diff --git a/Vagrant/logger_bootstrap.sh b/Vagrant/logger_bootstrap.sh
index e6d58a9..cc65dc5 100644
--- a/Vagrant/logger_bootstrap.sh
+++ b/Vagrant/logger_bootstrap.sh
@@ -195,6 +195,10 @@ install_splunk() {
 cp /vagrant/resources/splunk_server/windows_ta_props.conf /opt/splunk/etc/apps/Splunk_TA_windows/default/props.conf
 cp /vagrant/resources/splunk_server/sysmon_ta_props.conf /opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf
+ # Add props.conf to Splunk Zeek TA to properly parse timestamp
+ # and avoid grouping events as a single event
+ cp /vagrant/resources/splunk_server/zeek_ta_props.conf /opt/splunk/etc/apps/Splunk_TA_bro/local/props.conf
+
 # Add custom Macro definitions for ThreatHunting App
 cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf
 # Fix props.conf in ThreatHunting App
diff --git a/Vagrant/resources/splunk_server/zeek_ta_props.conf b/Vagrant/resources/splunk_server/zeek_ta_props.conf
new file mode 100644
index 0000000..8bf46c5
--- /dev/null
+++ b/Vagrant/resources/splunk_server/zeek_ta_props.conf
@@ -0,0 +1,12 @@
+[zeek:json]
+DATETIME_CONFIG =
+INDEXED_EXTRACTIONS = json
+KV_MODE = none
+LINE_BREAKER = ([\r\n]+)
+NO_BINARY_CHECK = true
+category = Structured
+description = Zeek JSON sourcetype with fixed timestamp parsing.
+disabled = false
+pulldown_type = true
+TIMESTAMP_FIELDS = ts
+TIME_FORMAT = %s.%6N
\ No newline at end of file
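Review bot: The added `cp` targets `/opt/splunk/etc/apps/Splunk_TA_bro/local/props.conf`, and unlike the two lines above it (which write into `default/`) nothing guarantees that `local/` exists in a freshly installed TA, so the copy can fail with "No such file or directory" and the Zeek timestamp fix is silently not applied (or the script aborts, depending on shell options not visible in this hunk). Create the directory first, `mkdir -p /opt/splunk/etc/apps/Splunk_TA_bro/local`, and since this step is the whole point of the change, fail loudly if it does not land: `cp ... || { echo "Failed to install Zeek props.conf" >&2; exit 1; }`. The `install_splunk` function continues outside this hunk.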
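Review bot: `TIME_FORMAT = %s.%6N` with `TIMESTAMP_FIELDS = ts` assumes Zeek is writing epoch-seconds timestamps in its JSON logs; if the lab's Zeek config ever switches to ISO-8601 `ts` values, parsing fails and events fall back to index time, which is exactly the grouping problem the commit describes. That assumption is not recorded anywhere, so add a comment above the stanza: `# Expects Zeek JSON logs with epoch ts values (e.g. 1597091220.123456); change TIME_FORMAT if ISO-8601 timestamps are enabled`. `DATETIME_CONFIG =` is left with an empty value, which reads like a leftover from a UI-exported stanza; if the built-in datetime.xml is intended, drop the line rather than leave an ambiguous blank setting. The file also ends without a trailing newline, which most editors and diff tools will flag on the next edit.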