diff --git a/salt/zeek/policy/custom/filters/conn b/salt/zeek/policy/custom/filters/conn
new file mode 100644
index 000000000..e9181cc1e
--- /dev/null
+++ b/salt/zeek/policy/custom/filters/conn
@@ -0,0 +1,19 @@
+module Filterconn;
+
+export {
+ global ignore_services: set[string] = {"dns", "krb", "krb_tcp"};
+ }
+
+hook Conn::log_policy(rec: Conn::Info, id: Log::ID, filter: Log::Filter)
+ {
+ # Record only connections not in the ignored services
+ if ( ! rec?$service || rec$service in ignore_services )
+ break;
+ }
+
+event zeek_init()
+{
+ Log::remove_default_filter(Conn::LOG);
+ local filter: Log::Filter = [$name="conn-filter"];
+ Log::add_filter(Conn::LOG, filter);
+}
\ No newline at end of file
diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml
index adb534281..6ae5c22a7 100644
--- a/salt/zeek/soc_zeek.yaml
+++ b/salt/zeek/soc_zeek.yaml
@@ -17,6 +17,11 @@ zeek:
 CompressLogs:
 description: Enable compression of zeek logs. If you are seeing packet loss at the top of the hour in zeek or pcap you might need to set this to 0. This will use more disk space but save IO and CPU.
 policy:
+ custom:
+ filters:
+ conn:
+ description: Conn Filter for Zeek
+ file: True
 file_extraction:
 description: This is a list of mime types Zeek will extract from the network streams.
 load:
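Review bot: The guard in Conn::log_policy, `if ( ! rec?$service || rec$service in ignore_services ) break;`, vetoes every connection that has no identified service as well as the listed ones, which contradicts the comment directly above it and silently removes most of conn.log — scans, failed connections and unrecognised protocols are precisely the records with no service and the ones detection content leans on. If only the listed services are meant to be suppressed the condition should read `if ( rec?$service && rec$service in ignore_services ) break;`; if dropping service-less connections is deliberate, the comment should say so, since an operator enabling this toggle will not expect it. `ignore_services` carries no `&redef`, so a site cannot extend or trim the list from local policy without editing this file; `const ignore_services: set[string] = {"dns", "krb", "krb_tcp"} &redef;` would allow that. The remove-default/add-filter sequence in zeek_init appears unnecessary, since a filter added without an explicit `$policy` presumably inherits the stream's `Conn::log_policy` hook just as the default filter does — worth confirming against the Zeek version shipped here before keeping it. As a matter of style, the hook uses indented braces while zeek_init puts them at column 0, and the file ends without a trailing newline.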
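Review bot: `description: Conn Filter for Zeek` under the new `policy.custom.filters.conn` key does not tell an operator what enabling the setting changes, unlike the neighbouring CompressLogs description, which states the trade-off of its toggle. Because this filter removes conn.log records rather than adding anything, the description should name the effect and the data that disappears, e.g. `description: Drops conn.log records for the services listed in the custom conn filter (dns, krb, krb_tcp); those connections remain visible only in their protocol-specific logs.` Whether the filter also affects connections with no identified service is decided by the filter script itself, so the wording should match whatever behaviour that script is settled on.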