diff --git a/administration.rst b/administration.rst index 8638b2cb..18524182 100644 --- a/administration.rst +++ b/administration.rst @@ -46,9 +46,9 @@ The Configuration page allows you to configure various components of your grid. .. image:: images/87_config.png :target: _images/87_config.png -The most common configuration options are shown in the quick links on the right side. On the left side, you can click on a component in the tree view to drill into it and show all available settings for that component. You can then click on a setting to show the current setting or modify it if necessary. If you make a mistake, you can easily revert back to the default value. If a blue question mark appears on the setting page, you can click it to go to the documentation for that component. +The most common configuration options are shown in the quick links on the right side. On the left side, click on a component in the tree view to drill into it and show all available settings for that component. You can then click on a setting to show the current setting or modify it if necessary. If you make a mistake, you can easily revert back to the default value. If a blue question mark appears on the setting page, click it to go to the documentation for that component. -If you're not sure of which component a particular setting may belong to, you can use the Filter at the top of the list to look for a particular setting. To the right of the Filter field are buttons that do the following: +If unsure of which component a particular setting may belong to, use the Filter at the top of the list to look for a particular setting. To the right of the Filter field are buttons that do the following: - apply the search filter - expand all settings 
@@ -58,16 +58,18 @@ If you're not sure of which component a particular setting may belong to, you ca .. note:: - If you see a key that includes ``_x_``, it is a placeholder value used to represent a period (``.``). + Keys that include ``_x_`` indicate a placeholder value used to represent a period (``.``). -Some settings can be applied across the entire grid or to specific nodes. If you apply a setting to a specific node, it will override the grid setting. +Some settings can be applied across the entire grid or to specific nodes. Applying a setting to a specific node will override the grid setting. .. _administration-advanced-settings: Advanced Settings ~~~~~~~~~~~~~~~~~ -By default, the Configuration page only shows the most widely used settings. If you want to see all settings, you can go to the Options bar at the top of the page and then click the toggle labeled ``Show all configurable settings, including advanced settings``. +By default, the Configuration page excludes settings that are not intended to be adjusted by most grid administrators. These advanced settings can cause loss of data and other issues if adjusted incorrectly. To see the advanced settings, go to the Options bar at the top of the page and then click the toggle labeled ``Show advanced settings``. + +Enabling advanced settings will result in longer load times when viewing the Configuration screen. .. warning:: 
@@ -79,14 +81,14 @@ By default, the Configuration page only shows the most widely used settings. If Duplicate Settings ~~~~~~~~~~~~~~~~~~ -Starting in Security Onion 2.4.70, some settings can be duplicated to more easily create new settings. If a setting is eligible for duplication, then it will have a DUPLICATE button on the right side of the page, provided the Advanced Option is enabled at the top of the screen. Creating a duplicate setting is a TWO-STEP process. +Starting in Security Onion 2.4.70, some settings can be duplicated to more easily create new settings. If a setting is eligible for duplication, then it will have a DUPLICATE button on the right side of the page, provided the ``Show advanced settings`` option is enabled at the top of the screen. Creating a duplicate setting is a TWO-STEP process. -1. Click the DUPLICATE button and provide a name for the new setting, then click the CREATE SETTING button. +1. Click the ``DUPLICATE`` button, provide a name for the new setting, and then click the ``CREATE SETTING`` button. 2. The new setting will automatically be shown in the Configuration screen. At this point it is not yet saved to the server. The setting's value must be modified explicitly to persist this new setting. Once the value has been modified, click the green checkmark button to save it. .. note:: - Duplicated settings do not retain their original setting's full behavior. For example, if the original setting only allowed for CIDR values, this new setting will not have the same protections on later views in the Configuration screen. Further, duplicated settings are marked as advanced settings. In order to see the new setting at a later time the Advanced Option toggle must be enabled under the Configuration Options at the top of the Configuration screen. + Duplicated settings do not retain their original setting's full behavior. 
For example, if the original setting only allowed for CIDR values, this new setting will not have the same protections on later views in the Configuration screen. Further, duplicated settings are marked as advanced settings. In order to see the new setting at a later time the ``Show advanced settings`` option must be enabled under the Configuration Options at the top of the Configuration screen. Finally, please note that duplicated settings cannot be removed or renamed via the SOC user interface. License Key ----------- @@ -94,4 +96,4 @@ License Key .. image:: images/91_licensekey.png :target: _images/91_licensekey.png -Starting in Security Onion 2.4.70, you will have the option of adding a license key for :ref:`pro`. +Starting in Security Onion 2.4.70 a new option will be available to add a license key for :ref:`pro`. diff --git a/alerts.rst b/alerts.rst index 682ed56b..eb0dcbe0 100644 --- a/alerts.rst +++ b/alerts.rst 
@@ -89,17 +89,17 @@ Clicking a value in the page brings up a context menu that allows you to refine Include ~~~~~~~ -Clicking the ``Include`` option will add the selected value to your existing search to only show search results that include that value. +Clicking the ``Include`` option will add the selected field:value pair to your existing search with an ``AND``. This will only show search results that include that value in that field. Exclude ~~~~~~~ -Clicking the ``Exclude`` option will exclude the selected value from your existing search results. +Clicking the ``Exclude`` option will add the selected field:value pair to your existing search with an ``AND NOT``. This will only show search results that do not include that value in that field. Only ~~~~ -Clicking the ``Only`` option will start a new search for the selected value and retain any existing groupby terms. +Clicking the ``Only`` option will start a new search for the selected value in any field. It will remove any existing filters but retain any existing groupby terms. Drilldown ~~~~~~~~~ diff --git a/cases.rst b/cases.rst index 582d6f4d..b951b7b5 100644 --- a/cases.rst +++ b/cases.rst @@ -191,7 +191,7 @@ To configure an analyzer, navigate to :ref:`administration` --> Configuration -- .. image:: images/config-item-sensoroni.png :target: _images/config-item-sensoroni.png -At the top of the page, click the ``Options`` menu and then enable the ``Show all configurable settings, including advanced settings.`` option. Then navigate to sensoroni --> analyzers. +At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. Then navigate to sensoroni --> analyzers. Developing Analyzers ~~~~~~~~~~~~~~~~~~~~ diff --git a/dashboards.rst b/dashboards.rst index 46942686..32850707 100644 --- a/dashboards.rst +++ b/dashboards.rst 
@@ -110,17 +110,17 @@ Clicking a value in the page brings up a context menu that allows you to refine Include ~~~~~~~ -Clicking the ``Include`` option will add the selected value to your existing search to only show search results that include that value. +Clicking the ``Include`` option will add the selected field:value pair to your existing search with an ``AND``. This will only show search results that include that value in that field. Exclude ~~~~~~~ -Clicking the ``Exclude`` option will exclude the selected value from your existing search results. +Clicking the ``Exclude`` option will add the selected field:value pair to your existing search with an ``AND NOT``. This will only show search results that do not include that value in that field. Only ~~~~ -Clicking the ``Only`` option will start a new search for the selected value and retain any existing groupby terms. +Clicking the ``Only`` option will start a new search for the selected value in any field. It will remove any existing filters but retain any existing groupby terms. Group By ~~~~~~~~ diff --git a/detections.rst b/detections.rst index 4e9a9d1a..f085ff58 100644 --- a/detections.rst +++ b/detections.rst @@ -14,7 +14,7 @@ Starting in Security Onion 2.4.70, :ref:`soc` includes our Detections interface .. note:: - Check out our Detections sneak peek video at https://youtu.be/oxR4q53N6OI! + Check out our Detections video at https://youtu.be/DelAmqtU2hg! Rule Engine Status ------------------ 
