2.4.90

alerts.rst

@@ -134,28 +134,26 @@ The ``Clipboard`` sub-menu has several options that allow you to copy selected d
 Actions
 ~~~~~~~
 
-The ``Actions`` sub-menu has several different options:
+The ``Actions`` sub-menu has several different options. Please note that some of these actions will only display on the Actions menu if you click on a specific log type.
 
 - Clicking the ``Hunt`` option will start a new search for the selected value and will give you a good overview of what types of data are available for that indicator.
 
 - Clicking the ``Add to Case`` option will add an observable to a new or existing case.
 
 - Clicking the ``Correlate`` option will find related logs based on Community ID, uid, fuid, etc.
 
-- Clicking the ``PCAP`` option will pivot to the :ref:`pcap` interface to retrieve full packet capture for the selected stream.
+- Clicking the ``PCAP`` option will pivot to the :ref:`pcap` interface to retrieve full packet capture for the selected stream. This option will only appear if you click on a log that contains source IP, source port, destination IP, destination port, etc.
 
 - Clicking the ``Google`` option will search Google for the selected value. 
 
 - Clicking the ``VirusTotal`` option will search VirusTotal for the selected value.
 
-- Clicking the ``Process Info`` option will show all logs that include this process's entity_id in the ``process.entity_id`` field.
+- Clicking the ``Process Info`` option will show all logs that include this process's entity_id in the ``process.entity_id`` field. This option will only appear if you click on a log that contains the ``process.entity_id`` field.
 
-- Clicking the ``Process and Child Info`` option will show all logs that include this process's entity_id in either the ``process.entity_id`` or ``process.parent.entity_id`` fields (depending on the process, this may show the same logs as the ``Process Info`` option or it may show more).
+- Clicking the ``Process and Child Info`` option will show all logs that include this process's entity_id in either the ``process.entity_id`` or ``process.parent.entity_id`` fields. Depending on the process, this may show the same logs as the ``Process Info`` option or it may show more. This option will only appear if you click on a log that contains the ``process.entity_id`` field.
 
-- Clicking the ``Process All Info`` option will show all logs that include this process's entity_id in any field (depending on the process, this may show the same logs as the ``Process and Child Info`` option or it may show more).
+- Clicking the ``Process All Info`` option will show all logs that include this process's entity_id in any field. Depending on the process, this may show the same logs as the ``Process and Child Info`` option or it may show more. This option will only appear if you click on a log that contains the ``process.entity_id`` field.
 
-- Clicking the ``Process Ancestors`` option will show all parent processes for the selected process.
-
-Please note that some of these actions will only display on the Actions menu if you click on a specific log type. For example, the first three Process actions will only appear if you click on a log that contains the ``process.entity_id`` field and the ``Process Ancestors`` action will only appear if you click on a log that contains the ``process.Ext.ancestry`` field.
+- Clicking the ``Process Ancestors`` option will show all parent processes for the selected process. This option will only appear if you click on a log that contains the ``process.Ext.ancestry`` field.
 
 If you'd like to add your own custom actions, see the :ref:`soc-customization` section.

architecture.rst

@@ -178,7 +178,6 @@ Heavy nodes perform sensor duties and store their own logs in their own local :r
 Heavy Nodes run the following components:
 
 -  :ref:`elasticsearch`
--  :ref:`logstash`
 -  :ref:`zeek`
 -  :ref:`suricata`
 -  :ref:`stenographer`

dashboards.rst

@@ -145,29 +145,27 @@ The ``Clipboard`` sub-menu has several options that allow you to copy selected d
 Actions
 ~~~~~~~
 
-The ``Actions`` sub-menu has several different options:
+The ``Actions`` sub-menu has several different options. Please note that some of these actions will only display on the Actions menu if you click on a specific log type.
 
 - Clicking the ``Hunt`` option will start a new search for the selected value and will give you a good overview of what types of data are available for that indicator.
 
 - Clicking the ``Add to Case`` option will add an observable to a new or existing case.
 
 - Clicking the ``Correlate`` option will find related logs based on Community ID, uid, fuid, etc.
 
-- Clicking the ``PCAP`` option will pivot to the :ref:`pcap` interface to retrieve full packet capture for the selected stream.
+- Clicking the ``PCAP`` option will pivot to the :ref:`pcap` interface to retrieve full packet capture for the selected stream. This option will only appear if you click on a log that contains source IP, source port, destination IP, destination port, etc.
 
 - Clicking the ``Google`` option will search Google for the selected value.
 
 - Clicking the ``VirusTotal`` option will search VirusTotal for the selected value.
 
-- Clicking the ``Process Info`` option will show all logs that include this process's entity_id in the ``process.entity_id`` field.
+- Clicking the ``Process Info`` option will show all logs that include this process's entity_id in the ``process.entity_id`` field. This option will only appear if you click on a log that contains the ``process.entity_id`` field.
 
