Wednesday, May 29, 2024

Security Onion 2.4.70 now available including our new Detections interface and much more!

Security Onion 2.4.70 is now available! It includes some new features for our fellow defenders including our new Detections interface to help you take your detection engineering capabilities to the next level!

Security Onion is a cybersecurity platform built by defenders for defenders. For this release, we spent several MONTHS thinking through the defender workflow specifically around detection engineering. This resulted in a new interface called Detections that makes it super simple to tune your NIDS rules for Suricata, Sigma rules for ElastAlert, and YARA rules for Strelka.

We recently shared a sneak peek at Detections and you can find that video here:

Since that sneak peak video, Detections has gotten even better! 

Let's walk through the interface. First, we start with the main Detections page:

The upper-right corner shows a count of detections that matched the search query. To the left of that is a status indicator for each of the detection engines. The status can show whether a sync is in process, as well as whether the engine has detected errors. Clicking the status text will navigate to Hunt and attempt to find related logs.

The Detections menu option on the left side of the application will show an exclamation mark if there is a recent failure in any of the detection engines. In this situation the web browser tab will also show an exclamation indicator. If no failures are detected, and if any of the detection engines has an import pending or is performing a rule import, synchronization, or migration, then a blue hourglass will appear next to the Detections menu option.

The Options menu allows you to synchronize a particular detection engine such as ElastAlert, Strelka, or Suricata:

Once you’ve selected the detection engine that you want to synchronize, you can then click either the DIFFERENTIAL UPDATE or FULL UPDATE button:

  • The differential update is a lightweight sync that will skip the thorough sync and comparison of each individual rule. For example, with Suricata it will compute and compare the hash of the source rule list with the hash of the deployed rules, and only if there’s a mismatch will it perform the full sync.
  • A full sync can involve inspecting and comparing individual rules, of which there can be thousands. This more thorough sync can take much longer than the differential sync. Note that each engine has its own unique synchronization process.

To add a new rule, go to the main Detections page and click the blue + button between Options and the query bar. A form will appear where you will:

  • click the Language drop-down and select your desired rule language
  • optionally specify a license
  • add the signature
  • click the CREATE button and the detection should deploy to your grid at the next 15-minute cycle

To review and modify existing rules, there are two ways to reach the detail page:

  • From the main Detections interface, you can search for the desired detection and click the binoculars icon to the left of the rule title:


  • From the Alerts interface, you can click an alert and then click the Tune Detection menu item:

Once you’ve used one of these methods to reach the detection detail page, you can check the Status field in the upper-right corner and use the slider to enable or disable the detection.

To the left of the Status field are several tabs. The first tab on the left is the OVERVIEW tab and it displays the Summary, References, and Detection Logic for the detection:

The OPERATIONAL NOTES tab allows you to add your own local notes to the detection in markdown format:

The DETECTION SOURCE tab shows the full content of the detection:

The TUNING tab allows you to tune the detection. For NIDS rules, you can modify, suppress, or threshold. For Sigma rules, you can create a custom filter. For example, here is a NIDS suppression:

The HISTORY tab shows the history of the detection since it was added to your deployment:

Here's an example of a Sigma rule:

Here's an example of a YARA rule:

As you can see, Detections will help you take your detection engineering capabilities to the next level!

SOC Dashboards

In addition to Detections, we spent a lot of time updating SOC Dashboards! We updated just about every one of our existing default dashboards to standardize on a new sankey diagram format that will help you see relationships between different fields more clearly and filter those fields more quickly. We also added column definitions for many different data types to aid you in your hunting expeditions. This release also includes a complete set of dashboards for Elastic Agent:

We also added new dashboards for NetFlow, Kismet, and more:

Elastic Integrations

This release adds a new Elastic integration for CEF. You can find our full list of supported Elastic integrations at:


Starting in this release, Security Onion Console (SOC) can optionally send telemetry data to Google Analytics. 

During setup, or during non-automated soup invocations, the user must choose to enable or disable SOC telemetry collection.

After installation, grid administrators can enable or disable SOC Telemetry via the configuration interface. Search for SOC Telemetry in the Configuration screen.

The purpose of this telemetry is to help the Security Onion development team improve the product. Specifically, by knowing which user-interface features are being used, and how the user interacts with the SOC user interface, the development team can better prioritize new features, improvements to the existing user interface, and begin deprecating features that are rarely used. Deprecating unused features will help developers avoid spending their time and effort maintaining and upgrading areas of the product that aren’t widely used. This allows more time to be spent on new features and bug fixes, directly benefiting Security Onion users.

For more information, please see the Telemetry section of the docs:

Other Features and Fixes

There are many more features and fixes included in this release! For a complete list of all changes, please see the Release Notes:

Known Issues

For a list of known issues, please see:

About Security Onion

Security Onion is a free and open platform built by defenders for defenders. It includes network visibility, host visibility, intrusion detection honeypots, log management, and case management. 

For network visibility, we offer signature based detection via Suricata, rich protocol metadata and file extraction using your choice of either Zeek or Suricata, full packet capture, and file analysis. For host visibility, we offer the Elastic Agent which provides data collection, live queries via osquery, and centralized management using Elastic Fleet. Intrusion detection honeypots based on OpenCanary can be added to your deployment for even more enterprise visibility. All of these logs flow into Elasticsearch and we’ve built our own user interfaces for alerts, dashboards, threat hunting, case management, and grid management. 

Security Onion has been downloaded over 2 million times and is being used by security teams around the world to monitor and defend their enterprises. Our easy-to-use Setup wizard allows you to build a distributed grid for your enterprise in minutes!


You can find our online documentation here:

Documentation is always a work in progress. If you find documentation that needs to be updated, please let us know as described in the Feedback section below.

New Installations

If this is your first time installing Security Onion 2.4, then we highly recommend starting with an IMPORT installation as shown at:

Once you’re comfortable with your IMPORT installation, then you can move on to more advanced installations as shown at:

Existing 2.4 Installations

If you have an existing Security Onion 2.4 installation, you can update to the latest version using soup:

Before updating your production deployment, we highly recommend testing the upgrade process on a test deployment that closely matches your production deployment if possible.

2.3 EOL

As a reminder, Security Onion 2.3 reached End Of Life (EOL) on April 6, 2024:


Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

  • Josh Brower
  • Jason Ertel
  • Wes Lambert
  • Corey Ogburn
  • Josh Patterson
  • Mike Reeves

Questions, Problems, and Feedback

If you have any questions or problems relating to Security Onion 2.4, please use the 2.4 category at our Discussions site:


Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training!

Security Onion Solutions Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

Cloud Installations

For new Security Onion 2 installations in the cloud, Security Onion 2.4 will soon be available on the AWS, Azure, and GCP marketplaces!

AWS Marketplace and Documentation:

Azure Marketplace and documentation:

GCP Marketplace and documentation:

Screenshot Tour

If you want the quickest and easiest way to try out Security Onion 2.4, just follow the screenshots below to install an Import node. This can be done in a minimal VM with only 4GB RAM! For more information, please see:

No comments:

Search This Blog

Featured Post

Quick Malware Analysis: WORD MACRO --> SSLOAD --> COBALT STRIKE pcap from 2024-04-18

Thanks to Brad Duncan for sharing this pcap from 2024-04-18 on his malware traffic analysis site! Due to issues with Google flagging a warni...

Popular Posts

Blog Archive