@@ -33,7 +33,9 @@ Here is the list of possible status messages and what they mean: - **Rule Mismatch**: An integrity check process detected a mismatch between the deployed rules and the enabled rules. The SOC log will note the specific mismatched rules. One possible reason for this is if you had previously added custom rules to /opt/so/saltstack/local/salt/idstools/rules/local.rules. If this is the case, you can remove the rules from that file and then re-add them using the Detections interface. Another possible reason is if you have changed the default metadata engine setting from :ref:`zeek` to :ref:`suricata`. When using :ref:`suricata` as the metadata engine, there are some metadata rules that are enabled which cause the mismatch. This issue will be resolved in a future release. - **OK**: No known issues with the rule engine. -Clicking the status text will navigate to :ref:`hunt` and attempt to find related logs. +.. tip:: + + Clicking the status text will navigate to :ref:`hunt` and attempt to find related logs. If the status is reporting some kind of failure, then you might want to use :ref:`hunt` to hone in on things like ``integrity check failed`` or other errors. As part of the sync process, Detections checks for duplicates. If duplicates are found, Detections will log information about the duplicate. diff --git a/elastalert.rst b/elastalert.rst index 166707d6..fe275e64 100644 --- a/elastalert.rst +++ b/elastalert.rst 
@@ -38,7 +38,7 @@ Elastalert diagnostic logs are in ``/opt/so/log/elastalert/`` and may also appea sudo docker logs so-elastalert -ElastAlert 2 stores rule status information, such as number of hits, times each rule last ran, etc to :ref:`elasticsearch` indices. This data can helpful in assisting with troubleshooting custom rules. Searching in :ref:`dashboards`, :ref:`hunt`, or :ref:`kibana`. :ref:`soc` does not automatically include the ``elastalert`` indices by default. To include them adjust the appropriate configuration setting. Find it in the Administration --> Configuration screen by filtering for ``elastic.index`` and selecting Options (at the top) and toggle on "Show all configurable settings". Add ``*:elastalert*`` to the ``index`` setting. The new setting value should resemble the following: +ElastAlert 2 stores rule status information, such as number of hits, times each rule last ran, etc to :ref:`elasticsearch` indices. This data can helpful in assisting with troubleshooting custom rules. Searching in :ref:`dashboards`, :ref:`hunt`, or :ref:`kibana`. :ref:`soc` does not automatically include the ``elastalert`` indices by default. If you would like to include them, you can adjust the appropriate configuration setting. In :ref:`soc`, navigate to :ref:`administration` --> Configuration. At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. Then filter for ``elastic.index`` to locate the setting. On the right side of the screen, add ``*:elastalert*`` to the existing ``index`` setting. The updated setting should resemble the following: :: diff --git a/elastic-agent.rst b/elastic-agent.rst index 9fbc5387..4176dba0 100644 --- a/elastic-agent.rst +++ b/elastic-agent.rst 
@@ -25,7 +25,7 @@ Once there, select the ``elastic_agent_endpoint`` option. .. note:: - If you'd like to see this in action, check out our Youtube video at https://youtu.be/cGmQMsFuAvw. + Check out our Elastic Agent video at https://youtu.be/cGmQMsFuAvw! Linux ~~~~~ @@ -70,6 +70,16 @@ Integrations You can read more about integrations in the :ref:`elastic-fleet` section and at https://docs.elastic.co/integrations. +Reinstalling +------------ + +If for some reason you need to uninstall and reinstall the Elastic Agent on one of your Security Onion grid members, you can do so as follows: + +:: + + sudo elastic-agent uninstall + sudo salt-call state.apply elasticfleet.install_agent_grid + More Information ---------------- diff --git a/elastic-fleet.rst b/elastic-fleet.rst index e980bec0..f39d436e 100644 --- a/elastic-fleet.rst +++ b/elastic-fleet.rst @@ -175,7 +175,7 @@ First, go to :ref:`administration` --> Configuration --> elasticfleet. .. image:: images/config-item-elasticfleet.png :target: _images/config-item-elasticfleet.png -At the top of the page, click the ``Options`` menu and then enable the ``Show all configurable settings, including advanced settings.`` option. Then, navigate to elasticfleet --> config --> server --> custom_fqdn and set your custom FQDN. Within 15 minutes, the grid will apply these new settings and you should see the new FQDNs show up in Elastic Fleet settings. New agent installers will also be regenerated to use this new setting. +At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. Then, navigate to elasticfleet --> config --> server --> custom_fqdn and set your custom FQDN. Within 15 minutes, the grid will apply these new settings and you should see the new FQDNs show up in Elastic Fleet settings. New agent installers will also be regenerated to use this new setting. More Information ---------------- diff --git a/elasticsearch.rst b/elasticsearch.rst index 7ff45421..8ceece1b 100644 
--- a/elasticsearch.rst +++ b/elasticsearch.rst @@ -84,7 +84,7 @@ so-elasticsearch-indices-delete ``so-elasticsearch-indices-delete`` manages size-based deletion of Elasticsearch indices based on the value of the ``elasticsearch.retention.retention_pct`` setting. This setting is checked against the total disk space available for ``/nsm/elasticsearch`` across all nodes in the Elasticsearch cluster. If your indices are using more than ``retention_pct``, then ``so-elasticsearch-indices-delete`` will delete old indices until available disk space is back under ``retention_pct``. The default value for this setting is ``50`` percent so that standalone deployments have sufficient space for not only Elasticsearch but also full packet capture and other logs. For distributed deployments with dedicated search nodes where Elasticsearch is main consumer of disk space, you may want to increase this default value. -To modify the ``retention_pct`` value, first navigate to :ref:`administration` --> Configuration. At the top of the page, click the ``Options`` menu and then enable the ``Show all configurable settings, including advanced settings.`` option. Then navigate to elasticsearch --> retention --> retention_pct. Once you make the change and save it, the new setting will take effect at the next 15 minute interval. If you would like to make the change immediately, you can click the ``SYNCHRONIZE GRID`` button under the ``Options`` menu at the top of the page. +To modify the ``retention_pct`` value, first navigate to :ref:`administration` --> Configuration. At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. Then navigate to elasticsearch --> retention --> retention_pct. Once you make the change and save it, the new setting will take effect at the next 15 minute interval. If you would like to make the change immediately, you can click the ``SYNCHRONIZE GRID`` button under the ``Options`` menu at the top of the page. ILM ~~~ 
@@ -102,7 +102,7 @@ ILM settings can be found by navigating to :ref:`administration` --> Configurati To edit the global policy that applies to ALL indices, navigate to global_overrides --> policy --> phases and there you will see the cold, delete, hot, and warm ILM phases. -To edit the policy for an individual index, first click the ``Options`` menu at the top of the page and then enable the ``Show all configurable settings, including advanced settings.`` option. Then navigate to $index --> policy --> phases. There you will see the cold, delete, hot, and warm ILM phases for that particular index. +To edit the policy for an individual index, first click the ``Options`` menu at the top of the page and then enable the ``Show advanced settings`` option. Then navigate to $index --> policy --> phases. There you will see the cold, delete, hot, and warm ILM phases for that particular index. It's important to note that settings like ``min_age`` are calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and delete ``min_age`` set to 30 then there will be 30 days from index creation to rollover and then an additional 30 days before deletion. 
