Update documentation for 2.4.70

_static/theme_overrides.js

@@ -1,11 +1,11 @@
 const banner_text = `
-NOTICE: You are viewing documentation for an older version of Security Onion.
+NOTICE: You are viewing documentation for a development version of Security Onion.
 <br>
-View the <a href="https://docs.securityonion.net/">latest documentation</a>.
+View the <a href="https://docs.securityonion.net/">documentation for the latest stable release</a>.
 `;
 
 function show_banner() {
-    if (READTHEDOCS_DATA['version'] == '2.4') return;
+    if (READTHEDOCS_DATA['version'] != 'dev') return;
 
     const banner = document.createElement('div');
     banner.className = "so-banner";
@@ -15,4 +15,4 @@ function show_banner() {
     rst.prepend(banner);
 }
 
-window.setTimeout(show_banner, 100);
+window.setTimeout(show_banner, 100);

about.rst

@@ -38,21 +38,21 @@ This documentation is published online at https://securityonion.net/docs. If you
 
 This documentation is also available in PDF format at https://readthedocs.org/projects/securityonion/downloads/pdf/2.4/.
 
-Many folks have asked for a printed version of our documentation.  Whether you work on airgapped networks or simply want a portable reference that doesn't require an Internet connection or batteries, this is what you've been asking for.  Thanks to Richard Bejtlich for writing the inspiring foreword!  Proceeds go to the Rural Technology Fund! You can purchase your copy at https://securityonion.net/book.
+Many folks have asked for a printed version of our documentation. Whether you work on airgapped networks or simply want a portable reference that doesn't require an Internet connection or batteries, this is what you've been asking for. Thanks to Richard Bejtlich for writing the inspiring foreword! Proceeds go to the Rural Technology Fund! You can purchase your copy at https://securityonion.net/book.
 
 Authors
 ~~~~~~~
 
-Security Onion Solutions is the primary author and maintainer of this documentation.  Some content has been contributed by members of our community.  Thanks to all the folks who have contributed to this documentation over the years!
+Security Onion Solutions is the primary author and maintainer of this documentation. Some content has been contributed by members of our community. Thanks to all the folks who have contributed to this documentation over the years!
 
 Contributing
 ~~~~~~~~~~~~
 
-We welcome your contributions to our documentation!  We will review any suggestions and apply them if appropriate.
+We welcome your contributions to our documentation! We will review any suggestions and apply them if appropriate.
 
-If you are accessing the online version of the documentation and notice that a particular page has incorrect information, you can submit corrections by clicking the ``Edit on GitHub`` button in the upper right corner of each page.
+If you are accessing the online version of the documentation and notice that a particular page has incorrect information, you can submit corrections by clicking the ``Edit on GitHub`` button in the upper-right corner of each page. Once you have made your corrections, you will need to submit your pull request (PR) to the ``dev`` branch.
 
-To submit a new page, you can submit a pull request (PR) to the 2.4 branch of the ``securityonion-docs`` repo at https://github.com/Security-Onion-Solutions/securityonion-docs.
+To submit a new page, you can submit a pull request (PR) to the ``dev`` branch of the ``securityonion-docs`` repo at https://github.com/Security-Onion-Solutions/securityonion-docs.
 
 Pages are written in RST format and you can find several RST guides on the Internet including https://thomas-cokelaer.info/tutorials/sphinx/rest_syntax.html.
 

accounts.rst

@@ -20,4 +20,3 @@ OS accounts are controlled by standard Linux account utilities. SOC accounts are
    disabling-accounts
    rbac
    kratos
-   oidc

adding-accounts.rst

@@ -12,20 +12,25 @@ If you need to add a new OS user account, you can use the ``adduser`` command.
 
     sudo adduser tom
 
-We recommend creating usernames in lower case for consistency.
+.. tip::
+
+        We recommend creating OS usernames in lower case for consistency.
 
-For more information, please see the adduser manual by typing ``man adduser``.
+For more information about adding OS user accounts, please see the adduser manual by typing ``man adduser``.
 
 SOC
 ---
 
 If you need to add a new account to :ref:`soc`, navigate to the :ref:`administration` interface, and then click ``Users``.
 
