Networkforensic

Threat hunting

Security Onion - Winlogbeat and Sysmon setup

13 May 2022

Information:
(Working for the old unsupported version of Security Onion - do NOT run in production)

Made to work for malware hunting and log analysis.

MITRE ATT&CK framework
The dashboards currently cover 89 MITRE ATT&CK techniques, and that is without counting the techniques already covered by Security Onion alone.

You will get 65 dashboards with a total of 524 objects to look at. Happy hunting.....

Video Demo file

Download Files:
JSON files for the Kibana dashboards and the links for the navigation pane.
File name:
Dashboards-navigationpane.zip
SHA1:
c266922eda0c424f8b82ae1b5afe7456793bf00b

Winlogbeat and Sysmon with setup instructions and config files.
File name:
Install_pack.zip
SHA1:
457103d503662e1aee5b18b8e84c2f6f55ca9892

Please read the info-install-pack.txt and the install.txt before sending me any questions.

Made for:
Security Onion - 16.04.7.1
Kibana 6.8.11 management
SNORT 2.9.16.1
Winlogbeat - 6.8.11
Sysmon - 13.24

MISP Integration
MISP is an Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing

For Danish companies, take a look at the
Danish MISP User Group/Community

Recommended
I recommend taking a look at the MISP framework for an even stronger Security Onion setup. There are several guides on how to set this up:

Guides:
Security Onion - https://securityonion.readthedocs.io/en/latest/misp.html
eCrimeLabs - https://github.com/eCrimeLabs/securityonion-ecrimelabs

Latest updates

13-05-2022
Changes:
- Credman dashboard

27-03-2022
Changes:
- New Wireless dashboard
- New Malware hunting
- New VHD Imagemount
- Update Sysmon Service
- Update JA3 Hunting
- Update Windows Defender
- Update Windows Boot
- Sysmon Config

05-02-2022
Changes:
- New dashboards
- Updated Dashboards

13-10-2021
Changes:
- Update to Logon Monitor

02-10-2021
Changes:
- QUIC Monitor Dashboard.
- Updated malware hunting.

29-08-2021
Changes:
- Sysmon Version 13.24
- Dashboards updates
- Install pack updated