Some Zeek behavior can be tweaked through the use of environment variables in the .env files beginning with zeek….
Other changes to Zeek's behavior could be made by modifying [local.zeek]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/zeek/config/local.zeek) and either using a bind mount or rebuilding the zeek image with the modification. See the Zeek documentation for more information on customizing a Zeek instance. Note that changing Zeek's behavior could result in changes to the format of the logs Zeek generates, which could break Malcolm's parsing of those logs, so exercise caution.
The easiest way to add a new Zeek package to Malcolm is to add the git URL of that package to the ZKG_GITHUB_URLS array in [zeek_install_plugins.sh]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/zeek_install_plugins.sh) script and then rebuilding the zeek image. This will cause the package to be installed (via the zkg command-line tool). See Parsing new Zeek logs on how to process any new .log files if the package generates them.
See Zeek Intelligence Framework in the Malcolm README for information on how to use Zeek's Intelligence Framework with Malcolm.