1. Zeek as a Network Telemetry Engine
$ core idea: Zeek excels at producing structured protocol logs (DNS, HTTP, SSL/TLS, conn, files, notices, and more) that support hunting and retrospective analysis. It helps answer “what happened?” at the session and protocol level.
$ defender angle: Zeek logs are especially powerful when correlated across time and hosts. Analysts can pivot on domains, IPs, JA3-like metadata (if available in your pipeline), user agents, and connection histories to build context around suspicious events.
$ prove understanding: Explain the different roles of Zeek and Suricata in a network monitoring architecture.
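As an added illustration of the pivoting described under "defender angle" (this is example code written for these notes, not part of Zeek or the original page): a small reader for Zeek's native TSV log format that uses the `#fields` header to name columns, then correlates a host's dns.log resolution of a domain with that same host's later conn.log sessions to the answered IPs. The two logs are constructed samples trimmed to a few columns; real dns.log and conn.log carry many more fields, but the parsing approach is the same.

```python
from typing import Dict, Iterator, List, Optional

# Constructed sample Zeek logs in the native TSV format, trimmed to a few columns.
DNS_LOG = """#set_separator\t,
#unset_field\t-
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery\tanswers
#types\ttime\tstring\taddr\taddr\tstring\tvector[string]
1700000000.100\tCx1\t10.0.0.5\t10.0.0.2\tupdates.example.net\t203.0.113.10,203.0.113.11
1700000003.250\tCx2\t10.0.0.7\t10.0.0.2\tcdn.example.org\t198.51.100.20
1700000010.000\tCx3\t10.0.0.9\t10.0.0.2\tupdates.example.net\t-
"""
CONN_LOG = """#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\thistory
1700000000.900\tCa1\t10.0.0.5\t51000\t203.0.113.10\t443\ttcp\tShADadFf
1700000001.500\tCa2\t10.0.0.6\t51001\t198.51.100.20\t443\ttcp\tShADadFf
1700000002.000\tCa3\t10.0.0.5\t51002\t203.0.113.11\t8443\ttcp\tS
1700000005.000\tCa4\t10.0.0.7\t51003\t198.51.100.20\t443\ttcp\tShADadFf
"""

def parse_zeek_tsv(text: str) -> Iterator[Dict[str, Optional[str]]]:
    """Yield one dict per record, naming columns from the #fields header line.
    Zeek's unset marker '-' becomes None; other '#' metadata lines are skipped."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue
        else:
            yield {k: (None if v == "-" else v) for k, v in zip(fields, line.split("\t"))}

def pivot_domain(dns_text: str, conn_text: str, domain: str, window: float = 300.0) -> List[str]:
    """Return conn.log uids for sessions in which a host talked to an IP that the
    same host had resolved `domain` to, within `window` seconds of the DNS answer."""
    resolutions = []  # (dns ts, resolving host, set of answer IPs)
    for rec in parse_zeek_tsv(dns_text):
        if rec.get("query") != domain or rec.get("answers") is None:
            continue
        # 'answers' is a Zeek vector; its elements are joined with the set separator ','
        resolutions.append((float(rec["ts"]), rec["id.orig_h"], set(rec["answers"].split(","))))
    hits: List[str] = []
    for conn in parse_zeek_tsv(conn_text):
        cts = float(conn["ts"])
        for dts, host, ips in resolutions:
            if conn["id.orig_h"] == host and conn["id.resp_h"] in ips and dts <= cts <= dts + window:
                hits.append(conn["uid"])
                break  # one matching resolution per connection is enough
    return hits
```

Note that `Ca2` reaches the same IP as `cdn.example.org` but is not returned for that domain, because a different host made that resolution; correlating on both the IP and the resolving host is what turns two logs into context.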