@@ -147,7 +147,7 @@ If you want to set certain search nodes to the ``data_hot``, ``data_warm``, or ` Elasticsearch node roles is an advanced setting and you should be careful to avoid disruption to your cluster! -To see and modify Elasticsearch node roles, first navigate to :ref:`administration` --> Configuration, click the ``Options`` menu at the top of the page, and enable the ``Show all configurable settings, including advanced settings.`` option. Then navigate to elasticsearch --> so_roles and select the desired role. Finally, navigate to config --> node --> roles and the list of roles should appear on the right side of the page. +To see and modify Elasticsearch node roles, first navigate to :ref:`administration` --> Configuration, click the ``Options`` menu at the top of the page, and enable the ``Show advanced settings`` option. Then navigate to elasticsearch --> so_roles and select the desired role. Finally, navigate to config --> node --> roles and the list of roles should appear on the right side of the page. Templates --------- 
@@ -246,15 +246,18 @@ If you want to clear all Elasticsearch data including documents and indices, you GeoIP ----- -Elasticsearch 8 no longer includes GeoIP databases by default. We include GeoIP databases for Elasticsearch so that all users will have GeoIP functionality. If your search nodes have Internet access and can reach geoip.elastic.co and storage.googleapis.com, then you can opt-in to database updates if you want more recent information. To do this, add the following to your Elasticsearch :ref:`salt` config: +Elasticsearch 8 no longer includes GeoIP databases by default. We include GeoIP databases for Elasticsearch so that all users will have GeoIP functionality. If your search nodes have Internet access and can reach geoip.elastic.co and storage.googleapis.com, then you can opt-in to database updates if you want more recent information. In :ref:`soc`, navigate to :ref:`administration` --> Configuration. At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. Then navigate to elasticsearch --> advanced and add the following config on the right side of the screen. :: - config: - ingest: - geoip: - downloader: - enabled: true + elasticsearch: + config: + ingest: + geoip: + downloader: + enabled: true + +Once the config is added, click the green check mark to save the configuration. Diagnostic Logging ------------------ diff --git a/faq.rst b/faq.rst index dd2b0a5a..8ff4708a 100644 --- a/faq.rst +++ b/faq.rst 
@@ -194,11 +194,26 @@ Should I backup my Security Onion box? Security Onion automatically backs up some important configuration as described in the :ref:`backup` section. However, there is no automated data backup. Network Security Monitoring as a whole is considered "best effort". It is not a "mission critical" resource like a file server or web server. Since we're dealing with "big data" (potentially terabytes of full packet capture) of a transient nature, backing up the data would be prohibitively expensive. Most organizations don't do any data backups and instead just rebuild boxes when necessary. +What happened to Filebeat? +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Filebeat has been replaced by :ref:`elastic-agent`. + +What happened to Grafana? +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Grafana has been replaced by :ref:`grid`. + What happened to Playbook? ~~~~~~~~~~~~~~~~~~~~~~~~~~ Playbook has been replaced by :ref:`detections`. +What happened to Wazuh? +~~~~~~~~~~~~~~~~~~~~~~~ + +Wazuh has been replaced by :ref:`elastic-agent`. + How can I add local rules? ~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/fips.rst b/fips.rst index c45f5000..8c11d7e2 100644 --- a/fips.rst +++ b/fips.rst @@ -7,7 +7,7 @@ FIPS stands for Federal Information Processing Standards and you can read more a .. note:: - This is an enterprise-level feature of Security Onion. Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com for more information about purchasing a Security Onion Pro license to enable this feature. + This is an enterprise-level feature of Security Onion. Contact Security Onion Solutions, LLC via our website at https://securityonion.com/pro for more information about purchasing a Security Onion Pro license to enable this feature. Enabling FIPS During the ISO Install ------------------------------------ diff --git a/firewall.rst b/firewall.rst index 5de2a7c2..e1430eae 100644 --- a/firewall.rst +++ b/firewall.rst 
@@ -136,14 +136,14 @@ The default allow rules for each node are defined by its role (manager, searchno Advanced Firewall Config ------------------------ -When you go to :ref:`administration` --> Configuration --> firewall, you will only see ``hostgroups`` by default. If you need to modify port groups, then you will need to click the ``Options`` menu and then enable the ``Show all configurable settings, including advanced settings.`` option. +When you go to :ref:`administration` --> Configuration --> firewall, you will only see ``hostgroups`` by default. If you need to modify port groups, then you will need to click the ``Options`` menu and then enable the ``Show advanced settings`` option. Modifying a default port group ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The analyst hostgroup is allowed access to the nginx ports which are 80 and 443 by default. In this example, we will extend the default nginx port group to include a custom port. -#. At the top of the page, click the ``Options`` menu and then enable the ``Show all configurable settings, including advanced settings.`` option. +#. At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. #. On the left side, go to ``firewall``, select ``portgroups``, locate the ``nginx`` portgroup, and then select ``tcp``. #. On the right side, select the manager node, specify your custom port to be added, and then click the checkmark to save the value. #. If you would like to apply the rules immediately, click the ``SYNCHRONIZE GRID`` button under the ``Options`` menu at the top of the page. 
