First Time Users

Welcome first time users! You’re going to be peeling back the layers of your network in just a few minutes!

First, download our ISO image as shown in the Download section.
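Before booting the image, confirm that the file you downloaded is byte-for-byte what the project published; a truncated or tampered ISO is not worth troubleshooting. The Download section describes the project's own signature check, which is what actually ties the image to Security Onion. The script below is an added example, not part of Security Onion or its documentation: it streams the ISO through SHA-256 and compares the result with an expected digest. The digest value embedded in it is a constructed test vector (the SHA-256 of the bytes "abc"), not a real ISO digest; the real expected value comes from the digest file next to the ISO.

```python
import hashlib
import hmac
import os
import sys
import tempfile

# Constructed test vector, not a real Security Onion ISO digest: the SHA-256 of
# the three bytes b"abc" (the standard FIPS 180-2 example). A real expected
# value comes from the digest file published next to the ISO.
SAMPLE_CONTENT = b"abc"
SAMPLE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def sha256_of_file(path, chunk_size=1024 * 1024):
    """Hash the file in 1 MiB chunks so a multi-gigabyte ISO never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_iso(path, expected_hex):
    """Return True only if the file's SHA-256 equals the published digest.

    The expected value is normalised (whitespace, case) because digest strings
    are often copied by hand. compare_digest is used out of habit for digest
    comparisons even though timing is not a concern for a local file check.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def selftest():
    """Write the constructed sample to a temporary file and check both outcomes."""
    fd, path = tempfile.mkstemp(suffix=".iso")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(SAMPLE_CONTENT)
        good = verify_iso(path, SAMPLE_SHA256)   # correct digest -> True
        bad = verify_iso(path, "00" * 32)        # wrong digest   -> False
    finally:
        os.remove(path)
    return good, bad


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"usage: {sys.argv[0]} <iso-path> <expected-sha256>")
        sys.exit(2)
    if verify_iso(sys.argv[1], sys.argv[2]):
        print("OK: digest matches")
    else:
        print("MISMATCH: do not install this image")
        sys.exit(1)
```

A matching digest only proves that the file matches the digest you were given; if both came from the same compromised mirror, both could be wrong. That is why the signature check in the Download section matters and why the digest should be taken from the project's own site rather than from a third-party download page.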

Then install from the ISO image and configure it for IMPORT as shown below (also see the Installation and Configuration sections). An IMPORT installation runs in a minimal virtual machine with as little as 4GB RAM, 2 CPU cores, and 200GB of storage. For more information about virtualization, please see the VMware, VirtualBox, and Proxmox sections.

Once you’re comfortable with your IMPORT installation, then you can move on to more advanced installations as shown in the Architecture section.

After booting the ISO image, the boot menu appears:

_images/01_grub.png

When prompted, specify your username and password:

_images/02_initial_install.png

Once installation is complete, you are prompted to reboot:

_images/03_initial_install_finished.png

After rebooting, login using the username and password that you specified and then Setup will start automatically:

_images/04_setup_init.png

Perform a standard installation:

_images/05_setup_option.png

When prompted for installation type, select IMPORT:

_images/06_setup_type.png

If your Security Onion machine has full Internet access as described in the Firewall section, select Standard. Otherwise, select Airgap:

_images/06_setup_airgap.png

Review the license and agree:

_images/07_setup_license.png

Set the hostname:

_images/08_setup_hostname.png

If you use the default hostname of securityonion, you will see a warning:

_images/09_setup_hostname_conflict.png

Select your management interface:

_images/10_setup_mn_nic.png

Select static IP addressing (recommended) or DHCP:

_images/11_setup_mn_int.png

Specify IP address and CIDR mask:

_images/12_setup_cidr.png

Set gateway address:

_images/13_setup_gateway.png

Enter DNS servers:

_images/14_setup_dns_servers.png

Configure DNS search domain:

_images/15_setup_dns_domain.png

If necessary, you can change the default Docker IP range (for example, if the default would overlap with a network that the machine needs to reach):

_images/16_setup_docker_range.png

If you are connected to the Internet, select whether it is direct or via proxy:

_images/18_setup_direct_proxy.png

Create username for Security Onion Console (SOC):

_images/20_setup_webuser.png

Set password for Security Onion Console (SOC):

_images/21_setup_webpass1.png

Confirm password for Security Onion Console (SOC):

_images/22_setup_webpass2.png

Select how to access Security Onion Console (SOC):

_images/23_setup_access_type.png

If you will reach Security Onion Console from another host, allow those connections through the host-based firewall:

_images/26_setup_so_allow.png

Specify an IP address or range to allow through the host-based firewall. Keep this as narrow as practical (the analyst workstation or the analyst subnet) rather than allowing every address, and make sure the address you will log in from is included:

_images/27_setup_so_allow_input.png

Confirm all options:

_images/28_setup_summary.png
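The summary screen is the last chance to catch answers that will leave the box unreachable or overexposed after Setup: a gateway outside the management subnet, a Docker range that overlaps the management network, or a firewall allow range of 0.0.0.0/0. The following Python script is an added example, not part of Security Onion or its Setup; it checks those relationships between the values entered on the previous screens. The sample addresses are constructed, and the choice to flag an allow range wider than /16 is an assumption of the example, not a project rule.

```python
import ipaddress

# Assumption for this example: an allow range wider than /16 is treated as a
# likely mistake. Adjust to your environment.
BROADEST_ALLOW_PREFIX = 16

# Constructed sample answers for the Setup screens (not taken from the page).
SAMPLE = {
    "mgmt_ip_cidr": "10.0.5.20/24",   # "Specify IP address and CIDR mask"
    "gateway": "10.0.5.1",            # "Set gateway address"
    "docker_range": "172.17.0.0/24",  # "change the default Docker IP range"
    "allow_range": "10.0.5.0/24",     # "IP address or range to allow through the host-based firewall"
    "analyst_ip": "10.0.5.50",        # the workstation you will log in to SOC from
}


def preflight(mgmt_ip_cidr, gateway, docker_range, allow_range, analyst_ip):
    """Return a list of problems with the Setup answers; an empty list means they are consistent."""
    problems = []
    mgmt = ipaddress.ip_interface(mgmt_ip_cidr)  # accepts the "10.0.5.20/24" form Setup asks for
    mgmt_net = mgmt.network
    gw = ipaddress.ip_address(gateway)
    docker_net = ipaddress.ip_network(docker_range, strict=False)
    allow_net = ipaddress.ip_network(allow_range, strict=False)
    analyst = ipaddress.ip_address(analyst_ip)

    # A host cannot use the network or broadcast address of its own subnet.
    if mgmt_net.num_addresses > 2 and mgmt.ip in (mgmt_net.network_address, mgmt_net.broadcast_address):
        problems.append(f"management IP {mgmt.ip} is the network or broadcast address of {mgmt_net}")

    # The gateway has to be a different host on the management subnet.
    if gw not in mgmt_net:
        problems.append(f"gateway {gw} is not inside the management network {mgmt_net}")
    elif gw == mgmt.ip:
        problems.append(f"gateway {gw} is the management IP itself")

    # Docker's internal network must not collide with a network the box routes to.
    if docker_net.overlaps(mgmt_net):
        problems.append(f"Docker range {docker_net} overlaps the management network {mgmt_net}")

    # Host-based firewall: keep the SOC allow list narrow, but not so narrow it excludes you.
    if allow_net.prefixlen == 0:
        problems.append(f"allow range {allow_net} admits every address that can reach the box")
    elif allow_net.prefixlen < BROADEST_ALLOW_PREFIX:
        problems.append(f"allow range {allow_net} is wider than /{BROADEST_ALLOW_PREFIX}")
    if analyst not in allow_net:
        problems.append(f"analyst address {analyst} is outside allow range {allow_net}; you would lock yourself out")

    return problems


if __name__ == "__main__":
    issues = preflight(**SAMPLE)
    if issues:
        for issue in issues:
            print("PROBLEM:", issue)
    else:
        print("Setup answers look consistent")
```

Run it with your own values substituted into SAMPLE before pressing confirm; an empty result does not prove the network is right, only that the answers agree with each other.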

Setup complete:

_images/29_setup_finished.png

Login to Security Onion Console (SOC):

_images/37_login.png

After logging in, you will see the Security Onion Console (SOC) Overview page:

_images/38_overview.png

Check Grid to verify all services are running properly:

_images/39_grid.png

While on the Grid page, you can upload a PCAP or EVTX file. For an IMPORT installation, which does not sniff live traffic, this is how data gets into the system:

_images/40_upload.png

Review alerts on the Alerts page:

_images/50_alerts.png

Review other logs on the Dashboards page:

_images/51_dashboards.png

If you find something interesting on the Alerts or Dashboards pages, you may want to use the Correlate or Hunt actions to find related logs on the Hunt page:

_images/52_hunt.png

If you find interesting network traffic, you can pivot to full packet capture via the PCAP action:

_images/53_pcap.png

You can change the view to ASCII transcript for a more human readable view of the traffic:

_images/54_pcap_details.png

If you find an interesting artifact, you can send it to CyberChef:

_images/55_cyberchef.png

If you need to refer back to previous PCAP jobs, you can find them on the PCAP page:

_images/56_jobs.png

IMPORT installations do not support remote agents, but if you were running another installation type you could download the Elastic Agent installer from Downloads:

_images/58_downloads.png

The Administration section allows you to manage user accounts:

_images/59_users.png

It also allows you to manage grid members:

_images/60_gridmembers.png

The Administration section also allows you to configure various aspects of the system:

_images/61_config.png

It also allows you to upload a license key for additional enterprise features:

_images/62_licensekey.png

All this in a minimal VM with only 4GB RAM!

_images/99_top.png