Security Onion Console (SOC) gives you access to our new Hunt interface. This interface allows you to hunt through all of the data in Elasticsearch and is highly tuned for stacking, pivoting, data expansion, and data reduction.
Starting in Security Onion 2.3.60, there is a new Options drop-down menu that allows you to set options such as Auto Hunt, Automatic Refresh Interval, and Time Zone.
The Auto Hunt option defaults to enabled:
When enabled, Hunt will automatically submit your query any time you change filters, groupings, or date ranges.
Automatic Refresh Interval¶
The Automatic Refresh Interval setting will automatically refresh your query at the time interval you select:
Hunt will try to detect your local time zone via your browser. Starting in Security Onion 2.3.60, you can manually specify your time zone if necessary.
The easiest way to get started is to click the query drop down box and select one of the pre-defined queries. These pre-defined queries cover most of the major data types that you would expect to see in a Security Onion deployment: NIDS alerts from Suricata, HIDS alerts from Wazuh, protocol metadata logs from Zeek or Suricata, endpoint logs, and firewall logs. Each of the entries in the drop down list will show the actual query followed by a description of what that query does.
By default, Hunt searches the last 24 hours. If you want to search a different time frame, you can change it in the upper right corner of the screen. You can use the default relative time or click the clock icon to change to absolute time.
The first section of output contains a Most Occurences visualization, a timeline visualization, and a Fewest Occurences visualization. Bar charts are clickable, so you can click a value to update your search criteria. Aggregation defaults to 10 values, so Most Occurences is the Top 10 and Fewest Occurences is the Bottom 10 (long tail). The number of aggregation values is controlled by the Fetch Limit setting in the Group Metrics section.
The middle section of output is the Group Metrics section and it’s a data table that allows you to stack (aggregate) arbitrary fields. Group metrics are controlled by the
groupby parameter in the search bar. Clicking the table headers allows you to sort ascending or descending.
Clicking a value in the Group Metrics table brings up a context menu of actions for that value. This allows you to refine your existing search, start a new search, or even pivot to external sites like Google and VirusTotal.
The default Fetch Limit for the Group Metrics table is
10. If you need to see more than the top 10, you can increase the Fetch Limit and then page through the output using the left and right arrow icons or increase the
Rows per page setting.
The third and final section of output is a data table that contains all search results and allows you to drill into individual search results as necessary. Clicking the table headers allows you to sort ascending or descending. Starting from the left side of each row, there is an arrow which will expand the result to show all of its fields. To the right of that arrow is the
Timestamp field. Next, a few standard fields are shown:
log.id.uid (Zeek unique identifier),
network.community_id (Community ID), and
event.dataset. Depending on what kind of data you’re looking at, there may be some additional data-specific fields as well.
Clicking a value in the Events table brings up a context menu of actions for that value. This allows you to refine your existing search, start a new search, or even pivot to external sites like Google and VirusTotal.
The default Fetch Limit for the Events table is
100. If you need to see more than 100 events, you can increase the Fetch Limit and then page through the output using the left and right arrow icons or increase the
Rows per page setting.
When you click the arrow to expand a row in the Events table, it will show all of the individual fields from that event. Field names are shown on the left and field values on the right. When looking at the field names, there is an icon to the left that will add that field to the
groupby section of your query. You can click on values on the right to bring up the context menu to refine your search or pivot to other pages.
The bottom left corner of the page shows statistics about the current query including the speed of the backend data fetch and the total round trip time.
Onion Query Language (OQL) starts with standard Lucene query syntax and then allows you to add optional segments that control what Hunt does with the results from the query. The
groupby segment tells Hunt to group by (aggregate) a particular field. So, for example, if you want to group by destination IP address, you can add
| groupby destination.ip to your search (assuming it didn’t already have a groupby statement). The
groupby segment supports multiple aggregations so you can add more fields that you want to group by, separating those fields with spaces. For example, to group by destination IP address and then destination port, you could use
| groupby destination.ip destination.port.
By default, grouping by a particular field won’t show any values if that field is missing. Starting in Security Onion 2.3.50, you can add an asterisk after the field name if you would like to include missing values. For example, you might have some non-HTTP traffic on port 80 that wouldn’t be shown by the following query grouping by
However, if you add an asterisk after the
network.protocol field name, Hunt will show missing values which in this case will help you see the non-HTTP traffic on port 80: