How is the network traffic collected, according to this? Tap or span port?
@security-onion 18 days ago
Security Onion can collect live network traffic from a tap or span port. You can also import past traffic via PCAP files. For more information, please see our documentation at docs.securityonion.net/en/2.4/introduction.html. If you have further questions or problems, please start a new discussion at securityonion.com/discuss. Thanks!
@Vxrtzs_ 18 days ago
@security-onion I mean, based on this setup, is it collecting network traffic from a tap or span port?
@security-onion 18 days ago
Span port. If you have further questions or problems, please start a new discussion at securityonion.com/discuss.
@Vxrtzs_ 18 days ago
@security-onion Thanks for the reply. I posted my problem on the GitHub Security Onion community but didn't get help. I followed all the steps and there are no alerts on the Alerts interface, but I can see some detections on the Detections interface, Hunt and Dashboards. I restarted the whole process of downloading Security Onion again; let me see how it goes.
@security-onion 18 days ago
Please make sure you read the discussion guidelines at github.com/Security-Onion-Solutions/securityonion/discussions/1720 and be patient. If you don't have responses in a day or two, you may follow up to your discussion but please keep in mind that community support is considered best effort and there are no guaranteed response times.
@Vxrtzs_ 19 days ago
I can't see any alerts on the Alerts interface, but I can see some on the Detections interface and Hunt interface.
@security-onion 19 days ago
If you have questions or problems, please start a new discussion at securityonion.com/discuss. Thanks!
@Cysecsg 26 days ago
What if I am installing it on my laptop and bringing it over to class? In this case, setting a static gateway and IP will not work. How can I resolve that?
@security-onion 25 days ago
If you install Security Onion in a VM, then it can have a static IP address on the virtual network while your host OS has a dynamic IP on whatever network it's connected to. If you have further questions or problems, please start a new discussion at securityonion.com/discuss. Thanks!
@edvloesungen 28 days ago
Thank you very much!
@security-onion 28 days ago
You're welcome!
@andreantunes7310 a month ago
Missing Suricata and the pfSense app logs, but great work, keep doing more, and integrations with flux.
@fuzzyEuclid a month ago
An osquery video would be awesome :)
@RanimHassine a month ago
Hello, thank you for these amazing sessions. Are Cortex and TheHive still integrated in SO 2.4? If not, does it tolerate them as an external extension?
@security-onion a month ago
Cortex and TheHive are no longer included in Security Onion. We built our own case management interface and it's integrated directly into Security Onion Console. If you have further questions, please start a new discussion at securityonion.com/discuss. Thanks!
@RanimHassine a month ago
@security-onion Can I ask how the forwarding of Suricata logs to SO happens? Also, I have been facing the same network error when I open the GUI (NB: I am using eval mode).
@security-onion a month ago
If you have further questions, please start a new discussion at securityonion.com/discuss.
@CageYim a month ago
I saw "Evaluation installs and Import installs do not support remote elastic agents. The links below are shown for demonstration purposes only." after I installed the eval version of Security Onion following your installation guide video. Does that mean I have to install in another mode? Thank you.
@security-onion a month ago
If you want to deploy the Elastic Agent to remote devices, then you will need to install in STANDALONE mode or do a full distributed deployment. For more information, please see the documentation at docs.securityonion.net/en/2.4/architecture.html. If you have further questions or problems, please start a new discussion at securityonion.com/discuss. Thanks!
@CageYim a month ago
@security-onion Thank you very much. Let me try again.
@flyingbyalexeiroudnev9750 a month ago
I do not see a way to change severity with one click, or to suppress an alert temporarily, or to automatically get the IP etc. from an alert. So it looks like a good step, but it is ONLY a FIRST STEP. For example, we reclassify events in Zabbix all the time, we set up timed reclassifications often, and we may need to update a GROUP of Detection rules at once. The idea is great, but it looks like a very first implementation yet. (Of course I can clone the rule, then change severity in the cloned rule and disable the original rule, but why do it so complicated? Or we want to suppress all alerts 'traffic with ... group', which we do by a re: expression today; it's not implemented yet (looks this way), and there are 50+ IP groups and about 10 alerts per group... so what disable can do with a single re: rule, detection will require 100 updates (looks like this).)
@security-onion a month ago
Yes, we have lots of improvements coming. If you have further comments or questions, please start a new discussion at securityonion.com/discuss.
@FlyGuys98 a month ago
How do you get gpg?
@security-onion a month ago
That depends on what operating system you're using. Google should be able to help you find gpg for your OS. If you have further questions or problems, please start a new discussion at securityonion.com/discuss. Thanks!
@GarethLedger-pz6wl a month ago
Any chance you could paste the various command line inputs?
@GoogelDeepMind2024 a month ago
So this (ISO) is for a full install? Is there an app interface to add to my Linux OS system?
