Network forensics

Threat hunting

Security Onion
Winlogbeat, Microsoft event logs and Sysmon: setup and config files

29 March 2024

Information:
The dashboards only work on the old, unsupported version of Security Onion (do NOT run it in production).

Sysmon
The Sysmon config can be used with Sysmon from version 15.00 (Sysmon schema version 4.90).
Sending the logs to SIEM systems such as Security Onion, Splunk and Elastic works very well on all versions. The Sysmon config is well maintained, covers all Sysmon event IDs, and works on every Windows version that Sysmon itself supports.

A Sysmon install / uninstall / config update script has been released. It makes it very easy to install or uninstall Sysmon and to update the Sysmon config file.
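As an added example (this is not the install / uninstall / config update script from the download pack), the PowerShell below wraps the Sysmon command line the way such a script has to: it checks that the installed binary's schema version is at least the one the config file declares before applying it, and then confirms the change through the Sysmon service and event log. The paths for Sysmon64.exe and the config file, and the attribute name parsed from the `-s` output, are assumptions; adjust them to where you unpacked the download.

```powershell
#Requires -RunAsAdministrator
# Added example, not the script from this page's download pack.
# Wraps Sysmon's own switches: -i install, -c update config (or dump the
# active config when no file is given), -u force uninstall, -s print schema.
# $SysmonExe and $Config are placeholder paths for the unpacked download.
param(
    [ValidateSet('Install', 'Update', 'Uninstall', 'Status')]
    [string]$Action = 'Status',
    [string]$SysmonExe = '.\Sysmon64.exe',
    [string]$Config    = '.\sysmonconfig.xml'
)

function Get-BinarySchemaVersion {
    param([string]$Exe)
    # 'Sysmon64 -s' prints the manifest the binary understands; its root
    # element is assumed to carry schemaversion="x.yy".
    $out = & $Exe -s 2>&1 | Out-String
    if ($out -match 'schemaversion="([\d\.]+)"') { return [version]$Matches[1] }
    throw "Could not read schema version from '$Exe -s'"
}

function Get-ConfigSchemaVersion {
    param([string]$Path)
    # The config root is <Sysmon schemaversion="4.90">; the binary must
    # support at least this version or it rejects the file.
    [xml]$xml = Get-Content -Path $Path -Raw
    return [version]$xml.Sysmon.schemaversion
}

function Assert-ConfigCompatible {
    param([string]$Exe, [string]$Path)
    $bin = Get-BinarySchemaVersion -Exe $Exe
    $cfg = Get-ConfigSchemaVersion -Path $Path
    if ($cfg -gt $bin) {
        throw "Config needs schema $cfg but $Exe only supports $bin; update Sysmon first"
    }
    Write-Host "Schema check OK: config $cfg, binary supports $bin"
}

function Confirm-SysmonRunning {
    # The 64-bit binary installs as service 'Sysmon64' and logs to this channel.
    $svc = Get-Service -Name 'Sysmon64' -ErrorAction Stop
    if ($svc.Status -ne 'Running') { throw "Sysmon64 service is $($svc.Status)" }
    # Event ID 16 (Sysmon config state changed) is written on install and on
    # every -c update, so the newest one shows the config that was just applied.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 16 } -MaxEvents 1 |
        Select-Object TimeCreated, Message
}

switch ($Action) {
    'Install' {
        Assert-ConfigCompatible -Exe $SysmonExe -Path $Config
        & $SysmonExe -accepteula -i $Config
        Confirm-SysmonRunning
    }
    'Update' {
        Assert-ConfigCompatible -Exe $SysmonExe -Path $Config
        & $SysmonExe -c $Config
        Confirm-SysmonRunning
    }
    'Uninstall' {
        & $SysmonExe -u force
    }
    'Status' {
        Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
        & $SysmonExe -c          # no file argument: dump the active config
    }
}
```

Run it as `.\Manage-Sysmon.ps1 -Action Update -Config .\sysmonconfig.xml` from an elevated prompt. The schema check matters for this page's config in particular: it declares schema 4.90, so a host still running an older Sysmon binary will refuse the update, and the Event ID 16 lookup is the quickest way to see on the endpoint itself that the new config actually took effect.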

Microsoft event dashboards
All Microsoft event ID dashboards are working fine. They have been set up following the NSACyber guidance.

MITRE ATT&CK framework
The Sysmon config covers more than 52 MITRE ATT&CK techniques, and that is without counting the techniques Security Onion covers on its own.

You get 76 dashboards with a total of 652 objects to look at.
Happy hunting...

Download files:
JSON files for the Kibana dashboards and the links for the navigation pane.
File name:
Dashboards-navigationpane.zip
SHA1: dcb4c78721e95d35e8bede800336c9f8d8b60565

Winlogbeat, registry files and setup instructions.
File name:
Install_pack.zip
SHA1: 07fe1e542373ae97a0d907166be28033089d326e

Sysmon 15.14 Config 35
Filename: Sysmon_15.14_Config_35.zip
SHA1: 12a11fc388cfe39b2ff1d47858ae3be69699a2de

Sysmon Cheatsheet
Filename: Sysmon-Cheatsheet.pdf
SHA1: e573f2c2b46a5abef726b73f3690005b04780e5e
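An added example (not part of the page) of checking the four downloads against the SHA1 values listed above before unpacking anything, plus the check a practitioner would add on top: the SHA1 list sits on the same page as the download links, so it catches a corrupt or stale file but not a swapped page, whereas Microsoft's Authenticode signature on the Sysmon binary (downloaded separately from Sysinternals, not from this page) does not depend on the page at all. The download directory and the Sysmon64.exe path are placeholders.

```powershell
# Added example, not part of the page. Expected SHA1 values are copied from
# the download list above; '.\downloads' and the Sysmon path are placeholders.
$ExpectedSha1 = @{
    'Dashboards-navigationpane.zip' = 'dcb4c78721e95d35e8bede800336c9f8d8b60565'
    'Install_pack.zip'              = '07fe1e542373ae97a0d907166be28033089d326e'
    'Sysmon_15.14_Config_35.zip'    = '12a11fc388cfe39b2ff1d47858ae3be69699a2de'
    'Sysmon-Cheatsheet.pdf'         = 'e573f2c2b46a5abef726b73f3690005b04780e5e'
}

function Test-DownloadHashes {
    param([string]$Dir, [hashtable]$Expected)
    # One result object per listed file. A missing file yields Match = $false
    # too, so a silently failed download is not mistaken for a verified one.
    foreach ($name in $Expected.Keys) {
        $path   = Join-Path -Path $Dir -ChildPath $name
        $actual = if (Test-Path -Path $path) {
            (Get-FileHash -Path $path -Algorithm SHA1).Hash.ToLower()
        } else { 'MISSING' }
        [pscustomobject]@{
            File     = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Match    = ($actual -eq $Expected[$name])
        }
    }
}

function Test-SysmonSignature {
    param([string]$Exe)
    # Independent of this page: Sysmon64.exe comes from Microsoft and carries
    # an Authenticode signature, so Status must be Valid and the signer must
    # be Microsoft before the binary is installed with the config above.
    $sig = Get-AuthenticodeSignature -FilePath $Exe
    [pscustomobject]@{
        File   = $Exe
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        Ok     = ($sig.Status -eq 'Valid' -and
                  $sig.SignerCertificate.Subject -like '*Microsoft Corporation*')
    }
}

$results = Test-DownloadHashes -Dir '.\downloads' -Expected $ExpectedSha1
$results | Format-Table -AutoSize
if ($results.Match -contains $false) {
    throw 'SHA1 mismatch or missing file: do not unpack or install anything'
}

# Placeholder path: wherever the separately downloaded Sysinternals binary lives.
$sysmonExe = 'C:\Tools\Sysmon\Sysmon64.exe'
if (Test-Path -Path $sysmonExe) {
    $sigCheck = Test-SysmonSignature -Exe $sysmonExe
    $sigCheck | Format-List
    if (-not $sigCheck.Ok) { throw "Sysmon64.exe signature check failed: $($sigCheck.Status)" }
}
```

Get-FileHash returns upper-case hex, which is why the script lower-cases it before comparing with the values on this page. If Microsoft later re-signs Sysmon with a new certificate the Subject check still holds, but the hashes here only ever match the exact zip versions listed, so a mismatch after a page update means "re-read the download list", not necessarily "compromised".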

Made for / tested on: Windows 10 and 11, Windows Server 2019 and up

Security Onion - 16.04.7.1
Kibana 6.8.11 management
SNORT 2.9.16.1
Winlogbeat - 6.8.23
Sysmon - 15.14



MISP integration
MISP is an open source threat intelligence platform with open standards for threat information sharing.

For Danish companies, take a look at the
Danish MISP User Group/Community

Recommended
I can recommend taking a look at the
MISP framework for an even stronger Security Onion setup. There are different guides on how to set this up.

Guides:
Security Onion -
https://securityonion.readthedocs.io/en/latest/misp.html
eCrimeLabs - https://github.com/eCrimeLabs/securityonion-ecrimelabs


Latest updates

29-03-2024
Changes:
- Sysmon Config 35

02-03-2024
Changes:
- Sysmon Config 27

01-03-2024
Changes:
- Sysmon Config 26

28-02-2024
Changes:
- Sysmon Config 25

14-02-2024
Changes:
- New dashboards
- Sysmon 15.14
- Sysmon Config 22
- Sysmon Install script
- Sysmon Uninstall script
- Sysmon Config Update script

18-11-2023
Changes:
- New dashboards
- Sysmon 15.11
- Sysmon Config 15

22-07-2023
Changes:
- New dashboard
- Sysmon 15 config 02

06-07-2023
Changes:
- Updated Dashboards
- File Executable Detected dashboard
- Sysmon 15
- Sysmon config 01