diff --git a/alerts.rst b/alerts.rst index ea92fe98..682ed56b 100644 --- a/alerts.rst +++ b/alerts.rst @@ -134,7 +134,7 @@ The ``Clipboard`` sub-menu has several options that allow you to copy selected d Actions ~~~~~~~ -The ``Actions`` sub-menu has several different options: +The ``Actions`` sub-menu has several different options. Please note that some of these actions will only display on the Actions menu if you click on a specific log type. - Clicking the ``Hunt`` option will start a new search for the selected value and will give you a good overview of what types of data are available for that indicator. 
@@ -142,20 +142,18 @@ The ``Actions`` sub-menu has several different options: - Clicking the ``Correlate`` option will find related logs based on Community ID, uid, fuid, etc. -- Clicking the ``PCAP`` option will pivot to the :ref:`pcap` interface to retrieve full packet capture for the selected stream. +- Clicking the ``PCAP`` option will pivot to the :ref:`pcap` interface to retrieve full packet capture for the selected stream. This option will only appear if you click on a log that contains source IP, source port, destination IP, destination port, etc. - Clicking the ``Google`` option will search Google for the selected value. - Clicking the ``VirusTotal`` option will search VirusTotal for the selected value. -- Clicking the ``Process Info`` option will show all logs that include this process's entity_id in the ``process.entity_id`` field. +- Clicking the ``Process Info`` option will show all logs that include this process's entity_id in the ``process.entity_id`` field. This option will only appear if you click on a log that contains the ``process.entity_id`` field. -- Clicking the ``Process and Child Info`` option will show all logs that include this process's entity_id in either the ``process.entity_id`` or ``process.parent.entity_id`` fields (depending on the process, this may show the same logs as the ``Process Info`` option or it may show more). +- Clicking the ``Process and Child Info`` option will show all logs that include this process's entity_id in either the ``process.entity_id`` or ``process.parent.entity_id`` fields. Depending on the process, this may show the same logs as the ``Process Info`` option or it may show more. This option will only appear if you click on a log that contains the ``process.entity_id`` field. -- Clicking the ``Process All Info`` option will show all logs that include this process's entity_id in any field (depending on the process, this may show the same logs as the ``Process and Child Info`` option or it may show more). 
+- Clicking the ``Process All Info`` option will show all logs that include this process's entity_id in any field. Depending on the process, this may show the same logs as the ``Process and Child Info`` option or it may show more. This option will only appear if you click on a log that contains the ``process.entity_id`` field. -- Clicking the ``Process Ancestors`` option will show all parent processes for the selected process. - -Please note that some of these actions will only display on the Actions menu if you click on a specific log type. For example, the first three Process actions will only appear if you click on a log that contains the ``process.entity_id`` field and the ``Process Ancestors`` action will only appear if you click on a log that contains the ``process.Ext.ancestry`` field. +- Clicking the ``Process Ancestors`` option will show all parent processes for the selected process. This option will only appear if you click on a log that contains the ``process.Ext.ancestry`` field. If you'd like to add your own custom actions, see the :ref:`soc-customization` section. diff --git a/architecture.rst b/architecture.rst index 2d89e9ec..b79da43e 100644 --- a/architecture.rst +++ b/architecture.rst @@ -178,7 +178,6 @@ Heavy nodes perform sensor duties and store their own logs in their own local :r Heavy Nodes run the following components: - :ref:`elasticsearch` -- :ref:`logstash` - :ref:`zeek` - :ref:`suricata` - :ref:`stenographer` diff --git a/dashboards.rst b/dashboards.rst index 6e412fa9..46942686 100644 --- a/dashboards.rst +++ b/dashboards.rst 
@@ -145,7 +145,7 @@ The ``Clipboard`` sub-menu has several options that allow you to copy selected d Actions ~~~~~~~ -The ``Actions`` sub-menu has several different options: +The ``Actions`` sub-menu has several different options. Please note that some of these actions will only display on the Actions menu if you click on a specific log type. - Clicking the ``Hunt`` option will start a new search for the selected value and will give you a good overview of what types of data are available for that indicator. 
@@ -153,21 +153,19 @@ The ``Actions`` sub-menu has several different options: - Clicking the ``Correlate`` option will find related logs based on Community ID, uid, fuid, etc. -- Clicking the ``PCAP`` option will pivot to the :ref:`pcap` interface to retrieve full packet capture for the selected stream. +- Clicking the ``PCAP`` option will pivot to the :ref:`pcap` interface to retrieve full packet capture for the selected stream. This option will only appear if you click on a log that contains source IP, source port, destination IP, destination port, etc. - Clicking the ``Google`` option will search Google for the selected value. - Clicking the ``VirusTotal`` option will search VirusTotal for the selected value. -- Clicking the ``Process Info`` option will show all logs that include this process's entity_id in the ``process.entity_id`` field. +- Clicking the ``Process Info`` option will show all logs that include this process's entity_id in the ``process.entity_id`` field. This option will only appear if you click on a log that contains the ``process.entity_id`` field. -- Clicking the ``Process and Child Info`` option will show all logs that include this process's entity_id in either the ``process.entity_id`` or ``process.parent.entity_id`` fields (depending on the process, this may show the same logs as the ``Process Info`` option or it may show more). +- Clicking the ``Process and Child Info`` option will show all logs that include this process's entity_id in either the ``process.entity_id`` or ``process.parent.entity_id`` fields. Depending on the process, this may show the same logs as the ``Process Info`` option or it may show more. This option will only appear if you click on a log that contains the ``process.entity_id`` field. -- Clicking the ``Process All Info`` option will show all logs that include this process's entity_id in any field (depending on the process, this may show the same logs as the ``Process and Child Info`` option or it may show more). 
+- Clicking the ``Process All Info`` option will show all logs that include this process's entity_id in any field. Depending on the process, this may show the same logs as the ``Process and Child Info`` option or it may show more. This option will only appear if you click on a log that contains the ``process.entity_id`` field. -- Clicking the ``Process Ancestors`` option will show all parent processes for the selected process. - -Please note that some of these actions will only display on the Actions menu if you click on a specific log type. For example, the first three Process actions will only appear if you click on a log that contains the ``process.entity_id`` field and the ``Process Ancestors`` action will only appear if you click on a log that contains the ``process.Ext.ancestry`` field. +- Clicking the ``Process Ancestors`` option will show all parent processes for the selected process. This option will only appear if you click on a log that contains the ``process.Ext.ancestry`` field. If you'd like to add your own custom actions, see the :ref:`soc-customization` section. diff --git a/download.rst b/download.rst index 700e7230..ce8be5f6 100644 --- a/download.rst +++ b/download.rst 
@@ -13,7 +13,7 @@ Download and verify our ISO image as shown at https://github.com/Security-Onion- .. warning:: - If you download our ISO image and then scan it with antivirus software, it is possible that one or more of the files included in the ISO image may generate false positives. If you look at the antivirus scan details, it will most likely tell you that it alerted on a file in ``SecurityOnion\agrules\``. This is part of :ref:`strelka` and it is being incorrectly flagged as a backdoor when it is really just a Yara ruleset that looks for backdoors. In some cases, the alert may be for a sample EXE that is included in :ref:`strelka` but again a false positive. + If you download our ISO image and then scan it with antivirus software, it is possible that one or more of the files included in the ISO image may generate false positives. If you look at the antivirus scan details, it will most likely tell you that it alerted on a file in ``SecurityOnion\agrules\``. .. note:: diff --git a/faq.rst b/faq.rst index 5bcaea78..dd2b0a5a 100644 --- a/faq.rst +++ b/faq.rst @@ -194,6 +194,11 @@ Should I backup my Security Onion box? Security Onion automatically backs up some important configuration as described in the :ref:`backup` section. However, there is no automated data backup. Network Security Monitoring as a whole is considered "best effort". It is not a "mission critical" resource like a file server or web server. Since we're dealing with "big data" (potentially terabytes of full packet capture) of a transient nature, backing up the data would be prohibitively expensive. Most organizations don't do any data backups and instead just rebuild boxes when necessary. +What happened to Playbook? +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Playbook has been replaced by :ref:`detections`. + How can I add local rules? ~~~~~~~~~~~~~~~~~~~~~~~~~~ 
diff --git a/images/01_grub.png b/images/01_grub.png index 7d73bb03..8354bdfb 100644 Binary files a/images/01_grub.png and b/images/01_grub.png differ diff --git a/images/04_setup_init.png b/images/04_setup_init.png index 8c532041..7657fcc6 100644 Binary files a/images/04_setup_init.png and b/images/04_setup_init.png differ diff --git a/images/05_setup_option.png b/images/05_setup_option.png index b9c9259f..5c0254da 100644 Binary files a/images/05_setup_option.png and b/images/05_setup_option.png differ diff --git a/images/06_setup_airgap.png b/images/06_setup_airgap.png index 9f67b2c5..dd87e510 100644 Binary files a/images/06_setup_airgap.png and b/images/06_setup_airgap.png differ diff --git a/images/06_setup_type.png b/images/06_setup_type.png index 1f05ada2..ec23e0bb 100644 Binary files a/images/06_setup_type.png and b/images/06_setup_type.png differ diff --git a/images/07_setup_license.png b/images/07_setup_license.png index 177ca724..4f351471 100644 Binary files a/images/07_setup_license.png and b/images/07_setup_license.png differ diff --git a/images/08_setup_hostname.png b/images/08_setup_hostname.png index 4dd2bf23..15447407 100644 Binary files a/images/08_setup_hostname.png and b/images/08_setup_hostname.png differ diff --git a/images/09_setup_hostname_conflict.png b/images/09_setup_hostname_conflict.png index 2db0ab4b..aca8e1aa 100644 Binary files a/images/09_setup_hostname_conflict.png and b/images/09_setup_hostname_conflict.png differ diff --git a/images/10_setup_mn_nic.png b/images/10_setup_mn_nic.png index 1d4ba315..7a782185 100644 Binary files a/images/10_setup_mn_nic.png and b/images/10_setup_mn_nic.png differ diff --git a/images/11_setup_mn_int.png b/images/11_setup_mn_int.png index 85da4f9e..c1bf1526 100644 Binary files a/images/11_setup_mn_int.png and b/images/11_setup_mn_int.png differ 
diff --git a/images/12_setup_cidr.png b/images/12_setup_cidr.png index a35626e8..a890424f 100644 Binary files a/images/12_setup_cidr.png and b/images/12_setup_cidr.png differ diff --git a/images/13_setup_gateway.png b/images/13_setup_gateway.png index 36475b4c..91d36937 100644 Binary files a/images/13_setup_gateway.png and b/images/13_setup_gateway.png differ diff --git a/images/14_setup_dns_servers.png b/images/14_setup_dns_servers.png index 8c1d7e6a..b0e75f58 100644 Binary files a/images/14_setup_dns_servers.png and b/images/14_setup_dns_servers.png differ diff --git a/images/15_setup_dns_domain.png b/images/15_setup_dns_domain.png index ebdb5168..5a6ae844 100644 Binary files a/images/15_setup_dns_domain.png and b/images/15_setup_dns_domain.png differ diff --git a/images/16_setup_docker_range.png b/images/16_setup_docker_range.png index 9a0d29e4..ff8569b9 100644 Binary files a/images/16_setup_docker_range.png and b/images/16_setup_docker_range.png differ diff --git a/images/18_setup_direct_proxy.png b/images/18_setup_direct_proxy.png index 72e7a6ac..0d0a6dfe 100644 Binary files a/images/18_setup_direct_proxy.png and b/images/18_setup_direct_proxy.png differ diff --git a/images/20_setup_webuser.png b/images/20_setup_webuser.png index 8f4dee86..314f0b71 100644 Binary files a/images/20_setup_webuser.png and b/images/20_setup_webuser.png differ diff --git a/images/21_setup_webpass1.png b/images/21_setup_webpass1.png index eeedbc74..2bf5e988 100644 Binary files a/images/21_setup_webpass1.png and b/images/21_setup_webpass1.png differ diff --git a/images/22_setup_webpass2.png b/images/22_setup_webpass2.png index b5c7a84e..b2781e7a 100644 Binary files a/images/22_setup_webpass2.png and b/images/22_setup_webpass2.png differ diff --git a/images/23_setup_access_type.png b/images/23_setup_access_type.png index 7c283e6f..539697a9 100644 Binary files a/images/23_setup_access_type.png and b/images/23_setup_access_type.png differ 
diff --git a/images/26_setup_so_allow.png b/images/26_setup_so_allow.png index 0c595104..aebfa031 100644 Binary files a/images/26_setup_so_allow.png and b/images/26_setup_so_allow.png differ diff --git a/images/27_setup_so_allow_input.png b/images/27_setup_so_allow_input.png index 5b69979f..22dafd1b 100644 Binary files a/images/27_setup_so_allow_input.png and b/images/27_setup_so_allow_input.png differ diff --git a/images/27_telemetry.png b/images/27_telemetry.png index 9e2146ee..5aa4d986 100644 Binary files a/images/27_telemetry.png and b/images/27_telemetry.png differ diff --git a/images/28_setup_summary.png b/images/28_setup_summary.png index 0bcebe28..915450bc 100644 Binary files a/images/28_setup_summary.png and b/images/28_setup_summary.png differ diff --git a/images/29_setup_finished.png b/images/29_setup_finished.png index 48c06d3d..5423074d 100644 Binary files a/images/29_setup_finished.png and b/images/29_setup_finished.png differ diff --git a/images/38_overview.png b/images/38_overview.png index 22766e47..57046bc4 100644 Binary files a/images/38_overview.png and b/images/38_overview.png differ diff --git a/images/39_grid.png b/images/39_grid.png index f921abcb..d471afc1 100644 Binary files a/images/39_grid.png and b/images/39_grid.png differ diff --git a/images/40_upload.png b/images/40_upload.png index 64d46b71..1a68eff7 100644 Binary files a/images/40_upload.png and b/images/40_upload.png differ diff --git a/images/45_import.png b/images/45_import.png index 1c104422..498f55de 100644 Binary files a/images/45_import.png and b/images/45_import.png differ diff --git a/images/50_alerts.png b/images/50_alerts.png index b6004e0e..474ad7cb 100644 Binary files a/images/50_alerts.png and b/images/50_alerts.png differ diff --git a/images/51_alerts_options.png b/images/51_alerts_options.png index 9a5b08f4..820b2e99 100644 Binary files a/images/51_alerts_options.png and b/images/51_alerts_options.png differ 
diff --git a/images/53_dashboards.png b/images/53_dashboards.png index 3eaa8d24..e128194a 100644 Binary files a/images/53_dashboards.png and b/images/53_dashboards.png differ diff --git a/images/54_dashboards_options.png b/images/54_dashboards_options.png index f591d5d3..8e7e8fbf 100644 Binary files a/images/54_dashboards_options.png and b/images/54_dashboards_options.png differ diff --git a/images/56_hunt.png b/images/56_hunt.png index ad3e886c..ddd69a80 100644 Binary files a/images/56_hunt.png and b/images/56_hunt.png differ diff --git a/images/57_0_cases.png b/images/57_0_cases.png index 4ff2f6ff..31dc0f4a 100644 Binary files a/images/57_0_cases.png and b/images/57_0_cases.png differ diff --git a/images/57_1_cases_options.png b/images/57_1_cases_options.png index 05155630..dc9a7ede 100644 Binary files a/images/57_1_cases_options.png and b/images/57_1_cases_options.png differ diff --git a/images/57_2_cases_create.png b/images/57_2_cases_create.png index bbcf86af..1482085a 100644 Binary files a/images/57_2_cases_create.png and b/images/57_2_cases_create.png differ diff --git a/images/57_detections.png b/images/57_detections.png index fe5ef480..2a738d3e 100644 Binary files a/images/57_detections.png and b/images/57_detections.png differ diff --git a/images/58_detections_options.png b/images/58_detections_options.png index 0c1e8cf4..87dfe0f6 100644 Binary files a/images/58_detections_options.png and b/images/58_detections_options.png differ diff --git a/images/59_detection_create.png b/images/59_detection_create.png index 968fb13c..bce3510d 100644 Binary files a/images/59_detection_create.png and b/images/59_detection_create.png differ diff --git a/images/60_detection_nids.png b/images/60_detection_nids.png index 5be28395..df7a8326 100644 Binary files a/images/60_detection_nids.png and b/images/60_detection_nids.png differ 
diff --git a/images/60_detection_nids_0_comments.png b/images/60_detection_nids_0_comments.png index ceea2ffa..e7a52336 100644 Binary files a/images/60_detection_nids_0_comments.png and b/images/60_detection_nids_0_comments.png differ diff --git a/images/60_detection_nids_1_signature.png b/images/60_detection_nids_1_signature.png index 7225cf5a..39653ede 100644 Binary files a/images/60_detection_nids_1_signature.png and b/images/60_detection_nids_1_signature.png differ diff --git a/images/60_detection_nids_2_tuning_1.png b/images/60_detection_nids_2_tuning_1.png index 321d9028..8f41af8a 100644 Binary files a/images/60_detection_nids_2_tuning_1.png and b/images/60_detection_nids_2_tuning_1.png differ diff --git a/images/60_detection_nids_2_tuning_2_add.png b/images/60_detection_nids_2_tuning_2_add.png index 5ec71843..dfa3480c 100644 Binary files a/images/60_detection_nids_2_tuning_2_add.png and b/images/60_detection_nids_2_tuning_2_add.png differ diff --git a/images/60_detection_nids_3_history.png b/images/60_detection_nids_3_history.png index 0e68473e..920c9105 100644 Binary files a/images/60_detection_nids_3_history.png and b/images/60_detection_nids_3_history.png differ diff --git a/images/60_detection_sigma.png b/images/60_detection_sigma.png index 4c2b7092..cc50969d 100644 Binary files a/images/60_detection_sigma.png and b/images/60_detection_sigma.png differ diff --git a/images/60_detection_sigma_2_tuning_1.png b/images/60_detection_sigma_2_tuning_1.png index a0565f30..28f05533 100644 Binary files a/images/60_detection_sigma_2_tuning_1.png and b/images/60_detection_sigma_2_tuning_1.png differ diff --git a/images/60_detection_sigma_2_tuning_2_add.png b/images/60_detection_sigma_2_tuning_2_add.png index 66381b43..02b0ed1d 100644 Binary files a/images/60_detection_sigma_2_tuning_2_add.png and b/images/60_detection_sigma_2_tuning_2_add.png differ 
diff --git a/images/60_detection_yara.png b/images/60_detection_yara.png index 440e3a4c..56741a2b 100644 Binary files a/images/60_detection_yara.png and b/images/60_detection_yara.png differ diff --git a/images/62_pcap.png b/images/62_pcap.png index 5cd07034..dc275d3a 100644 Binary files a/images/62_pcap.png and b/images/62_pcap.png differ diff --git a/images/65_pcap_details.png b/images/65_pcap_details.png index 7b4dda55..924cda40 100644 Binary files a/images/65_pcap_details.png and b/images/65_pcap_details.png differ diff --git a/images/68_cyberchef.png b/images/68_cyberchef.png index 91ed55ea..6af090a4 100644 Binary files a/images/68_cyberchef.png and b/images/68_cyberchef.png differ diff --git a/images/72_jobs.png b/images/72_jobs.png index 0567c8cc..0d69af00 100644 Binary files a/images/72_jobs.png and b/images/72_jobs.png differ diff --git a/images/73_jobs_add.png b/images/73_jobs_add.png index abc37dea..42b1d16a 100644 Binary files a/images/73_jobs_add.png and b/images/73_jobs_add.png differ diff --git a/images/75_grid.png b/images/75_grid.png index 50737c7b..b608168a 100644 Binary files a/images/75_grid.png and b/images/75_grid.png differ diff --git a/images/76_grid_options.png b/images/76_grid_options.png index 3eaf5311..8044edda 100644 Binary files a/images/76_grid_options.png and b/images/76_grid_options.png differ diff --git a/images/78_downloads.png b/images/78_downloads.png index 1f1779b8..fec26633 100644 Binary files a/images/78_downloads.png and b/images/78_downloads.png differ diff --git a/images/81_users.png b/images/81_users.png index 94c47f6a..c2ed435d 100644 Binary files a/images/81_users.png and b/images/81_users.png differ diff --git a/images/82_users_detail.png b/images/82_users_detail.png index a76428e7..961acff7 100644 Binary files a/images/82_users_detail.png and b/images/82_users_detail.png differ 
diff --git a/images/83_users_add.png b/images/83_users_add.png index aa9058c3..6ebeaaaa 100644 Binary files a/images/83_users_add.png and b/images/83_users_add.png differ diff --git a/images/84_gridmembers.png b/images/84_gridmembers.png index f7fc4c0f..fe5d3d0d 100644 Binary files a/images/84_gridmembers.png and b/images/84_gridmembers.png differ diff --git a/images/87_config.png b/images/87_config.png index ff3dc812..ea5612ec 100644 Binary files a/images/87_config.png and b/images/87_config.png differ diff --git a/images/88_config_options.png b/images/88_config_options.png index 3318c1af..a0c38eb1 100644 Binary files a/images/88_config_options.png and b/images/88_config_options.png differ diff --git a/images/91_licensekey.png b/images/91_licensekey.png index c108304f..9a0042ba 100644 Binary files a/images/91_licensekey.png and b/images/91_licensekey.png differ diff --git a/images/94_usermenu.png b/images/94_usermenu.png index 77f4f82d..b91fe000 100644 Binary files a/images/94_usermenu.png and b/images/94_usermenu.png differ diff --git a/images/config-item-backup.png b/images/config-item-backup.png index b4a8b5ad..2e45fea3 100644 Binary files a/images/config-item-backup.png and b/images/config-item-backup.png differ diff --git a/images/config-item-bpf.png b/images/config-item-bpf.png index eca506b9..b0a4866a 100644 Binary files a/images/config-item-bpf.png and b/images/config-item-bpf.png differ diff --git a/images/config-item-elastalert-alerter.png b/images/config-item-elastalert-alerter.png index 19faa6a7..4ddaee4f 100644 Binary files a/images/config-item-elastalert-alerter.png and b/images/config-item-elastalert-alerter.png differ diff --git a/images/config-item-elastalert.png b/images/config-item-elastalert.png index 510cb4b7..e61944eb 100644 Binary files a/images/config-item-elastalert.png and b/images/config-item-elastalert.png differ 
diff --git a/images/config-item-elasticfleet.png b/images/config-item-elasticfleet.png index 06ba000a..3ae8ad4c 100644 Binary files a/images/config-item-elasticfleet.png and b/images/config-item-elasticfleet.png differ diff --git a/images/config-item-elasticsearch.png b/images/config-item-elasticsearch.png index eb7b01a3..3e37ae5a 100644 Binary files a/images/config-item-elasticsearch.png and b/images/config-item-elasticsearch.png differ diff --git a/images/config-item-firewall.png b/images/config-item-firewall.png index 547094dc..b256f58d 100644 Binary files a/images/config-item-firewall.png and b/images/config-item-firewall.png differ diff --git a/images/config-item-global-url.png b/images/config-item-global-url.png new file mode 100644 index 00000000..877b65d6 Binary files /dev/null and b/images/config-item-global-url.png differ diff --git a/images/config-item-global.png b/images/config-item-global.png index 3df175c6..da23b775 100644 Binary files a/images/config-item-global.png and b/images/config-item-global.png differ diff --git a/images/config-item-host.png b/images/config-item-host.png index 52799277..dcba9a9c 100644 Binary files a/images/config-item-host.png and b/images/config-item-host.png differ diff --git a/images/config-item-idh.png b/images/config-item-idh.png index 7ed34f93..7c9ab96c 100644 Binary files a/images/config-item-idh.png and b/images/config-item-idh.png differ diff --git a/images/config-item-idstools.png b/images/config-item-idstools.png index 20bfad19..c1122702 100644 Binary files a/images/config-item-idstools.png and b/images/config-item-idstools.png differ diff --git a/images/config-item-influxdb.png b/images/config-item-influxdb.png index 914f5a63..4964baa6 100644 Binary files a/images/config-item-influxdb.png and b/images/config-item-influxdb.png differ 
diff --git a/images/config-item-kafka.png b/images/config-item-kafka.png index 23ffacaf..c9f75c90 100644 Binary files a/images/config-item-kafka.png and b/images/config-item-kafka.png differ diff --git a/images/config-item-kibana.png b/images/config-item-kibana.png index 13e2cd25..79d01e0f 100644 Binary files a/images/config-item-kibana.png and b/images/config-item-kibana.png differ diff --git a/images/config-item-kratos.png b/images/config-item-kratos.png index 22770875..3da45204 100644 Binary files a/images/config-item-kratos.png and b/images/config-item-kratos.png differ diff --git a/images/config-item-logstash.png b/images/config-item-logstash.png index 15211beb..9f45c00e 100644 Binary files a/images/config-item-logstash.png and b/images/config-item-logstash.png differ diff --git a/images/config-item-manager.png b/images/config-item-manager.png index 175d2163..f8772ad1 100644 Binary files a/images/config-item-manager.png and b/images/config-item-manager.png differ diff --git a/images/config-item-nginx.png b/images/config-item-nginx.png index 8c3df456..6cdc421e 100644 Binary files a/images/config-item-nginx.png and b/images/config-item-nginx.png differ diff --git a/images/config-item-ntp.png b/images/config-item-ntp.png index 94878155..b9799d3b 100644 Binary files a/images/config-item-ntp.png and b/images/config-item-ntp.png differ diff --git a/images/config-item-patch.png b/images/config-item-patch.png index 427c9e2b..a8cf44a1 100644 Binary files a/images/config-item-patch.png and b/images/config-item-patch.png differ diff --git a/images/config-item-pcap.png b/images/config-item-pcap.png index 24933eae..b26c7660 100644 Binary files a/images/config-item-pcap.png and b/images/config-item-pcap.png differ diff --git a/images/config-item-redis.png b/images/config-item-redis.png index 34cecbd5..8783c5b1 100644 Binary files a/images/config-item-redis.png and b/images/config-item-redis.png differ 
diff --git a/images/config-item-sensor.png b/images/config-item-sensor.png index c7b2fca5..4911096c 100644 Binary files a/images/config-item-sensor.png and b/images/config-item-sensor.png differ diff --git a/images/config-item-sensoroni.png b/images/config-item-sensoroni.png index b7700e78..2d8bd549 100644 Binary files a/images/config-item-sensoroni.png and b/images/config-item-sensoroni.png differ diff --git a/images/config-item-soc-additionalAlerters.png b/images/config-item-soc-additionalAlerters.png index c59f5fec..0c61eefc 100644 Binary files a/images/config-item-soc-additionalAlerters.png and b/images/config-item-soc-additionalAlerters.png differ diff --git a/images/config-item-soc.png b/images/config-item-soc.png index 96041475..16115106 100644 Binary files a/images/config-item-soc.png and b/images/config-item-soc.png differ diff --git a/images/config-item-strelka.png b/images/config-item-strelka.png index 53321760..f4e4438f 100644 Binary files a/images/config-item-strelka.png and b/images/config-item-strelka.png differ diff --git a/images/config-item-suricata.png b/images/config-item-suricata.png index b7b415b8..cd22fc20 100644 Binary files a/images/config-item-suricata.png and b/images/config-item-suricata.png differ diff --git a/images/config-item-telegraf.png b/images/config-item-telegraf.png index 9247c26a..4e2f1da2 100644 Binary files a/images/config-item-telegraf.png and b/images/config-item-telegraf.png differ diff --git a/images/config-item-zeek.png b/images/config-item-zeek.png index 94098693..6b77137e 100644 Binary files a/images/config-item-zeek.png and b/images/config-item-zeek.png differ diff --git a/images/diagrams/heavy-distributed.png b/images/diagrams/heavy-distributed.png index 66456065..885a12cc 100644 Binary files a/images/diagrams/heavy-distributed.png and b/images/diagrams/heavy-distributed.png differ diff --git a/ingest.rst b/ingest.rst index 921cae45..270d095d 100644 --- a/ingest.rst +++ b/ingest.rst 
@@ -56,7 +56,7 @@ Manager Search Heavy ----- -| Pipeline: Elastic Agent [Heavy Node] --> Logstash [Heavy] --> Redis [Heavy] <--> Logstash [Heavy] --> Elasticsearch Ingest [Heavy] +| Pipeline: Elastic Agent [Heavy Node] --> Elasticsearch Ingest [Heavy] | Logs: Zeek, Suricata, syslog Search diff --git a/release-notes.rst b/release-notes.rst index b7927b03..98c43fb4 100644 --- a/release-notes.rst +++ b/release-notes.rst @@ -22,6 +22,31 @@ To resolve the issue, run the following command for each affected index (replaci After running the command, the index should no longer use replicas and the status should change from "Pending" to "OK" once all indices have been successfully modified. +2.4.90 [20240729] Changes +------------------------- + +- FEATURE: Add new action to SOC Actions list to allow users to more easily add their own actions `#13346 `_ +- FEATURE: Include new Security Onion appliance images for v2 refresh +- FEATURE: Provide maximize button on configuration screen +- FEATURE: Support suricata regex enable | disable +- FEATURE: Visualize diff of history edits +- FIX: Better Timeout Error message `#12534 `_ +- FIX: Custom defined template causes SLS rendering error in base:elasticsearch.enabled `#13328 `_ +- FIX: Detections - Bulk Performance Revisit +- FIX: Disable logstash on heavynodes `#13073 `_ +- FIX: Exclude policy phases if not defined in defaults `#13354 `_ +- FIX: Heavynode architecture documentation +- FIX: Improve displayed metrics for Kafka in influxdb `#13235 `_ +- FIX: Refactor Sync Process +- FIX: Update MOTD `#13317 `_ +- FIX: Update SOC MOTD `#13320 `_ +- UPGRADE: Base image for so-steno container to oracle9:latest `#13344 `_ +- UPGRADE: Base image for so-tcpreplay container to oracle9:latest `#13345 `_ +- UPGRADE: CyberChef 10.19.0 `#13267 `_ +- UPGRADE: so-idh to newer base image `#13265 `_ +- UPGRADE: so-nginx to nginx:1.26.1-alpine `#13264 `_ +- UPGRADE: Suricata 7.0.6 `#13283 `_ + 2.4.80 [20240624] Changes ------------------------- 
diff --git a/suricata.rst b/suricata.rst index 27a788a3..330e1de2 100644 --- a/suricata.rst +++ b/suricata.rst @@ -177,7 +177,7 @@ Troubleshooting Alerts If you're not seeing the Suricata alerts that you expect to see, here are some things that you can check: -- If you have metadata enabled, check to see if you have metadata for the connections. Depending on your configuration, this could be Suricata metadata or :ref:`zeek` metadata. +- If you have metadata enabled, check to see if you have metadata for the connections. Depending on your configuration, this could be Suricata metadata or :ref:`zeek` metadata. Go to :ref:`dashboards`, click the dropdown menu, select the ``Connections seen by Zeek or Suricata`` dashboard, and see if the connections you expect to see in your network traffic are listed there. - If you have metadata enabled but aren't seeing any metadata, then something may be preventing the process from seeing the traffic. Check to see if you have any :ref:`bpf` configuration that may cause the process to ignore the traffic. If you're sniffing traffic from the network, verify that the traffic is reaching the NIC using tcpdump. If importing a pcap file, verify that file contains the traffic you expect and that the Suricata process can read the file and any parent directories. diff --git a/url-base.rst b/url-base.rst index 8183c8bf..52360fcc 100644 --- a/url-base.rst +++ b/url-base.rst 
@@ -3,9 +3,7 @@ Web Access URL ============== -If you need to change the URL for web access to Security Onion (for example, from IP to FQDN), go to :ref:`administration` --> Configuration --> global. +If you need to change the URL for web access to Security Onion (for example, from IP to FQDN), go to :ref:`administration` --> Configuration --> global --> url_base. Enter the new URL in the field on the right and then click the checkmark to save the new setting. -.. image:: images/config-item-global.png - :target: _images/config-item-global.png - -Then select the ``url_base`` option. +.. image:: images/config-item-global-url.png + :target: _images/config-item-global-url.png diff --git a/vmware.rst b/vmware.rst index 8dc19d1f..a2eaeb4c 100644 --- a/vmware.rst +++ b/vmware.rst 
@@ -10,7 +10,7 @@ In this section, we'll cover creating a virtual machine (VM) for our ISO image i .. note:: - With the sniffing interface in ``bridged`` mode, you will be able to see all traffic to and from the host machine's physical NIC. If you would like to see **ALL** the traffic on your network, you will need a method of forwarding that traffic to the interface to which the virtual adapter is bridged. This can be achieved with a tap or SPAN port. + If you want to sniff live traffic, then you will need a second network interface dedicated to sniffing. You will need to set this sniffing interface to sniff from whatever network you want to monitor. With the sniffing interface in ``bridged`` mode, you should be able to see all traffic to and from the host machine's physical NIC. If you would like to see **ALL** the traffic on your network, you will need a method of forwarding that traffic to the interface to which the virtual adapter is bridged. This can be achieved with a tap or SPAN port. If you want to sniff traffic from other VMs, then the virtual sniffing interface needs to be set to the same virtual network that those VMs are set to (this may be ``NAT`` or ``bridged`` depending on how they are configured). Workstation Pro --------------- 
@@ -24,8 +24,8 @@ VMware Workstation is available for many different host operating systems, inclu #. Specify virtual machine name and click ``Next``. #. Specify disk size (minimum 200GB), store as single file, click ``Next``. #. Customize hardware and increase Memory and Processors based on the :ref:`hardware` section. -#. Network Adapter (NAT or Bridged -- if you want to be able to access your Security Onion machine from other devices in the network, then choose Bridged, otherwise choose NAT to leave it behind the host) -- in this tutorial, this will be the management interface. -#. Add >> Network Adapter (Bridged) - this will be the sniffing (monitor) interface. +#. Network Adapter (``NAT`` or ``Bridged`` -- if you want to be able to access your Security Onion machine from other devices in the network then choose Bridged, otherwise choose NAT to leave it behind the host). This will be the management interface. +#. Add >> Network Adapter (``NAT`` or ``Bridged``). This will be the sniffing (monitor) interface. #. Click ``Close``. #. Click ``Finish``. #. Power on the virtual machine and then follow the installation steps for your desired installation type in the :ref:`installation` section.
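Review bot: In the alerts.rst Actions hunk, the new qualifier on the PCAP item ("a log that contains source IP, source port, destination IP, destination port, etc.") leaves the trigger condition open-ended, while the three Process items name the exact field (``process.entity_id``) that must be present. Name the fields the PCAP action keys on the same way and drop the "etc.", otherwise a reader cannot tell why the option is missing on, say, a DNS or file log that has only one endpoint.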
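Review bot: The dashboards.rst Actions hunk is a word-for-word copy of the alerts.rst one, including the same open-ended "etc." on the PCAP item, and this change already had to be applied twice to keep the two in step. Consider maintaining the Actions list once in a shared snippet pulled in with ``.. include::`` from both pages so the next edit cannot leave them drifting apart.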
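Review bot: The architecture.rst Heavy Nodes hunk drops only ``:ref:`logstash```, but the ingest.rst hunk in the same change removes both Logstash and Redis from the heavy-node path (``Elastic Agent [Heavy Node] --> Elasticsearch Ingest [Heavy]``). The context lines shown do not reveal whether ``:ref:`redis``` is still in the Heavy Nodes component list; if it is, remove it in the same commit so the component list and the pipeline description agree with each other and with the "Disable logstash on heavynodes" release note.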
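Review bot: The download.rst warning hunk deletes the only explanation of why ``SecurityOnion\agrules\`` trips antivirus, so the warning now asserts "false positive" with no reason given and no way for the reader to distinguish the expected detection from a genuinely tampered image. If the old wording (Strelka YARA ruleset, bundled sample EXE) is no longer accurate, replace it with the current cause rather than removing it, and add a pointer back to the ISO verification step referenced at the top of this section so the reader confirms the hash or signature instead of simply trusting the label.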
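Review bot: The new faq.rst entry "Playbook has been replaced by :ref:`detections`" answers the question but not the follow-up a user with existing plays will have: whether anything is migrated on upgrade or the rules must be recreated in Detections. One sentence either way, or a pointer to the section that covers it, would pre-empt that support thread.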
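Review bot: The ingest.rst hunk now shows Elastic Agent on a heavy node shipping straight into the Elasticsearch ingest node, with the Redis queue and the second Logstash hop gone, but the page does not say what changed operationally: there is no longer a queue between agent and Elasticsearch on that node type. A sentence on where queuing and back-pressure now sit would help operators sizing heavy nodes and explain why the Heavy pipeline reads differently from the other node types described in the same notation above it.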
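Review bot: Issue references in the 2.4.90 release-notes hunk are inconsistent: seven entries (appliance images, maximize button, suricata regex, history diff, Detections bulk performance, heavynode docs, sync refactor) carry no issue number while the rest do, and as captured here the references render as ``#13346 `_`` with no target URL; if that is not an artifact of how the diff was captured, each needs its ``<https://...>`` target or Sphinx will warn about unknown references. "Support suricata regex enable | disable" is also unclear as written; say what is being enabled or disabled by regex. Separately, the two UPGRADE entries that move so-steno and so-tcpreplay to ``oracle9:latest`` document a floating tag; if the build really tracks ``:latest``, rebuilds are not reproducible, so record the resolved version or image digest in the note and pin it in the Dockerfile.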
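Review bot: The expanded note in the first vmware.rst hunk says a bridged sniffing adapter "should be able to see all traffic to and from the host machine's physical NIC" but never mentions that the guest adapter must be allowed into promiscuous mode on the host or virtual switch; without that the sensor sees only its own unicast traffic plus broadcast, which is the most common reason the "Connections seen by Zeek or Suricata" check added in suricata.rst comes up empty. Add that requirement here. The note is also one long paragraph covering two different cases; splitting "live traffic from the physical network" from "traffic from other VMs" would make it easier to follow.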
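Review bot: In the Workstation Pro steps hunk, changing the second adapter to "``NAT`` or ``Bridged``" without saying when to pick which leaves the reader guessing; the choice follows directly from the note earlier in the file (Bridged to see the physical network, the same virtual network as the target VMs to sniff other guests), so state it in the step. With both adapters now possibly created identically, also note how to tell them apart during setup (adapter order or MAC address), since the first adapter is the one this tutorial intends as the management interface and a mix-up here means the sensor sniffs its own management traffic.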