-- Clicking the ``Process and Child Info`` option will show all logs that include this process's entity_id in either the ``process.entity_id`` or ``process.parent.entity_id`` fields (depending on the process, this may show the same logs as the ``Process Info`` option or it may show more).
+- Clicking the ``Process and Child Info`` option will show all logs that include this process's entity_id in either the ``process.entity_id`` or ``process.parent.entity_id`` fields. Depending on the process, this may show the same logs as the ``Process Info`` option or it may show more. This option will only appear if you click on a log that contains the ``process.entity_id`` field.
 
-- Clicking the ``Process All Info`` option will show all logs that include this process's entity_id in any field (depending on the process, this may show the same logs as the ``Process and Child Info`` option or it may show more).
+- Clicking the ``Process All Info`` option will show all logs that include this process's entity_id in any field. Depending on the process, this may show the same logs as the ``Process and Child Info`` option or it may show more. This option will only appear if you click on a log that contains the ``process.entity_id`` field.
 
-- Clicking the ``Process Ancestors`` option will show all parent processes for the selected process.
-
-Please note that some of these actions will only display on the Actions menu if you click on a specific log type. For example, the first three Process actions will only appear if you click on a log that contains the ``process.entity_id`` field and the ``Process Ancestors`` action will only appear if you click on a log that contains the ``process.Ext.ancestry`` field.
+- Clicking the ``Process Ancestors`` option will show all parent processes for the selected process. This option will only appear if you click on a log that contains the ``process.Ext.ancestry`` field.
 
 If you'd like to add your own custom actions, see the :ref:`soc-customization` section.
 

download.rst

@@ -13,7 +13,7 @@ Download and verify our ISO image as shown at https://github.com/Security-Onion-
 
 .. warning::
 
-   If you download our ISO image and then scan it with antivirus software, it is possible that one or more of the files included in the ISO image may generate false positives. If you look at the antivirus scan details, it will most likely tell you that it alerted on a file in ``SecurityOnion\agrules\``. This is part of :ref:`strelka` and it is being incorrectly flagged as a backdoor when it is really just a Yara ruleset that looks for backdoors. In some cases, the alert may be for a sample EXE that is included in :ref:`strelka` but again a false positive.
+   If you download our ISO image and then scan it with antivirus software, it is possible that one or more of the files included in the ISO image may generate false positives. If you look at the antivirus scan details, it will most likely tell you that it alerted on a file in ``SecurityOnion\agrules\``.
 
 .. note::
 

faq.rst

@@ -194,6 +194,11 @@ Should I backup my Security Onion box?
 
 Security Onion automatically backs up some important configuration as described in the :ref:`backup` section. However, there is no automated data backup. Network Security Monitoring as a whole is considered "best effort". It is not a "mission critical" resource like a file server or web server. Since we're dealing with "big data" (potentially terabytes of full packet capture) of a transient nature, backing up the data would be prohibitively expensive. Most organizations don't do any data backups and instead just rebuild boxes when necessary.
 
+What happened to Playbook?
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Playbook has been replaced by :ref:`detections`.
+
 How can I add local rules?
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 

ingest.rst

@@ -56,7 +56,7 @@ Manager Search
 Heavy
 -----
 
-| Pipeline: Elastic Agent [Heavy Node] --> Logstash [Heavy] --> Redis [Heavy] <--> Logstash [Heavy] --> Elasticsearch Ingest [Heavy] 
+| Pipeline: Elastic Agent [Heavy Node] --> Elasticsearch Ingest [Heavy] 
 | Logs: Zeek, Suricata, syslog
 
 Search

release-notes.rst

@@ -22,6 +22,31 @@ To resolve the issue, run the following command for each affected index (replaci
 
 After running the command, the index should no longer use replicas and the status should change from "Pending" to "OK" once all indices have been successfully modified. 
 
+2.4.90 [20240729] Changes
+-------------------------
+
+- FEATURE: Add new action to SOC Actions list to allow users to more easily add their own actions `#13346 <https://github.com/Security-Onion-Solutions/securityonion/issues/13346>`_
+- FEATURE: Include new Security Onion appliance images for v2 refresh
+- FEATURE: Provide maximize button on configuration screen
+- FEATURE: Support suricata regex enable | disable
+- FEATURE: Visualize diff of history edits
+- FIX: Better Timeout Error message `#12534 <https://github.com/Security-Onion-Solutions/securityonion/issues/12534>`_
+- FIX: Custom defined template causes SLS rendering error in base:elasticsearch.enabled `#13328 <https://github.com/Security-Onion-Solutions/securityonion/issues/13328>`_
+- FIX: Detections - Bulk Performance Revisit
+- FIX: Disable logstash on heavynodes `#13073 <https://github.com/Security-Onion-Solutions/securityonion/issues/13073>`_
+- FIX: Exclude policy phases if not defined in defaults `#13354 <https://github.com/Security-Onion-Solutions/securityonion/issues/13354>`_
+- FIX: Heavynode architecture documentation
+- FIX: Improve displayed metrics for Kafka in influxdb `#13235 <https://github.com/Security-Onion-Solutions/securityonion/issues/13235>`_
+- FIX: Refactor Sync Process
+- FIX: Update MOTD `#13317 <https://github.com/Security-Onion-Solutions/securityonion/issues/13317>`_
+- FIX: Update SOC MOTD `#13320 <https://github.com/Security-Onion-Solutions/securityonion/issues/13320>`_
+- UPGRADE: Base image for so-steno container to oracle9:latest `#13344 <https://github.com/Security-Onion-Solutions/securityonion/issues/13344>`_
+- UPGRADE: Base image for so-tcpreplay container to oracle9:latest `#13345 <https://github.com/Security-Onion-Solutions/securityonion/issues/13345>`_
+- UPGRADE: CyberChef 10.19.0 `#13267 <https://github.com/Security-Onion-Solutions/securityonion/issues/13267>`_
+- UPGRADE: so-idh to newer base image `#13265 <https://github.com/Security-Onion-Solutions/securityonion/issues/13265>`_
+- UPGRADE: so-nginx to nginx:1.26.1-alpine `#13264 <https://github.com/Security-Onion-Solutions/securityonion/issues/13264>`_
+- UPGRADE: Suricata 7.0.6 `#13283 <https://github.com/Security-Onion-Solutions/securityonion/issues/13283>`_
+
 2.4.80 [20240624] Changes
 -------------------------
 

