Brim is a full nano network intrusion detection and threat hunting platform, and best of all, it’s open source. There is no need to install half a SOC or a dozen databases on a laptop to run a breach assessment or conduct a threat hunt. All you need is network data and Brim.

We’ve just released Brim v0.22.0 with some really cool features, rounding out the investigation and threat hunting workflow, including a new query library, CSV and NDJSON export, and a dedicated Suricata alert view.

If you are just getting started with Brim, you can download it here and follow our installation instructions. Full release notes for version v0.22.0 are available here.

Query Library

“The only thing that you absolutely have to know, is the location of the library."

                -- Albert Einstein (1879-1955. Theoretical physicist)

Brim now includes a query library. We’ve provided a selection of useful Z queries covering common use cases for Zeek and Suricata events and alerts. Simply click on a query in the sidebar to run it on your data.

Query Library

You can also save your own Z queries. Enter the query you want to save, then select the Star Icon in the search bar. You can add a name, a description, and tags. Tags can be used to filter and organize queries.

Query Library Save

CSV and NDJSON Export

We have added the ability to export data in CSV and NDJSON format, so that you can share your investigation results with other stakeholders or add it to an ongoing incident ticket.

Data Export

Suricata Alert View

Lastly, Brim now includes a dedicated Suricata alert view that can be accessed by double-clicking a Suricata alert record. The view has been enriched with the Suricata alert severity.

Suricata Alert View

If you have any questions, you are welcome to join our Slack Channel.

Project Z

ZNG and the Z language are part of the Z stack, Brim’s ground-breaking data exploration and analytical processing platform.

As all data in Brim is stored in ZNG, you can search and analyse any and all log data using Z without needing to conduct any messy database or parsing acrobatics.

Whether you are threat hunting via the UI, building advanced analytics, or labelling attributes for ML models, Z extends from the data to the presentation layer.