@security-onion a month ago
If you have questions or problems, please start a new discussion at securityonion.com/discuss
@capitalreg318 2 months ago
Oh, this will be very useful. Cool feature indeed, thank you!! Two things:
1. Any possibility of adding an optional Elastic Defend/Predefined Rules integration to that Detections menu? Currently it is buried in Kibana and requires some additional digging to add the Predefined Rules integration, then unhide the Security tab in Kibana Spaces.
2. Any chance of upgrading the osquery Manager to the Velociraptor platform to integrate that amazing tool's DFIR capabilities with the SOC/Elastic Agent?
@security-onion 2 months ago
If you have questions or problems, please start a new discussion at securityonion.net/discuss
@zapphoddbubbahbrox5681 2 months ago
Somehow the Sysmon integration is not working or showing up as an integration for a Windows box. I'd added Sysmon to the node after the agent was enrolled. Does this require removal (big pains here also, it won't properly remove)? Would be great to have a guide for this. Also for Linux Sysmon.
@security-onion 2 months ago
If you have questions or problems, please start a new discussion at securityonion.com/discuss
@Rabah_RAHLI 2 months ago
Can this functionality work with pfSense Community Edition?
@security-onion 2 months ago
Yes! If you have further questions or problems, please start a new discussion at securityonion.com/discuss
@MariodeLeon-C-Security 2 months ago
I'm attempting to install the Security Onion ISO on a physical device with no success, as there is an error during the installation process. I want to try the mentioned "Manual Installation via other ISO Image" option, but it doesn't exist on Security Onion's website anymore. Is that option no longer available? Anyone else struggle to install the ISO on a physical device who can share some tips/resources? Thank you for making and sharing this video!
@security-onion 2 months ago
If you have questions or problems, please start a new discussion at securityonion.com/discuss
@TheChad17 a month ago
What are you trying to install on? Does it have any OS installed?
@ceroandone 2 months ago
Followed the instructions and the installation got stuck with problems. It intended to reach some URL.
@security-onion 2 months ago
If you have questions or problems, please start a new discussion at securityonion.com/discuss
@johnmosqueda1029 2 months ago
Is there an in place upgrade option available?
@security-onion 2 months ago
There will be an in-place upgrade option once 2.4.70 is released. If you have further questions or problems, please start a new discussion at securityonion.com/discuss
@juanmartinmerlo3682 2 months ago
I can't wait to upgrade! Is there an estimated release date? Great job team!
@security-onion 2 months ago
2.4.70 is scheduled to release in the next few weeks. Stay tuned! If you have further questions or problems, please start a new discussion at securityonion.com/discuss
@DroisKargva 2 months ago
Here are additional details for y'all:
1) 2 Ethernet NICs (the plug thingy where the Ethernet cable goes) are required. The 1st is used for "accessing" the browser UI (when you type the running machine's IP address) and the 2nd is used for port mirroring (receiving a copy of all the network traffic from another port). IF YOU ARE TRYING ON LAPTOP HARDWARE you can get an additional USB-to-Ethernet bundle at Menards for cheap ($16).
2) Port mirroring is required, so you need a managed switch (a switch that you can access and manually set up for port mirroring).
3) 16 GB RAM is required. The operating system is demanding.
4) IF YOU HAVE AN ALL-IN-ONE ROUTER: for monitoring WiFi traffic you need an additional Access Point (or additional router) and switch, otherwise it won't work.
Overall fairly complicated to set up (8/10) BUT it's worth it 100%, even for home usage. I detected malware that I would never have guessed existed 🤯 Hopefully these additional details help y'all. Big thanks to developers and community 🎉
@DroisKargva 2 months ago
If installing in a Virtual Machine, "attack detect defend" has a great video. You can also split one NIC into several with a virtual machine, so you would avoid extra expenses. You would still need to place the machine in an appropriate location in the network though.
@DroisKargva 2 months ago
Thanks
@security-onion 2 months ago
You're welcome!
@virmanisandeep 2 months ago
This is one of the best user stories for an L1/L2 analyst to determine how to handle alerts, surface a case, and escalate it to the TH teams. Awesome! Looking forward to more!
@security-onion 2 months ago
Thanks, glad you like it!
@michaelporter8242 2 months ago
Wow, this is a great improvement for tuning. Can't wait to give it a try!
@security-onion 2 months ago
Thanks, glad you like it!
@izid00d 2 months ago
Awesome, just as I imagined it in my head! I will look forward to the update. Sheesh, this will shorten the tuning process by a lot. Thanks to the SO Team!!!
@security-onion 2 months ago
Thanks, glad you like it!
@TheLakeBodom 2 months ago
Wow, nice work Security Onion Team!! This will be a much better workflow.
@security-onion 2 months ago
Thanks, glad you like it!
@cyberlabz 3 months ago
I've watched the new video at least four times. Super excited about the Detections module release. Great job!!!!
