Security Onion - Winlogbeat and Sysmon setup

28 March 2020

This is a release describing how to implement Winlogbeat and Sysmon in Security Onion.
Why this? I could not find any good information on how to get all these parts working together: Sysmon and Winlogbeat for log collection from Windows hosts into Security Onion.

It is free for anyone, and you get pretty decent monitoring of your Windows hosts. Because it is built on top of the Security Onion framework, it gives you a very strong way to monitor your network traffic alongside the host logs of your Windows servers and Windows clients.

As a free, open source tool set, this is probably one of the best you will find for gaining visibility into what is happening in your environment. The event log collection follows NSA best practice for Windows event log collection, and the dashboards are mapped to the MITRE ATT&CK framework.

MITRE ATT&CK framework
Right now it covers 81 MITRE ATT&CK techniques, not counting the techniques that Security Onion already covers on its own.

You will get 50 dashboards with 413 objects to look at. Happy hunting.....

Video Demo file

Download files:
JSON files with the Kibana dashboards and the links for the navigation pane.
Dashboards-navigationpane.zip

Winlogbeat and Sysmon with setup instructions and config files.
Install_pack.zip

Made for:
Security Onion - 16.04.6.4
Kibana 6.8.6 management
Winlogbeat - 6.8.6
Sysmon - 10.0.4.2
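The install pack above ships its own instructions and config files; the script below is an added example, not the pack's or Security Onion's code, showing the order in which a practitioner would put the two agents in place on a Windows host and check each step before trusting the data in the dashboards. It assumes Sysmon64.exe and the pack's sysmonconfig.xml are unpacked in C:\Install\Sysmon, the Winlogbeat 6.8.6 folder is C:\Program Files\Winlogbeat, and the Security Onion master listens for Beats at the hypothetical address 10.0.0.5 on 5044/tcp. The winlogbeat.yml it writes is a constructed configuration that covers the same channels the dashboards read (Sysmon, Security, PowerShell, Terminal Services, wireless); the event_id filters are this example's choice, not the pack's.

```powershell
# Added example (not from Install_pack.zip): install Sysmon with the pack's config,
# write a winlogbeat.yml, validate it, and register Winlogbeat as a service.
# Run from an elevated PowerShell prompt. Paths and the master IP are assumptions.

$ErrorActionPreference = 'Stop'
$SysmonDir = 'C:\Install\Sysmon'            # assumed: Sysmon64.exe + sysmonconfig.xml
$BeatDir   = 'C:\Program Files\Winlogbeat'  # assumed: unpacked Winlogbeat 6.8.6
$SOMaster  = '10.0.0.5'                     # assumed: Security Onion master IP

# 1. Sysmon: fresh install with the pack's configuration, or reload the config
#    into an existing install (the service is named Sysmon64 for the 64-bit binary).
Set-Location $SysmonDir
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & .\Sysmon64.exe -c .\sysmonconfig.xml
} else {
    & .\Sysmon64.exe -accepteula -i .\sysmonconfig.xml
}
# Sanity check: the operational channel must exist and already contain events.
$newest = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 1
Write-Host "Sysmon is logging; newest event ID: $($newest.Id)"

# 2. Winlogbeat: configuration for the channels the dashboards read.
#    Process creation (Security 4688) is left to Sysmon EID 1 to avoid double counting.
$beatConfig = @"
winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Security
    event_id: 4624, 4625, 4634, 4648, 4672, 4697, 4698, 4720-4738, 4768, 4769, 4771, 4776
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104
  - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  - name: Microsoft-Windows-WLAN-AutoConfig/Operational
  - name: System
    event_id: 104, 7036, 7045

output.logstash:
  hosts: ["$($SOMaster):5044"]

logging.level: info
logging.to_files: true
logging.files:
  path: C:\ProgramData\winlogbeat\Logs
"@
Set-Content -Path (Join-Path $BeatDir 'winlogbeat.yml') -Value $beatConfig -Encoding ASCII

Set-Location $BeatDir
# Validate the YAML and the connection to the master before installing the service.
& .\winlogbeat.exe test config -c .\winlogbeat.yml -e
& .\winlogbeat.exe test output -c .\winlogbeat.yml -e

# 3. Register the service with the script that ships in the Winlogbeat zip, then start it.
if (-not (Get-Service -Name winlogbeat -ErrorAction SilentlyContinue)) {
    PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1
}
Start-Service -Name winlogbeat
Get-Service -Name winlogbeat, Sysmon64 | Format-Table Name, Status -AutoSize
```

Two checks worth doing on the Security Onion side: the master's firewall has to admit the host on 5044/tcp (on 16.04 that is the Beats option in so-allow), and `test output` will fail until it does. The Beats input is plain TCP unless you enable TLS under `output.logstash` (the `ssl.*` settings) and on the Logstash beats input, so on anything but a lab network treat that as the next step rather than an optional one.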

MISP Integration
MISP is an Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing

For Danish companies, take a look at the Danish MISP User Group/Community.

Recommended
I can recommend taking a look at the MISP framework for an even stronger Security Onion setup. There are different guides on how to set this up:

Guides:
Security Onion - https://securityonion.readthedocs.io/en/latest/misp.html
eCrimeLabs - https://github.com/eCrimeLabs/securityonion-ecrimelabs


Release updates

28-03-2020
Changes:
Add PowerShell dashboard

50 dashboards and 413 Objects

21-03-2020
Changes:
Add detection for IcedID (BokBot) in malware hunting

49 dashboards 408 Objects

03-03-2020

Changes:
App hunting dashboard updated.
Wireless Dashboard Updated

49 dashboards 407 Objects

26-02-2020
Changes:
Change in winlogbeat.yml

New Dashboard
Win10 GPO Bypass

49 dashboards 401 Objects

19-02-2020
Changes:
Update to Security Onion 16.04.6.4

New Winlogbeat  6.8.6

18-02-2020
Changes:
More detection for Emotet and Trickbot with JA3

Changes in sysmonconfig.xml: removed some old Metasploit port detection. Use IDS detection instead.

48 dashboards 398 Objects.

14-02-2020
Changes:
Sysmon File Create - corrected an error in sysmonconfig.xml

Adjusted Sysmon service monitor dashboard

48 dashboards 398 Objects

13-02-2020
Changes:
Dashboard error corrections.

48 dashboards 398 Objects

12-02-2020
Changes:
Dashboards-navigationpane zip update to version 1.06

New dashboard:
Terminal Service monitor.

Updates to:
winlogbeat.yml for Terminal Services event log collection.
info-install-pack.txt

Other changes:
Windows Event ID slider update.
Wireless Device Activities update

48 dashboards and 397 Objects