@@ -153,7 +153,7 @@ Creating a custom host group with a custom port group In this example, we will add a new custom hostgroup to allow a custom set of hosts to connect to a custom port on an IDH node. -#. At the top of the page, click the ``Options`` menu and then enable the ``Show all configurable settings, including advanced settings.`` option. +#. At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. #. On the left side, go to ``firewall``, select ``hostgroups``, and then select ``customhostgroup0``. #. On the right side, select the IDH node that you want to allow access to, add the list of hosts that require access, and then click the checkmark to save the value. #. On the left side, go to ``firewall``, select ``portgroups``, select ``customportgroup0``, and then select the appropriate protocol. diff --git a/hunt.rst b/hunt.rst index 45409260..a3a7a831 100644 --- a/hunt.rst +++ b/hunt.rst @@ -9,3 +9,5 @@ Hunt :target: _images/56_hunt.png The main difference between Hunt and :ref:`dashboards` is that Hunt's default queries are more focused than the overview queries in :ref:`dashboards`. A second difference is that most of the default :ref:`dashboards` queries display a separate table for each aggregated field, whereas many of the default queries in Hunt aggregate multiple fields in a single table which can be beneficial when hunting for more obscure activity. + +Other than these two differences, Hunt and :ref:`dashboards` are very similar, so for more information please see the :ref:`dashboards` section. diff --git a/idh.rst b/idh.rst index e5a1c660..9d4e50d4 100644 --- a/idh.rst +++ b/idh.rst 
@@ -96,7 +96,7 @@ For example, suppose that we already have the HTTP service running but we want t Please be very careful when making changes! - Go to :ref:`administration` --> Configuration. -- At the top of the page, click the ``Options`` menu and enable the ``Show all configurable settings, including advanced settings.`` option. +- At the top of the page, click the ``Options`` menu and enable the ``Show advanced settings`` option. - On the left side, navigate to idh --> opencanary --> config --> http_x_port. - On the right side, change the port value and then click the checkmark to save the change. - At the top of the page, click the ``SYNCHRONIZE GRID`` button under the ``Options`` menu. diff --git a/images/01_grub.png b/images/01_grub.png index 8354bdfb..8d79dcaf 100644 Binary files a/images/01_grub.png and b/images/01_grub.png differ diff --git a/images/02_initial_install.png b/images/02_initial_install.png index 6541df23..6c1baa73 100644 Binary files a/images/02_initial_install.png and b/images/02_initial_install.png differ diff --git a/images/04_setup_init.png b/images/04_setup_init.png index 7657fcc6..28f091b5 100644 Binary files a/images/04_setup_init.png and b/images/04_setup_init.png differ diff --git a/images/05_setup_option.png b/images/05_setup_option.png index 5c0254da..2148d128 100644 Binary files a/images/05_setup_option.png and b/images/05_setup_option.png differ diff --git a/images/06_setup_airgap.png b/images/06_setup_airgap.png index dd87e510..b2b1bbb6 100644 Binary files a/images/06_setup_airgap.png and b/images/06_setup_airgap.png differ diff --git a/images/06_setup_type.png b/images/06_setup_type.png index ec23e0bb..7b2f2aa5 100644 Binary files a/images/06_setup_type.png and b/images/06_setup_type.png differ diff --git a/images/07_setup_license.png b/images/07_setup_license.png index 4f351471..5f62103f 100644 Binary files a/images/07_setup_license.png and b/images/07_setup_license.png differ 
diff --git a/images/08_setup_hostname.png b/images/08_setup_hostname.png index 15447407..e283d3a8 100644 Binary files a/images/08_setup_hostname.png and b/images/08_setup_hostname.png differ diff --git a/images/09_setup_hostname_conflict.png b/images/09_setup_hostname_conflict.png index aca8e1aa..45def9e0 100644 Binary files a/images/09_setup_hostname_conflict.png and b/images/09_setup_hostname_conflict.png differ diff --git a/images/10_setup_mn_nic.png b/images/10_setup_mn_nic.png index 7a782185..f1fc201a 100644 Binary files a/images/10_setup_mn_nic.png and b/images/10_setup_mn_nic.png differ diff --git a/images/11_setup_mn_int.png b/images/11_setup_mn_int.png index c1bf1526..d87d407f 100644 Binary files a/images/11_setup_mn_int.png and b/images/11_setup_mn_int.png differ diff --git a/images/12_setup_cidr.png b/images/12_setup_cidr.png index a890424f..427a7752 100644 Binary files a/images/12_setup_cidr.png and b/images/12_setup_cidr.png differ diff --git a/images/13_setup_gateway.png b/images/13_setup_gateway.png index 91d36937..2b11d053 100644 Binary files a/images/13_setup_gateway.png and b/images/13_setup_gateway.png differ diff --git a/images/14_setup_dns_servers.png b/images/14_setup_dns_servers.png index b0e75f58..726fc212 100644 Binary files a/images/14_setup_dns_servers.png and b/images/14_setup_dns_servers.png differ diff --git a/images/15_setup_dns_domain.png b/images/15_setup_dns_domain.png index 5a6ae844..857ae3f3 100644 Binary files a/images/15_setup_dns_domain.png and b/images/15_setup_dns_domain.png differ diff --git a/images/16_setup_docker_range.png b/images/16_setup_docker_range.png index ff8569b9..eb8e0bd5 100644 Binary files a/images/16_setup_docker_range.png and b/images/16_setup_docker_range.png differ diff --git a/images/18_setup_direct_proxy.png b/images/18_setup_direct_proxy.png index 0d0a6dfe..b009eda9 100644 Binary files a/images/18_setup_direct_proxy.png and b/images/18_setup_direct_proxy.png differ 
diff --git a/images/20_setup_webuser.png b/images/20_setup_webuser.png index 314f0b71..ce344ee2 100644 Binary files a/images/20_setup_webuser.png and b/images/20_setup_webuser.png differ diff --git a/images/21_setup_webpass1.png b/images/21_setup_webpass1.png index 2bf5e988..7e34b6d5 100644 Binary files a/images/21_setup_webpass1.png and b/images/21_setup_webpass1.png differ diff --git a/images/22_setup_webpass2.png b/images/22_setup_webpass2.png index b2781e7a..2bd20832 100644 Binary files a/images/22_setup_webpass2.png and b/images/22_setup_webpass2.png differ diff --git a/images/23_setup_access_type.png b/images/23_setup_access_type.png index 539697a9..a85ce76e 100644 Binary files a/images/23_setup_access_type.png and b/images/23_setup_access_type.png differ diff --git a/images/26_setup_so_allow.png b/images/26_setup_so_allow.png index aebfa031..63c40eeb 100644 Binary files a/images/26_setup_so_allow.png and b/images/26_setup_so_allow.png differ diff --git a/images/27_setup_so_allow_input.png b/images/27_setup_so_allow_input.png index 22dafd1b..8b132905 100644 Binary files a/images/27_setup_so_allow_input.png and b/images/27_setup_so_allow_input.png differ diff --git a/images/27_telemetry.png b/images/27_telemetry.png index 5aa4d986..92b7972e 100644 Binary files a/images/27_telemetry.png and b/images/27_telemetry.png differ diff --git a/images/28_setup_summary.png b/images/28_setup_summary.png index 915450bc..f3bcaded 100644 Binary files a/images/28_setup_summary.png and b/images/28_setup_summary.png differ diff --git a/images/29_setup_finished.png b/images/29_setup_finished.png index 5423074d..e5ecb594 100644 Binary files a/images/29_setup_finished.png and b/images/29_setup_finished.png differ diff --git a/images/38_overview.png b/images/38_overview.png index 57046bc4..9a39d284 100644 Binary files a/images/38_overview.png and b/images/38_overview.png differ 
