Anthropic-Cybersecurity-Skills/skills/detecting-beaconing-patterns-with-zeek/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


# API Reference: Detecting Beaconing Patterns with Zeek

## ZAT (Zeek Analysis Tools)

```python
from zat.log_to_dataframe import LogToDataFrame
from zat import zeek_log_reader
from zat import dataframe_to_matrix  # module is zat.dataframe_to_matrix, not zat.utils

# Load conn.log into a DataFrame (ts becomes the index by default)
log_to_df = LogToDataFrame()
conn_df = log_to_df.create_dataframe('/path/to/conn.log')

# Select specific columns
conn_df = log_to_df.create_dataframe('conn.log',
    usecols=['id.orig_h', 'id.resp_h', 'id.resp_p', 'ts', 'duration'])

# Read rows as dicts (streaming)
reader = zeek_log_reader.ZeekLogReader('conn.log')
for row in reader.readrows():
    print(row)

# Tail mode (live monitoring); process() is the caller's per-row handler (not shown)
reader = zeek_log_reader.ZeekLogReader('conn.log', tail=True)
for row in reader.readrows():
    process(row)

# Convert to matrix for ML (categoricals one-hot encoded, numerics passed through)
features = ['id.resp_p', 'duration']  # columns loaded above that the model should see
to_matrix = dataframe_to_matrix.DataFrameToMatrix()
zeek_matrix = to_matrix.fit_transform(conn_df[features])
```

## Beaconing Detection Math

```python
import numpy as np
import pandas as pd

# Inter-arrival intervals for one (orig_h, resp_h) pair; conn_df is the ZAT
# DataFrame above (ts index), src/dst are the pair under review
pair_df = conn_df[(conn_df['id.orig_h'] == src) & (conn_df['id.resp_h'] == dst)]
times = pd.Series(pair_df.index).sort_values()
intervals = times.diff().dt.total_seconds().dropna().values
std_dev = np.std(intervals)
mean_val = np.mean(intervals)
cv = std_dev / mean_val  # Coefficient of Variation; needs >= 2 intervals and mean_val > 0
# cv < 0.3 = likely beacon (low jitter relative to interval)
```
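The CV rule above applied across a whole conn.log rather than one pair, as an added example that is not part of the original reference: rows are grouped by (orig_h, resp_h, resp_p), pairs with too few connections are skipped, and the zero-mean case is handled. The sample rows are constructed, and only the standard library is used.

```python
# Added example (not from the original reference): per-pair beacon scoring over
# constructed conn.log-style records, standard library only.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample rows in the shape of the conn.log fields used above (ts in epoch seconds).
SAMPLE_CONN = [
    # a host checking in every 60 s with a few seconds of jitter: beacon-like
    {"ts": 1700000000 + 60 * i + (i % 3), "id.orig_h": "10.0.0.5",
     "id.resp_h": "203.0.113.7", "id.resp_p": 443}
    for i in range(12)
] + [
    # a user browsing a web host: bursty, irregular gaps
    {"ts": 1700000000 + t, "id.orig_h": "10.0.0.9",
     "id.resp_h": "198.51.100.20", "id.resp_p": 443}
    for t in (0, 3, 4, 190, 1400, 1402, 1460, 3600, 3601, 7000, 7005, 9999)
]

def beacon_scores(rows, min_conns=8):
    """Return {(orig_h, resp_h, resp_p): (count, mean_interval, cv)} for pairs
    with at least min_conns connections and a defined CV."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    scores = {}
    for pair, ts in by_pair.items():
        if len(ts) < min_conns:
            continue  # too few samples for a meaningful CV
        ts.sort()
        intervals = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(intervals)
        if m <= 0:
            continue  # duplicate timestamps only; CV undefined
        scores[pair] = (len(ts), m, pstdev(intervals) / m)
    return scores

def likely_beacons(rows, cv_threshold=0.3, min_conns=8):
    """Pairs whose interval CV falls below the threshold (0.3 per the rule above)."""
    return sorted(p for p, (_, _, cv) in beacon_scores(rows, min_conns).items()
                  if cv < cv_threshold)

if __name__ == "__main__":
    for pair, (n, m, cv) in beacon_scores(SAMPLE_CONN).items():
        print(f"{pair}: n={n} mean={m:.1f}s cv={cv:.3f}")
    print("likely beacons:", likely_beacons(SAMPLE_CONN))
```

In practice feed the rows from `ZeekLogReader('conn.log').readrows()` and raise `min_conns` so that a handful of retries does not score as a beacon.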

## Key Zeek Log Fields

| Log | Key Fields |
|---|---|
| conn.log | id.orig_h, id.resp_h, id.resp_p, ts, duration, orig_bytes |
| dns.log | id.orig_h, query, qtype_name, answers, ts |
| ssl.log | id.orig_h, server_name, ja3, ja3s, ts |

## Anomaly Detection with ZAT + scikit-learn

```python
from sklearn.ensemble import IsolationForest

# zeek_matrix: the DataFrameToMatrix output for conn_df[features] (see ZAT section)
odd_clf = IsolationForest(contamination=0.35)  # expected outlier fraction; tune per dataset
odd_clf.fit(zeek_matrix)
anomalies = conn_df[odd_clf.predict(zeek_matrix) == -1]  # -1 = outlier, 1 = inlier
```

## References