Monday, October 30, 2023

Security Onion 2.4 Feature o' the Day - Configure Backups

Security Onion 2.4 includes lots of new features! SOC's new Configuration interface allows you to configure where you want to store backups:


You can read more about this in our documentation:
https://docs.securityonion.net/en/2.4/backup.html


More Security Onion 2.4 Features

To see other Security Onion 2.4 features, please see our other Feature o' the Day blog posts:
https://blog.securityonion.net/search/label/feature%20o%27%20the%20day


You can also check out our Release Notes:
https://docs.securityonion.net/en/2.4/release-notes.html


Migrating from 2.3 to 2.4

If you're still running Security Onion 2.3, please note that it reaches End Of Life on April 6, 2024:
https://blog.securityonion.net/2023/10/6-month-eol-notice-for-security-onion-23.html


If you would like to migrate your data from 2.3 to 2.4, you can find an overview of the process at:
https://docs.securityonion.net/en/2.4/appendix.html

Friday, October 27, 2023

Security Onion 2.4 Feature o' the Day - SOC Grid Improvements

Security Onion 2.4 includes lots of new features! SOC's Grid interface has been much improved to show more status information about your nodes:


You can read more about this in our documentation:
https://docs.securityonion.net/en/2.4/grid.html


More Security Onion 2.4 Features

To see other Security Onion 2.4 features, please see our other Feature o' the Day blog posts:
https://blog.securityonion.net/search/label/feature%20o%27%20the%20day


You can also check out our Release Notes:
https://docs.securityonion.net/en/2.4/release-notes.html


Migrating from 2.3 to 2.4

If you're still running Security Onion 2.3, please note that it reaches End Of Life on April 6, 2024:
https://blog.securityonion.net/2023/10/6-month-eol-notice-for-security-onion-23.html


If you would like to migrate your data from 2.3 to 2.4, you can find an overview of the process at:
https://docs.securityonion.net/en/2.4/appendix.html


Thursday, October 26, 2023

Security Onion 2.4 Feature o' the Day - Manage Nodes via SOC

Security Onion 2.4 includes lots of new features! You can now add and remove nodes from SOC's Administration section:


You can read more about this in our documentation:

https://docs.securityonion.net/en/2.4/administration.html#grid-members


More Security Onion 2.4 Features


To see other Security Onion 2.4 features, please see our other Feature o' the Day blog posts:

https://blog.securityonion.net/search/label/feature%20o%27%20the%20day


You can also check out our Release Notes:

https://docs.securityonion.net/en/2.4/release-notes.html


Migrating from 2.3 to 2.4


If you're still running Security Onion 2.3, please note that it reaches End Of Life on April 6, 2024:

https://blog.securityonion.net/2023/10/6-month-eol-notice-for-security-onion-23.html


If you would like to migrate your data from 2.3 to 2.4, you can find an overview of the process at:

https://docs.securityonion.net/en/2.4/appendix.html


Wednesday, October 25, 2023

Security Onion 2.4 Feature o' the Day - Manage User Accounts via SOC

Security Onion 2.4 includes lots of new features! You can now manage user accounts via SOC!

When you drill into a user account, you can:

  • change first and last name
  • update the Note field
  • modify the user roles
  • reset the user password
  • lock the user account
  • delete the user account


You can read more about this in our documentation:
https://docs.securityonion.net/en/2.4/administration.html#users


More Security Onion 2.4 Features

To see other Security Onion 2.4 features, please see our other Feature o' the Day blog posts:
https://blog.securityonion.net/search/label/feature%20o%27%20the%20day


You can also check out our Release Notes:
https://docs.securityonion.net/en/2.4/release-notes.html


Migrating from 2.3 to 2.4

If you're still running Security Onion 2.3, please note that it reaches End Of Life on April 6, 2024:
https://blog.securityonion.net/2023/10/6-month-eol-notice-for-security-onion-23.html


If you would like to migrate your data from 2.3 to 2.4, you can find an overview of the process at:
https://docs.securityonion.net/en/2.4/appendix.html

Tuesday, October 24, 2023

Security Onion 2.4 Feature o' the Day - SOC can now import PCAP and EVTX files

Security Onion 2.4 includes lots of new features! SOC can now import PCAP and EVTX files!


