Roadmap

[rsmmr]

The following is a list of functionality that's on the radar for future versions of the Zeek Agent. Not everything is committed to, or planned out yet; this is primarily a record of ideas. Feedback welcome, just leave comments in this ticket.

Configuration/Deployment/Usage

• Auto-discovery of upstream Zeek connectivity
• Communication proxy aggregating and relaying messages
• Local configuration file (already exists, not yet finalized & documented)
• Remote agent configuration (other than queries)
• Provide user-accessible audit log of requested/transmitted information (simple logging in place already)
• Option to allow user to filter data returned by then agent
• Switch upstream communication to WebSocket protocol, and remove Broker (Add communication over WebSocket #43)

Tables:

• Evented versions of current tables through OS-specific APIs
  • Processes
  • File modifications
  • Network connections / sockets
• Windows system registry modifications
• System services
• Module / kernel extensions loads
• Scripts Loading (Windows)
• Fileless Script loads (Windows)
• Cross Process events (?)

Packaging & OS integration

• Linux systemd integration
• macOS notarized installer package (Add notarization for macOS #15)
• macOS launchd integration
• Windows installer (Add installer build for Windows #40)
• Windows service

Integrations

• Export query results as JSON for consumption by external systems

[timwoj]

One other I'd add (possibly as part of #40) is installing/running the Windows agent as a service instead of just a regular process.

[rsmmr]

One other I'd add (possibly as part of #40) is installing/running the Windows agent as a service instead of just a regular process.

Yeah, that applies in some form to Linux and macOS too: we should provide service definitions Added that all to the list.

[timwoj]

I checked off Windows service since the installer already installs it as a service.