Hunt

Security Onion Console (SOC) gives you access to our new Hunt interface. This interface allows you to hunt through all of the data in Elasticsearch and is highly tuned for stacking, pivoting, data expansion, and data reduction.

The first two elements shown are the query bar and time picker. Once you perform a query, Hunt will display the number of events found in the upper right and then render three main sections of output.

https://user-images.githubusercontent.com/1659467/92962246-afa1fd00-f43e-11ea-8e83-b4c62a622350.png

Query Bar

The easiest way to get started is to click the query drop down box and select one of the pre-defined queries. These pre-defined queries cover most of the major data types that you would expect to see in a Security Onion deployment: NIDS alerts from Suricata, HIDS alerts from Wazuh, protocol metadata logs from Zeek or Suricata, endpoint logs, and firewall logs. Each of the entries in the drop down list will show the actual query followed by a description of what that query does.

https://user-images.githubusercontent.com/1659467/92962511-07406880-f43f-11ea-9b59-eea274903ad5.png

Time Picker

By default, Hunt searches the last 24 hours. If you want to search a different time frame, you can change it in the upper right corner of the screen. You can use the default relative time or click the clock icon to change to absolute time.

https://user-images.githubusercontent.com/1659467/92962580-26d79100-f43f-11ea-8b87-838b8e3b5be4.png

Visualization

The first section of output contains a Most Occurrences visualization, a timeline visualization, and a Fewest Occurrences visualization. Bar charts are clickable, so you can click a value to update your search criteria. Aggregation defaults to 10 values, so Most Occurrences is the Top 10 and Fewest Occurrences is the Bottom 10 (long tail). The number of aggregation values is controlled by the Fetch Limit setting in the Group Metrics section.

https://user-images.githubusercontent.com/1659467/92962656-440c5f80-f43f-11ea-84a8-c0f66e80e27a.png

Group Metrics

The middle section of output is the Group Metrics section and it’s a data table that allows you to stack (aggregate) arbitrary fields. Group metrics are controlled by the groupby parameter in the search bar. Clicking the table headers allows you to sort ascending or descending.

Clicking a value in the Group Metrics table brings up a menu of actions for that value. The plus and minus magnifying glass icons to the left allow you to include or exclude (respectively) those values in your query. The third magnifying glass starts a new query for just the value itself. The G and VT on the right end of the actions menu look up the value at Google and VirusTotal (respectively).

The default Fetch Limit for the Group Metrics table is 10. If you need to see more than the top 10, you can increase the Fetch Limit and then page through the output using the left and right arrow icons or increase the Rows per page setting.

https://user-images.githubusercontent.com/1659467/92963676-d9f4ba00-f440-11ea-9357-ab783743190d.png

Events

The third and final section of output is a data table that contains all search results and allows you to drill into individual search results as necessary. Clicking the table headers allows you to sort ascending or descending. Starting from the left side of each row, there is an arrow which will expand the result to show all of its fields. To the right of that arrow is the Timestamp field. Next, a few standard fields are shown: source.ip, source.port, destination.ip, destination.port, log.id.uid (Zeek unique identifier), network.community_id (Community ID), and event.dataset. Depending on what kind of data you’re looking at, there may be some additional data-specific fields as well.

Clicking a value in the Events table brings up a menu of actions for that value. The plus and minus magnifying glass icons to the left allow you to include or exclude (respectively) those values in your query. The third magnifying glass starts a new query for just the value itself. The fourth icon takes you to pcap for the stream. The fifth icon (bell) creates an alert for the event. The G and VT on the right end of the actions menu look up the value at Google and VirusTotal (respectively).

The default Fetch Limit for the Events table is 100. If you need to see more than 100 events, you can increase the Fetch Limit and then page through the output using the left and right arrow icons or increase the Rows per page setting.

https://user-images.githubusercontent.com/1659467/92964083-85057380-f441-11ea-929a-72ec0b34dad2.png

When you click the down arrow to expand a row in the Events table, it will show all of the individual fields from that event. Field names are shown on the left and field values on the right. When looking at the field names, there is an icon to the left that will add that field to the groupby section of your query. You can click on values on the right to bring up the action menu to refine your search or pivot to other pages.

https://user-images.githubusercontent.com/1659467/92965293-8899fa00-f443-11ea-8407-79a81c0e1401.png

Statistics

The bottom left corner of the page shows statistics about the current query including the speed of the backend data fetch and the total round trip time.

https://user-images.githubusercontent.com/1659467/92963000-ca28a600-f43f-11ea-99ff-9a69604b03d0.png

Auto Hunt

The bottom right corner of the page has a toggle for Auto Hunt which defaults to enabled. When enabled, Hunt will automatically submit your query any time you change filters, groupings, or date ranges.

https://user-images.githubusercontent.com/1659467/92963052-d9a7ef00-f43f-11ea-9efe-dad3f29393f1.png

OQL

Onion Query Language (OQL) starts with standard Lucene query syntax and then allows you to add optional segments that control what Hunt does with the results from the query. The groupby segment tells Hunt to group by (aggregate) a particular field. So, for example, if you want to group by destination IP address, you can add | groupby destination.ip to your search (assuming it didn’t already have a groupby statement). The groupby segment supports multiple aggregations so you can add more fields that you want to group by, separating those fields with spaces. For example, to group by destination IP address and then destination port, you could use | groupby destination.ip destination.port.
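As an added illustration of the OQL shape described above (not Security Onion's own code), the following parser splits a query into its Lucene part and its groupby fields and builds a nested terms aggregation with the page's default fetch limit of 10. The Elasticsearch request layout is an assumption about how such a query could be translated; the sample query values are constructed.

```python
"""Parse OQL (Lucene query + optional '| groupby f1 f2 ...' segment).

Added example, not Security Onion's own implementation. The Elasticsearch
body produced by build_es_request() is an assumed translation, not SOC's.
"""
import json

DEFAULT_FETCH_LIMIT = 10  # Hunt's default Group Metrics fetch limit


def parse_oql(query):
    """Return (lucene_query, [groupby fields]) for an OQL string.

    Segments after the first '|' must be 'groupby' segments; several groupby
    segments are merged in order. Raises ValueError on malformed input.
    """
    parts = [p.strip() for p in query.split("|")]
    lucene = parts[0]
    if not lucene:
        raise ValueError("OQL query must start with a Lucene query")
    groupby = []
    for segment in parts[1:]:
        tokens = segment.split()
        if not tokens or tokens[0] != "groupby":
            raise ValueError(f"unsupported OQL segment: {segment!r}")
        if len(tokens) < 2:
            raise ValueError("groupby segment needs at least one field")
        groupby.extend(tokens[1:])
    return lucene, groupby


def build_es_request(query, fetch_limit=DEFAULT_FETCH_LIMIT):
    """Build an assumed Elasticsearch search body from an OQL query.

    Each groupby field becomes a terms aggregation nested inside the previous
    one, so 'destination.ip destination.port' stacks ports within each IP.
    """
    lucene, groupby = parse_oql(query)
    body = {"query": {"query_string": {"query": lucene}}, "size": 0}
    cursor = body
    for field in groupby:
        agg = {"terms": {"field": field, "size": fetch_limit}}
        cursor["aggs"] = {field: agg}
        cursor = agg
    return body


if __name__ == "__main__":
    # Constructed sample query: all events to port 53, stacked by IP then port.
    sample = "destination.port:53 | groupby destination.ip destination.port"
    print(json.dumps(build_es_request(sample), indent=2))
```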