First Time Users

Welcome, first time users! You’re going to be peeling back the layers of your network in just a few minutes!

First, please note that Security Onion only supports x86-64 architecture (standard Intel or AMD 64-bit processors). If you don’t have an x86-64 box available, then one option may be to run Security Onion in the cloud. For more information, please see the Amazon Cloud Image, Azure Cloud Image, and Google Cloud Image sections.

Otherwise, if you have an x86-64 box for your Security Onion IMPORT installation, then check to make sure it meets the MINIMUM hardware requirements of 4GB RAM, 2 CPU cores, and 200GB of storage. If you will be installing Security Onion in a virtual machine, then the VM will need those specs at minimum and the host machine will have higher hardware requirements since it will be running the host operating system and possibly other VMs or apps. For more information about virtualization, please see the VMware, VirtualBox, and Proxmox sections. Once you’ve verified that you have an appropriate installation target, you can proceed to download our ISO image as shown in the Download section and then install the ISO image as shown in the Installation section.

Once you have Security Onion installed either in the cloud or on-prem, you can configure for IMPORT as shown below (also see the Configuration section).

Once you’re comfortable with your IMPORT installation, then you can move on to more advanced installations as shown in the Architecture section.

After booting the ISO image, the boot menu appears:

_images/01_grub.png

When prompted, enter your desired username and password:

_images/02_initial_install.png

Once installation is complete, you are prompted to reboot:

_images/03_initial_install_finished.png

After rebooting, login using the username and password that you specified and then Setup will start automatically:

_images/04_setup_init.png

Perform a standard installation:

_images/05_setup_option.png

When prompted for installation type, select IMPORT:

_images/06_setup_type.png

If your Security Onion machine has full Internet access as described in the Firewall section, select Standard. Otherwise, select Airgap:

_images/06_setup_airgap.png

Review the license and agree:

_images/07_setup_license.png

Set the hostname:

_images/08_setup_hostname.png

If you use the default hostname of securityonion, you will see a warning:

_images/09_setup_hostname_conflict.png

Select your management interface:

_images/10_setup_mn_nic.png

Select static IP addressing (recommended) or DHCP:

_images/11_setup_mn_int.png

Specify IP address and CIDR mask:

_images/12_setup_cidr.png

Set gateway address:

_images/13_setup_gateway.png

Enter DNS servers:

_images/14_setup_dns_servers.png

Configure DNS search domain:

_images/15_setup_dns_domain.png

If necessary, you can change the default Docker IP range:

_images/16_setup_docker_range.png

If you are connected to the Internet, select whether it is direct or via proxy:

_images/18_setup_direct_proxy.png

Create username for Security Onion Console (SOC):

_images/20_setup_webuser.png

Set password for Security Onion Console (SOC):

_images/21_setup_webpass1.png

Confirm password for Security Onion Console (SOC):

_images/22_setup_webpass2.png

Select how to access Security Onion Console (SOC):

_images/23_setup_access_type.png

Allow connections through the host-based firewall if necessary:

_images/26_setup_so_allow.png

Specify an IP address or range to allow through the host-based firewall:

_images/27_setup_so_allow_input.png

Confirm all options:

_images/28_setup_summary.png

Setup complete:

_images/29_setup_finished.png

Login to Security Onion Console (SOC):

_images/37_login.png

After logging in, you will see the Security Onion Console (SOC) Overview page:

_images/38_overview.png

Go to the Grid page, click the button to expand the node, and then verify all services are running properly:

_images/39_grid.png

While on the Grid page, you can import a PCAP or EVTX file using the upload button at the bottom of the screen:

_images/40_upload.png

Once the import is complete, the Grid page should display a message at the of the page and provide a link to Dashboards to view all alerts and logs from the import:

_images/45_import.png

If you want to see just the alerts, you can go to the Alerts page although you may need to manually adjust the time range:

_images/50_alerts.png

If you find something interesting on the Alerts or Dashboards pages, you may want to use the Correlate or Hunt actions to find related logs on the Hunt page:

_images/56_hunt.png

If you find interesting network traffic, you can pivot to full packet capture via the PCAP action:

_images/62_pcap.png

You can change the view to ASCII transcript for a more human readable view of the traffic:

_images/65_pcap_details.png

If you need to refer back to previous PCAP jobs, you can find them on the PCAP page:

_images/72_jobs.png

IMPORT installations do not support remote agents, but if you were running a production installation you could download the Elastic Agent installer from Downloads:

_images/78_downloads.png

The Administration section allows you to manage user accounts:

_images/81_users.png

It also allows you to manage grid members:

_images/84_gridmembers.png

The Administration section also allows you to configure various aspects of the system:

_images/87_config.png

It also allows you to upload a license key for additional enterprise features:

_images/91_licensekey.png

If you made it to the end of this First Time Users section, congratulations! If you have any questions or problems, please see the Help section. If you like Security Onion, please consider sharing on social media about Security Onion to help spread the word. Thanks!