Showing posts with label fleet.

Monday, November 6, 2023

Security Onion 2.4 Feature o' the Day - Configure Elastic Fleet

Security Onion 2.4 includes lots of new features! SOC's new Configuration interface allows you to configure Elastic Fleet:



You can read more about this in our documentation:

https://docs.securityonion.net/en/2.4/elastic-fleet.html


More Security Onion 2.4 Features


To see other Security Onion 2.4 features, please see our other Feature o' the Day blog posts:

https://blog.securityonion.net/search/label/feature%20o%27%20the%20day


You can also check out our Release Notes:

https://docs.securityonion.net/en/2.4/release-notes.html


Migrating from 2.3 to 2.4


If you're still running Security Onion 2.3, please note that it reaches End Of Life on April 6, 2024:

https://blog.securityonion.net/2023/10/6-month-eol-notice-for-security-onion-23.html


If you would like to migrate your data from 2.3 to 2.4, you can find an overview of the process at:

https://docs.securityonion.net/en/2.4/appendix.html


Thursday, July 25, 2019

Security Onion Hybrid Hunter 1.1.0 ALPHA Available for Testing!

We recently announced Security Onion Hybrid Hunter:
https://blog.securityonion.net/2018/11/security-onion-hybrid-hunter-101-tech.html

We're excited to announce that Hybrid Hunter 1.1.0 is now available for testing and is considered our ALPHA release!
https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/master/README.md


Major highlights of this ALPHA release:


  • Alpha is here!! Check out the Hybrid Hunter Quick Start Guide.
  • There is a new PCAP interface called Sensoroni. You can pivot directly from Kibana to Sensoroni via the _id field.
  • Bond interface setup now uses nmcli for better compatibility in the network based setup script.
  • Filebeat traffic for HH components now uses a separate port (5644). This leaves the default Beats port (5044) free for your own Beats shippers and lets you choose how to secure it. We still recommend full SSL via Filebeat; if you already have external Beats set up, you will need to point them at port 5044. We will continue to refine this in future versions.
  • Authentication is now enabled by default for all the web-based components. There will be some major changes to how authentication is handled in general before we get to BETA, due to Elastic "Features" and other components.
  • Add users to the web interface via so-user-add and follow the prompts.
  • so-allow now exists to make your life easier.
  • Bro 2.6.2.
  • All Docker images were updated to reflect Alpha status.
  • Disabled DEBUG logging on a lot of components to reduce space usage.
  • Added a rule update cron job so the master pulls new rules down every day at 7AM UTC.
  • You can now manually run a rule update using the so-rule-update command.
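The Filebeat item above leaves the security of the default Beats port to you. As an added illustration (not part of the original post or of the Security Onion project), this is the shape of a Filebeat `output.logstash` section that sends to port 5044 with TLS enabled, which is the "full SSL" option the release notes recommend. The hostname and certificate paths are placeholders; the receiving side must have a server certificate signed by the CA listed here, and must be configured to require client certificates for the mutual-TLS part to have any effect.

```yaml
# Added example, not Security Onion configuration. Hostname and paths are placeholders.
output.logstash:
  # Default Beats port on the master; HH's own internal Filebeat now uses 5644 instead.
  hosts: ["hh-master.example.local:5044"]

  ssl.enabled: true

  # CA that signed the Logstash server certificate. Without this, Filebeat falls back
  # to the system trust store and a self-signed server certificate will be rejected.
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]

  # Client certificate and key so the server can authenticate this shipper (mutual TLS).
  # Only meaningful if the Logstash beats input is configured with ssl_verify_mode => "force_peer".
  ssl.certificate: "/etc/filebeat/certs/client.crt"
  ssl.key: "/etc/filebeat/certs/client.key"

  # "full" verifies both the certificate chain and the hostname. The weak alternative,
  # ssl.verification_mode: "none", accepts any certificate and should stay out of production.
  ssl.verification_mode: "full"
```

The relevant security property is the combination of `ssl.certificate_authorities` and `ssl.verification_mode: "full"`: together they stop an on-path host from impersonating the collector. Dropping either one keeps the traffic encrypted but removes the authentication of the endpoint you are shipping logs to.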


Thanks to the following for all of their work on this release!
Mike Reeves
Wes Lambert
Dustin Lee
Josh Brower
William Wernert

And special thanks to Jason Ertel for his work on Sensoroni!

Screenshots

Pivoting from Kibana to Sensoroni
Sensoroni showing overview of pcap data


Sensoroni showing detail of pcap data

Sensoroni showing ASCII transcript of pcap data

Wednesday, May 8, 2019

Security Onion Hybrid Hunter 1.0.8 Tech Preview Available for Testing!

We recently announced Security Onion Hybrid Hunter:
https://blog.securityonion.net/2018/11/security-onion-hybrid-hunter-101-tech.html

We're excited to announce that Hybrid Hunter 1.0.8 is now available for testing!
https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/master/README.md

Major highlights of this release:

  • Suricata 4.1.4
  • Eval and Master installs now ask which components you would like to install
  • Fleet (osquery) now has its own additional setup script (please see the docs)
  • The Fleet setup script now generates auto-install packages for Windows, CentOS, and Ubuntu
  • When Fleet setup is completed, all SO nodes will automatically install the appropriate auto-install package
  • We now have a progress bar during install!
  • The setup script will now tell you if it was successful

Thanks to Josh Brower for his additional work on the osquery integration!

Screenshots

Installation

Main Web Page with link to OSquery

Osquery Page with prebuilt binaries

Fleet showing endpoints

osquery dashboard in Kibana

Friday, January 25, 2019

Security Onion Hybrid Hunter 1.0.6 Tech Preview Available for Testing!

We recently announced Security Onion Hybrid Hunter:
https://blog.securityonion.net/2018/11/security-onion-hybrid-hunter-101-tech.html

We're excited to announce that Hybrid Hunter 1.0.6 is now available for testing!
https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/master/README.md

Major highlights of this release:

  • Added osquery query packs from Palantir.
  • Fully integrated Fleet support. You can now pivot directly from Kibana to the Fleet interface and interact with hosts via the LiveQuery hyperlinks.

For more information, please see the Changelog:
https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Changelog

Kolide Fleet Query Packs

Osquery Dashboard


Friday, December 14, 2018

Security Onion Hybrid Hunter 1.0.5 Tech Preview Available for Testing!

We recently announced Security Onion Hybrid Hunter:
https://blog.securityonion.net/2018/11/security-onion-hybrid-hunter-101-tech.html

We're excited to announce that Hybrid Hunter 1.0.5 is now available for testing!
https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/master/README.md

This release includes Kolide Fleet for managing osquery deployments and many other improvements! For more information, please see the Changelog:
https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Changelog

Kolide Fleet
