Networkforensic

Threat hunting

Security Onion - Winlogbeat and Sysmon setup

26 February 2020 

This is a release on how to implement Winlogbeat and Sysmon into Security Onion.
Why this? I could not find any decent information on how to get all these working parts, the Sysmon setup and Winlogbeat collection into Security Onion, to work together. I have invested many hours in testing all of this. It is now working in a decent way.

It is free for anyone, and you will get pretty decent monitoring of your Windows hosts. Because it is built on top of the Security Onion framework, it gives you a very strong way to monitor your network traffic together with the host logs of your Windows servers and clients.

As a free open source framework, this is probably one of the best tool sets you will find to give visibility into what is happening in your environment. It is based on NSA best practice for Windows event log collection and the MITRE ATT&CK framework.

MITRE ATT&CK framework
Right now the dashboards cover 81 MITRE ATT&CK techniques, not counting the techniques already covered by Security Onion on its own.

You get 49 dashboards with 401 objects to look at. Happy hunting.

Video Demo file

Download Files:
JSON files for the Kibana dashboards and links for the navigation pane.
Dashboards-navigationpane.zip

Winlogbeat and Sysmon with setup instructions and config files.
Install_pack.zip

Made for:
Security Onion - 16.04.6.4
Kibana 6.8.6 management
Winlogbeat - 6.8.6
Sysmon - 10.0.4.2
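The steps that the install pack automates on each Windows host, written out as an added PowerShell example. This is not code from the original page or from Install_pack.zip; it assumes that Sysmon64.exe, the sysmonconfig.xml and the unzipped Winlogbeat 6.8.6 folder have been staged in C:\Stage, that the Security Onion master is reachable under the hypothetical name so-master.example.local, and that so-allow has already opened the Beats endpoint (TCP 5044) on the master for this host. The event log list is the set of channels the dashboards above rely on, including the TerminalServices channels added in the 12-02-2020 release.

```powershell
# Added example (not from the original page or Install_pack.zip): deploy Sysmon and
# Winlogbeat on one Windows host and ship the logs to a Security Onion master.
# Assumptions (adjust to your environment):
#   - Sysmon64.exe, sysmonconfig.xml and winlogbeat-6.8.6-windows-x86_64\ are in $Stage
#   - $SoMaster is a hypothetical hostname; so-allow has opened TCP 5044 for this host
#Requires -RunAsAdministrator
param(
    [string]$Stage    = 'C:\Stage',
    [string]$SoMaster = 'so-master.example.local',
    [string]$WlbHome  = 'C:\Program Files\Winlogbeat'
)
$ErrorActionPreference = 'Stop'

# 1. Sysmon: fresh install, or a rule-set reload if the service already exists.
$sysmon = Join-Path $Stage 'Sysmon64.exe'
$config = Join-Path $Stage 'sysmonconfig.xml'
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $sysmon -accepteula -c $config      # -c updates the configuration in place
} else {
    & $sysmon -accepteula -i $config      # -i installs driver, service and configuration
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon exited with code $LASTEXITCODE" }

# 2. Winlogbeat: put the unzipped release in place and write winlogbeat.yml.
if (-not (Test-Path $WlbHome)) {
    Copy-Item -Path (Join-Path $Stage 'winlogbeat-6.8.6-windows-x86_64') `
              -Destination $WlbHome -Recurse
}
# event_id on the PowerShell channel keeps only script block (4104) and module (4103)
# logging so the noisy debug events never leave the host.
@"
winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Security
    ignore_older: 72h
  - name: System
  - name: Application
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104
  - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

output.logstash:
  hosts: ["${SoMaster}:5044"]

logging.level: info
logging.to_files: true
logging.files:
  path: C:\ProgramData\winlogbeat\logs
  keepfiles: 7
"@ | Set-Content -Path (Join-Path $WlbHome 'winlogbeat.yml') -Encoding ASCII

# 3. Validate config and connectivity before touching the service; a YAML typo
#    otherwise shows up only as a service that silently stops.
Push-Location $WlbHome
& .\winlogbeat.exe test config -c .\winlogbeat.yml -e
if ($LASTEXITCODE -ne 0) { Pop-Location; throw 'winlogbeat.yml failed validation' }
& .\winlogbeat.exe test output -c .\winlogbeat.yml -e
if ($LASTEXITCODE -ne 0) { Pop-Location; throw "cannot reach ${SoMaster}:5044 - check so-allow on the master" }

# 4. Register the service with the script shipped in the Winlogbeat zip, then start it.
if (-not (Get-Service -Name 'winlogbeat' -ErrorAction SilentlyContinue)) {
    powershell.exe -ExecutionPolicy Bypass -File .\install-service-winlogbeat.ps1
}
Set-Service  -Name 'winlogbeat' -StartupType Automatic
Start-Service -Name 'winlogbeat'
Pop-Location

# 5. Local sanity check: Sysmon must be writing events for Winlogbeat to have anything to ship.
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName |
    Format-Table -AutoSize
```

Run it once per host from an elevated prompt (or as a GPO startup script). If step 3 fails on `test output`, fix the firewall rule with so-allow on the master first; if the service starts but nothing arrives in Kibana, check C:\ProgramData\winlogbeat\logs on the host before looking at Logstash.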

MISP Integration
MISP is an Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing

For Danish companies, take a look at the Danish MISP User Group/Community.

Recommended
I can recommend taking a look at the MISP framework for an even stronger Security Onion setup. There are different guides on how to set this up:

Guides:
Security Onion - https://securityonion.readthedocs.io/en/latest/misp.html
eCrimeLabs - https://github.com/eCrimeLabs/securityonion-ecrimelabs


Release updates

26-02-2020
Changes:
Change in winlogbeat.yml

New Dashboard
Win10 GPO Bypass

49 dashboards 401 Objects

19-02-2020
Changes:
Update to Security Onion 16.04.6.4

New Winlogbeat 6.8.6

18-02-2020
Changes:
More detection for Emotet and Trickbot with JA3

Changes in sysmonconfig.xml: removed some old Metasploit port detection. Use IDS detection for that instead.

48 dashboards 398 Objects.

14-02-2020
Changes:
Sysmon File Create - Corrected an error in sysmonconfig.xml

Adjusted Sysmon service monitor dashboard

48 dashboards 398 Objects

13-02-2020
Changes:
Dashboard error corrections.

48 dashboards 398 Objects

12-02-2020
Changes:
Dashboards-navigationpane zip update to version 1.06

New dashboard:
Terminal Service monitor.

Updates to:
Winlogbeat.yml for terminal service event log collection.
info-install-pack.txt

Other changes:
Windows Event ID slider update.
Wireless Device Activities update

48 dashboards and 397 Objects