diff --git a/images/39_grid.png b/images/39_grid.png index d471afc1..5f17d495 100644 Binary files a/images/39_grid.png and b/images/39_grid.png differ diff --git a/images/40_upload.png b/images/40_upload.png index 1a68eff7..00605331 100644 Binary files a/images/40_upload.png and b/images/40_upload.png differ diff --git a/images/45_import.png b/images/45_import.png index 498f55de..35930c93 100644 Binary files a/images/45_import.png and b/images/45_import.png differ diff --git a/images/50_alerts.png b/images/50_alerts.png index 474ad7cb..81868c71 100644 Binary files a/images/50_alerts.png and b/images/50_alerts.png differ diff --git a/images/51_alerts_options.png b/images/51_alerts_options.png index 820b2e99..a921e0cd 100644 Binary files a/images/51_alerts_options.png and b/images/51_alerts_options.png differ diff --git a/images/53_dashboards.png b/images/53_dashboards.png index e128194a..9796fd2c 100644 Binary files a/images/53_dashboards.png and b/images/53_dashboards.png differ diff --git a/images/54_dashboards_options.png b/images/54_dashboards_options.png index 8e7e8fbf..1e24934b 100644 Binary files a/images/54_dashboards_options.png and b/images/54_dashboards_options.png differ diff --git a/images/56_hunt.png b/images/56_hunt.png index ddd69a80..7710d1c0 100644 Binary files a/images/56_hunt.png and b/images/56_hunt.png differ diff --git a/images/57_0_cases.png b/images/57_0_cases.png index 31dc0f4a..067e5804 100644 Binary files a/images/57_0_cases.png and b/images/57_0_cases.png differ diff --git a/images/57_1_cases_options.png b/images/57_1_cases_options.png index dc9a7ede..e3942adb 100644 Binary files a/images/57_1_cases_options.png and b/images/57_1_cases_options.png differ diff --git a/images/57_2_cases_create.png b/images/57_2_cases_create.png index 1482085a..5f4534da 100644 Binary files a/images/57_2_cases_create.png and b/images/57_2_cases_create.png differ 
diff --git a/images/57_detections.png b/images/57_detections.png index 2a738d3e..0af86cad 100644 Binary files a/images/57_detections.png and b/images/57_detections.png differ diff --git a/images/58_detections_options.png b/images/58_detections_options.png index 87dfe0f6..b4288f72 100644 Binary files a/images/58_detections_options.png and b/images/58_detections_options.png differ diff --git a/images/59_detection_create.png b/images/59_detection_create.png index bce3510d..96d067e3 100644 Binary files a/images/59_detection_create.png and b/images/59_detection_create.png differ diff --git a/images/60_detection_nids.png b/images/60_detection_nids.png index df7a8326..eecffee1 100644 Binary files a/images/60_detection_nids.png and b/images/60_detection_nids.png differ diff --git a/images/60_detection_nids_0_comments.png b/images/60_detection_nids_0_comments.png index e7a52336..02c46793 100644 Binary files a/images/60_detection_nids_0_comments.png and b/images/60_detection_nids_0_comments.png differ diff --git a/images/60_detection_nids_1_signature.png b/images/60_detection_nids_1_signature.png index 39653ede..38a34c87 100644 Binary files a/images/60_detection_nids_1_signature.png and b/images/60_detection_nids_1_signature.png differ diff --git a/images/60_detection_nids_2_tuning_1.png b/images/60_detection_nids_2_tuning_1.png index 8f41af8a..af905ad3 100644 Binary files a/images/60_detection_nids_2_tuning_1.png and b/images/60_detection_nids_2_tuning_1.png differ diff --git a/images/60_detection_nids_2_tuning_2_add.png b/images/60_detection_nids_2_tuning_2_add.png index dfa3480c..a3a1334f 100644 Binary files a/images/60_detection_nids_2_tuning_2_add.png and b/images/60_detection_nids_2_tuning_2_add.png differ diff --git a/images/60_detection_nids_3_history.png b/images/60_detection_nids_3_history.png index 920c9105..9c919acf 100644 Binary files a/images/60_detection_nids_3_history.png and b/images/60_detection_nids_3_history.png differ 
diff --git a/images/60_detection_sigma.png b/images/60_detection_sigma.png index cc50969d..2df9e8e1 100644 Binary files a/images/60_detection_sigma.png and b/images/60_detection_sigma.png differ diff --git a/images/60_detection_sigma_2_tuning_1.png b/images/60_detection_sigma_2_tuning_1.png index 28f05533..849c29c7 100644 Binary files a/images/60_detection_sigma_2_tuning_1.png and b/images/60_detection_sigma_2_tuning_1.png differ diff --git a/images/60_detection_sigma_2_tuning_2_add.png b/images/60_detection_sigma_2_tuning_2_add.png index 02b0ed1d..aafdde32 100644 Binary files a/images/60_detection_sigma_2_tuning_2_add.png and b/images/60_detection_sigma_2_tuning_2_add.png differ diff --git a/images/60_detection_yara.png b/images/60_detection_yara.png index 56741a2b..09cf7343 100644 Binary files a/images/60_detection_yara.png and b/images/60_detection_yara.png differ diff --git a/images/62_pcap.png b/images/62_pcap.png index dc275d3a..d9355012 100644 Binary files a/images/62_pcap.png and b/images/62_pcap.png differ diff --git a/images/65_pcap_details.png b/images/65_pcap_details.png index 924cda40..bc2fb423 100644 Binary files a/images/65_pcap_details.png and b/images/65_pcap_details.png differ diff --git a/images/68_cyberchef.png b/images/68_cyberchef.png index 6af090a4..5e68a5a6 100644 Binary files a/images/68_cyberchef.png and b/images/68_cyberchef.png differ diff --git a/images/72_jobs.png b/images/72_jobs.png index 0d69af00..51a8eaf5 100644 Binary files a/images/72_jobs.png and b/images/72_jobs.png differ diff --git a/images/73_jobs_add.png b/images/73_jobs_add.png index 42b1d16a..a5e29707 100644 Binary files a/images/73_jobs_add.png and b/images/73_jobs_add.png differ diff --git a/images/75_grid.png b/images/75_grid.png index b608168a..5f17d495 100644 Binary files a/images/75_grid.png and b/images/75_grid.png differ 
diff --git a/images/76_grid_options.png b/images/76_grid_options.png index 8044edda..bbc53e60 100644 Binary files a/images/76_grid_options.png and b/images/76_grid_options.png differ diff --git a/images/78_downloads.png b/images/78_downloads.png index fec26633..3aa09c43 100644 Binary files a/images/78_downloads.png and b/images/78_downloads.png differ diff --git a/images/81_users.png b/images/81_users.png index c2ed435d..021942d4 100644 Binary files a/images/81_users.png and b/images/81_users.png differ diff --git a/images/82_users_detail.png b/images/82_users_detail.png index 961acff7..90fc50a3 100644 Binary files a/images/82_users_detail.png and b/images/82_users_detail.png differ diff --git a/images/83_users_add.png b/images/83_users_add.png index 6ebeaaaa..7c7fd8f6 100644 Binary files a/images/83_users_add.png and b/images/83_users_add.png differ diff --git a/images/84_gridmembers.png b/images/84_gridmembers.png index fe5d3d0d..85e15a17 100644 Binary files a/images/84_gridmembers.png and b/images/84_gridmembers.png differ diff --git a/images/87_config.png b/images/87_config.png index ea5612ec..7dcffa67 100644 Binary files a/images/87_config.png and b/images/87_config.png differ diff --git a/images/88_config_options.png b/images/88_config_options.png index a0c38eb1..d0cdfede 100644 Binary files a/images/88_config_options.png and b/images/88_config_options.png differ diff --git a/images/91_licensekey.png b/images/91_licensekey.png index 9a0042ba..243210fb 100644 Binary files a/images/91_licensekey.png and b/images/91_licensekey.png differ diff --git a/images/94_usermenu.png b/images/94_usermenu.png index b91fe000..f52b7ab5 100644 Binary files a/images/94_usermenu.png and b/images/94_usermenu.png differ diff --git a/images/config-item-backup.png b/images/config-item-backup.png index 2e45fea3..d57dd291 100644 Binary files a/images/config-item-backup.png and b/images/config-item-backup.png differ 
