Security Onion: Security Onion 2.4.80 now available including improvements to our new Detections interface and much more!

Security Onion 2.4.80 is now available!

Security Onion is a cybersecurity platform built by defenders for defenders. Recently, we released Security Onion 2.4.70 which was the culmination of several MONTHS of thinking through the defender workflow specifically around detection engineering. This resulted in a new interface called Detections that makes it super simple to tune your NIDS rules for Suricata, Sigma rules for ElastAlert, and YARA rules for Strelka.

Since 2.4.70, we've listened to your feedback about Detections and made lots of improvements including syntax highlighting and much more!

We also continue to look for ways to help our fellow defenders when it comes to process logs. In previous versions, we added SOC actions for "Process Info" and "Process Ancestors". In this release, we've expanded on this with two more actions called "Process and Child Info" and "Process All Info":

Here's how these four process actions relate to each other:

Clicking the Process Info option will show all logs that include this process’s entity_id in the process.entity_id field.
Clicking the Process and Child Info option will show all logs that include this process’s entity_id in either the process.entity_id or process.parent.entity_id fields (depending on the process, this may show the same logs as the Process Info option or it may show more).
Clicking the Process All Info option will show all logs that include this process’s entity_id in any field (depending on the process, this may show the same logs as the Process and Child Info option or it may show more).
Clicking the Process Ancestors option will show all parent processes for the selected process.

Please note that these actions will only display on the Actions menu if you click on a specific log type:

The first three Process actions will only appear if you click on a log that contains the process.entity_id field.
The Process Ancestors action will only appear if you click on a log that contains the process.Ext.ancestry field.

There are many more features and fixes included in this release! For a complete list of all changes, please see the Release Notes:

https://docs.securityonion.net/en/2.4/release-notes.html#changes

Known Issues

For a list of known issues, please see:

https://docs.securityonion.net/en/2.4/release-notes.html#known-issues

About Security Onion

Security Onion is a free and open platform built by defenders for defenders. It includes network visibility, host visibility, intrusion detection honeypots, log management, and case management.

For network visibility, we offer signature based detection via Suricata, rich protocol metadata and file extraction using your choice of either Zeek or Suricata, full packet capture, and file analysis. For host visibility, we offer the Elastic Agent which provides data collection, live queries via osquery, and centralized management using Elastic Fleet. Intrusion detection honeypots based on OpenCanary can be added to your deployment for even more enterprise visibility. All of these logs flow into Elasticsearch and we’ve built our own user interfaces for alerts, dashboards, threat hunting, case management, and grid management.

Security Onion has been downloaded over 2 million times and is being used by security teams around the world to monitor and defend their enterprises. Our easy-to-use Setup wizard allows you to build a distributed grid for your enterprise in minutes!

Documentation

You can find our online documentation here:

https://docs.securityonion.net/en/2.4/

Documentation is always a work in progress. If you find documentation that needs to be updated, please let us know as described in the Feedback section below.

New Installations

If this is your first time installing Security Onion 2.4, then we highly recommend starting with an IMPORT installation as shown at:

https://docs.securityonion.net/en/2.4/first-time-users.html

Once you’re comfortable with your IMPORT installation, then you can move on to more advanced installations as shown at:

https://docs.securityonion.net/en/2.4/architecture.html

Existing 2.4 Installations

If you have an existing Security Onion 2.4 installation, you can update to the latest version using soup:

https://docs.securityonion.net/en/2.4/soup.html

Before updating your production deployment, we highly recommend testing the upgrade process on a test deployment that closely matches your production deployment if possible.

If you haven't already upgraded to 2.4.70 then, in preparation for the new Detections module, the following will be completed during soup:

Playbook Plays will be backed up to /nsm/backup/detections-migration/ and any active Elastalert rules will be backed up and removed.
Suricata tuning configurations will be backed to /nsm/backup/detections-migration/ and any thresholds will be migrated over to the new Detections module.

2.3 EOL

As a reminder, Security Onion 2.3 reached End Of Life (EOL) on April 6, 2024:

https://blog.securityonion.net/2023/10/6-month-eol-notice-for-security-onion-23.html

Thanks

Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

Josh Brower
Jason Ertel
Wes Lambert
Corey Ogburn
Josh Patterson
Mike Reeves

Questions, Problems, and Feedback

If you have any questions or problems relating to Security Onion 2.4, please use the 2.4 category at our Discussions site:

https://github.com/Security-Onion-Solutions/securityonion/discussions/categories/2-4

Coming Soon: Security Onion Pro

Next month, we plan to officially announce Security Onion Pro which includes many enterprise features that folks have been asking for:

Open ID Connect (OIDC)
Data at Rest Encryption
FIPS for the OS
DoD STIG for the OS
External Notifications in SOC
Time Tracking inside of Cases
Guaranteed Message Delivery

You can read more about these enterprise features in the documentation:

https://docs.securityonion.net/en/2.4/pro.html

We'll provide more information next month, but if you'd like to go ahead and start a discussion with our sales team you can reach them using any of the contact forms at https://securityonionsolutions.com.

Training

Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training!

https://securityonion.net/training

Security Onion Solutions Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware

Cloud Installations

For new Security Onion 2 installations in the cloud, Security Onion 2.4 will soon be available on the AWS, Azure, and GCP marketplaces!

AWS Marketplace and Documentation:

https://securityonion.net/aws/?ref=_ptnr_soc_blog_240529

https://docs.securityonion.net/en/2.4/cloud-amazon.html

Azure Marketplace and documentation:

https://securityonion.net/azure

https://docs.securityonion.net/en/2.4/cloud-azure.html

GCP Marketplace and documentation:

https://securityonion.net/google

https://docs.securityonion.net/en/2.4/cloud-google.html

Screenshot Tour

If you want the quickest and easiest way to try out Security Onion 2.4, just follow the screenshots below to install an Import node. This can be done in a minimal VM with only 4GB RAM! For more information, please see:

https://docs.securityonion.net/en/2.4/first-time-users.html