How is the network traffic collected? According to this? Tap or span port

I can’t see any alerts on the alerts interface , but I can see some on the detection interface and hunt interface

What if I am installing in my laptop and I am bringing over to class? In this case setting static gateway and IP will not work. How can I resolve that?

Thank you very much!

miss the suricata and logs of apps of pfsense, but great work, keep doing more, and integrations with flux

An osquery video would be awesome :)

hello thank you for these amazing sessions are cortex and theHive still integrated in SO 2.4? if no does it tolerate it as external extension?

I saw "Evaluation installs and Import installs do not support remote elastic agents. The links below are shown for demonstration purposes only." after I installed the eval version security onion following your installation guide video, is that means I have to install to other mode? Thank you.

I do not see a way to change severity by one click, or to suppress alert temporarily, or to automatically get IP etc from alert. So it looks as a good step but it is ONLY a FIRST STEP. For example,. we reclassify events in Zabbix all the time, we set up timed reclassifications often, we may need to update a GROUP of Detection rules at once. Idea is great but it looks as very first implementation yet. (Of course I can clone the rule, then change severity in the cloned rule and disable original rule. but why to do it so complicated? or we want to suppress all alerts 'traffic with ... group' whch we do by re: expression today - it's not implemented yet (looks this way) and there are 50+ IP groups and about 10 alerts per group... so what disable can do by single re: rule, detection will require 100 updates (looks like this).

How do you get gpg?

Any chance you paste the various command line inputs

So this (ISO) is for a full install? Is their an app interface to add to my Linus OS system?

Oh this will be very useful. Cool feature indeed, thank you!! Two things: 1. Any possibility of adding an optional Elastic Defend/Predefined Rules integration to that Detections menu? Currently it is buried in Kibana and requires some additional digging to add the Predefined Rule integration, then unhide the Security tab Kibana Spaces? 2. Any chance of upgrading the OSquery Manager to the Velociraptor platform to integrate that amazing tool's DFIR capabilities with the SOC/Elastic Agent?

somehow SYSMON integration not working or showing up as an integration for a windows box. i'd added SYSMON to the node after the agent was enrolled. does this require removal (big pains here also, it won't properly remove)? Would be great to have a guide for this. Also for Linux SYSMON

can this functionality work with pfsense comunity edition ?

I'm attempting to install securityonion iso on a physical device with no success as there is an error during the installation process. I want to try the mentioned "Manual Installation via other ISO Image" option but it doesn't exist on SecurityOnion's website anymore. Is that option no longer available? Anyone else struggle to install the iso on a physical device that can share some tips/resources? Thank you for making and sharing this video!

Followed instructions and stuck installations with problems. It intended to reach some url

Is there an in place upgrade option available?

I can't wait to upgrade! Is there an estimated release date? Great job team!

Here is additional details for yall: 1) 2 ethernet NICs (the plug thingy where ethernet cable goes) is required. 1st used for “accessing” the browser UI (when you type running machines IP address) and 2ed used for the port mirroring (receiving copy of all the network traffic from other port). IF YOU TRYING IN LAPTOP HARDWARE you can get additional USB TO ETHERNET bundle on Menards for cheap (16$) 2) Port mirroring is required so you need managed switch (switch that you can access and manually set up for port mirroring) 3) 16gb ram is required. The operating system is demanding. 4) IF YOU HAVE ALL IN ONE ROUTER: for monitoring wifi traffic you need additional Access Point (or additional router) and switch otherwise it wont work. overall fairly complicated to set up (8/10) BUT it worth it 100%, even for home usage. I detected malware that I would never guess existed 🤯 Hopefully this additional details helps yall. Big thanks to developers and community 🎉

Here is additional details for yall: 1) 2 ethernet NICs (the plug thingy where ethernet cable goes) is required. 1st used for “accessing” the browser UI (when you type running machines IP address) and 2ed used for the port mirroring (receiving copy of all the network traffic from other port). IF YOU TRYING IN LAPTOP HARDWARE you can get additional USB TO ETHERNET bundle on Menards for cheap (16$) 2) Port mirroring is required so you need managed switch (switch that you can access and manually set up for port mirroring) 3) 16gb ram is required. The operating system is demanding. 4) IF YOU HAVE ALL IN ONE ROUTER: for monitoring wifi traffic you need additional Access Point (or additional router) and switch otherwise it wont work. overall fairly complicated to set up (8/10) BUT it worth it 100%, even for home usage. I detected malware that I would never guess existed 🤯 Hopefully this additional details helps yall. Big thanks to developers and community 🎉

Thanks

This is one of the best user stories for an L1/L2 analyst to determine how to handle alerts, surface a case, and escalate it to the TH teams. Awesome! Looking forward to more!

Wow, this is a great improvement for tuning. Can't wait to give it a try!

awesome, just as i imagined it in my head! i will look forward to the update, sheesh this will shorten the tuning process by a lot. Thanks to the SO Team!!!

Wow, nice works Security Onion Team!! This will be a much better work flow

I've watched the new video at least four times. Super excited about the Detections module release. Great job!!!!

Huge quality of life upgrade thank you I'm really looking forward to updating

Is it possible to revert changes through history? Is there a rule validator in the Signarutre field? Will the syntax color highlighting appear?

This really is a great new feature. Can't wait to try it out.

Love it

Excellent keynote!

n it.nice beginning for me..

Does this still work?

our network firewall log is coming to my computer how can i send sec-onion?

Great example of installation for beginners. I want to use 2 host. One with standalone installation and one with IDH. From first prompt says Desktop, IDH node etc, I'm confused which one is Standalone edition and install all manager components and sensor components except IDH. Thank you.

Awesome, great material great teacher.

Thank you - Great tutorial. Unfortunately I failed to get it working neiger with pfSense nor with fortigate. tcpdump shows the incoming packages, but they are not parsed. Do you have any hint how to start toubleshooting?

Hello, is Winlogbeat in 2.4.50 ?

Great information. Is there a video to port Cisco switch log files to SO ?

This video series has been a great help in getting me hands on experience for the CySA+ cert. Wouldn't of been able to install an agent on my computer without it!

I would also love to see an osquery video. A strelka one would be great too.

Thanks

Thank you for the video

Does the IP of the virtual machine (to access the SOC) has to be the same as that of the host computer?

Thank you, just in the time :)

Thank you for the quick look! I'd love to see a basic osquery video :)

👏👏

how to capture a real time network traffic? i tried the pcap section but the status is pending for so long

Hello, setup accomplished using ISO on VMware. I do not have influxdb or when selecting the node for eval no status or container windows appear ? using version 2.3.280.