Networkforensic

Threat hunting

Security Onion
Winlogbeat, MS Event logs and Sysmon setup and config files

20 June 2024 / March 2024

Information:
The dashboards only work on the old, unsupported version of Security Onion (do NOT run it in production).
You get 76 dashboards with a total of 652 objects to look at.

Microsoft Event dashboards
All Microsoft event ID dashboards work as intended. They were set up following the NSACyber guidance.

MITRE ATT&CK framework
The Sysmon config covers more than 52 MITRE ATT&CK techniques, not counting the techniques that Security Onion already covers on its own.

Sysmon
The Sysmon config can be used with Sysmon from version 15.00 (Sysmon schema version 4.90).
Logs sent to SIEM systems such as Security Onion, Splunk or Elastic work well on all versions. The Sysmon config is well maintained, all Sysmon event IDs are covered, and it works on all versions of Windows that Sysmon supports.

Sysmon install / uninstall / auto-update config file
A Sysmon install / uninstall / config update script has been released. It makes it easy to install or uninstall Sysmon and to update the Sysmon config file on clients and servers, and you can use it to auto-update all clients and servers with the latest config file.
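As an added example, and not the script distributed in the zip below: a minimal PowerShell script that installs, updates or uninstalls Sysmon with a config file, and only reapplies the config when its hash has changed, so it can run on every boot or on a schedule without reloading an unchanged config. It assumes Sysmon64.exe and the config XML sit next to the script (both paths can be passed in), and it records the hash of the last applied config under HKLM:\SOFTWARE\SysmonDeploy, a registry key chosen for this example that Sysmon itself does not use.

```powershell
# Added example (not the page's own script): install, update or uninstall Sysmon
# with a config file, reapplying the config only when it has changed.
# Assumed layout: Sysmon64.exe and sysmonconfig.xml beside this script.
param(
    [ValidateSet('Install', 'Update', 'Uninstall')]
    [string]$Action = 'Update',
    [string]$SysmonExe  = (Join-Path $PSScriptRoot 'Sysmon64.exe'),
    [string]$ConfigPath = (Join-Path $PSScriptRoot 'sysmonconfig.xml')
)

$ErrorActionPreference = 'Stop'
# Example state key for the hash of the last applied config (assumption, not a Sysmon key).
$StateKey = 'HKLM:\SOFTWARE\SysmonDeploy'

function Get-ConfigHash([string]$Path) {
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}

function Test-SysmonInstalled {
    # The 64-bit build registers a service named Sysmon64 (Sysmon.exe would register "Sysmon").
    $null -ne (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue)
}

function Invoke-Sysmon([string[]]$Arguments) {
    $p = Start-Process -FilePath $SysmonExe -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) {
        throw "Sysmon exited with code $($p.ExitCode) for arguments: $($Arguments -join ' ')"
    }
}

function Save-AppliedHash([string]$Hash) {
    New-Item -Path $StateKey -Force | Out-Null
    Set-ItemProperty -Path $StateKey -Name 'AppliedConfigHash' -Value $Hash
}

switch ($Action) {
    'Install' {
        if (Test-SysmonInstalled) { Write-Host 'Sysmon is already installed; use -Action Update'; break }
        # -i installs the driver and service and loads the given config in one step.
        Invoke-Sysmon @('-accepteula', '-i', $ConfigPath)
        Save-AppliedHash (Get-ConfigHash $ConfigPath)
    }
    'Update' {
        if (-not (Test-SysmonInstalled)) { throw 'Sysmon is not installed; run with -Action Install' }
        $newHash = Get-ConfigHash $ConfigPath
        $applied = (Get-ItemProperty -Path $StateKey -Name 'AppliedConfigHash' -ErrorAction SilentlyContinue).AppliedConfigHash
        if ($applied -eq $newHash) { Write-Host 'Config unchanged; nothing to do'; break }
        # -c loads a new config into the running service without reinstalling the driver.
        Invoke-Sysmon @('-c', $ConfigPath)
        Save-AppliedHash $newHash
    }
    'Uninstall' {
        if (Test-SysmonInstalled) { Invoke-Sysmon @('-u', 'force') }
        Remove-Item -Path $StateKey -Recurse -ErrorAction SilentlyContinue
    }
}
```

Run it elevated (Sysmon refuses to install or reload a config otherwise), for example from a GPO startup script or a scheduled task that points ConfigPath at a share holding the latest config. The hash check only avoids needless reloads; it does not authenticate the config, so keep that share read-only for clients and restrict who can write the config file, because whoever can change it can silence your Sysmon telemetry.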

Download files:
JSON files for the Kibana dashboards and links for the navigation pane.
Filename: Dashboards-navigationpane.zip
SHA1: 35df52492b175273a1897ed36e2a36aca4a16174

Winlogbeat, registry files and setup instructions.
Filename: Install_pack.zip
SHA1: f646b05abfb5018593e81c11430c95540ecd4ed8

Sysmon with install / uninstall scripts and auto-update scripts.
Filename: Sysmon_15.14_Config_50.zip
SHA1: 0e356c2df57ba5f23d4a5e35d3b5b14af7b04174

Sysmon cheatsheet
Filename: Sysmon-Cheatsheet.pdf
SHA1: e573f2c2b46a5abef726b73f3690005b04780e5e
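As an added example, not part of the original page: a PowerShell check of the four downloads against the SHA1 values listed above, to run before extracting or installing anything. The filenames and hashes are the ones on this page; the download folder is an assumption.

```powershell
# Added example (not the page's own code): verify the downloaded files against the
# SHA1 values published on the page before unpacking them.
$DownloadDir = "$env:USERPROFILE\Downloads"   # assumed location of the downloaded files

# Filenames and hashes as listed on the page.
$Expected = @{
    'Dashboards-navigationpane.zip' = '35df52492b175273a1897ed36e2a36aca4a16174'
    'Install_pack.zip'              = 'f646b05abfb5018593e81c11430c95540ecd4ed8'
    'Sysmon_15.14_Config_50.zip'    = '0e356c2df57ba5f23d4a5e35d3b5b14af7b04174'
    'Sysmon-Cheatsheet.pdf'         = 'e573f2c2b46a5abef726b73f3690005b04780e5e'
}

function Test-DownloadHashes([hashtable]$Expected, [string]$Dir) {
    # Returns one object per file: OK, MISMATCH or MISSING, plus the hash actually computed.
    foreach ($name in $Expected.Keys) {
        $path = Join-Path $Dir $name
        if (-not (Test-Path -Path $path -PathType Leaf)) {
            [pscustomobject]@{ File = $name; Status = 'MISSING'; Actual = $null }
            continue
        }
        # Compare case-insensitively: Get-FileHash returns upper-case hex, the page lists lower-case.
        $actual = (Get-FileHash -Path $path -Algorithm SHA1).Hash.ToLowerInvariant()
        $status = if ($actual -eq $Expected[$name].ToLowerInvariant()) { 'OK' } else { 'MISMATCH' }
        [pscustomobject]@{ File = $name; Status = $status; Actual = $actual }
    }
}

$results = @(Test-DownloadHashes -Expected $Expected -Dir $DownloadDir)
$results | Format-Table -AutoSize
if ($results.Status -contains 'MISMATCH' -or $results.Status -contains 'MISSING') {
    throw 'One or more files failed verification; do not extract or install them.'
}
```

A matching SHA1 shows the file arrived intact and is the one the page describes; it is not a strong authenticity check, since SHA1 is no longer collision resistant and anyone able to swap the file on the server could also edit the hash on the page. Treat the scripts in the zips as code you review before running them with SYSTEM privileges on every client and server.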

Tested on: Windows 10 and 11, Windows Server 2019 and later

Security Onion - 16.04.7.1
Kibana 6.8.11 management
SNORT 2.9.16.1
Winlogbeat - 6.8.23
Sysmon - 15.14

MISP integration
MISP is an open source threat intelligence platform and a set of open standards for threat information sharing.

For Danish companies, take a look at the
Danish MISP User Group/Community

Recommended
I can recommend taking a look at the MISP framework for an even stronger Security Onion setup. There are several guides on how to set this up.

Guides:
Security Onion - https://securityonion.readthedocs.io/en/latest/misp.html
eCrimeLabs - https://github.com/eCrimeLabs/securityonion-ecrimelabs


Latest updates

20-07-2024
Changes:
- Sysmon Config 50
- Adds a monitor for CrowdStrike Falcon driver updates.

02-07-2024
Changes:
- Sysmon Config 48

27-06-2024
Changes:
- Sysmon Config 47

05-06-2024
Changes:
- Sysmon Config 43
- Updated dashboards

29-03-2024
Changes:
- Sysmon Config 35