----------- |
| conn.log | zeek:conn |
| dns.log | zeek:dns |
| http.log | zeek:http |
## Zeek Connection Telemetry
The `conn.log` file was ingested into Splunk to analyze network connection activity. Zeek's default TSV logs begin with `#`-prefixed metadata lines (`#separator`, `#fields`, `#types`, `#open`, `#close`) that are not events, so the search excludes them:
### Splunk Search
```spl
index=zeek sourcetype="zeek:conn" NOT "#"
```
Matching the raw string `#` is coarser than anchoring on the start of the line; the `where NOT like(_raw, "#%")` form used in the later searches drops only lines that begin with `#`, which is exactly what the Zeek header rows do.
*Figure 3. Zeek connection logs successfully ingested into Splunk using the zeek index.*
## Network Connection Analysis
Network connections were analyzed to identify high-volume communication, protocols, services, and external hosts. Because the logs were uploaded in Zeek's TSV format, the connection fields are extracted positionally with `rex`, following the `conn.log` column order (`ts`, `uid`, `id.orig_h`, `id.orig_p`, `id.resp_h`, `id.resp_p`, `proto`, `service`, ...), before aggregating. The header rows are filtered first so that the `#fields` and `#types` lines are not counted as connections:
### Splunk Search
```spl
index=zeek sourcetype="zeek:conn"
| where NOT like(_raw, "#%")
| rex field=_raw "^\S+\s+\S+\s+(?<id_orig_h>\S+)\s+(?<id_orig_p>\S+)\s+(?<id_resp_h>\S+)\s+(?<id_resp_p>\S+)\s+(?<proto>\S+)\s+(?<service>\S+)"
| stats count by id_orig_h id_resp_h id_resp_p proto service
| sort - count
```
If the logs are instead generated as JSON (`zeek -r traffic.pcap LogAscii::use_json=T`), each event is a JSON object with Zeek's own field names (`id.orig_h`, `id.resp_p`, ...) and Splunk's automatic key/value extraction makes the `rex` step unnecessary.
*Figure 4. Splunk search showing top Zeek network connections by source, destination, port, protocol, and service.*
## Suspicious External IP Communication
Threat hunting searches identified communication with suspicious external IP address `45.131.214.85`.
### Splunk Search
```spl
index=zeek sourcetype="zeek:conn" "45.131.214.85"
```
*Figure 5. Zeek connection telemetry in Splunk showing communication between the internal host and suspicious external IP address 45.131.214.85 over HTTP/HTTPS-related traffic.*
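The same connection hunts, run offline over a Zeek `conn.log` excerpt, as an added example that is not code from this lab. It parses Zeek's TSV header (`#separator`, `#fields`, `#unset_field`, `#empty_field`), which is what the `NOT "#"` filters above skip in Splunk, then reproduces the `stats count by ... | sort - count` aggregation, the raw-IP search, and a routable-address check for external peers. `SAMPLE_CONN_LOG` is constructed: only the header layout is Zeek's real one; the hosts, UIDs and byte counts are made up, with `45.131.214.85` standing in for the external peer found in the lab.

```python
"""Parse Zeek TSV logs and run the connection hunts from the Splunk searches above.

Added example, not code from the lab. SAMPLE_CONN_LOG is a constructed conn.log
excerpt: only the header layout is Zeek's; hosts, UIDs and counters are invented.
"""
import ipaddress
from collections import Counter

# Constructed conn.log excerpt in Zeek's default TSV layout. A real log's first
# line literally reads "#separator \x09", so the backslash is escaped here.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring\n"
    "1700000000.1\tC1\t10.0.0.5\t51000\t10.0.0.2\t53\tudp\tdns\t0.01\t40\t120\tSF\n"
    "1700000001.2\tC2\t10.0.0.5\t51001\t45.131.214.85\t80\ttcp\thttp\t1.5\t800\t52000\tSF\n"
    "1700000002.3\tC3\t10.0.0.5\t51002\t45.131.214.85\t443\ttcp\tssl\t2.0\t1200\t30000\tSF\n"
    "1700000003.4\tC4\t10.0.0.5\t51003\t45.131.214.85\t80\ttcp\thttp\t0.7\t600\t10\tSF\n"
    "1700000004.5\tC5\t10.0.0.5\t51004\t10.0.0.2\t53\tudp\tdns\t0.01\t40\t-\tSF\n"
    "1700000005.6\tC6\t10.0.0.5\t51005\t45.131.214.85\t80\ttcp\thttp\t0.3\t500\t5000\tSF\n"
    "#close\t2023-11-14-22-13-24\n"
)


def parse_zeek_tsv(text):
    """Yield one dict per record, naming columns from the #fields header.

    '#' lines are metadata, not events: they are what the lab's NOT "#" and
    where NOT like(_raw, "#%") filters remove in Splunk. The unset marker
    (default '-') becomes None and the empty marker becomes ''.
    """
    sep, fields, unset, empty = "\t", None, "-", "(empty)"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator itself is written as an escape such as \x09.
                sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
            else:
                key, _, value = line[1:].partition(sep)
                if key == "fields":
                    fields = value.split(sep)
                elif key == "unset_field":
                    unset = value
                elif key == "empty_field":
                    empty = value
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        record = {}
        for name, value in zip(fields, line.split(sep)):
            record[name] = None if value == unset else ("" if value == empty else value)
        yield record


def top_connections(records, limit=10):
    """Equivalent of: stats count by id_orig_h id_resp_h id_resp_p proto service | sort - count."""
    keys = ("id.orig_h", "id.resp_h", "id.resp_p", "proto", "service")
    return Counter(tuple(r.get(k) for k in keys) for r in records).most_common(limit)


def connections_with(records, ip):
    """Equivalent of searching the raw IP string: either endpoint matches."""
    return [r for r in records if ip in (r["id.orig_h"], r["id.resp_h"])]


def external_peers(records):
    """Responders outside private/reserved space: count, services seen, bytes received."""
    summary = {}
    for r in records:
        peer = r["id.resp_h"]
        if not ipaddress.ip_address(peer).is_global:
            continue  # RFC 1918, loopback, link-local and the like are internal
        entry = summary.setdefault(peer, {"count": 0, "services": set(), "resp_bytes": 0})
        entry["count"] += 1
        if r.get("service"):
            entry["services"].add(r["service"])
        entry["resp_bytes"] += int(r["resp_bytes"] or 0)
    return summary


if __name__ == "__main__":
    recs = list(parse_zeek_tsv(SAMPLE_CONN_LOG))
    for key, n in top_connections(recs):
        print(n, *key)
    for ip, info in external_peers(recs).items():
        print(ip, info["count"], sorted(info["services"]), info["resp_bytes"])
```

The `external_peers` check is the part Splunk's raw search does not give you for free: it uses `ipaddress.is_global` to separate routable responders from RFC 1918 space, so a peer that has not yet been named as an indicator still surfaces by volume and by the mix of `http` and `ssl` services it is serving to one internal host.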
## DNS Threat Hunting
DNS activity was analyzed to identify suspicious domains and WPAD-related traffic.
### Splunk Search
```spl
index=zeek sourcetype="zeek:dns" NOT "#"
```
*Figure 6. Zeek DNS telemetry in Splunk showing queried domains and DNS request activity extracted from network traffic.*
## HTTP Threat Hunting
HTTP traffic analysis identified suspicious POST requests, URIs, and user-agent metadata associated with external communication.
### Splunk Search
```spl
index=zeek sourcetype="zeek:http" "45.131.214.85"
| where NOT like(_raw, "#%")
```
*Figure 7. Zeek HTTP telemetry in Splunk showing HTTP POST requests, URI activity, user-agent metadata, and communication with external host 45.131.214.85.*
## WPAD / Suspicious Domain Investigation
Additional DNS analysis identified WPAD-related domain queries and suspicious domains observed within the PCAP traffic.
### Splunk Search
```spl
index=zeek sourcetype="zeek:dns" ("wpad" OR "easyas123")
| where NOT like(_raw, "#%")
```
*Figure 8. Zeek DNS telemetry in Splunk showing suspicious WPAD-related domain queries observed within network traffic.*
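The DNS, HTTP and WPAD hunts above, carried out offline over Zeek JSON logs, as an added example that is not code from this lab. It assumes the logs were written with `zeek -r traffic.pcap LogAscii::use_json=T` (one JSON object per line, using Zeek's own field names such as `id.orig_h`); the lab itself used the TSV logs. It goes slightly beyond the `("wpad" OR "easyas123")` search: a WPAD lookup is flagged only when the leftmost label is exactly `wpad`, the response code is kept, resolved addresses are pivoted into the HTTP log, and the HTTP side separates POSTs with request bodies from executable downloads. Every record is constructed, including the `easyas123.example` domain, which is not the exercise's indicator.

```python
"""DNS and HTTP hunts over Zeek JSON logs: WPAD lookups, hunt terms, POSTs, user agents.

Added example, not code from the lab. Assumes JSON logs (LogAscii::use_json=T);
all records below are constructed, including the easyas123.example domain.
"""
import ipaddress
import json
from collections import Counter

SAMPLE_DNS_LOG = "\n".join([
    '{"ts":1700000000.1,"uid":"D1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.2","query":"wpad.lab.local","qtype_name":"A","rcode_name":"NXDOMAIN"}',
    '{"ts":1700000000.2,"uid":"D2","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.2","query":"wpad","qtype_name":"A","rcode_name":"NXDOMAIN"}',
    '{"ts":1700000000.3,"uid":"D3","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.2","query":"www.example.com","qtype_name":"A","rcode_name":"NOERROR","answers":["93.184.216.34"]}',
    '{"ts":1700000000.4,"uid":"D4","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.2","query":"cdn.easyas123.example","qtype_name":"A","rcode_name":"NOERROR","answers":["edge.easyas123.example","45.131.214.85"]}',
])

SAMPLE_HTTP_LOG = "\n".join([
    '{"ts":1700000001.2,"uid":"C2","id.orig_h":"10.0.0.5","id.resp_h":"45.131.214.85","id.resp_p":80,"method":"POST","host":"45.131.214.85","uri":"/upload","user_agent":"Mozilla/4.0 (compatible; MSIE 6.0)","request_body_len":4096,"status_code":200}',
    '{"ts":1700000003.4,"uid":"C4","id.orig_h":"10.0.0.5","id.resp_h":"45.131.214.85","id.resp_p":80,"method":"GET","host":"45.131.214.85","uri":"/stage2.bin","user_agent":"Mozilla/4.0 (compatible; MSIE 6.0)","request_body_len":0,"status_code":200,"resp_mime_types":["application/x-dosexec"]}',
    '{"ts":1700000006.0,"uid":"C7","id.orig_h":"10.0.0.5","id.resp_h":"93.184.216.34","id.resp_p":80,"method":"GET","host":"www.example.com","uri":"/","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)","request_body_len":0,"status_code":200}',
])


def load_json_log(text):
    """One Zeek record per line. Zeek omits unset fields instead of writing null."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt_dns(records, terms=("wpad", "easyas123")):
    """Counterpart of the ("wpad" OR "easyas123") search.

    is_wpad is true only when the leftmost label is exactly "wpad", the name
    Windows auto-proxy discovery resolves. The response code is kept: an
    NXDOMAIN for wpad is what a LAN spoofing tool answers in the client's
    LLMNR/NBNS fallback, so failed WPAD lookups are worth listing on their own.
    """
    hits = []
    for r in records:
        query = r.get("query", "").lower()
        matched = [t for t in terms if t in query]
        if not matched:
            continue
        hits.append({
            "uid": r["uid"],
            "query": query,
            "terms": matched,
            "is_wpad": query.split(".")[0] == "wpad",
            "rcode": r.get("rcode_name"),
            "answers": r.get("answers", []),
        })
    return hits


def pivot_answers(dns_hits):
    """Map each resolved IP back to the queries that returned it, for pivoting
    into conn.log / http.log. CNAME targets in "answers" are not addresses and
    are skipped."""
    ip_to_queries = {}
    for hit in dns_hits:
        for answer in hit["answers"]:
            try:
                ipaddress.ip_address(answer)
            except ValueError:
                continue
            ip_to_queries.setdefault(answer, set()).add(hit["query"])
    return ip_to_queries


def hunt_http(records, peer_ip):
    """HTTP requests to peer_ip: POSTs with body sizes (beaconing or upload),
    responses carrying Windows executables (ingress tool transfer), and a
    user-agent tally so an odd or outdated agent stands out."""
    posts, downloads, agents = [], [], Counter()
    for r in records:
        if r.get("id.resp_h") != peer_ip:
            continue
        agents[r.get("user_agent", "-")] += 1
        if r.get("method") == "POST":
            posts.append((r.get("uri"), r.get("request_body_len", 0)))
        if "application/x-dosexec" in r.get("resp_mime_types", []):
            downloads.append(r.get("uri"))
    return {"posts": posts, "downloads": downloads, "user_agents": agents}


if __name__ == "__main__":
    hits = hunt_dns(load_json_log(SAMPLE_DNS_LOG))
    for h in hits:
        print(h["uid"], h["query"], h["rcode"], "WPAD" if h["is_wpad"] else "")
    for ip, queries in pivot_answers(hits).items():
        print("pivot", ip, sorted(queries))
        print(hunt_http(load_json_log(SAMPLE_HTTP_LOG), ip))
```

Pivoting on resolved answers rather than on the bare IP string is the step that ties the three logs together: the domain found in `dns.log` yields the address, and the address selects the POST, the executable download and the user agent in `http.log` without having to know the IP in advance.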
## Key Findings
* Successfully deployed a Zeek + Splunk network threat hunting environment
* Generated structured network telemetry from malicious PCAP traffic
* Ingested Zeek logs into Splunk Enterprise
* Identified suspicious external IP communication
* Investigated DNS and HTTP activity
* Performed SIEM-based network threat hunting workflows
* Analyzed HTTP POST requests and suspicious domains
## Skills Demonstrated
* SIEM administration
* Splunk log ingestion
* Zeek network monitoring
* Network traffic analysis
* DNS threat hunting
* HTTP traffic investigation
* PCAP analysis
* Threat hunting workflows
* Security telemetry analysis
## MITRE ATT&CK Mapping
| Technique | Description |
| --------- | ----------------------------------------- |
| T1071.001 | Application Layer Protocol: Web Protocols |
| T1046 | Network Service Discovery |
| T1071.004 | Application Layer Protocol: DNS |
| T1105 | Ingress Tool Transfer |
| T1071 | Application Layer Protocol |
## Outcome
This project demonstrates the ability to build and operate a network-focused threat hunting environment capable of ingesting Zeek telemetry into Splunk and performing realistic security investigations using PCAP-derived traffic data.
### Author
:floppy_disk: josue6368
Cybersecurity Analyst | IT Professional