Wednesday, May 20, 2020

Security Onion Hybrid Hunter 1.3.0 - Beta 2 Available for Testing!

In 2018, Security Onion Solutions started working on the next major version of Security Onion, code-named Hybrid Hunter:

Today we are proud to release Security Onion "Hybrid Hunter” 1.3.0 AKA Beta 2 and it has some amazing new features and improvements!

The biggest new feature in this release is a brand new web interface for hunting through your logs. Once you've logged into the Security Onion Console, click the Hunt link and then choose one of the many pre-defined queries in the drop-down or write your own using Onion Query Language (OQL).  OQL is based on standard Lucene query syntax and allows you to optionally specify one or more fields to group by. For a few examples, check out the screenshot tour at the bottom of this blog post. This is the first public release of this new interface and we are firm believers in "release early, release often". We have lots of ideas for the future of this tool, but we want to hear your ideas as well.

This release also includes a new Standalone installation option that runs all of the major components on one box. It's similar to Eval mode but has more capabilities beyond just doing a quick evaluation.

Finally, this update includes lots of improvements for parsers, visualizations, dashboards, and Elastic Common Schema (ECS) support. We've done lots of testing along the way and we're ready for you to do some testing and let us know what you think!

To read more and download Hybrid Hunter, please see:

If you have any questions about Hybrid Hunter, please post a message on our reddit community and prefix the title with [Hybrid Hunter]!

Major Highlights in this Release


  • New Feature: Codename: "Onion Hunt". Select Hunt from the menu and start hunting down your adversaries!
  • Improved ECS support.
  • Complete refactor of the setup to make it easier to follow.
  • Improved setup script logging to better assist on any issues.
  • Setup now checks for minimal requirements during install.
  • Updated Cyberchef to version 9.20.3.
  • Updated Elastalert to version 0.2.4 and switched to alpine to reduce container size.
  • Updated Redis to 5.0.9 and switched to alpine to reduce container size.
  • Updated Salt to 2019.2.5
  • Updated Grafana to 6.7.3.
  • Zeek 3.0.6
  • Suricata 4.1.8
  • Fixes so-status to now display correct containers and status.
  • local.zeek is now controlled by a pillar instead of modifying the file directly.
  • Renamed so-core to so-nginx and switched to alpine to reduce container size.
  • Playbook now uses MySQL instead of SQLite.
  • Sigma rules have all been updated.
  • Kibana dashboard improvements for ECS.
  • Fixed an issue where geoip was not properly parsed.
  • ATT&CK Navigator is now it's own state.
  • Standalone mode is now supported.
  • Mastersearch previously used the same Grafana dashboard as a Search node. It now has its own dashboard that incorporates panels from the Master node and Search node dashboards.

Known Issues:

  • The Hunt feature is currently considered "Preview" and although very useful in its current state, not everything works. We wanted to get this out as soon as possible to get the feedback from you! Let us know what you want to see! Let us know what you think we should call it!
  • You cannot pivot to PCAP from Suricata alerts in Kibana or Hunt.
  • Updating users via the SOC ui is known to fail. To change a user, delete the user and re-add them.
  • Due to the move to ECS, the current Playbook plays may not alert correctly at this time.
  • The osquery MacOS package does not install correctly.


Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

  • Josh Brower
  • Jason Ertel
  • Wes Lambert
  • Josh Patterson
  • Mike Reeves
  • William Wernert


No comments:

Search This Blog

Featured Post

Security Onion 2.4.70 now available including our new Detections interface and much more!

Security Onion 2.4.70 is now available! It includes some new features for our fellow defenders including our new Detections interface to hel...

Popular Posts

Blog Archive