-.. image:: images/59_users.png
-  :target: _images/59_users.png
+.. image:: images/81_users.png
+  :target: _images/81_users.png
 
 Click the ``+`` button, fill out the necessary information, and then click the ``ADD`` button.
 
+.. image:: images/83_users_add.png
+  :target: _images/83_users_add.png
+
 .. tip::
 
   We recommend specifying email addresses in lower case for consistency.

additional-network.rst

@@ -0,0 +1,12 @@
+.. _additional-network:
+
+Additional Network Visibility
+=============================
+
+In the :ref:`network` section, we looked at network visibility provided by Security Onion itself. The ideal situation would be to have Security Onion network sensors covering each and every one of your network segments. If you're able to achieve that ideal situation, then you may not need any additional network visibility. However, there may be times when you simply can't cover certain network segments with Security Onion network sensors and that's when these additional options can be beneficial. Keep in mind, though, that the data that they provide is nowhere near as comprehensive as a full Security Onion network sensor. One option would be :ref:`netflow` logs from firewalls, switches, or routers showing what traffic was observed by the network device. Another option would be firewall logs showing what traffic was allowed through the firewall and what traffic was denied. An example of that would be :ref:`pfsense` firewall logs. You can find other firewall integrations in the :ref:`third-party-integrations` section.
+
+.. toctree::
+   :maxdepth: 2
+
+   netflow
+   pfsense

administration.rst

@@ -10,19 +10,19 @@ Users
 
 The Users page shows all user accounts that have been created for the grid.
 
-.. image:: images/users.png
-  :target: _images/users.png
+.. image:: images/81_users.png
+  :target: _images/81_users.png
 
 The Note column allows administrators to include a short note on a user's account.
 
 The Role column lists roles assigned to the user as defined in the :ref:`rbac` section.
 
-The Status column will show different icons depending on the status of the account. In the screenshot above:
+The Status column will show different icons depending on the status of the account:
 
-- the first account is enabled and has TOTP :ref:`mfa` enabled
-- the second account is enabled and has changed their password but does not have :ref:`mfa` enabled
-- the third account is enabled but has not yet changed their password and does not have :ref:`mfa` enabled
-- the fourth account is locked
+- orange exclamation point - account enabled but has not yet changed their password and does not have :ref:`mfa` enabled
+- blue icon with shield - account enabled with :ref:`mfa` enabled
+- no icon - account enabled and has changed their password but does not have :ref:`mfa` enabled
+- grey user with slash - account locked
 
 Hovering over the icon in the Status column will show you these details as well.
 
@@ -31,8 +31,8 @@ Grid Members
 
 The Grid Members page shows nodes that have attempted to join the grid and whether or not they have been accepted into the grid by an administrator.
 
-.. image:: images/60_gridmembers.png
-  :target: _images/60_gridmembers.png
+.. image:: images/84_gridmembers.png
+  :target: _images/84_gridmembers.png
 
 Unaccepted members are displayed on the left side and broken into three sections: Pending Members, Denied Members, and Rejected Members. When you accept a member, it will then move to the right side under Accepted Members.
 
@@ -43,13 +43,14 @@ Configuration
 
 The Configuration page allows you to configure various components of your grid.
 
-.. image:: images/61_config.png
-  :target: _images/61_config.png
+.. image:: images/87_config.png
+  :target: _images/87_config.png
 
 The most common configuration options are shown in the quick links on the right side. On the left side, you can click on a component in the tree view to drill into it and show all available settings for that component. You can then click on a setting to show the current setting or modify it if necessary. If you make a mistake, you can easily revert back to the default value. If a blue question mark appears on the setting page, you can click it to go to the documentation for that component.
 
 If you're not sure of which component a particular setting may belong to, you can use the Filter at the top of the list to look for a particular setting. To the right of the Filter field are buttons that do the following:
 
+- apply the search filter
 - expand all settings
 - collapse all settings
 - show settings that have been modified from the default value
@@ -61,17 +62,34 @@ If you're not sure of which component a particular setting may belong to, you ca
 
 Some settings can be applied across the entire grid or to specific nodes. If you apply a setting to a specific node, it will override the grid setting.
 
