Friday, April 17, 2020

Security Onion Hybrid Hunter 1.2.1 - Beta 1 Available for Testing!

In 2018, Security Onion Solutions started working on the next major version of Security Onion, code-named Hybrid Hunter:
https://blog.securityonion.net/2018/11/security-onion-hybrid-hunter-101-tech.html

Today we are proud to release Security Onion, codenamed “Hybrid Hunter”, version 1.2.1, aka Beta 1. Hybrid Hunter 1.2.1 officially supports Ubuntu 18.04 and CentOS 7, which means it no longer supports Ubuntu 16.04. Our ISO image will continue to be based on CentOS 7 for the foreseeable future. There are plans to support CentOS 8 once podman reaches full compatibility with Docker.

This release moves us to Elastic 7 and begins to embrace the Elastic Common Schema (ECS). This change includes overhauled dashboards and a new "so-" prefix for Elasticsearch indices. Among other advantages, migrating to ECS means that other products using ECS should interoperate more easily with Hybrid Hunter. Over the next few releases, we plan to embrace ECS more fully. Stay tuned!

Finally, we are very excited to announce the introduction of the Security Onion Console! Over the next few releases, we will continue to improve and add more functionality to the Security Onion Console. Check it out and let us know what you think!

To read more and download Hybrid Hunter, please see:
https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/ISO
https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/master/README.md

If you have any questions about Hybrid Hunter, please post a message on our reddit community and prefix the title with [Hybrid Hunter]!
https://www.reddit.com/r/securityonion/


Major Highlights in this Release

  • Full support for Ubuntu 18.04. Ubuntu 16.04 is no longer supported for Hybrid Hunter.
  • Elastic 7.6.1 with ECS support
  • New set of Kibana dashboards that align with ECS
  • Introduction of the Security Onion Console. Once logged in, you are taken directly to the SOC.
  • New authentication using Kratos
  • Community ID support for Zeek, osquery, and Suricata. You can now tie host events to connection logs!
  • During install you must specify how you will access the SOC UI; this is required for strict cookie security.
  • Ability to list and delete web users from the SOC UI
  • The soremote account is now used to add nodes to the grid instead of socore.
  • Eval mode no longer uses Logstash for parsing (Filebeat -> ES Ingest)
  • Ingest node parsing for osquery-shipped logs (osquery, Windows event logs, Sysmon)
  • Fleet standalone mode with improved Web UI & API access control
  • Improved Fleet integration support
  • Playbook now has the full Windows Sigma community ruleset built in
  • Automatic Sigma community rule updates
  • Playbook stability enhancements
  • Zeek health check: Zeek will now auto-restart if a worker crashes
  • zeekctl is now managed by Salt
  • Grafana dashboard improvements and cleanup
  • Logstash configs moved to Salt pillars
  • Salt logs moved to /opt/so/log/salt
  • Strelka integrated for file-oriented detection/analysis at scale
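As an added example (not code from the Security Onion project), here is the Community ID v1 flow hash that makes the host-to-network join in the highlights above possible, applied to a constructed Zeek conn.log record and a constructed osquery socket event (hypothetical values) that hash to the same ID even though each side sees the connection in the opposite direction:

```python
import base64
import hashlib
import ipaddress
import struct

# IANA protocol numbers for the port-bearing transports handled here.
PROTO = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id(proto, src_ip, src_port, dst_ip, dst_port, seed=0):
    """Community ID v1 for a TCP/UDP/SCTP flow: canonical endpoint order
    (lower address first, lower port on a tie) so both directions hash alike,
    then SHA-1 over seed | saddr | daddr | proto | pad | sport | dport."""
    saddr = ipaddress.ip_address(src_ip).packed
    daddr = ipaddress.ip_address(dst_ip).packed
    if (saddr, src_port) > (daddr, dst_port):
        saddr, daddr = daddr, saddr
        src_port, dst_port = dst_port, src_port
    data = (struct.pack("!H", seed) + saddr + daddr
            + struct.pack("!BBHH", PROTO[proto.lower()], 0, src_port, dst_port))
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


# Constructed sample records (not taken from the page). The Zeek conn.log entry
# is seen by the sensor; the osquery socket event comes from the server host,
# so its local/remote sides are reversed relative to Zeek's orig/resp.
ZEEK_CONN = {"uid": "CExample1", "proto": "tcp",
             "id.orig_h": "10.0.0.5", "id.orig_p": 51234,
             "id.resp_h": "10.0.0.80", "id.resp_p": 443}
OSQUERY_SOCKET = {"protocol": "tcp", "path": "/usr/sbin/nginx",
                  "local_address": "10.0.0.80", "local_port": 443,
                  "remote_address": "10.0.0.5", "remote_port": 51234}


def correlate(zeek_conn, osquery_socket):
    """Join a host socket event to a network connection by Community ID;
    returns the matched uid/process pair, or None when the hashes differ."""
    net_id = community_id(zeek_conn["proto"], zeek_conn["id.orig_h"],
                          zeek_conn["id.orig_p"], zeek_conn["id.resp_h"],
                          zeek_conn["id.resp_p"])
    host_id = community_id(osquery_socket["protocol"],
                           osquery_socket["local_address"],
                           osquery_socket["local_port"],
                           osquery_socket["remote_address"],
                           osquery_socket["remote_port"])
    if net_id != host_id:
        return None
    return {"community_id": net_id, "uid": zeek_conn["uid"],
            "process": osquery_socket["path"]}
```

In a real grid the same join is done in Kibana by pivoting on the `community_id` field that Zeek, Suricata and osquery now all emit; the seed must be identical on every producer or the IDs will not line up.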

Thanks

Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

Josh Brower
Jason Ertel
Wes Lambert
Josh Patterson
Mike Reeves
William Wernert


Screenshots

Security Onion Console - User Administration

Security Onion Console - User Details

Security Onion Console - Deleting User

Security Onion Console - Downloads
