First Time Users

Welcome first time users! You’re going to be peeling back the layers of your network in just a few minutes!

First, download our ISO image as shown in the Download section.

Then install the ISO image and configure for IMPORT as shown below (also see the Installation and Configuration sections). This can be done in a minimal virtual machine with as little as 4GB RAM, 2 CPU cores, and 200GB of storage. For more information about virtualization, please see the VMware, VirtualBox, and Proxmox sections.

Once you’re comfortable with your IMPORT installation, then you can move on to more advanced installations as shown in the Architecture section.

After booting the ISO image, the boot menu appears:


When prompted, specify your username and password:


Once installation is complete, you are prompted to reboot:


After rebooting, login using the username and password that you specified and then Setup will start automatically:


Perform a standard installation:


When prompted for installation type, select IMPORT:


If your Security Onion machine has full Internet access as described in the Firewall section, select Standard. Otherwise, select Airgap:


Review the license and agree:


Set the hostname:


If you use the default hostname of securityonion, you will see a warning:


Select your management interface:


Select static IP addressing (recommended) or DHCP:


Specify IP address and CIDR mask:


Set gateway address:


Enter DNS servers:


Configure DNS search domain:


If necessary, you can change the default Docker IP range:


If you are connected to the Internet, select whether it is direct or via proxy:


Create username for Security Onion Console (SOC):


Set password for Security Onion Console (SOC):


Confirm password for Security Onion Console (SOC):


Select how to access Security Onion Console (SOC):


Allow connections through the host-based firewall if necessary:


Specify an IP address or range to allow through the host-based firewall:


Confirm all options:


Setup complete:


Login to Security Onion Console (SOC):


After logging in, you will see the Security Onion Console (SOC) Overview page:


Check Grid to verify all services are running properly:


While on the Grid page, you can upload a PCAP or EVTX file:


Review alerts on the Alerts page:


Review other logs on the Dashboards page:


If you find something interesting on the Alerts or Dashboards pages, you may want to use the Correlate or Hunt actions to find related logs on the Hunt page:


If you find interesting network traffic, you can pivot to full packet capture via the PCAP action:


You can change the view to ASCII transcript for a more human readable view of the traffic:


If you find an interesting artifact, you can send it to CyberChef:


If you need to refer back to previous PCAP jobs, you can find them on the PCAP page:


IMPORT installations do not support remote agents, but if you were running another installation type you could download the Elastic Agent installer from Downloads:


The Administration section allows to you manage user accounts:


It also allows you to manage grid members:


The Administration section also allows you to configure various aspects of the system:


It also allows you to upload a license key for additional enterprise features:


All this in a minimal VM with only 4GB RAM!