You can read more about this in our documentation:
https://docs.securityonion.net/en/2.4/grid.html#icons-in-lower-left-corner


More Security Onion 2.4 Features

To see other Security Onion 2.4 features, please see our other Feature o' the Day blog posts:
https://blog.securityonion.net/search/label/feature%20o%27%20the%20day


You can also check out our Release Notes:
https://docs.securityonion.net/en/2.4/release-notes.html


Migrating from 2.3 to 2.4

If you're still running Security Onion 2.3, please note that it reaches End Of Life on April 6, 2024:
https://blog.securityonion.net/2023/10/6-month-eol-notice-for-security-onion-23.html


If you would like to migrate your data from 2.3 to 2.4, you can find an overview of the process at:
https://docs.securityonion.net/en/2.4/appendix.html


10% Early Bird discount for Security Onion Fundamentals for Analysts & Threat Hunters Class in December 2023!

We've scheduled the next run of our 4-day Security Onion Fundamentals for Analysts & Threat Hunters class!

Use promo code earlybird by November 3, 2023 to receive 10% off!

For more details and to register, please see:
https://securityoniondec2023.eventbrite.com/

If you have any questions about this class, please use the Contact link on the bottom of the Eventbrite page.

For other training options, please see:
https://securityonionsolutions.com/training/

Monday, October 23, 2023

Security Onion 2.4 Feature o' the Day - Dynamic Observable Extraction in SOC Cases

Security Onion 2.4 includes lots of new features! SOC Cases now supports dynamic observable extraction! For example, we escalated this alert to a case:


Going to Cases and then the Events tab, we see the escalated alert:

Going to the Observables tab, we see that the IP addresses were automatically extracted as observables:


You can read more about Cases and Observables in our documentation:
https://docs.securityonion.net/en/2.4/cases.html


More Security Onion 2.4 Features

To see other Security Onion 2.4 features, please see our other Feature o' the Day blog posts:
https://blog.securityonion.net/search/label/feature%20o%27%20the%20day


You can also check out our Release Notes:
https://docs.securityonion.net/en/2.4/release-notes.html


Migrating from 2.3 to 2.4

If you're still running Security Onion 2.3, please note that it reaches End Of Life on April 6, 2024:

If you would like to migrate your data from 2.3 to 2.4, you can find an overview of the process at:

Friday, October 20, 2023

Quick Malware Analysis: TA577 PIKABOT INFECTION WITH COBALT STRIKE pcap from 2023-10-17

Thanks to Brad Duncan for sharing this pcap:
https://www.malware-traffic-analysis.net/2023/10/17/index.html

We did a quick analysis of this pcap on the NEW Security Onion 2.4. If you'd like to follow along, you can do the following:

The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:
https://blog.securityonion.net/search/label/quick%20malware%20analysis

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines. Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see https://securityonion.net.

Screenshots

First, we start with the overview of all alerts and logs:


Next, let's focus on just the alerts:


Notice that there are several alerts for one TCP stream:


Let's pivot to PCAP for that TCP stream:


Now switch to ASCII transcript to see the EXE download:


Next, let's look at an overview of all protocol metadata:


Drilling into HTTP transactions, we see the EXE that we saw in the alerts but we also see another interesting file:


This file is a zip file:


Here's another look at all files transferred via HTTP:


Here are all the DNS lookups:


Here are the SSL/TLS transactions:


Here are the invalid SSL/TLS certs:


Finally, here is an overview of all network connections:



Security Onion 2.4 Feature o' the Day - SOC Numeric Ops

Security Onion 2.4 includes lots of new features! Security Onion Console (SOC) now includes pivots for relational operators on numbers:


You can read more about this feature in our documentation:
https://docs.securityonion.net/en/2.4/dashboards.html#numeric-ops


More Security Onion 2.4 Features

To see other Security Onion 2.4 features, please see our other Feature o' the Day blog posts:
https://blog.securityonion.net/search/label/feature%20o%27%20the%20day