+Advanced Settings
+~~~~~~~~~~~~~~~~~
+
 By default, the Configuration page only shows the most widely used settings. If you want to see all settings, you can go to the Options bar at the top of the page and then click the toggle labeled ``Show all configurable settings, including advanced settings``.
 
 .. warning::
 
 	Changing advanced settings is unsupported and could result in requiring a full cluster re-installation.
 
+.. image:: images/88_config_options.png
+  :target: _images/88_config_options.png
+
+Duplicate Settings
+~~~~~~~~~~~~~~~~~~
+
+Starting in Security Onion 2.4.70, some settings can be duplicated to more easily create new settings. If a setting is eligible for duplication, then it will have a DUPLICATE button on the right side of the page, provided the Advanced Option is enabled at the top of the screen. Creating a duplicate setting is a TWO-STEP process.
+
+1. Click the DUPLICATE button and provide a name for the new setting, then click the CREATE SETTING button.
+2. The new setting will automatically be shown in the Configuration screen. At this point it is not yet saved to the server. The setting's value must be modified explicitly to persist this new setting. Once the value has been modified, click the green checkmark button to save it.
+
+.. note::
+
+  Duplicated settings do not retain their original setting's full behavior. For example, if the original setting only allowed for CIDR values, this new setting will not have the same protections on later views in the Configuration screen. Further, duplicated settings are marked as advanced settings. In order to see the new setting at a later time the Advanced Option toggle must be enabled under the Configuration Options at the top of the Configuration screen.
+
 License Key
 -----------
 
-In the future, we will offer some new enterprise features for Security Onion. If you are interested in those features and purchase a license key, then this screen will allow you to enter your license key and then show the status of that license key.
-
-.. image:: images/62_licensekey.png
-  :target: _images/62_licensekey.png
+.. image:: images/91_licensekey.png
+  :target: _images/91_licensekey.png
 
+Starting in Security Onion 2.4.70, you will have the option of adding a license key for :ref:`pro`.

airgap.rst

@@ -5,7 +5,7 @@ Airgap
 
 Security Onion is committed to allowing users to run a full install on networks that do not have Internet access. Our ISO image includes everything you need to run without Internet access. Make sure that you choose the airgap option during Setup. 
 
-If your network has Internet access but has overly restrictive proxies, firewalls, or other network devices, then you may want to consider the airgap option as everything will install via the ISO image.
+If your network has Internet access but has overly restrictive proxies, firewalls, or other network devices that might prevent Security Onion from connecting to the sites shown in the :ref:`firewall` section, then you may want to consider the airgap option as everything will install from the ISO image itself.
 
 .. image:: images/06_setup_airgap.png
   :target: _images/06_setup_airgap.png

alert-data-fields.rst

@@ -3,7 +3,7 @@
 Alert Data Fields
 =================
 
-| :ref:`elasticsearch` receives NIDS alerts from :ref:`suricata` via :ref:`elastic-agent` or :ref:`logstash` and parses them using:
+| :ref:`elasticsearch` receives :ref:`nids` alerts from :ref:`suricata` via :ref:`elastic-agent` or :ref:`logstash` and parses them using:
 | ``/opt/so/conf/elasticsearch/ingest/suricata.alert``
 | ``/opt/so/conf/elasticsearch/ingest/common.nids``
 | ``/opt/so/conf/elasticsearch/ingest/common``
@@ -16,7 +16,7 @@ https://github.com/Security-Onion-Solutions/securityonion/blob/2.4/main/salt/ela
 
 https://github.com/Security-Onion-Solutions/securityonion/blob/2.4/main/salt/elasticsearch/files/ingest-dynamic/common
 
-You can find parsed NIDS alerts in :ref:`alerts`, :ref:`dashboards`, :ref:`hunt`, and :ref:`kibana` via their predefined queries and dashboards or by manually searching for:
+You can find parsed :ref:`nids` alerts in :ref:`alerts`, :ref:`dashboards`, :ref:`hunt`, and :ref:`kibana` via their predefined queries and dashboards or by manually searching for:
 
 | ``event.module:"suricata"``
 | ``event.dataset:"alert"``

alerts.rst

@@ -13,6 +13,9 @@ Options
 
 At the top of the page, there is an Options menu that allows you to set options such as Acknowledged/Escalated, Automatic Refresh Interval, and Time Zone.
 
