Networkforensic

Threat hunting

Security Onion - Winlogbeat and Sysmon setup

03 June 2020

This is a release on how to implement Winlogbeat and Sysmon in Security Onion.
Why this? I could not find any good information on how to get all these parts working together, with Sysmon and Winlogbeat collecting logs from Windows hosts into Security Onion.

It is free for anyone, and you will get pretty good monitoring of your Windows hosts. And because it is built on top of the Security Onion framework, it gives you a very strong way to monitor your network traffic together with the logs of your Windows servers and Windows clients.

As a free open source framework, this is probably one of the best tool sets you will find to give visibility into what is happening in your environment. The log collection is based on NSA best practice for Windows event log collection and the MITRE ATT&CK framework.
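As an added example (not one of the config files in the install pack), a minimal winlogbeat.yml for Winlogbeat 6.8 that forwards the Sysmon channel plus a subset of Security events to the Security Onion Beats input; the hostname, port 5044 and the event ID list are assumptions to be adjusted to your own install.txt.

```yaml
# Assumed example configuration for Winlogbeat 6.8 (not the install pack's own file).
winlogbeat.event_logs:
  # Sysmon writes to its own operational channel; collect everything from it.
  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 72h

  # Security log: illustrative subset of high-value IDs
  # (logon success/failure, process creation, account creation,
  # group membership change, audit log cleared). Extend per your own baseline.
  - name: Security
    event_id: 4624, 4625, 4688, 4720, 4732, 1102
    ignore_older: 72h

  - name: System
  - name: Application

# Tag events so they are easy to filter in Kibana.
tags: ["windows", "sysmon"]

# Ship to the Logstash Beats input on the Security Onion master (assumed host/port).
output.logstash:
  hosts: ["securityonion.example.local:5044"]
```

Remember to open port 5044 on the Security Onion box to the Windows hosts (so-allow) before starting the Winlogbeat service.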

MITRE ATT&CK framework
Right now it covers 82 MITRE ATT&CK techniques, and that is without counting the techniques already covered by Security Onion on its own.

You will get 54 dashboards with a total of 422 objects to look at. Happy hunting.....

Video Demo file

Download Files:
JSON files for the Kibana dashboards and links for the navigation pane.
Dashboards-navigationpane.zip

Winlogbeat and Sysmon with setup instructions and config files.
Install_pack.zip

Please read the info-install-pack.txt and the install.txt before sending any questions.

Made for:
Security Onion - 16.04.6.6
Kibana 6.8.8 management
Winlogbeat - 6.8.8
Sysmon - 11.0




MISP Integration
MISP is an Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing

For Danish companies, take a look at the Danish MISP user group/community.

Recommended
I recommend taking a look at the MISP framework for an even stronger Security Onion setup. There are several guides on how to set this up:

Guides:
Security Onion - https://securityonion.readthedocs.io/en/latest/misp.html
eCrimeLabs - https://github.com/eCrimeLabs/securityonion-ecrimelabs


5 latest release updates

03-06-2020
Changes:
- Add Hawkeye to malware hunting dashboard.

22-05-2020
Changes:
- Update to Sysmon service monitor matching the latest Sysmon 11 and config files

21-05-2020
Changes:
- Sysmon changed to version 11.0

- New Sysmon dashboard for FileDelete

- New Sysmon Config file

- Other small updates to dashboards

12-05-2020
Changes:
- New Winlogbeat 6.8.8

- Updates for some dashboards

- Lots of updates in Security Onion itself

12-04-2020
Changes:
- Add Zoloder detection to Malware hunting dashboard