suricata.rst

@@ -177,7 +177,7 @@ Troubleshooting Alerts
 
 If you're not seeing the Suricata alerts that you expect to see, here are some things that you can check:
 
-- If you have metadata enabled, check to see if you have metadata for the connections. Depending on your configuration, this could be Suricata metadata or :ref:`zeek` metadata.
+- If you have metadata enabled, check to see if you have metadata for the connections. Depending on your configuration, this could be Suricata metadata or :ref:`zeek` metadata. Go to :ref:`dashboards`, click the dropdown menu, select the ``Connections seen by Zeek or Suricata`` dashboard, and see if the connections you expect to see in your network traffic are listed there.
 
 - If you have metadata enabled but aren't seeing any metadata, then something may be preventing the process from seeing the traffic. Check to see if you have any :ref:`bpf` configuration that may cause the process to ignore the traffic. If you're sniffing traffic from the network, verify that the traffic is reaching the NIC using tcpdump. If importing a pcap file, verify that file contains the traffic you expect and that the Suricata process can read the file and any parent directories.
 

url-base.rst

@@ -3,9 +3,7 @@
 Web Access URL
 ==============
 
-If you need to change the URL for web access to Security Onion (for example, from IP to FQDN), go to :ref:`administration` --> Configuration --> global.
+If you need to change the URL for web access to Security Onion (for example, from IP to FQDN), go to :ref:`administration` --> Configuration --> global --> url_base. Enter the new URL in the field on the right and then click the checkmark to save the new setting.
 
-.. image:: images/config-item-global.png
-  :target: _images/config-item-global.png
-
-Then select the ``url_base`` option.
+.. image:: images/config-item-global-url.png
+  :target: _images/config-item-global-url.png

vmware.rst

@@ -10,7 +10,7 @@ In this section, we'll cover creating a virtual machine (VM) for our ISO image i
 
 .. note::
 
-   With the sniffing interface in ``bridged`` mode, you will be able to see all traffic to and from the host machine's physical NIC. If you would like to see **ALL** the traffic on your network, you will need a method of forwarding that traffic to the interface to which the virtual adapter is bridged. This can be achieved with a tap or SPAN port.
+   If you want to sniff live traffic, then you will need a second network interface dedicated to sniffing. You will need to set this sniffing interface to sniff from whatever network you want to monitor. With the sniffing interface in ``bridged`` mode, you should be able to see all traffic to and from the host machine's physical NIC. If you would like to see **ALL** the traffic on your network, you will need a method of forwarding that traffic to the interface to which the virtual adapter is bridged. This can be achieved with a tap or SPAN port. If you want to sniff traffic from other VMs, then the virtual sniffing interface needs to be set to the same virtual network that those VMs are set to (this may be ``NAT`` or ``bridged`` depending on how they are configured).
 
 Workstation Pro
 ---------------
@@ -24,8 +24,8 @@ VMware Workstation is available for many different host operating systems, inclu
 #. Specify virtual machine name and click ``Next``.
 #. Specify disk size (minimum 200GB), store as single file, click ``Next``.
 #. Customize hardware and increase Memory and Processors based on the :ref:`hardware` section.
-#. Network Adapter (NAT or Bridged -- if you want to be able to access your Security Onion machine from other devices in the network, then choose Bridged, otherwise choose NAT to leave it behind the host) -- in this tutorial, this will be the management interface.
-#. Add >> Network Adapter (Bridged) - this will be the sniffing (monitor) interface.
+#. Network Adapter (``NAT`` or ``Bridged`` -- if you want to be able to access your Security Onion machine from other devices in the network then choose Bridged, otherwise choose NAT to leave it behind the host). This will be the management interface.
+#. Add >> Network Adapter (``NAT`` or ``Bridged``). This will be the sniffing (monitor) interface.
 #. Click ``Close``.
 #. Click ``Finish``.
 #. Power on the virtual machine and then follow the installation steps for your desired installation type in the :ref:`installation` section.