+.. image:: images/51_alerts_options.png
+  :target: _images/51_alerts_options.png
+
 Toggles
 ~~~~~~~
 
@@ -37,20 +40,12 @@ Alerts will try to detect your local time zone via your browser. You can manuall
 Query Bar
 ---------
 
-The query bar defaults to ``Group By Name, Module`` which groups the alerts by ``rule.name`` and ``event.module``. If you want to send your current Alerts query to :ref:`hunt`, you can click the crosshair icon to the right of the query bar.
-
-.. image:: images/alerts-query-bar.png
-  :target: _images/alerts-query-bar.png
-
-You can click the dropdown box to select other queries which will group by other fields.
+The query bar defaults to ``Group By Name, Module`` which groups the alerts by ``rule.name`` and ``event.module``. You can click the dropdown box to select other queries which will group by other fields. If you want to send your current Alerts query to :ref:`hunt`, you can click the crosshair icon to the right of the query bar.
 
-.. image:: images/alerts-queries.png
-  :target: _images/alerts-queries.png
-
 Time Picker
 -----------
 
-By default, Alerts searches the last 24 hours. If you want to search a different time frame, you can change it in the upper right corner of the screen.
+By default, Alerts searches the last 24 hours. If you want to search a different time frame, you can change it in the upper-right corner of the screen.
 
 Data Table
 ----------
@@ -72,23 +67,15 @@ Grouped View
 
 By default, alerts are grouped by whatever criteria is selected in the query bar. Clicking a field value and then selecting the Drilldown option allows you to drill down into that value which switches to the detailed view. You can also click the value in the Count column to perform a quick drilldown. Note that this quick drilldown feature is only enabled for certain queries.
 
-.. image:: images/alerts-grouped.png
-  :target: _images/alerts-grouped.png
-
 If you'd like to remove a particular field from the grouped view, you can click the trash icon at the top of the table to the right of the field name.
 
 Detailed View
 ~~~~~~~~~~~~~
 
 If you click a value in the grouped view and then select the Drilldown option, the display will switch to the detailed view. This shows all search results and allows you to then drill into individual search results as necessary. Clicking the table headers allows you to sort ascending or descending. Starting from the left side of each row, there is an arrow which will expand the result to show all of its fields. To the right of that arrow is the ``Timestamp`` field. Next, a few standard fields are shown: ``rule.name``, ``event.severity_label``, ``source.ip``, ``source.port``, ``destination.ip``, and ``destination.port``. Depending on what kind of data you're looking at, there may be some additional data-specific fields as well. 
 
-.. image:: images/alerts-detailed.png
-  :target: _images/alerts-detailed.png
-
-When you click the arrow to expand a row in the Events table, it will show all of the individual fields from that event. Field names are shown on the left and field values on the right. When looking at the field names, there is an icon to the left that will add that field to the ``groupby`` section of your query. You can click on values on the right to bring up the context menu to refine your search or pivot to other pages. 
-
-.. image:: images/alerts-expanded.png
-  :target: _images/alerts-expanded.png
+When you click the arrow to expand a row in the Events table, it will show all of the individual fields from that event. Field names are shown on the left and field values on the right. When looking at the field names, there are two icons to the left. Th
+e Groupby icon, the left most icon, will add a new groupby table for that field. The Toggle Column icon, to the right of the Groupby icon, will toggle that column in the Events table, and the icon will be a blue color if the column is visible. You can click on values on the right to bring up the context menu to refine your search or pivot to other pages. 
 
 Context Menu
 ------------
@@ -110,6 +97,16 @@ Only
 
 Clicking the ``Only`` option will start a new search for the selected value and retain any existing groupby terms.
 
+Drilldown
+~~~~~~~~~
+
+Clicking the ``Drilldown`` option will drill down into a group of alerts to show each individual alert.
+
+Tune Detection
+~~~~~~~~~~~~~~
+
+Clicking the ``Tune Detection`` option will take you to :ref:`detections` and allow you disable or modify the detection that fired the alert.
+
 Group By
 ~~~~~~~~