diff --git a/images/config-item-bpf.png b/images/config-item-bpf.png index b0a4866a..22389429 100644 Binary files a/images/config-item-bpf.png and b/images/config-item-bpf.png differ diff --git a/images/config-item-elastalert-alerter.png b/images/config-item-elastalert-alerter.png index 4ddaee4f..a5eac9f2 100644 Binary files a/images/config-item-elastalert-alerter.png and b/images/config-item-elastalert-alerter.png differ diff --git a/images/config-item-elastalert.png b/images/config-item-elastalert.png index e61944eb..9fd612a1 100644 Binary files a/images/config-item-elastalert.png and b/images/config-item-elastalert.png differ diff --git a/images/config-item-elasticfleet.png b/images/config-item-elasticfleet.png index 3ae8ad4c..4b78917c 100644 Binary files a/images/config-item-elasticfleet.png and b/images/config-item-elasticfleet.png differ diff --git a/images/config-item-elasticsearch.png b/images/config-item-elasticsearch.png index 3e37ae5a..ad09070c 100644 Binary files a/images/config-item-elasticsearch.png and b/images/config-item-elasticsearch.png differ diff --git a/images/config-item-firewall.png b/images/config-item-firewall.png index b256f58d..b86a8023 100644 Binary files a/images/config-item-firewall.png and b/images/config-item-firewall.png differ diff --git a/images/config-item-global-url.png b/images/config-item-global-url.png index 877b65d6..8d3e9465 100644 Binary files a/images/config-item-global-url.png and b/images/config-item-global-url.png differ diff --git a/images/config-item-global.png b/images/config-item-global.png index da23b775..ddaae044 100644 Binary files a/images/config-item-global.png and b/images/config-item-global.png differ diff --git a/images/config-item-host.png b/images/config-item-host.png index dcba9a9c..07aa1428 100644 Binary files a/images/config-item-host.png and b/images/config-item-host.png differ 
diff --git a/images/config-item-idh.png b/images/config-item-idh.png index 7c9ab96c..b37050e6 100644 Binary files a/images/config-item-idh.png and b/images/config-item-idh.png differ diff --git a/images/config-item-idstools.png b/images/config-item-idstools.png index c1122702..ddbde72b 100644 Binary files a/images/config-item-idstools.png and b/images/config-item-idstools.png differ diff --git a/images/config-item-influxdb.png b/images/config-item-influxdb.png index 4964baa6..622cf7c2 100644 Binary files a/images/config-item-influxdb.png and b/images/config-item-influxdb.png differ diff --git a/images/config-item-kafka.png b/images/config-item-kafka.png index c9f75c90..bcd1f906 100644 Binary files a/images/config-item-kafka.png and b/images/config-item-kafka.png differ diff --git a/images/config-item-kibana.png b/images/config-item-kibana.png index 79d01e0f..3a1aef51 100644 Binary files a/images/config-item-kibana.png and b/images/config-item-kibana.png differ diff --git a/images/config-item-kratos.png b/images/config-item-kratos.png index 3da45204..46373bc4 100644 Binary files a/images/config-item-kratos.png and b/images/config-item-kratos.png differ diff --git a/images/config-item-logstash.png b/images/config-item-logstash.png index 9f45c00e..beba0371 100644 Binary files a/images/config-item-logstash.png and b/images/config-item-logstash.png differ diff --git a/images/config-item-manager.png b/images/config-item-manager.png index f8772ad1..42561ba0 100644 Binary files a/images/config-item-manager.png and b/images/config-item-manager.png differ diff --git a/images/config-item-nginx.png b/images/config-item-nginx.png index 6cdc421e..00bba727 100644 Binary files a/images/config-item-nginx.png and b/images/config-item-nginx.png differ diff --git a/images/config-item-ntp.png b/images/config-item-ntp.png index b9799d3b..1f57e5f2 100644 Binary files a/images/config-item-ntp.png and b/images/config-item-ntp.png differ 
diff --git a/images/config-item-patch.png b/images/config-item-patch.png index a8cf44a1..6af02a93 100644 Binary files a/images/config-item-patch.png and b/images/config-item-patch.png differ diff --git a/images/config-item-pcap.png b/images/config-item-pcap.png index b26c7660..f65309d0 100644 Binary files a/images/config-item-pcap.png and b/images/config-item-pcap.png differ diff --git a/images/config-item-redis.png b/images/config-item-redis.png index 8783c5b1..7ac47c94 100644 Binary files a/images/config-item-redis.png and b/images/config-item-redis.png differ diff --git a/images/config-item-sensor.png b/images/config-item-sensor.png index 4911096c..7df98f6e 100644 Binary files a/images/config-item-sensor.png and b/images/config-item-sensor.png differ diff --git a/images/config-item-sensoroni.png b/images/config-item-sensoroni.png index 2d8bd549..15cde0b1 100644 Binary files a/images/config-item-sensoroni.png and b/images/config-item-sensoroni.png differ diff --git a/images/config-item-soc-additionalAlerters.png b/images/config-item-soc-additionalAlerters.png index 0c61eefc..8e5c0a0b 100644 Binary files a/images/config-item-soc-additionalAlerters.png and b/images/config-item-soc-additionalAlerters.png differ diff --git a/images/config-item-soc.png b/images/config-item-soc.png index 16115106..97dc7974 100644 Binary files a/images/config-item-soc.png and b/images/config-item-soc.png differ diff --git a/images/config-item-strelka.png b/images/config-item-strelka.png index f4e4438f..a0498aa2 100644 Binary files a/images/config-item-strelka.png and b/images/config-item-strelka.png differ diff --git a/images/config-item-suricata.png b/images/config-item-suricata.png index cd22fc20..58ffe0ec 100644 Binary files a/images/config-item-suricata.png and b/images/config-item-suricata.png differ 
diff --git a/images/config-item-telegraf.png b/images/config-item-telegraf.png index 4e2f1da2..ccdba388 100644 Binary files a/images/config-item-telegraf.png and b/images/config-item-telegraf.png differ diff --git a/images/config-item-zeek.png b/images/config-item-zeek.png index 6b77137e..43655d76 100644 Binary files a/images/config-item-zeek.png and b/images/config-item-zeek.png differ diff --git a/jupyter.rst b/jupyter.rst index a4d21c51..64b36620 100644 --- a/jupyter.rst +++ b/jupyter.rst @@ -20,7 +20,7 @@ In order to allow network-based access to :ref:`elasticsearch`, you'll need to a .. image:: images/config-item-firewall.png :target: _images/config-item-firewall.png -At the top of the page, click the ``Options`` menu and enable the ``Show all configurable settings, including advanced settings.`` option. On the left side, select the ``elasticsearch_rest`` option. On the right side, add your IP address or CIDR blocks and click the checkmark to save. +At the top of the page, click the ``Options`` menu and enable the ``Show advanced settings`` option. On the left side, select the ``elasticsearch_rest`` option. On the right side, add your IP address or CIDR blocks and click the checkmark to save. Once complete, you should be able to connect to the :ref:`elasticsearch` instance. You can confirm connectivity using tools like curl or Powershell's Test-NetConnection. diff --git a/kafka.rst b/kafka.rst index 31ae0609..c6018eec 100644 --- a/kafka.rst +++ b/kafka.rst 
