Skip to content

Latest commit

 

History

History
231 lines (138 loc) · 7.97 KB

first-time-users.rst

File metadata and controls

231 lines (138 loc) · 7.97 KB

First Time Users

Welcome, first time users! You're going to be peeling back the layers of your network in just a few minutes!

First, please note that Security Onion only supports x86-64 architecture (standard Intel or AMD 64-bit processors). If you don't have an x86-64 box available, then one option may be to run Security Onion in the cloud. For more information, please see the :ref:`cloud-amazon`, :ref:`cloud-azure`, and :ref:`cloud-google` sections.

Otherwise, if you have an x86-64 box for your Security Onion IMPORT installation, then check to make sure it meets the MINIMUM hardware requirements of 4GB RAM, 2 CPU cores, and 200GB of storage. If you will be installing Security Onion in a virtual machine, then the VM will need those specs at minimum and the host machine will have higher hardware requirements since it will be running the host operating system and possibly other VMs or apps. For more information about virtualization, please see the :ref:`vmware`, :ref:`virtualbox`, and :ref:`proxmox` sections. Once you've verified that you have an appropriate installation target, you can proceed to download our ISO image as shown in the :ref:`download` section and then install the ISO image as shown in the :ref:`installation` section.

Once you have Security Onion installed either in the cloud or on-prem, you can configure for IMPORT as shown below (also see the :ref:`configuration` section).

Once you're comfortable with your IMPORT installation, then you can move on to more advanced installations as shown in the :ref:`architecture` section.

After booting the ISO image, the boot menu appears:

images/01_grub.png

When prompted, enter your desired username and password:

images/02_initial_install.png

Once installation is complete, you are prompted to reboot:

images/03_initial_install_finished.png

After rebooting, login using the username and password that you specified and then Setup will start automatically:

images/04_setup_init.png

Perform a standard installation:

images/05_setup_option.png

When prompted for installation type, select IMPORT:

images/06_setup_type.png

If your Security Onion machine has full Internet access as described in the :ref:`firewall` section, select Standard. Otherwise, select :ref:`airgap`:

images/06_setup_airgap.png

Review the license and agree:

images/07_setup_license.png

Set the hostname:

images/08_setup_hostname.png

If you use the default hostname of securityonion, you will see a warning:

images/09_setup_hostname_conflict.png

Select your management interface:

images/10_setup_mn_nic.png

Select static IP addressing (recommended) or DHCP:

images/11_setup_mn_int.png

Specify IP address and CIDR mask:

images/12_setup_cidr.png

Set gateway address:

images/13_setup_gateway.png

Enter DNS servers:

images/14_setup_dns_servers.png

Configure DNS search domain:

images/15_setup_dns_domain.png

If necessary, you can change the default Docker IP range:

images/16_setup_docker_range.png

If you are connected to the Internet, select whether it is direct or via proxy:

images/18_setup_direct_proxy.png

Create username for :ref:`soc`:

images/20_setup_webuser.png

Set password for :ref:`soc`:

images/21_setup_webpass1.png

Confirm password for :ref:`soc`:

images/22_setup_webpass2.png

Select how to access :ref:`soc`:

images/23_setup_access_type.png

Allow connections through the host-based firewall if necessary:

images/26_setup_so_allow.png

Specify an IP address or range to allow through the host-based firewall:

images/27_setup_so_allow_input.png

Confirm all options:

images/28_setup_summary.png

Setup complete:

images/29_setup_finished.png

Login to :ref:`soc`:

images/37_login.png

After logging in, you will see the :ref:`soc` Overview page:

images/38_overview.png

Go to the :ref:`grid` page, click the button to expand the node, and then verify all services are running properly:

images/39_grid.png

While on the :ref:`grid` page, you can import a PCAP or EVTX file using the upload button at the bottom of the screen:

images/40_upload.png

Once the import is complete, the :ref:`grid` page should display a message at the of the page and provide a link to :ref:`dashboards` to view all alerts and logs from the import:

images/45_import.png

If you want to see just the alerts, you can go to the :ref:`alerts` page although you may need to manually adjust the time range:

images/50_alerts.png

If you find something interesting on the :ref:`alerts` or :ref:`dashboards` pages, you may want to use the Correlate or Hunt actions to find related logs on the :ref:`hunt` page:

images/56_hunt.png

If you find interesting network traffic, you can pivot to full packet capture via the :ref:`pcap` action:

images/62_pcap.png

You can change the view to ASCII transcript for a more human readable view of the traffic:

images/65_pcap_details.png

If you find an interesting artifact, you can send it to :ref:`cyberchef`:

images/68_cyberchef.png

If you need to refer back to previous PCAP jobs, you can find them on the :ref:`pcap` page:

images/72_jobs.png

IMPORT installations do not support remote agents, but if you were running a production installation you could download the Elastic Agent installer from :ref:`downloads`:

images/78_downloads.png

The :ref:`administration` section allows to you manage user accounts:

images/81_users.png

It also allows you to manage grid members:

images/84_gridmembers.png

The :ref:`administration` section also allows you to configure various aspects of the system:

images/87_config.png

It also allows you to upload a license key for additional enterprise features:

images/91_licensekey.png

All this in a minimal VM with only 4GB RAM!

images/39_grid.png

If you made it to the end of this First Time Users section, congratulations! If you have any questions or problems, please see the :ref:`help` section. If you like Security Onion, please consider sharing on social media about Security Onion to help spread the word. Thanks!