Threat hunting

Security Onion - Winlogbeat and Sysmon setup

28 March 2020

This is a release on how to implement Winlogbeat and Sysmon into Security Onion.
Why this? I could not find any good information on how to get all these parts to work together: Sysmon and Winlogbeat for log collection from Windows hosts into Security Onion.

It is free for anyone, and you will get pretty decent monitoring of your Windows hosts. Because it is built on top of the Security Onion framework, it gives you a very strong way to monitor your network traffic as well as the host logs of your Windows servers and Windows clients.

As a free open source framework, this is probably one of the best tool sets you will find to give visibility into what is happening in your environment. It is based on NSA best practice for Windows event log collection and the MITRE ATT&CK framework.

MITRE ATT&CK framework
Right now it covers 81 MITRE ATT&CK techniques, not counting any MITRE techniques that are already covered by Security Onion alone.

You will get 50 dashboards with 413 objects to look at. Happy hunting.

Video Demo file

Download files:
JSON files for the Kibana dashboards and links for the navigation pane.

Winlogbeat and Sysmon with setup instructions and config files.

Made for:
Security Onion -
Kibana 6.8.6 management
Winlogbeat - 6.8.6
Sysmon -

MISP Integration
MISP is an open source threat intelligence platform and open standards for threat information sharing.

For Danish companies, take a look at the Danish MISP User Group/Community.

I can recommend taking a look at the MISP framework for an even stronger Security Onion setup. There are different guides on how to set this up:

Security Onion -
eCrimeLabs -

Release updates

Added PowerShell dashboard.

50 dashboards and 413 objects

Added detection for IcedID (BokBot) in malware hunting.

49 dashboards and 408 objects


App hunting dashboard updated.
Wireless dashboard updated.

49 dashboards and 407 objects

Change in winlogbeat.yml

New Dashboard
Win10 GPO Bypass

49 dashboards and 401 objects

Update to Security Onion

New Winlogbeat 6.8.6

More detection for Emotet and Trickbot using JA3 fingerprints.

Changes in sysmonconfig.xml: removed some old Metasploit port detection. Use IDS detection for that instead.

48 dashboards and 398 objects

Sysmon FileCreate: corrected an error in sysmonconfig.xml.

Adjusted the Sysmon service monitor dashboard.

48 dashboards and 398 objects

Dashboard error corrections.

48 dashboards and 398 objects

Dashboards/navigation pane zip updated to version 1.06.

New dashboard:
Terminal Services monitor.

Updates to:
winlogbeat.yml for Terminal Services event log collection.
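Added example (this is not the winlogbeat.yml shipped in the download; it is written here to show what Terminal Services and Sysmon log collection looks like in Winlogbeat 6.8 syntax). The Security Onion hostname and the Logstash port 5044 are assumptions for your own environment; the channel names and event IDs are the standard Windows ones.

```yaml
# Added example: minimal winlogbeat.yml for shipping Sysmon, Terminal Services,
# PowerShell and selected Security events to Security Onion.
# The Logstash host and port below are assumptions; adjust to your sensor/master.
winlogbeat.event_logs:
  # Sysmon events (process create, network connect, file create, etc.)
  - name: Microsoft-Windows-Sysmon/Operational

  # Terminal Services (RDP) session activity:
  # 21 = session logon, 22 = shell start, 24 = disconnect, 25 = reconnect
  - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
    event_id: 21, 22, 23, 24, 25
  # 1149 = RDP user authentication succeeded (network-level auth passed)
  - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
    event_id: 1149

  # PowerShell module and script block logging
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104

  # Security log, restricted to logon/account/group events to limit volume:
  # 4624 logon, 4625 failed logon, 4634 logoff, 4648 explicit credentials,
  # 4672 special privileges, 4720 user created, 4726 user deleted,
  # 4732 member added to local security group
  - name: Security
    event_id: 4624, 4625, 4634, 4648, 4672, 4720, 4726, 4732

  - name: System
  - name: Application

# Ship to the Security Onion Logstash beats input (assumed host and port).
output.logstash:
  hosts: ["securityonion.example.local:5044"]
```

After editing the file, run `winlogbeat.exe test config -c winlogbeat.yml` from the Winlogbeat directory to validate the syntax before restarting the service; Terminal Services events will only appear in the dashboard if the LocalSessionManager/Operational channel is enabled on the host (it is on by default on Windows Server and Windows 10).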

Other changes:
Windows Event ID slider updated.
Wireless Device Activities updated.

48 dashboards and 397 objects