@@ -11,7 +11,7 @@ If you need guaranteed message delivery, then you can enable Kafka which replace .. note:: - This is an enterprise-level feature of Security Onion. Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com for more information about purchasing a Security Onion Pro license to enable this feature. + This is an enterprise-level feature of Security Onion. Contact Security Onion Solutions, LLC via our website at https://securityonion.com/pro for more information about purchasing a Security Onion Pro license to enable this feature. Guaranteed Message Delivery --------------------------- diff --git a/logstash.rst b/logstash.rst index b47a7c4b..6a6fe0f1 100644 --- a/logstash.rst +++ b/logstash.rst @@ -74,7 +74,7 @@ For example, to forward all :ref:`zeek` events from the ``dns`` dataset, we coul Also keep in mind that when forwarding logs from the manager, some fields may not be set as expected since the events have not yet been processed by the Ingest Node configuration. -In :ref:`soc`, navigate to :ref:`administration` --> Configuration. At the top of the page, click the ``Options`` menu and then enable the ``Show all configurable settings, including advanced settings.`` option. Then navigate to logstash --> defined_pipelines --> manager and append the name of your newly created file to the list of config files used for the ``manager`` pipeline: +In :ref:`soc`, navigate to :ref:`administration` --> Configuration. At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. Then navigate to logstash --> defined_pipelines --> manager and append the name of your newly created file to the list of config files used for the ``manager`` pipeline: :: diff --git a/luks.rst b/luks.rst index 04df3ae4..6d901dfd 100644 --- a/luks.rst +++ b/luks.rst 
@@ -9,7 +9,7 @@ LUKS disk encryption is a feature that requires the use of the Security Onion Pr .. note:: - This is an enterprise-level feature of Security Onion. Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com for more information about purchasing a Security Onion Pro license to enable this feature. + This is an enterprise-level feature of Security Onion. Contact Security Onion Solutions, LLC via our website at https://securityonion.com/pro for more information about purchasing a Security Onion Pro license to enable this feature. Enabling LUKS During the ISO Install ------------------------------------ diff --git a/mfa.rst b/mfa.rst index a482805f..0c601aed 100644 --- a/mfa.rst +++ b/mfa.rst @@ -12,6 +12,8 @@ Time-based One-Time Passwords (TOTP) can be activated on a user account. TOTP re If you have a user account on multiple Security Onion deployments with TOTP activated, they may be listed identically in your authenticator app. If so, you should be able to edit the listing in your authenticator app so that you can distinguish between them. +To require all users setup TOTP upon login, enable the ``Require TOTP`` configuration setting, located on the Configuration screen: ``soc > config > server > Require TOTP``. + .. warning:: Please note that TOTP requires that both the Security Onion manager and the device supplying the TOTP code to have their system time set correctly. Otherwise, the TOTP code may be seen as invalid and rejected. diff --git a/netflow.rst b/netflow.rst index eace6c0d..cfa9fc77 100644 --- a/netflow.rst +++ b/netflow.rst 
@@ -30,7 +30,7 @@ Next, allow the traffic from the NetFlow exporter through the firewall to the Ne The following instructions assume that this is the first firewall change you have made and therefore refer to ``customhostgroup0`` and ``customportgroup0``. If those have already been used, you can select the next available hostgroup and portgroup. #. Navigate to :ref:`administration` --> Configuration. -#. At the top of the page, click the ``Options`` menu and then enable the ``Show all configurable settings, including advanced settings.`` option. +#. At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. #. On the left side, go to ``firewall``, select ``hostgroups``, and click the ``customhostgroup0`` group. On the right side, enter the IP address of the NetFlow exporter and click the checkmark to save. #. On the left side, go to ``firewall``, select ``portgroups``, select the ``customportgroup0`` group, and then click ``udp``. On the right side, enter your desired NetFlow listener port (2055 by default) and click the checkmark to save. #. On the left side, go to ``firewall``, select ``role``, and then select the node type that will receive the NetFlow records. Then drill into ``chain`` --> ``INPUT`` --> ``hostgroups`` --> ``customhostgroup0`` --> ``portgroups``. On the right side, enter ``customportgroup0`` and click the checkmark to save. diff --git a/nginx.rst b/nginx.rst index 7e495898..157e69f8 100644 --- a/nginx.rst +++ b/nginx.rst 
@@ -22,7 +22,7 @@ If you'd like to replace the default certificate with your own cert, then you ca Please be very careful when modifying advanced settings like this! -#. At the top of the page, click the ``Options`` menu and then enable the ``Show all configurable settings, including advanced settings.`` option. +#. At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. #. On the left side, go to ``nginx``, expand ``ssl``, and then select the ``Replace Default Cert`` setting. #. On the right side, change the setting to ``true`` and then click the checkmark to save the value. #. On the left side, select the ``SSL/TLS Cert File`` setting. diff --git a/nids.rst b/nids.rst index d9da1beb..8c9964b4 100644 --- a/nids.rst +++ b/nids.rst @@ -32,7 +32,7 @@ To tune the detection: Enabling and Disabling with Regex --------------------------------- -In 2.4.90, NIDS rules can now be enabled or disabled in Detections using regex patterns. Navigate to SOC :ref:`administration` - Configuration and filter for ``regex``, then drill down into soc --> config --> server --> modules --> suricataengine --> disableRegex or enableRegex. +Starting in Security Onion 2.4.90, NIDS rules can now be enabled or disabled in Detections using regex patterns. Navigate to SOC :ref:`administration` - Configuration and filter for ``regex``, then drill down into soc --> config --> server --> modules --> suricataengine --> disableRegex or enableRegex. The regex flavor is Google RE2: https://github.com/google/re2/wiki/Syntax 
@@ -72,7 +72,7 @@ Update Frequency By default, Security Onion checks for new NIDS rules every 24 hours. You can change this value as follows: - Navigate to :ref:`administration` --> Configuration. -- At the top of the page, click the ``Options`` menu and then enable the ``Show all configurable settings, including advanced settings.`` option. +- At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. - Navigate to soc --> config --> server --> modules --> suricataengine --> communityRulesImportFrequencySeconds. Changing to a Different Ruleset @@ -151,7 +151,7 @@ Other - not officially managed/supported by Security Onion - license fee may or may not apply -To add custom rulesets, navigate to :ref:`administration` --> Configuration, enable the ``Show all configurable settings`` option, then search for ``customRulesets``, and drilldown on the left side. +If you would like to add custom rulesets, then you can do this with a configuration setting. In :ref:`soc`, navigate to :ref:`administration` --> Configuration. At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. Then filter for ``customRulesets`` and drilldown on the left side. Custom rulesets can be added either via URL or a local file placed on the Manager. diff --git a/notifications.rst b/notifications.rst index c09e47ce..08112285 100644 --- a/notifications.rst +++ b/notifications.rst 
@@ -5,7 +5,7 @@ Notifications .. note:: - This is an enterprise-level feature of Security Onion. Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com for more information about purchasing a Security Onion Pro license to enable this feature. + This is an enterprise-level feature of Security Onion. Contact Security Onion Solutions, LLC via our website at https://securityonion.com/pro for more information about purchasing a Security Onion Pro license to enable this feature. The :ref:`detections` module, specifically :ref:`sigma` rules, can be enabled to send outbound notifications upon an alert being created. By default, no outbound notifications are enabled in a Security Onion installation. However, with the Pro license applied to a grid, notifications can be quickly configured via the Configuration screen. 
