Threat Hunting with Security Onion

The basics of threat hunting utilizing Security Onion 2.4


Last updated 2 years ago

Introduction

Security Onion comes out of the box well configured for basic threat hunting. There are a few different avenues of approach for drilling down on an alert or on suspicious activity. The first is the Security Onion Hunt page, and the second is Kibana. They visualize data differently and use different query languages, but they ultimately display the same underlying data. Refer to the Security Onion documentation for more information. The free Security Onion Essentials training linked at the bottom of the page is a basic overview of how to hunt through Security Onion.

Elastic Agent

The information below is taken from the official Elastic Agent documentation (linked at the bottom of the page).

Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. A single agent makes it easier and faster to deploy monitoring across your infrastructure. Each agent has a single policy you can update to add integrations for new data sources, security protections, and more.

As the following diagram illustrates, Elastic Agent can monitor the host where it’s deployed, and it can collect and forward data from remote services and hardware where direct deployment is not possible.

Alerts

A good place to start searching for malicious activity is the "Alerts" page. It displays Suricata alerts, which you can use as pivot points to drill down into the related traffic.

Dashboards

The Dashboards page has multiple pre-made dashboards for visualizing common data in Security Onion.

Hunt

The Hunt page runs hunt queries against the data ingested into Security Onion and shows grouped metrics (counts per field value) for the results.

Cases

When you find indicators of compromise, you can use the Cases tab to create a case for that data. You can store information found in the Alerts, Dashboards, and Hunt tabs, add comments, and manage the case.
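The Alerts, Hunt, and Cases workflow described above (pivot from a Suricata alert, group results by a field, then record what was found) can be reproduced offline against raw Suricata EVE JSON, which is the format Security Onion ingests. The following is an added example, not code from Security Onion or from the original page. The EVE records are constructed sample data; signature id 2100498 is the well-known GPL "id check returned root" rule, while signature id 9000001 and the alert names and IP addresses are placeholders. Field names follow Suricata's native EVE schema rather than Security Onion's ECS mapping, which is an assumption about the input.

```python
import json
from collections import Counter

# Constructed Suricata EVE JSON sample (not real traffic). One record per line,
# as written by Suricata and shipped to Security Onion by Elastic Agent.
# Includes a non-alert flow record and a malformed line to show they are skipped.
SAMPLE_EVE = """
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10"}
{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.7","src_port":44321,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51300,"dest_ip":"198.51.100.20","dest_port":53,"proto":"UDP","alert":{"signature_id":9000001,"signature":"PLACEHOLDER DNS query to unusual TLD","category":"Potentially Bad Traffic","severity":3}}
this line is not json
{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51301,"dest_ip":"198.51.100.20","dest_port":53,"proto":"UDP","alert":{"signature_id":9000001,"signature":"PLACEHOLDER DNS query to unusual TLD","category":"Potentially Bad Traffic","severity":3}}
"""


def parse_eve(text):
    """Return only alert records; skip blank, malformed and non-alert lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a broken line must not abort the whole hunt
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def _get(rec, dotted):
    """Resolve a dotted field path such as 'alert.signature' inside a record."""
    for part in dotted.split("."):
        rec = rec.get(part) if isinstance(rec, dict) else None
    return rec


def group_by(alerts, field):
    """Grouped counts, the same shape as the Hunt page's group-by metrics.

    Returns a list of (value, count) sorted by count descending, then value.
    """
    counts = Counter(_get(a, field) for a in alerts)
    return sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))


def drill_down(alerts, signature_id):
    """Pivot from one alert signature to the hosts and time window involved."""
    hits = [a for a in alerts if _get(a, "alert.signature_id") == signature_id]
    return {
        "signature_id": signature_id,
        "signature": hits[0]["alert"]["signature"] if hits else None,
        "count": len(hits),
        "sources": sorted({a["src_ip"] for a in hits}),
        "destinations": sorted({a["dest_ip"] for a in hits}),
        # timestamps share one format, so string comparison orders them correctly
        "first_seen": min(a["timestamp"] for a in hits) if hits else None,
        "last_seen": max(a["timestamp"] for a in hits) if hits else None,
    }


def case_note(pivot):
    """Render a drill-down result as the text you would paste into a Case."""
    return (
        f"Signature {pivot['signature_id']} ({pivot['signature']}): "
        f"{pivot['count']} alert(s) from {', '.join(pivot['sources'])} "
        f"to {', '.join(pivot['destinations'])} "
        f"between {pivot['first_seen']} and {pivot['last_seen']}"
    )


if __name__ == "__main__":
    alerts = parse_eve(SAMPLE_EVE)
    print("alerts by signature:", group_by(alerts, "alert.signature"))
    print("alerts by source:", group_by(alerts, "src_ip"))
    print(case_note(drill_down(alerts, 2100498)))
```

Running the script prints the grouped counts first (the view the Hunt page gives you) and then the one-line summary for the signature you pivoted on, which is the kind of finding you would attach to a case. Swap `SAMPLE_EVE` for the contents of a real eve.json file to use it on your own data.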

Below is the Security Onion Essentials playlist on YouTube, which covers the basics of threat hunting with Security Onion.

Kibana

In Kibana you can visualize data and create dashboards using the Kibana Query Language (KQL), then hunt through those dashboards. It offers an alternative to the Security Onion tools. For more information, the videos below provide a basic overview of how to use Kibana to hunt.

Links

Fleet and Elastic Agent overview | Fleet and Elastic Agent Guide [7.16] | Elastic: https://www.elastic.co/guide/en/fleet/current/fleet-overview.html
Security Onion Essentials (YouTube playlist)