Library

Instant gratification, packaged

Tenzir packages are snackable bundles of pipelines and enrichment tables—so you can parse, enrich, and route like a boss without starting from scratch.

alphaMountain

alphaMountain provides up-to-date domain and IP intelligence for cybersecurity investigational and protection platforms.

This package provides the alphamountain-threats context for enrichment and pipelines that periodically update the feed.

Amazon Security Lake Destination

Amazon Security Lake automatically centralizes security data from cloud, on-premises, and custom sources.

This package provides pipelines for writing OCSF events to Amazon Security Lake using the S3-based ingestion format.

NOTE: Before you can write events to the Security Lake, you must configure a source per event type in Security Lake and ensure the Tenzir Node has write permissions to the S3 source directory. If you use a non-default name for the source, adjust the source name parameter below.

AWS VPC Flow Logs

AWS VPC Flow Logs capture information about IP traffic going to and from network interfaces in your VPC. This package provides utilities for ingesting, parsing, and analyzing VPC Flow Log data.

This package provides:

  • Raw VPC Flow Log events on the aws topic as aws.vpc_flow events

  • OCSF-formatted network activity events on the ocsf topic as ocsf.network_activity events

To use this package, you must configure your AWS VPC to log to S3 in text format as described in the AWS documentation.

Cisco Umbrella

The Cisco Umbrella package onboards DNS Log data from a Cisco Umbrella S3 Bucket.

DCSO TIE

The DCSO Threat Intelligence Engine (TIE) provides premium threat intelligence feeds from Deutsche Cyber-Sicherheitsorganisation (DCSO), a leading European provider of threat intelligence services. DCSO delivers high-fidelity APT and threat intelligence with deep analysis of threats and campaigns, offering European sovereign intelligence sources for enhanced security operations.

For detailed API documentation and IOC schema definitions, refer to the DCSO TIE API documentation.

This package provides the dcso-tie context for enrichment and pipelines that periodically update the feed, enabling real-time threat detection and intelligence-driven security workflows.

Demo Data Generator

This package provides a live Zeek and Suricata event feed for demo purposes.

Demo Node

This package provides sample data and example pipelines to play with. Every cloud-hosted demo node has this package installed by default.

The package imports Zeek and Suricata logs generated from a PCAP based on a modified version of the M57-Patents dataset, a forensics research corpus generated by Woods et al. in 2001. We enhanced this PCAP by also injecting traffic from malware samples.

Feodo Abuse Blocklist

Feodo Tracker is a project of abuse.ch with the goal of sharing botnet C&C servers associated with Dridex, Emotet (aka Heodo), TrickBot, QakBot (aka QuakBot / Qbot) and BazarLoader (aka BazarBackdoor). It offers various blocklists, helping network owners to protect their users from Dridex and Emotet/Heodo.

Fortinet FortiGate

Fortinet FortiGate appliances provide network security by combining firewall, VPN, and intrusion prevention features.

This package makes it easy to onboard the logs that FortiGate generates, publishing the events to the fortinet topic.

FoxIO JA4+

The FoxIO JA4+ Database provides context for various JA4+ fingerprints, such as operating system, device, library, and user agent.

This package provides multiple contexts for enrichment, each of which contains a subset of the JA4+ database for a particular JA4+ type and a corresponding pipeline that periodically refreshes the context.

Geo Open

Free IP geolocation using Geo Open MMDB databases from CIRCL. Geo Open provides daily snapshots of IP-to-country and IP-to-ASN mappings in MaxMind database format. This package provides two contexts for IP enrichment: country-only lookups and combined country+ASN lookups.

NXLog

No description available

OCSF OSINT Enrichment

This package provides a lookup table context for enriching OCSF events with OCSF OSINT objects.

OCSF Trimming

Reduces the size of OCSF events by trimming optional and recommended fields based on configurable size settings. Supports three trimming levels:

  • S (Small): removes optional and recommended fields

  • M (Medium): removes optional fields only

  • L (Large): keeps all fields and derives string fields for enum fields

Palo Alto Networks

Palo Alto Networks solutions analyze and control network traffic by identifying applications and users, facilitating effective policy enforcement and threat prevention.

This package simplifies the process of integrating and managing logs generated by Palo Alto Networks devices.

Send to Slack

The Slack package makes it easy to send data from a pipeline to a Slack channel. The package requires an incoming webhook URL from a Slack app.

Sophos

The Sophos package onboards data from various Sophos APIs. OCSF mapping pipelines create the respective findings.

Splunk

A package to send data to Splunk via the HTTP Event Collector (HEC).

SSLBL

The SSL Blocklist (SSLBL) package makes available a lookup table sslbl with SHA1 hashes of blacklisted certificates that can be used when monitoring SSL/TLS certificate exchanges.

Suricata

Suricata is an open-source network monitoring and threat detection tool.

This package provides pipelines to onboard Suricata logs, as well as mapping pipelines that translate Suricata EVE JSON to OCSF events.

ThreatFox

ThreatFox is a free platform from abuse.ch with the goal of sharing indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors and threat intelligence providers.

This package provides multiple contexts for enrichment, each of which contains a subset of the ThreatFox IOC database for a particular IOC type and a corresponding pipeline that periodically refreshes the context.

Zeek

Zeek is an open-source network security monitor that provides rich logs about network activity.

This package provides pipelines to onboard Zeek logs, as well as mapping pipelines that translate Zeek logs to OCSF events.

Zscaler Internet Access

A package to use Zscaler Internet Access as a data source.