@security-onion 2 months ago
Thanks, glad you like it!
@frzen 3 months ago
Huge quality-of-life upgrade, thank you! I'm really looking forward to updating.
@security-onion 2 months ago
Thanks, glad you like it!
@user-kb6ii4dw4q 3 months ago
Is it possible to revert changes through history? Is there a rule validator in the Signature field? Will syntax color highlighting appear?
@security-onion 2 months ago
If you have questions, please start a new discussion at securityonion.com/discuss
@yannickzelt9246 3 months ago
This really is a great new feature. Can't wait to try it out.
@security-onion 2 months ago
Thanks, glad you like it!
@ankuryogi3298 3 months ago
Love it
@security-onion 2 months ago
Thanks!
@jmcgee81 3 months ago
Excellent keynote!
@security-onion 2 months ago
Thanks for watching!
@veronicaindimulim.7712 3 months ago
n it. Nice beginning for me.
@security-onion 2 months ago
Thanks, glad you like it!
@giovannisvette449 4 months ago
Does this still work?
@security-onion 4 months ago
If you have questions or problems, please start a new discussion at securityonion.com/discuss
@sevadamuradyan5486 4 months ago
Our network firewall log is coming to my computer. How can I send it to sec-onion?
@security-onion 4 months ago
If you have questions or problems, please start a new discussion at securityonion.net/discuss
@joy_81 4 months ago
Great example of installation for beginners. I want to use 2 hosts: one with a standalone installation and one with IDH. The first prompt says Desktop, IDH node, etc. I'm confused which one is the Standalone edition and installs all manager components and sensor components except IDH. Thank you.
@security-onion 4 months ago
If you have questions or problems, please start a new discussion at securityonion.net/discuss
@kinghenryjames1327 4 months ago
Awesome, great material, great teacher.
@security-onion 4 months ago
Thanks, glad you liked it!
@olivertatzmann3038 4 months ago
Thank you, great tutorial. Unfortunately I failed to get it working with either pfSense or FortiGate. tcpdump shows the incoming packets, but they are not parsed. Do you have any hint on how to start troubleshooting?
@security-onion 4 months ago
If you have questions or problems, please start a new discussion at securityonion.com/discuss
@seckeymaker 4 months ago
Hello, is Winlogbeat in 2.4.50?
@security-onion 4 months ago
Winlogbeat has been replaced by Elastic Agent in 2.4. Documentation: docs.securityonion.net/en/2.4/elastic-agent.html#elastic-agent. Video: kzbin.info/www/bejne/mXjQgoCpe9p0rNk. If you have further questions or problems, please start a new discussion at securityonion.com/discuss
@user-nk4so7gx8y 4 months ago
Great information. Is there a video on porting Cisco switch log files to SO?
@security-onion 4 months ago
Please see the Cisco IOS integration at docs.elastic.co/integrations/cisco_ios and our docs at docs.securityonion.net/en/2.4/elastic-fleet.html#elastic-fleet and docs.securityonion.net/en/2.4/elastic-agent.html. If you have further questions or problems, please start a new discussion at securityonion.com/discuss
@Angry.Hippie 4 months ago
This video series has been a great help in getting me hands-on experience for the CySA+ cert. Wouldn't have been able to install an agent on my computer without it!
@security-onion 4 months ago
Thanks, glad to help!
@subhuman7478 4 months ago
I would also love to see an osquery video. A strelka one would be great too.
@WatsonInfosec 5 months ago
Thanks
@security-onion 5 months ago
You're welcome!
@taraskobilskiy6538 5 months ago
Thank you for the video
@security-onion 5 months ago
You're welcome!
@user-qy2mb9ly4r 5 months ago
Does the IP of the virtual machine (to access the SOC) have to be the same as that of the host computer?
@security-onion 5 months ago
No, the VM and the host computer should have different IP addresses. If you have further questions or problems, please start a new discussion at securityonion.com/discuss
@calmeidazim 5 months ago
Thank you, just in time :)
@security-onion 5 months ago
You're welcome!
@fuzzyEuclid 5 months ago
Thank you for the quick look! I'd love to see a basic osquery video :)
@eliasinaciowilks6939 5 months ago
👏👏
@security-onion 2 months ago
Thanks!
@h_y-hy9yc 5 months ago
How do I capture real-time network traffic? I tried the PCAP section, but the status has been pending for so long.
@security-onion 5 months ago
@h_y-hy9yc If you have questions or problems, please start a new discussion at securityonion.com/discuss
@seckeymaker 5 months ago
Hello, setup accomplished using the ISO on VMware. I do not have InfluxDB, or when selecting the node for eval no status or container windows appear? Using version 2.3.280.
@security-onion 5 months ago
@seckeymaker Please perform a new installation using version 2.4. If you have further questions or problems, please start a new discussion at securityonion.com/discuss