20 Juni Marts 2024
Information:
The dashboards only work on the old, unsupported version
of Security Onion (do NOT run it in production).
You get 76 dashboards with a
total of 652 objects to look at.
Microsoft Event dashboards
All Microsoft event ID dashboards are working just fine. They have
been set up following guidelines from
NSACyber guidance
MITRE ATT&CK framework
Sysmon covers over 52
MITRE ATT&CK techniques,
and that is without counting the techniques already covered by
Security
Onion alone.
Sysmon
The Sysmon config can be used with Sysmon from version 15.00 (Sysmon schema version: 4.90).
Sending the logs to SIEM systems like Security Onion, Splunk or Elastic
works very well on all versions. The Sysmon config is very well maintained. All
Sysmon event IDs are covered, and it works on all
versions of Windows supported by
Sysmon.
Sysmon install / uninstall / Auto update Config file
A Sysmon install / uninstall / config update script has been released.
It makes it very easy to install or uninstall Sysmon and to update the
Sysmon config file on clients and servers. You can auto-update all
clients and servers with my latest config file.
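As an added example (this is not the project's own install script), the PowerShell below shows the defender-side flow the text describes: verify the downloaded package against the SHA1 published on this page before touching the host, unpack it, and then install Sysmon, update the running config, or uninstall it with the documented Sysmon switches (-i, -c, -u, -accepteula). Assumptions not taken from the page: the zip sits in the current directory, it contains Sysmon64.exe and a config named sysmonconfig.xml (placeholder name), and the script runs in an elevated PowerShell session.

```powershell
# Added example, not the project's own script.
# Assumptions (not from the page): the zip contains Sysmon64.exe and a
# config file named sysmonconfig.xml; the session is elevated.
param(
    [ValidateSet('Install', 'Update', 'Uninstall')]
    [string]$Action       = 'Update',
    [string]$ZipPath      = ".\Sysmon_15.14_Config_50.zip",
    # SHA1 as published on the page for Sysmon_15.14_Config_50.zip
    [string]$ExpectedSha1 = "0e356c2df57ba5f23d4a5e35d3b5b14af7b04174",
    [string]$ExtractDir   = "$env:ProgramData\SysmonDeploy",
    [string]$ConfigName   = "sysmonconfig.xml"   # assumed name inside the zip
)

$ErrorActionPreference = 'Stop'

# 1. Integrity check: refuse to proceed if the hash does not match the one
#    published alongside the download. String comparison is case-insensitive
#    in PowerShell, so the hex case of the published value does not matter.
$actual = (Get-FileHash -Path $ZipPath -Algorithm SHA1).Hash
if ($actual -ne $ExpectedSha1) {
    throw "SHA1 mismatch for $ZipPath : got $actual, expected $ExpectedSha1"
}

# 2. Unpack into a dedicated directory so the deployed files are easy to audit.
New-Item -ItemType Directory -Path $ExtractDir -Force | Out-Null
Expand-Archive -Path $ZipPath -DestinationPath $ExtractDir -Force
$sysmon = Join-Path $ExtractDir 'Sysmon64.exe'
$config = Join-Path $ExtractDir $ConfigName

# 3. Act on the requested operation. The service installed by Sysmon64.exe
#    is named Sysmon64, which lets us detect an existing install.
$service = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue

switch ($Action) {
    'Install' {
        if ($service) { Write-Host 'Sysmon64 already installed; use -Action Update.'; break }
        # -accepteula avoids the interactive licence prompt on unattended installs.
        & $sysmon -accepteula -i $config
    }
    'Update' {
        if (-not $service) { throw 'Sysmon64 is not installed; run with -Action Install.' }
        # -c <file> replaces the running configuration without reinstalling.
        & $sysmon -c $config
    }
    'Uninstall' {
        if (-not $service) { Write-Host 'Sysmon64 is not installed.'; break }
        & $sysmon -u
    }
}

# 4. Show the resulting state: service status and the configuration Sysmon
#    reports (-c with no file argument prints the active config).
if ($Action -ne 'Uninstall') {
    Get-Service -Name 'Sysmon64' | Select-Object Name, Status
    & $sysmon -c
}
```

Run it as `.\Deploy-Sysmon.ps1 -Action Install` on a fresh host and `-Action Update` when a new config zip is published; the hash check at the top is what stops a swapped or corrupted download from ever reaching the Sysmon driver.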
Download Files:
JSON files for the Kibana dashboards and links for the navigation
pane.
Filename:
Dashboards-navigationpane.zip
SHA1:35df52492b175273a1897ed36e2a36aca4a16174
Winlogbeat,
registry files and setup instructions.
Filename:
Install_pack.zip
SHA1:
f646b05abfb5018593e81c11430c95540ecd4ed8
Sysmon with install / uninstall scripts and auto update scripts.
Filename:
Sysmon_15.14_Config_50.zip
SHA1: 0e356c2df57ba5f23d4a5e35d3b5b14af7b04174
Sysmon Cheatsheet
Filename:
Sysmon-Cheatsheet.pdf
SHA1:e573f2c2b46a5abef726b73f3690005b04780e5e
Made for / tested on: Windows 10 and 11, Windows Server 2019 and up
Security Onion - 16.04.7.1
Kibana 6.8.11 management
SNORT 2.9.16.1
Winlogbeat - 6.8.23
Sysmon - 15.14
MISP Integration
MISP is
an Open Source Threat Intelligence Platform & Open Standards For
Threat Information Sharing
For Danish companies, take a look at the
Danish MISP user group/community.
Recommended
I can recommend taking a look at the
MISP
framework for an even stronger Security Onion setup. There are
different guides on how to set this up.
Guides:
Security Onion -
https://securityonion.readthedocs.io/en/latest/misp.html
eCrimeLabs -
https://github.com/eCrimeLabs/securityonion-ecrimelabs
20-07-2024
Changes:
- Sysmon Config 50
- With CrowdStrike Falcon driver update monitor.
02-07-2024
Changes:
- Sysmon Config 48
27-06-2024
Changes:
- Sysmon Config 47
05-06-2024
Changes:
- Sysmon Config 43
- Updated dashboards
29-03-2024
Changes:
- Sysmon Config 35