Locked Security Onion 2.0 RC1 - Linux Distro

[itsMe]

This is the hidden content, please

• Sign In
• or
• Sign Up

Security Onion

Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Below are several diagrams to represent the current architecture and deployment scenarios for Security Onion on the Elastic Stack.

Core Components

Logstash – Parse and format logs.
Elasticsearch – Ingest and index logs.
Kibana – Visualize ingested log data.
Auxiliary Components

Curator – Manage indices through scheduled maintenance.
ElastAlert – Query Elasticsearch and alert on user-defined anomalous behavior or other interesting bits of information.
FreqServer -Detect DGAs and find random file names, script names, process names, service names, workstation names, TLS certificate subjects and issuer subjects, etc.
DomainStats – Get additional info about a domain by providing additional context, such as creation time, age, reputation, etc.

Changelog v2.0 RC1

    Re-branded 2.0 to give it a fresh look
    All documentation has moved to our docs site
    soup is alive! Note: This tool only updates Security Onion components. Please use the built-in OS update process to keep the OS and other components up to date.
    so-import-pcap is back! See the so-import-pcap docs here.
    Fixed issue with so-features-enable
    Users can now pivot to PCAP from Suricata alerts
    ISO install now prompts users to create an admin/sudo user instead of using a default account name
    The web email & password set during setup is now used to create the initial accounts for TheHive, Cortex, and Fleet
    Fixed issue with disk cleanup
    Changed the default permissions for /opt/so to keep non-priviledged users from accessing salt and related files
    Locked down access to certain SSL keys
    Suricata logs now compress after they roll over
    Users can now easily customize shard counts per index
    Improved Elastic ingest parsers including Windows event logs and Sysmon logs shipped with WinLogbeat and Osquery (ECS)
    Elastic nodes are now “hot” by default, making it easier to add a warm node later
    so-allow now runs at the end of an install so users can enable access right away
    Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardized and copied to event.severity:
    1-Low / 2-Medium / 3-High / 4-Critical
    Initial implementation of alerting queues:
        Low & Medium alerts are accessible through Kibana & Hunt
        High & Critical alerts are accessible through Kibana, Hunt and sent to TheHive for immediate analysis
    ATT&CK Navigator is now a statically-hosted site in the nginx container
    Playbook
        All Sigma rules in the community repo (500+) are now imported and kept up to date
        Initial implementation of automated testing when a Play’s detection logic has been edited (i.e., Unit Testing)
        Updated UI Theme
        Once authenticated through SOC, users can now access Playbook with analyst permissions without login
    Kolide Launcher has been updated to include the ability to pass arbitrary flags – new functionality sponsored by SOS
    Fixed issue with Wazuh authd registration service port not being correctly exposed
    Added option for exposure of Elasticsearch REST API (port 9200) to so-allow for easier external querying/integration with other tools
    Added option to so-allow for external Strelka file uploads (e.g., via strelka-fileshot)
    Added default YARA rules for Strelka – default rules are maintained by Florian Roth and pulled from https://github.com/Neo23x0/signature-base
    Added the ability to use custom Zeek scripts
    Renamed “master server” to “manager node”
    Improved unification of Zeek and Strelka file data

This is the hidden content, please

• Sign In
• or
• Sign Up