You can also check out our Release Notes:
https://docs.securityonion.net/en/2.4/release-notes.html


Migrating from 2.3 to 2.4

If you're still running Security Onion 2.3, please note that it reaches End Of Life on April 6, 2024:
https://blog.securityonion.net/2023/10/6-month-eol-notice-for-security-onion-23.html


If you would like to migrate your data from 2.3 to 2.4, you can find an overview of the process at:
https://docs.securityonion.net/en/2.4/appendix.html


Thursday, October 19, 2023

Security Onion 2.4 Feature o' the Day - Add Observables Directly to Cases

Security Onion 2.4 includes lots of new features! One of the new features that you'll notice in Security Onion Console is that when you go into Alerts, Dashboards, or Hunt you now have the ability to add an observable directly to a case:

You can read more about this feature in our documentation:
https://docs.securityonion.net/en/2.4/dashboards.html#actions


If you're still running Security Onion 2.3, please note that it reaches End Of Life on April 6, 2024:
https://blog.securityonion.net/2023/10/6-month-eol-notice-for-security-onion-23.html


If you would like to migrate your data from 2.3 to 2.4, you can find an overview of the process at:
https://docs.securityonion.net/en/2.4/appendix.html

Wednesday, October 18, 2023

Security Onion 2.4 Feature o' the Day - Passwordless Login

Security Onion 2.4 includes lots of new features! One of the first new features that you'll notice in 2.4 is the passwordless login option:


You can read more about this feature in our documentation:
https://docs.securityonion.net/en/2.4/passwords.html#passwordless-logins-to-soc

Friday, October 13, 2023

Security Onion Documentation printed book now updated for the new Security Onion 2.4!
We've been offering our Security Onion documentation in book form on Amazon for a few years and it's now been updated for Security Onion 2.4!
Thanks to Richard Bejtlich for writing the inspiring foreword!
Proceeds go to the Rural Technology Fund!
This edition has been updated for Security Onion 2.4 and includes a 20% discount code for our on-demand training and certification! It is also the first edition of our book that is in FULL COLOR!

This book covers the following Security Onion topics:

  • First Time Users
  • Getting Started
  • Security Onion Console (SOC)
  • Security Onion Desktop
  • Network Visibility
  • Host Visibility
  • Logs
  • Updating
  • Accounts
  • Services
  • Customizing for Your Environment
  • Tuning
  • Tricks and Tips
  • Utilities

Q&A

What is the difference between this book and the online documentation?

This book is the online documentation formatted specifically for print. It also includes an inspiring foreword by Richard Bejtlich that is not available anywhere else! Proceeds go to the Rural Technology Fund! Finally, the printed book includes a 20% discount code for our on-demand training and certification.

Who should get this book?

You should get this book if you work on airgap networks or simply want a portable reference that doesn't require an Internet connection or batteries! Also anyone who wants to donate to a worthy cause like Rural Technology Fund!

What is the difference between this edition and the previous edition?

This edition has been updated for Security Onion 2.4 and is now in FULL COLOR!

Where do we get it?

https://securityonion.net/book


Security Onion Conference 2023 Videos are now available!
These recordings are also available at https://securityonion.net/conference.

Don't forget to subscribe to our YouTube channel to help us reach 10K subscribers!

Thursday, October 12, 2023

Security Onion 2.4.20 Hotfix 20231012 Now Available!

We recently released Security Onion 2.4.20:
https://blog.securityonion.net/2023/10/security-onion-2420-now-available.html

Today, we are releasing a hotfix which resolves an issue with Elastic Defend:
https://docs.securityonion.net/en/2.4/release-notes.html

New Installations

If you want to perform a new installation, please review the documentation and then you can find instructions here:
https://docs.securityonion.net/en/2.4/download.html

Existing 2.4 Installations

If you have an existing installation of 2.4.20, then you should update to this hotfix. If your 2.4 installation is RC or GA (not Beta), then you can run soup to update.

