Has anyone ever labeled individual records in Zeek logs for attacks/exploits? If so, how did they do it?

Zeek, formerly known as Bro Network Security Monitor, is a powerful open-source intrusion detection system. There was a requirement to know whether an individual record should be marked as anomalous or not, assuming attacks are anomalies.  The inquirer was interested in finding possible solutions to automatically label network events/sessions based on time and IP addresses of known attacks using Zeek logs. CSIAC subject matter experts provided open-source research to the inquirer and publicly posted the technical inquiry to solicit responses from our membership.  We then consolidated, organized, and analyzed 10 community responses before forwarding the synthesized set of viable solutions to the inquirer.