## Working with flows/conn.log

[Dynamite Network Security Monitor](https://github.com/DynamiteAI/dynamite-nsm) normalizes Zeek's `conn.log` and NetFlow events into one underlying data structure, so DynamiteNSM can run alongside an existing NetFlow deployment and both kinds of flow record can be searched the same way.

#### Start by importing the required libraries.

In [1]:
from datetime import datetime, timedelta

from dynamite_sdk.search import Search

#### Instantiate the `search.Search` interface for the `conn` event type. This searches the `event-flows-*` indices (see the `elasticsearch_index` column in the output below); `as_dataframe=True` returns the results as a pandas DataFrame in `search.events`.

In [2]:
search = Search('conn', as_dataframe=True)

#### Set the initial search window to the last 60 minutes.

Note that the `event_time` values returned below carry a `+00:00` offset (UTC). If the notebook host is not on UTC, make sure `start` and `end` are built in the same timezone the index uses, or the window will be shifted.

In [3]:
end = datetime.now()
start = end - timedelta(minutes=60)

#### Execute the time-windowed query and inspect the first ten rows.

In [4]:
search.execute_query(start, end)

In [5]:
search.events.head(10)

Unnamed: 0,event_type,event_time,source_ip_address,destination_ip_address,source_port,destination_port,elasticsearch_index,originating_agent_tag,forwarder_type,node_ip_address,...,service,connection_state,duration,originated_locally,source_bytes,destination_bytes,source_packets,destination_packets,history,uid
0,conn,2019-10-31 16:27:36.073000+00:00,192.168.53.158,169.254.169.123,33452,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,9.9e-05,True,76,76.0,1,1,Dd,CI0Nz33HY2oec6GKr5
1,conn,2019-10-31 16:27:19.902000+00:00,192.168.53.158,169.254.169.123,42616,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,9.6e-05,True,76,76.0,1,1,Dd,CJ8P95H4cGNeEwfSe
2,conn,2019-10-31 16:27:03.751000+00:00,192.168.53.158,169.254.169.123,50911,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000137,True,76,76.0,1,1,Dd,CRPAYe3cpDM2QDFvi
3,conn,2019-10-31 16:26:47.666000+00:00,192.168.53.158,169.254.169.123,54844,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000101,True,76,76.0,1,1,Dd,CmVZ5o4k42yJNrPmzc
4,conn,2019-10-31 16:26:31.609000+00:00,192.168.53.158,169.254.169.123,53751,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000112,True,76,76.0,1,1,Dd,CerGms3DCyCTsw7AK8
5,conn,2019-10-31 16:26:19.830000+00:00,80.82.64.73,192.168.53.158,56194,64643,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,0.227493,False,80,,2,1,SrR,CNxfny3hfEeBiCJ4C7
6,conn,2019-10-31 16:26:15.456000+00:00,192.168.53.158,169.254.169.123,45773,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000148,True,76,76.0,1,1,Dd,C79FVU18GDr0YeELnb
7,conn,2019-10-31 16:26:09.933000+00:00,183.82.142.46,192.168.53.158,27124,445,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,3.5e-05,False,52,,1,1,Sr,CwF0FB46MumbIPSP82
8,conn,2019-10-31 16:25:59.175000+00:00,192.168.53.158,169.254.169.123,34018,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000121,True,76,76.0,1,1,Dd,CXJ14xyGkF8E1Qr57
9,conn,2019-10-31 16:25:42.885000+00:00,192.168.53.158,169.254.169.123,59771,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000119,True,76,76.0,1,1,Dd,CsCIgLyMilgOwCIT9
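
Once `search.events` is populated, the next step is usually to turn the window into something an analyst can act on. The block below is an added example, not code from the DynamiteNSM project or the `dynamite_sdk`. It works on plain dict records, which is what `search.events.to_dict("records")` yields with the normalized column names shown above, and builds two views from them: which external sources probed which ports and how those attempts ended, and the set of outbound (destination, port) pairs the sensor host itself initiated, which is the baseline anything unexpected should be compared against. `SAMPLE_EVENTS` is constructed from rows in this notebook's output so the block runs offline.

```python
from collections import defaultdict

# Constructed sample, copied from rows in the cell outputs above. The real
# input is search.events.to_dict("records") after execute_query(); only the
# normalized columns this example reads are kept.
SAMPLE_EVENTS = [
    {"source_ip_address": "192.168.53.158", "destination_ip_address": "169.254.169.123",
     "destination_port": 123, "connection_state": "SF", "originated_locally": True},
    {"source_ip_address": "192.168.53.158", "destination_ip_address": "192.168.0.2",
     "destination_port": 53, "connection_state": "SF", "originated_locally": True},
    {"source_ip_address": "192.168.53.158", "destination_ip_address": "169.254.169.254",
     "destination_port": 80, "connection_state": "SF", "originated_locally": True},
    {"source_ip_address": "192.168.53.158", "destination_ip_address": "62.210.84.26",
     "destination_port": 3, "connection_state": "OTH", "originated_locally": True},
    {"source_ip_address": "80.82.64.73", "destination_ip_address": "192.168.53.158",
     "destination_port": 64643, "connection_state": "REJ", "originated_locally": False},
    {"source_ip_address": "183.82.142.46", "destination_ip_address": "192.168.53.158",
     "destination_port": 445, "connection_state": "REJ", "originated_locally": False},
    {"source_ip_address": "62.210.84.26", "destination_ip_address": "192.168.53.158",
     "destination_port": 15260, "connection_state": "S0", "originated_locally": False},
    {"source_ip_address": "50.225.152.178", "destination_ip_address": "192.168.53.158",
     "destination_port": 22, "connection_state": "SF", "originated_locally": False},
    {"source_ip_address": "167.71.118.48", "destination_ip_address": "192.168.53.158",
     "destination_port": 8088, "connection_state": "REJ", "originated_locally": False},
    {"source_ip_address": "159.203.81.129", "destination_ip_address": "192.168.53.158",
     "destination_port": 8088, "connection_state": "REJ", "originated_locally": False},
    {"source_ip_address": "118.24.108.196", "destination_ip_address": "192.168.53.158",
     "destination_port": 22, "connection_state": "SF", "originated_locally": False},
    {"source_ip_address": "120.238.131.29", "destination_ip_address": "192.168.53.158",
     "destination_port": 22, "connection_state": "SF", "originated_locally": False},
]

TERMINAL_STATES = ("REJ", "S0", "SF")


def inbound_port_summary(records):
    """Per destination port probed from outside: how many distinct sources tried
    it and how the attempts ended. REJ = closed port (SYN answered by RST),
    S0 = no answer at all, SF = a completed session, i.e. something listened.
    Ports are returned most-probed first."""
    by_port = defaultdict(lambda: {"sources": set(), "REJ": 0, "S0": 0, "SF": 0, "other": 0})
    for r in records:
        if r["originated_locally"]:
            continue
        entry = by_port[r["destination_port"]]
        entry["sources"].add(r["source_ip_address"])
        state = r["connection_state"]
        entry[state if state in TERMINAL_STATES else "other"] += 1
    ordered = sorted(by_port.items(), key=lambda kv: -len(kv[1]["sources"]))
    return {
        port: {"sources": len(e["sources"]), "REJ": e["REJ"], "S0": e["S0"],
               "SF": e["SF"], "other": e["other"]}
        for port, e in ordered
    }


def answered_ports(summary):
    """Ports on which at least one external session completed: the listening
    services, as opposed to ports that were only probed."""
    return sorted(port for port, e in summary.items() if e["SF"] > 0)


def outbound_baseline(records):
    """(destination, port) pairs the sensor host itself initiated in this window."""
    return {(r["destination_ip_address"], r["destination_port"])
            for r in records if r["originated_locally"]}


def outbound_not_in(records, baseline):
    """Locally originated flows whose (destination, port) was not seen in a
    baseline learned from an earlier, known-clean window. On a honeypot this is
    the first place a successful compromise shows up."""
    return [r for r in records if r["originated_locally"]
            and (r["destination_ip_address"], r["destination_port"]) not in baseline]


if __name__ == "__main__":
    summary = inbound_port_summary(SAMPLE_EVENTS)
    for port, e in summary.items():
        print(f"port {port:>5}: {e['sources']} source(s)  REJ={e['REJ']} S0={e['S0']} SF={e['SF']}")
    print("answered:", answered_ports(summary))
    # Baseline from an earlier window (constructed): NTP, DNS and the cloud
    # metadata endpoint. The ICMP row (ports 3/3, state OTH) is what falls out.
    known = {("169.254.169.123", 123), ("192.168.0.2", 53), ("169.254.169.254", 80)}
    for r in outbound_not_in(SAMPLE_EVENTS, known):
        print("unexpected outbound:", r["destination_ip_address"], r["destination_port"], r["connection_state"])
```

In a live notebook, replace `SAMPLE_EVENTS` with `search.events.to_dict("records")`; the baseline passed to `outbound_not_in` should come from an earlier window you have already reviewed, not from the window being examined.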


### Using additional filters

In addition to the time window, `execute_query` accepts an optional `search_filter` string. Filters are written against the underlying Elasticsearch field names (`flow.dst_port`, `flow.src_addr`, `zeek.service`, `zeek.conn_state`, and so on), not the normalized column names that appear in the DataFrame (`destination_port`, `source_ip_address`, `service`, `connection_state`). A bare value with no field name is matched against every field.

#### Look at all recent traffic sent to port 123 (NTP). In this window it is entirely the sensor host's own client syncing against 169.254.169.123.

In [6]:
search.execute_query(start, end, search_filter="flow.dst_port: 123")
search.events.head(10)

Unnamed: 0,event_type,event_time,source_ip_address,destination_ip_address,source_port,destination_port,elasticsearch_index,originating_agent_tag,forwarder_type,node_ip_address,...,service,connection_state,duration,originated_locally,source_bytes,destination_bytes,source_packets,destination_packets,history,uid
0,conn,2019-10-31 16:27:36.073000+00:00,192.168.53.158,169.254.169.123,33452,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,9.9e-05,True,76,76,1,1,Dd,CI0Nz33HY2oec6GKr5
1,conn,2019-10-31 16:27:19.902000+00:00,192.168.53.158,169.254.169.123,42616,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,9.6e-05,True,76,76,1,1,Dd,CJ8P95H4cGNeEwfSe
2,conn,2019-10-31 16:27:03.751000+00:00,192.168.53.158,169.254.169.123,50911,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000137,True,76,76,1,1,Dd,CRPAYe3cpDM2QDFvi
3,conn,2019-10-31 16:26:47.666000+00:00,192.168.53.158,169.254.169.123,54844,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000101,True,76,76,1,1,Dd,CmVZ5o4k42yJNrPmzc
4,conn,2019-10-31 16:26:31.609000+00:00,192.168.53.158,169.254.169.123,53751,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000112,True,76,76,1,1,Dd,CerGms3DCyCTsw7AK8
5,conn,2019-10-31 16:26:15.456000+00:00,192.168.53.158,169.254.169.123,45773,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000148,True,76,76,1,1,Dd,C79FVU18GDr0YeELnb
6,conn,2019-10-31 16:25:59.175000+00:00,192.168.53.158,169.254.169.123,34018,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000121,True,76,76,1,1,Dd,CXJ14xyGkF8E1Qr57
7,conn,2019-10-31 16:25:42.885000+00:00,192.168.53.158,169.254.169.123,59771,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000119,True,76,76,1,1,Dd,CsCIgLyMilgOwCIT9
8,conn,2019-10-31 16:25:26.596000+00:00,192.168.53.158,169.254.169.123,55513,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000118,True,76,76,1,1,Dd,CwY70dglqdcb8rFOc
9,conn,2019-10-31 16:25:10.546000+00:00,192.168.53.158,169.254.169.123,38386,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000107,True,76,76,1,1,Dd,CQubdc129e1exWhnP8


#### Find connections originating from *or* sent to 192.168.53.158.

A bare term is matched against every field. Because the sensor's own `node_ip_address` is also 192.168.53.158, this filter matches every event from `honeypot01`, and the result is identical to the unfiltered query above. When direction matters, use the explicit `flow.src_addr` and `flow.dst_addr` filters in the next two cells.

In [7]:
search.execute_query(start, end, search_filter="192.168.53.158")
search.events.head(10)

Unnamed: 0,event_type,event_time,source_ip_address,destination_ip_address,source_port,destination_port,elasticsearch_index,originating_agent_tag,forwarder_type,node_ip_address,...,service,connection_state,duration,originated_locally,source_bytes,destination_bytes,source_packets,destination_packets,history,uid
0,conn,2019-10-31 16:27:36.073000+00:00,192.168.53.158,169.254.169.123,33452,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,9.9e-05,True,76,76.0,1,1,Dd,CI0Nz33HY2oec6GKr5
1,conn,2019-10-31 16:27:19.902000+00:00,192.168.53.158,169.254.169.123,42616,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,9.6e-05,True,76,76.0,1,1,Dd,CJ8P95H4cGNeEwfSe
2,conn,2019-10-31 16:27:03.751000+00:00,192.168.53.158,169.254.169.123,50911,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000137,True,76,76.0,1,1,Dd,CRPAYe3cpDM2QDFvi
3,conn,2019-10-31 16:26:47.666000+00:00,192.168.53.158,169.254.169.123,54844,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000101,True,76,76.0,1,1,Dd,CmVZ5o4k42yJNrPmzc
4,conn,2019-10-31 16:26:31.609000+00:00,192.168.53.158,169.254.169.123,53751,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000112,True,76,76.0,1,1,Dd,CerGms3DCyCTsw7AK8
5,conn,2019-10-31 16:26:19.830000+00:00,80.82.64.73,192.168.53.158,56194,64643,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,0.227493,False,80,,2,1,SrR,CNxfny3hfEeBiCJ4C7
6,conn,2019-10-31 16:26:15.456000+00:00,192.168.53.158,169.254.169.123,45773,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000148,True,76,76.0,1,1,Dd,C79FVU18GDr0YeELnb
7,conn,2019-10-31 16:26:09.933000+00:00,183.82.142.46,192.168.53.158,27124,445,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,3.5e-05,False,52,,1,1,Sr,CwF0FB46MumbIPSP82
8,conn,2019-10-31 16:25:59.175000+00:00,192.168.53.158,169.254.169.123,34018,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000121,True,76,76.0,1,1,Dd,CXJ14xyGkF8E1Qr57
9,conn,2019-10-31 16:25:42.885000+00:00,192.168.53.158,169.254.169.123,59771,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000119,True,76,76.0,1,1,Dd,CsCIgLyMilgOwCIT9


#### Find connections sent *from* 192.168.53.158.

Row 9 below is not a TCP or UDP flow. For ICMP, Zeek records the ICMP type and code in the port columns, so `3`/`3` with state `OTH` and an empty `history` is a destination-unreachable (port unreachable) message: the honeypot's reply to the UDP datagram from 62.210.84.26 logged at the same instant (16:25:25.973) in the next cell.

In [8]:
search.execute_query(start, end, search_filter="flow.src_addr: 192.168.53.158")
search.events.head(10)

Unnamed: 0,event_type,event_time,source_ip_address,destination_ip_address,source_port,destination_port,elasticsearch_index,originating_agent_tag,forwarder_type,node_ip_address,...,service,connection_state,duration,originated_locally,source_bytes,destination_bytes,source_packets,destination_packets,history,uid
0,conn,2019-10-31 16:27:36.073000+00:00,192.168.53.158,169.254.169.123,33452,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,9.9e-05,True,76,76.0,1,1,Dd,CI0Nz33HY2oec6GKr5
1,conn,2019-10-31 16:27:19.902000+00:00,192.168.53.158,169.254.169.123,42616,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,9.6e-05,True,76,76.0,1,1,Dd,CJ8P95H4cGNeEwfSe
2,conn,2019-10-31 16:27:03.751000+00:00,192.168.53.158,169.254.169.123,50911,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000137,True,76,76.0,1,1,Dd,CRPAYe3cpDM2QDFvi
3,conn,2019-10-31 16:26:47.666000+00:00,192.168.53.158,169.254.169.123,54844,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000101,True,76,76.0,1,1,Dd,CmVZ5o4k42yJNrPmzc
4,conn,2019-10-31 16:26:31.609000+00:00,192.168.53.158,169.254.169.123,53751,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000112,True,76,76.0,1,1,Dd,CerGms3DCyCTsw7AK8
5,conn,2019-10-31 16:26:15.456000+00:00,192.168.53.158,169.254.169.123,45773,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000148,True,76,76.0,1,1,Dd,C79FVU18GDr0YeELnb
6,conn,2019-10-31 16:25:59.175000+00:00,192.168.53.158,169.254.169.123,34018,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000121,True,76,76.0,1,1,Dd,CXJ14xyGkF8E1Qr57
7,conn,2019-10-31 16:25:42.885000+00:00,192.168.53.158,169.254.169.123,59771,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000119,True,76,76.0,1,1,Dd,CsCIgLyMilgOwCIT9
8,conn,2019-10-31 16:25:26.596000+00:00,192.168.53.158,169.254.169.123,55513,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000118,True,76,76.0,1,1,Dd,CwY70dglqdcb8rFOc
9,conn,2019-10-31 16:25:25.973000+00:00,192.168.53.158,62.210.84.26,3,3,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,OTH,,True,446,,1,0,,CDjsnavyu8ebNQyLh


#### Find connections sent *to* 192.168.53.158.

Inbound traffic to the honeypot is almost entirely unsolicited: `REJ` (the SYN was answered with a RST, so the port was closed), `S0` (no reply at all), and completed `SF` sessions on 22/tcp where the SSH service answered.

In [9]:
search.execute_query(start, end, search_filter="flow.dst_addr: 192.168.53.158")
search.events.head(10)

Unnamed: 0,event_type,event_time,source_ip_address,destination_ip_address,source_port,destination_port,elasticsearch_index,originating_agent_tag,forwarder_type,node_ip_address,...,service,connection_state,duration,originated_locally,source_bytes,destination_bytes,source_packets,destination_packets,history,uid
0,conn,2019-10-31 16:26:19.830000+00:00,80.82.64.73,192.168.53.158,56194,64643,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,0.227493,False,80,,2,1,SrR,CNxfny3hfEeBiCJ4C7
1,conn,2019-10-31 16:26:09.933000+00:00,183.82.142.46,192.168.53.158,27124,445,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,3.5e-05,False,52,,1,1,Sr,CwF0FB46MumbIPSP82
2,conn,2019-10-31 16:25:25.973000+00:00,62.210.84.26,192.168.53.158,5204,15260,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,S0,,False,418,,1,0,D,Ct5vNy2aL0bAvom86i
3,conn,2019-10-31 16:25:17.218000+00:00,81.22.45.51,192.168.53.158,57847,8547,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,0.370018,False,80,,2,1,SrR,C7yTwTbKSrSeUyPb8
4,conn,2019-10-31 16:24:31.956000+00:00,50.225.152.178,192.168.53.158,42214,22,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,"[ssh, unknown]",SF,0.935994,False,1345,2453.0,12,14,ShAdDaFf,CMjZwuwI54EhEyIJ8
5,conn,2019-10-31 16:24:05.013000+00:00,167.71.118.48,192.168.53.158,42267,8088,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,3.1e-05,False,40,,1,1,Sr,C4NtVE2uMcQIr7RH77
6,conn,2019-10-31 16:23:45.822000+00:00,198.108.67.94,192.168.53.158,9390,4500,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,2.6e-05,False,40,,1,1,Sr,CWJFl31IannusTMCXf
7,conn,2019-10-31 16:23:40.144000+00:00,118.24.108.196,192.168.53.158,39240,22,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,3.58463,False,2230,5089.0,18,15,ShAdDaFf,CKyhJo4lnvLaV3Kh76
8,conn,2019-10-31 16:23:21.494000+00:00,81.22.45.224,192.168.53.158,40762,2019,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,0.1905,False,80,,2,1,SrR,Cg6QDa1VPi2pdxDJF
9,conn,2019-10-31 16:23:15.312000+00:00,120.238.131.29,192.168.53.158,39584,22,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,12.2484,False,2102,3733.0,17,14,ShAdDaFfR,CRQ0Hc3vuzr5Z8pmxc


#### Find DNS-based connections. The normalized `service` column holds a list (`[dns, unknown]` here); `zeek.service: dns` matches when any element of that list is `dns`.

In [10]:
search.execute_query(start, end, search_filter="zeek.service: dns")
search.events.head(10)

Unnamed: 0,event_type,event_time,source_ip_address,destination_ip_address,source_port,destination_port,elasticsearch_index,originating_agent_tag,forwarder_type,node_ip_address,...,service,connection_state,duration,originated_locally,source_bytes,destination_bytes,source_packets,destination_packets,history,uid
0,conn,2019-10-31 16:24:32.723000+00:00,192.168.53.158,192.168.0.2,58400,53,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,"[dns, unknown]",SF,0.076438,True,73,149,1,1,Dd,CF4nu24cAJ7lDC17el
1,conn,2019-10-31 16:23:43.489000+00:00,192.168.53.158,192.168.0.2,55163,53,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,"[dns, unknown]",SF,0.001185,True,73,161,1,1,Dd,Cxig0m2fQeOpYiZLN3
2,conn,2019-10-31 16:23:23.553000+00:00,192.168.53.158,192.168.0.2,59747,53,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,"[dns, unknown]",SF,4.52681,True,146,73,2,1,Dd,CBH2lN1rbzt0ZSe2J4
3,conn,2019-10-31 16:23:19.409000+00:00,192.168.53.158,192.168.0.2,59704,53,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,"[dns, unknown]",SF,4.14417,True,219,73,3,1,Dd,C2efYe49AdlERGz9D7
4,conn,2019-10-31 16:17:09.332000+00:00,192.168.53.158,192.168.0.2,38397,53,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,"[dns, unknown]",SF,0.028323,True,72,132,1,1,Dd,C1tDHJ24BJoGklL3c8
5,conn,2019-10-31 16:14:06.295000+00:00,192.168.53.158,192.168.0.2,34319,53,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,"[dns, unknown]",SF,0.205243,True,72,125,1,1,Dd,CphAbRbSUk3iWwQc
6,conn,2019-10-31 16:11:00.409000+00:00,192.168.53.158,192.168.0.2,57556,53,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,"[dns, unknown]",SF,0.000908,True,70,125,1,1,Dd,C8i9iL1HOuyT5pEO03
7,conn,2019-10-31 16:10:09.618000+00:00,192.168.53.158,192.168.0.2,39792,53,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,"[dns, unknown]",SF,0.001045,True,72,160,1,1,Dd,C1xBFICHCOQq0kTa
8,conn,2019-10-31 16:07:19.740000+00:00,192.168.53.158,192.168.0.2,41440,53,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,"[dns, unknown]",SF,0.000766,True,73,132,1,1,Dd,CJBYej336YhvQOUlHh
9,conn,2019-10-31 16:06:22.144000+00:00,192.168.53.158,192.168.0.2,48925,53,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,"[dns, unknown]",SF,0.612277,True,71,123,1,1,Dd,CJPKCL3xWcDA8p6A42


#### Find HTTP-based connections.

The only HTTP in this window is the sensor host itself talking to 169.254.169.254:80, the link-local address cloud providers use for the instance metadata service. That is expected on a cloud VM, but it belongs in the outbound baseline: the same endpoint is what credential theft through SSRF reaches for, so any other process or host hitting it deserves a look.

In [11]:
search.execute_query(start, end, search_filter="zeek.service: http")
search.events.head(10)

Unnamed: 0,event_type,event_time,source_ip_address,destination_ip_address,source_port,destination_port,elasticsearch_index,originating_agent_tag,forwarder_type,node_ip_address,...,service,connection_state,duration,originated_locally,source_bytes,destination_bytes,source_packets,destination_packets,history,uid
0,conn,2019-10-31 16:13:07.692000+00:00,192.168.53.158,169.254.169.254,50836,80,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,"[http, unknown]",SF,0.001044,True,417,485,5,5,ShADadfF,C0XBoz4JB8aBDffKSi
1,conn,2019-10-31 16:01:44.491000+00:00,192.168.53.158,169.254.169.254,50834,80,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,"[http, unknown]",SF,0.001964,True,429,750,5,5,ShADadfF,CCDirE3P8ibDsDWZr5
2,conn,2019-10-31 15:43:52.512000+00:00,192.168.53.158,169.254.169.254,50832,80,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,"[http, unknown]",SF,0.000844,True,417,485,5,5,ShADadfF,Cx00vA1koY4g74o7ea


#### Find all rejected connections.

`REJ` means the originator's SYN was answered with a RST (history `Sr`, or `SrR` when the scanner resets as well): the port was closed. Grouping these by `destination_port` and `source_ip_address` is the quickest way to see what the scanners are looking for.

In [13]:
search.execute_query(start, end, search_filter="zeek.conn_state: REJ")
search.events.head(10)

Unnamed: 0,event_type,event_time,source_ip_address,destination_ip_address,source_port,destination_port,elasticsearch_index,originating_agent_tag,forwarder_type,node_ip_address,...,service,connection_state,duration,originated_locally,source_bytes,destination_bytes,source_packets,destination_packets,history,uid
0,conn,2019-10-31 16:26:19.830000+00:00,80.82.64.73,192.168.53.158,56194,64643,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,0.227493,False,80,,2,1,SrR,CNxfny3hfEeBiCJ4C7
1,conn,2019-10-31 16:26:09.933000+00:00,183.82.142.46,192.168.53.158,27124,445,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,3.5e-05,False,52,,1,1,Sr,CwF0FB46MumbIPSP82
2,conn,2019-10-31 16:25:17.218000+00:00,81.22.45.51,192.168.53.158,57847,8547,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,0.370018,False,80,,2,1,SrR,C7yTwTbKSrSeUyPb8
3,conn,2019-10-31 16:24:05.013000+00:00,167.71.118.48,192.168.53.158,42267,8088,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,3.1e-05,False,40,,1,1,Sr,C4NtVE2uMcQIr7RH77
4,conn,2019-10-31 16:23:45.822000+00:00,198.108.67.94,192.168.53.158,9390,4500,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,2.6e-05,False,40,,1,1,Sr,CWJFl31IannusTMCXf
5,conn,2019-10-31 16:23:21.494000+00:00,81.22.45.224,192.168.53.158,40762,2019,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,0.1905,False,80,,2,1,SrR,Cg6QDa1VPi2pdxDJF
6,conn,2019-10-31 16:23:07.270000+00:00,92.118.37.83,192.168.53.158,46274,3334,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,0.188821,False,80,,2,1,SrR,CpmhJmKbPBvV10Zhd
7,conn,2019-10-31 16:22:40.085000+00:00,159.203.81.129,192.168.53.158,45916,8088,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,3.1e-05,False,40,,1,1,Sr,CI3jMn1gIrdstshhb7
8,conn,2019-10-31 16:22:34.380000+00:00,185.176.27.110,192.168.53.158,40971,3382,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,0.215114,False,80,,2,1,SrR,CveUw32xiTz7dYqxya
9,conn,2019-10-31 16:22:33.732000+00:00,45.136.109.95,192.168.53.158,44020,3399,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,0.187137,False,80,,2,1,SrR,Cr2VjF1LfWP8Kc1bh1
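
The `connection_state` and `history` columns carry most of what the last two cells (connections sent to the honeypot, and rejected connections) are about, but they are terse. The block below is an added example, not part of DynamiteNSM or the `dynamite_sdk`: it decodes Zeek's `history` letters and `conn_state` codes, following the meanings documented for Zeek's `conn.log`, and collapses each pair into a triage label. The label names are the example's own, and the sample pairs in the driver are taken from rows shown above.

```python
# Meaning of each Zeek history letter. Upper case = sent by the originator,
# lower case = the same event from the responder (Zeek conn.log documentation).
HISTORY_FLAGS = {
    "s": "SYN without ACK",
    "h": "SYN+ACK",
    "a": "pure ACK",
    "d": "packet carrying payload",
    "f": "FIN",
    "r": "RST",
    "c": "packet with a bad checksum",
    "g": "content gap",
    "t": "retransmitted payload",
    "w": "zero-window advertisement",
    "i": "inconsistent packet (e.g. FIN+RST set together)",
    "q": "multi-flag packet (SYN+FIN or SYN+RST)",
}

CONN_STATES = {
    "S0": "connection attempt seen, no reply",
    "S1": "connection established, not terminated",
    "SF": "normal establishment and termination",
    "REJ": "connection attempt rejected",
    "S2": "established, originator attempted close, no reply from responder",
    "S3": "established, responder attempted close, no reply from originator",
    "RSTO": "established, originator aborted with RST",
    "RSTR": "established, responder aborted with RST",
    "RSTOS0": "originator sent SYN then RST, no SYN+ACK from responder seen",
    "RSTRH": "responder sent SYN+ACK then RST, no SYN from originator seen",
    "SH": "originator sent SYN then FIN, no SYN+ACK seen (half-open)",
    "SHR": "responder sent SYN+ACK then FIN, no SYN from originator seen",
    "OTH": "no SYN seen, midstream traffic only (also used for non-TCP)",
}


def _hist(history):
    """An empty history comes back from pandas as NaN, not '', so normalize."""
    return history if isinstance(history, str) else ""


def decode_history(history):
    """Expand a history string such as 'ShAdDaFf' into (side, meaning) pairs,
    in the order Zeek recorded the events."""
    decoded = []
    for ch in _hist(history):
        if ch == "^":
            decoded.append(("zeek", "direction flipped by Zeek's heuristic"))
            continue
        side = "originator" if ch.isupper() else "responder"
        decoded.append((side, HISTORY_FLAGS.get(ch.lower(), f"unknown flag {ch!r}")))
    return decoded


def triage(conn_state, history):
    """Collapse conn_state + history into one triage label. REJ and S0 are
    tested before SF so a scan can never be labelled as a session."""
    hist = _hist(history)
    if conn_state == "REJ":
        return "refused"            # SYN answered with RST: closed port, typical of scanning
    if conn_state == "S0":
        return "unanswered-syn" if "S" in hist else "unanswered-datagram"
    if conn_state == "SF" and ("S" in hist or "h" in hist):
        return "session-with-data" if "D" in hist else "session-no-data"
    if conn_state == "SF":
        return "request-response"   # 'Dd' with no handshake: UDP such as NTP or DNS
    if conn_state == "OTH" and not hist:
        return "stateless"          # e.g. ICMP, where the port columns hold type/code
    return "other:" + conn_state


def explain(conn_state, history):
    """What an analyst wants next to a row: state text, decoded history, label."""
    return {
        "state": CONN_STATES.get(conn_state, f"unknown state {conn_state!r}"),
        "history": decode_history(history),
        "label": triage(conn_state, history),
    }


def triage_record(record):
    """Same thing for one dict record using the notebook's normalized column names."""
    return triage(record["connection_state"], record["history"])


if __name__ == "__main__":
    # Constructed sample: (connection_state, history) pairs taken from rows above.
    for state, hist in [("REJ", "SrR"), ("REJ", "Sr"), ("S0", "D"),
                        ("SF", "ShAdDaFf"), ("SF", "Dd"), ("OTH", "")]:
        info = explain(state, hist)
        print(f"{state:<4} {hist or '-':<10} {info['label']:<20} {info['state']}")
```

Applied to `search.events.to_dict("records")`, `triage_record` gives a column you can group on: in the outputs above the SSH rows come out as `session-with-data`, every scanner hit as `refused` or `unanswered-syn`, and the sensor's own NTP and DNS as `request-response`.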


#### Find all connections that originated locally.

`local_orig` is true when the originator address falls inside Zeek's configured local networks (`Site::local_nets`), so this view is only as accurate as that configuration.

In [17]:
search.execute_query(start, end, search_filter="zeek.local_orig: true")
search.events.head(10)

Unnamed: 0,event_type,event_time,source_ip_address,destination_ip_address,source_port,destination_port,elasticsearch_index,originating_agent_tag,forwarder_type,node_ip_address,...,service,connection_state,duration,originated_locally,source_bytes,destination_bytes,source_packets,destination_packets,history,uid
0,conn,2019-10-31 16:27:36.073000+00:00,192.168.53.158,169.254.169.123,33452,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,9.9e-05,True,76,76.0,1,1,Dd,CI0Nz33HY2oec6GKr5
1,conn,2019-10-31 16:27:19.902000+00:00,192.168.53.158,169.254.169.123,42616,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,9.6e-05,True,76,76.0,1,1,Dd,CJ8P95H4cGNeEwfSe
2,conn,2019-10-31 16:27:03.751000+00:00,192.168.53.158,169.254.169.123,50911,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000137,True,76,76.0,1,1,Dd,CRPAYe3cpDM2QDFvi
3,conn,2019-10-31 16:26:47.666000+00:00,192.168.53.158,169.254.169.123,54844,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000101,True,76,76.0,1,1,Dd,CmVZ5o4k42yJNrPmzc
4,conn,2019-10-31 16:26:31.609000+00:00,192.168.53.158,169.254.169.123,53751,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000112,True,76,76.0,1,1,Dd,CerGms3DCyCTsw7AK8
5,conn,2019-10-31 16:26:15.456000+00:00,192.168.53.158,169.254.169.123,45773,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000148,True,76,76.0,1,1,Dd,C79FVU18GDr0YeELnb
6,conn,2019-10-31 16:25:59.175000+00:00,192.168.53.158,169.254.169.123,34018,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000121,True,76,76.0,1,1,Dd,CXJ14xyGkF8E1Qr57
7,conn,2019-10-31 16:25:42.885000+00:00,192.168.53.158,169.254.169.123,59771,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000119,True,76,76.0,1,1,Dd,CsCIgLyMilgOwCIT9
8,conn,2019-10-31 16:25:26.596000+00:00,192.168.53.158,169.254.169.123,55513,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,0.000118,True,76,76.0,1,1,Dd,CwY70dglqdcb8rFOc
9,conn,2019-10-31 16:25:25.973000+00:00,192.168.53.158,62.210.84.26,3,3,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,OTH,,True,446,,1,0,,CDjsnavyu8ebNQyLh


#### Find all connections that originated from China.

`flow.src_country` comes from GeoIP enrichment of the source address. The country of a scanning host says little about who operates it, so use this to slice traffic, not to attribute it.

In [20]:
search.execute_query(start, end, search_filter="flow.src_country: China")
search.events.head(10)

Unnamed: 0,event_type,event_time,source_ip_address,destination_ip_address,source_port,destination_port,elasticsearch_index,originating_agent_tag,forwarder_type,node_ip_address,...,service,connection_state,duration,originated_locally,source_bytes,destination_bytes,source_packets,destination_packets,history,uid
0,conn,2019-10-31 16:23:40.144000+00:00,118.24.108.196,192.168.53.158,39240,22,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,3.584634,False,2230,5089.0,18,15,ShAdDaFf,CKyhJo4lnvLaV3Kh76
1,conn,2019-10-31 16:23:15.312000+00:00,120.238.131.29,192.168.53.158,39584,22,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,12.248368,False,2102,3733.0,17,14,ShAdDaFfR,CRQ0Hc3vuzr5Z8pmxc
2,conn,2019-10-31 16:17:21.126000+00:00,218.56.158.75,192.168.53.158,40842,1433,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,0.525573,False,84,,2,1,SrR,CvHuXW3cXabFXdvwfi
3,conn,2019-10-31 16:17:04.986000+00:00,94.191.36.171,192.168.53.158,49886,22,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,4.609166,False,2178,3797.0,17,14,ShAdDaFf,Ci6VsK3yowCeclzQdf
4,conn,2019-10-31 16:14:01.712000+00:00,117.50.94.229,192.168.53.158,24190,22,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,5.039983,False,2062,3809.0,16,15,ShAdDaFf,CH0LAW1cHqyug4Fh04
5,conn,2019-10-31 16:13:46.813000+00:00,27.205.210.10,192.168.53.158,64284,60001,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,REJ,3.6e-05,False,44,,1,1,Sr,CtLHkd266GkMlu4xfl
6,conn,2019-10-31 16:10:55.706000+00:00,27.46.171.7,192.168.53.158,44340,22,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,4.970331,False,2074,3797.0,16,14,ShAdDaFTf,CU5ilnyXS3m81uqzg
7,conn,2019-10-31 16:10:05.941000+00:00,118.24.111.71,192.168.53.158,60412,22,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,3.900834,False,2074,3577.0,16,11,ShAdDaFf,C8BiXK32SKCXrttmh
8,conn,2019-10-31 16:07:14.627000+00:00,124.42.117.243,192.168.53.158,33732,22,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,5.377528,False,2074,4982.0,16,13,ShAdDaFf,CW8cmy9go2e8zmlsi
9,conn,2019-10-31 16:06:14.836000+00:00,106.13.78.85,192.168.53.158,43594,22,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,...,unknown,SF,8.162851,False,2718,4961.0,18,20,ShAdDaFf,CloAFX3icllRRz0TQ