For more information about the update process, please see:
https://docs.securityonion.net/en/2.4/soup.html

Known Issues

There is a known issue with the Elastic Agent and Elastic Defend on macOS Sonoma.

Questions, Problems, and Feedback

If you have any questions or problems relating to Security Onion 2.4, please use the new 2.4 category at our Discussions site:
https://github.com/Security-Onion-Solutions/securityonion/discussions/categories/2-4

Training

Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training!

https://securityonion.net/training


Security Onion Solutions Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware



Friday, October 6, 2023

Security Onion 2.4.20 now available including some new features and lots of bug fixes!

Recently, we announced that Security Onion 2.4 has reached General Availability (GA) by releasing Security Onion 2.4.10:
https://blog.securityonion.net/2023/08/security-onion-24-has-reached-general.html

Today, we are excited to announce that Security Onion 2.4.20 is now available! It includes some new features and lots of bug fixes!
https://docs.securityonion.net/en/2.4/release-notes.html#changes


About Security Onion

Security Onion is a free and open platform built by defenders for defenders. It includes network visibility, host visibility, intrusion detection honeypots, log management, and case management. 

For network visibility, we offer signature based detection via Suricata, rich protocol metadata and file extraction using your choice of either Zeek or Suricata, full packet capture via Stenographer, and file analysis via Strelka. For host visibility, we offer the Elastic Agent which provides data collection, live queries via osquery, and centralized management using Elastic Fleet. Intrusion detection honeypots based on OpenCanary can be added to your deployment for even more enterprise visibility. All of these logs flow into Elasticsearch and we’ve built our own user interfaces for alerts, dashboards, threat hunting, case management, and grid management. 

Security Onion has been downloaded over 2 million times and is being used by security teams around the world to monitor and defend their enterprises. Our easy-to-use Setup wizard allows you to build a distributed grid for your enterprise in minutes!

Documentation

You can find our online documentation here:
https://docs.securityonion.net/en/2.4/

Documentation is always a work in progress. If you find documentation that needs to be updated, please let us know as described in the Feedback section below.

New Installations

If this is your first time installing Security Onion 2.4, then we highly recommend starting with an IMPORT installation as shown at:
https://docs.securityonion.net/en/2.4/first-time-users.html

Once you’re comfortable with your IMPORT installation, then you can move on to more advanced installations as shown at:
https://docs.securityonion.net/en/2.4/architecture.html

Existing 2.4 Installations

If you have an existing Security Onion 2.4 installation, you can update to the latest version using soup:
https://docs.securityonion.net/en/2.4/soup.html

2.3 EOL

Security Onion 2.3 will reach End Of Life (EOL) on April 6, 2024:
https://blog.securityonion.net/2023/10/6-month-eol-notice-for-security-onion-23.html

Thanks

Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

  • Josh Brower
  • Jason Ertel
  • Wes Lambert
  • Corey Ogburn
  • Josh Patterson
  • Mike Reeves

Questions, Problems, and Feedback

If you have any questions or problems relating to Security Onion 2.4, please use the new 2.4 category at our Discussions site:
https://github.com/Security-Onion-Solutions/securityonion/discussions/categories/2-4

Training

Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training!

https://securityonion.net/training


Security Onion Solutions Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware


Cloud Installations

For new Security Onion 2 installations in the cloud, Security Onion 2.4 will soon be available on the AWS, Azure, and GCP marketplaces!

AWS Marketplace and Documentation:
https://securityonion.net/aws/?ref=_ptnr_soc_blog_231006
https://docs.securityonion.net/en/2.4/cloud-amazon.html

Azure Marketplace and documentation:
https://securityonion.net/azure
https://docs.securityonion.net/en/2.4/cloud-azure.html

GCP Marketplace and documentation:
https://securityonion.net/gcp
https://docs.securityonion.net/en/2.4/cloud-google.html

Screenshot Tour

If you want the quickest and easiest way to try out Security Onion 2.4, just follow the screenshots below to install an Import node. This can be done in a minimal VM with only 4GB RAM! For more information, please see:

https://docs.securityonion.net/en/2.4/first-time-users.html