Analyst VM

Full-time analysts may want to create a dedicated Analyst VM. This allows you to investigate pcaps and other potentially malicious artifacts without impacting your Security Onion deployment or your workstation.


The so-analyst-install script installs a full GNOME desktop environment including the Chromium web browser, NetworkMiner, Wireshark, and other analyst tools. so-analyst-install is fully independent of the standard setup process, so you can run it before or after setup, or skip setup entirely if all you want is the Analyst VM itself.


so-analyst-install currently only supports CentOS, so you’ll either need to use our Security Onion ISO image (recommended) or a manual installation of CentOS 7.


so-analyst-install currently downloads packages from the Internet, so you will need to ensure that networking is configured before running so-analyst-install.

To connect from the Analyst VM to your manager node, you will need to run so-allow on the manager node and choose the analyst option to allow the traffic through the host-based firewall.
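A pre-flight script for the two prerequisites above (CentOS 7 and working networking) before calling so-analyst-install, added here as an example rather than part of Security Onion's own tooling; the function names and the mirror host used for the reachability check are assumptions:

```shell
#!/bin/sh
# Pre-flight checks for so-analyst-install (constructed example; helper
# names and the default mirror host are assumptions, not Security Onion's).

# Return 0 if the given os-release file (default /etc/os-release) describes
# CentOS 7, the only platform so-analyst-install currently supports.
analyst_os_supported() {
  os_release="${1:-/etc/os-release}"
  [ -r "$os_release" ] || return 1
  os_id=$(sed -n 's/^ID=//p' "$os_release" | tr -d '"')
  os_ver=$(sed -n 's/^VERSION_ID=//p' "$os_release" | tr -d '"')
  # Compare only the major version so "7", "7.9" etc. all pass.
  [ "$os_id" = "centos" ] && [ "${os_ver%%.*}" = "7" ]
}

# Return 0 if the host can resolve and reach the package mirror that
# so-analyst-install will download from (host name is an assumption).
analyst_network_ready() {
  mirror="${1:-mirrorlist.centos.org}"
  getent hosts "$mirror" >/dev/null 2>&1 || return 1
  curl -s -o /dev/null --max-time 10 "http://$mirror/"
}

# Run the checks, then the installer; remind about so-allow afterwards.
run_analyst_install() {
  analyst_os_supported || {
    echo "unsupported OS: so-analyst-install requires CentOS 7" >&2; return 1; }
  analyst_network_ready || {
    echo "network not ready: configure networking before installing" >&2; return 1; }
  sudo so-analyst-install || return 1
  echo "Done. On the manager node, run so-allow and pick the analyst option"
  echo "so this VM can reach the manager through the host-based firewall."
}

# Only run the installer when explicitly asked, so the file is safe to source.
if [ "${1:-}" = "--run" ]; then
  run_analyst_install
fi
```

Invoke as `sh preflight.sh --run` on the freshly built VM; sourcing the file without `--run` only defines the functions.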