Security Onion Documentation

Table of Contents

• About
  • Security Onion
  • Security Onion Solutions, LLC
  • Documentation
• Introduction
  • Network Security Monitoring
  • Enterprise Security Monitoring
  • Analysis Tools
  • Workflow
  • Deployment Scenarios
  • Conclusion
• License
• First Time Users
• Getting Started
  • Best Practices
  • Architecture
  • Hardware Requirements
  • Partitioning
  • Download
  • VMware
  • VirtualBox
  • Proxmox
  • Booting Issues
  • Airgap
  • Installation
  • AWS Cloud AMI
  • Azure Cloud Image
  • Configuration
  • After Installation
• Security Onion Console (SOC)
  • Alerts
  • Dashboards
  • Hunt
  • Cases
  • PCAP
  • Grid
  • Downloads
  • Administration
  • Kibana
  • Grafana
  • CyberChef
  • Playbook
  • FleetDM
  • ATT&CK Navigator
• Analyst VM
  • so-analyst-install
  • Security Onion 2.3.120 Changes
• Network Visibility
  • AF-PACKET
  • Stenographer
  • Suricata
  • Zeek
  • Strelka
  • Intrusion Detection Honeypot
• Host Visibility
  • osquery
  • Beats
  • Wazuh
  • Syslog
  • Sysmon
  • Autoruns
• Logs
  • Ingest
  • Filebeat
  • Logstash
  • Redis
  • Elasticsearch
  • ElastAlert
  • Curator
  • Data Fields
  • Alert Data Fields
  • Elastalert Fields
  • Zeek Fields
  • Community ID
  • Re-Indexing
  • SOC Logs
  • Other Supported Logs
• Updating
  • soup
  • End Of Life
• Accounts
  • Passwords
  • MFA
  • Adding Accounts
  • Listing Accounts
  • Disabling Accounts
  • Role-Based Access Control (RBAC)
• Services
• Customizing for Your Environment
  • SOC Customization
  • Proxy Configuration
  • Firewall
  • Email Configuration
  • NTP
  • SSH
  • Changing Hostname
  • Changing IP Addresses
  • Changing Web Access URL
• Tuning
  • Salt
  • Homenet
  • BPF
  • Managing Rules
  • Adding Local Rules
  • Managing Alerts
  • High Performance Tuning
• Tricks and Tips
  • Backups
  • Docker
  • DNS Anomaly Detection
  • Endgame
  • ICMP Anomaly Detection
  • Jupyter Notebook
  • Machine Learning
  • Adding a new disk
  • PCAPs for Testing
  • Removing a Node
  • Syslog Output
  • UTC and Time Zones
• Utilities
  • jq
  • so-allow
  • so-elastic-auth
  • so-elasticsearch-query
  • so-import-pcap
  • so-import-evtx
  • so-monitor-add
  • so-status
  • so-test
  • so-zeek-logs
• Help
  • FAQ
  • Directory Structure
  • Tools
  • Support
  • Community Support
  • Help Wanted
• Security
  • Vulnerability Disclosure
  • Product and Supply Chain Integrity
• Appendix
• Release Notes
  • 2.3.170 [20220922] Changes
  • 2.3.160 [20220829] Changes
  • 2.3.150 [20220820] Changes
  • 2.3.140 Hotfix [20220812] Changes
  • 2.3.140 Hotfix [20220719] Changes
  • 2.3.140 Changes
  • 2.3.130 Changes
  • 2.3.120 Changes
  • 2.3.110 Hotfix [20220407] Changes
  • 2.3.110 Hotfix [20220407] Known Issues
  • 2.3.110 Hotfix [20220405] Changes
  • 2.3.110 Hotfix [20220401] Changes
  • 2.3.110 Changes
  • 2.3.100 Hotfix [20220301] Changes
  • 2.3.100 Hotfix [20220203] Changes
  • 2.3.100 Hotfix [20220202] Changes
  • 2.3.100 Changes
  • 2.3.91 Changes
  • 2.3.90 Hotfix [20211213]
  • 2.3.90 Hotfix [20211210]
  • 2.3.90 Hotfix [20211206]
  • 2.3.90 Hotfix [AIRGAPFIX]
  • 2.3.90 Hotfix [WAZUH]
  • 2.3.90 Changes
  • 2.3.80 Changes
  • 2.3.70 Hotfix [WAZUH]
  • 2.3.70 Hotfix [GRAFANA_DASH_ALLOW]
  • 2.3.70 Hotfix [CURATOR]
  • 2.3.70 Changes
  • 2.3.61 Hotfix [STENO, MSEARCH]
  • 2.3.61 Changes
  • 2.3.60 Hotfix [ECSFIX, HEAVYNODE, FBPIPELINE, CURATORAUTH] Changes
  • 2.3.60 Changes
  • 2.3.52 Changes
  • 2.3.51 Changes
  • 2.3.50 Changes
  • 2.3.50 Known Issues
  • 2.3.40 Changes
  • 2.3.40 Known Issues
  • 2.3.30 Changes
  • 2.3.30 Known Issues
  • 2.3.21 Changes
  • 2.3.10 Changes
  • 2.3.10 Known Issues
  • 2.3.2 Changes
  • 2.3.1 Changes
  • 2.3.1 Known Issues
  • 2.3.0 Changes
  • 2.2.0 Changes
  • 2.1.0 Changes
  • 2.0.3 Changes
  • 2.0.2 Changes
  • 2.0.1 Changes
  • 2.0.0 Changes
• Cheat Sheet