@@ -31,7 +31,7 @@ Notice there are special settings for Jira and SMTP notifications. These are uni The files subtree includes a list of several file settings, which allows for populating the contents of certain files that the alerters can optionally utilize. Most alerters use the files for specifying a custom Certificate Authority, so that :ref:`elastalert` can securely and confidently connect to remote servers that may be using custom SSL/TLS certificates. Again, Security Onion's backend process will handle generating these files from the supplied configuration data provided in the user interface. -Next, the **Alerter Parameters** setting is used to customize each alerter's own parameters. As :ref:`elastalert` already provides detailed documentation on the required parameters for each alerter, this documentation will not cover the same information, but instead will focus on two popular alerters: Slack and SMTP. +Next, the **soc > config > server > modules > elastalertengine > Notifications: Sev 0/Default Parameters** setting is used to customize each alerter's own parameters. As :ref:`elastalert` already provides detailed documentation on the required parameters for each alerter, this documentation will not cover the same information, but instead will focus on two popular alerters: Slack and SMTP. .. note:: @@ -40,7 +40,7 @@ Next, the **Alerter Parameters** setting is used to customize each alerter's own Slack ~~~~~ -To have :ref:`sigma` rules send notifications to Slack, add the following line to the **Alerter Parameters** configuration setting: +To have :ref:`sigma` rules send notifications to Slack, add the following line to the **soc > config > server > modules > elastalertengine > Notifications: Sev 0/Default Parameters** configuration setting: :: 
@@ -49,7 +49,7 @@ To have :ref:`sigma` rules send notifications to Slack, add the following line t Email (SMTP) ~~~~~~~~~~~~ -To have :ref:`sigma` rules send notifications via email, add the following lines to the **Alerter Parameters** configuration setting: +To have :ref:`sigma` rules send notifications via email, add the following lines to the **soc > config > server > modules > elastalertengine > Notifications: Sev 0/Default Parameters** configuration setting: :: @@ -64,9 +64,9 @@ SOC Detections Once the alerter parameters are configured, as described above, the next step is to configure :ref:`detections` in order to activate one or more notification alerters. -Navigate to the :ref:`administration` -> Configuration screen. Next, locate the ``soc -> config -> server -> modules -> elastalertengine`` settings. +Navigate to the :ref:`administration` -> Configuration screen. Next, locate the ``soc > config > server > modules > elastalertengine`` settings. -In the **Additional Alerters** configuration setting, add the name of each alerter that should be activated, one alerter name per line. For example, to add both slack and email: +In the **Notifications: Sev 0/Default Alerters** configuration setting, add the name of each alerter that should be activated, one alerter name per line. For example, to add both slack and email: :: 
@@ -80,3 +80,107 @@ Important! After activating (or removing) an alerter from this setting, the :ref .. image:: images/58_detections_options.png :target: _images/58_detections_options.png + +Severity-Based Notifications +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The instructions above setup the default notification settings, for all outbound notifications. However, as of Security Onion 2.4.100, notification settings can be customized for higher level severities. Severities are specified in Sigma :ref:`detections`. + +Severity levels progress as follows, starting with the lowest, least significant severity: + +0. Unknown Severity +1. Informational Severity +2. Low Severity +3. Medium Severity +4. High Severity +5. Critical Severity + +If notification settings are not specified for a particular severity level then it will use whatever settings are specified at the next lower severity. If that severity is also not specified, then it continues looking for lower severity settings. + +.. note:: + + Higher severity levels do not inherit parameters or alerters from lower severities. Consequently, if ``email`` is specified as the default (Severity 0) alerter, and it's desired to have both ``email`` and ``slack`` notifications sent with **High/Sev 4** severity or above, then both ``email`` and ``slack`` will need to be specified for the ``Notifications: Sev 4/Default Alerters`` setting, one per line. This same principle applies to the parameters, which are also not inherited. In order to inherit default parameters across all severities, the parameters can be specified in the ``elastalert > Custom Configuration Parameters`` setting. + +User-Defined Notifications +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +As of Security Onion 2.4.100, individual Sigma detections can be tagged to change the detection's alerting behavior. The tags are set inside the detection source. 
Tag details are defined below: + +- ``so.notification``: When this tag is present inside of a Sigma tag list, the detection will only perform outbound notifications. It will not add an alert to the SOC Alerts screen. +- ``so.alerters.customAlerters``: When this tag is present inside of a Sigma tag list, the detection will perform notifications for an alternate set of ElastAlert 2 alerters. More information on how to choose these alerters is provided below. +- ``so.params.customAlertersParams``: When this tag is present inside of a Sigma tag list, and when the above tag is also included, then an alternate set of custom parameters will be applied to the ElastAlert 2 alerters. + +To customize the alerters and parameters to use when these tags are specified in a Sigma detection, navigate to the Configuration screen. Find the ``soc > config > server > modules > elastalertengine > additionalUserDefinedNotifications > customAlerters`` setting and add the custom alerters, one per line, similar to what is done for the Severity-Based notifications above. Similarly, find the sibling setting to define custom alerter parameters: ``soc > config > server > modules > elastalertengine > additionalUserDefinedNotifications > customAlertersParams``. + +.. note:: + + User-defined alerters will override severity-based alerters, provided the user-defined alerters are properly configured. If the Sigma tags specify custom alerters but the corresponding setting does not exist in the Configuration then the severity-based notifications will continue to be used. + +To create additional user-defined alerter configurations, enabled Advanced mode and navigate to the same ``customAlerters`` and ``customAlertersParams`` settings mentioned above. With Advanced mode enabled there will be a "Create Duplicate" button that allows for duplicating these settings. Follow the on-screen instructions to create the duplicate settings. 
Then, to make use of these new settings, in the Sigma tag list replace the ``so.alerters.customAlerters`` tag suffix with the name (case-sensitive) of the duplicated setting. For example, if the duplicated settings are named ``SysAdminAlerters`` and ``SysAdminParams`` then the two tags to specify in the Sigma detection source are ``so.alerters.SysAdminAlerters`` and ``so.params.SysAdminParams``. Only one user-defined alerters and parameters setting will be used if multiple tags match the ``so.alerters.`` and ``so.params.`` prefixes. In other words, attempting to specify multiple user-defined alerters within a single Sigma detection will result in an ambiguous outcome. + +Example: + +.. code:: + + title: Security Onion - Grid Node Login Failure (SSH) (copy) + id: 0c880a39-f2cc-4e80-af26-eb08e2fe4b0a + status: experimental + description: Detects when a user fails to login to a grid node via SSH. Review associated logs for username and source IP. + author: Security Onion Solutions + date: 2024/08/27 + logsource: + product: linux + service: auth + detection: + selection: + event.outcome: failure + process.name: sshd + tags|contains: so-grid-node + filter: + system.auth.ssh.method: '*' + condition: selection and not filter + tags: + - so.alerters.SysAdminAlerters + - so.params.SysAdminParams + - so.notification + falsepositives: + - none + level: high + license: Elastic-2.0 + +Notification Formatting +----------------------- + +There are a wide range of capabilities to format notification messages to the various endpoints supported by ElastAlert 2. Refer to the ElastAlert 2 documentation for all available formatting parameters: https://elastalert2.readthedocs.io/en/latest/alerts.html#alert-subject + +Below is an example of customizing the notification message. This format is compatible with most of the ElastAlert 2 alerters but may only work with specific connection-related alerts, due to it referencing specific connection fields. 
To use, paste these settings into the desired configuration alerter params field, as discussed earlier in this section. Change the hostname as necessary in the included URLs. + +.. code:: + + alert_subject: "Alert: {0} {1}" + alert_subject_args: + - rule.name + - "@timestamp" + alert_text: | + Alert details are available in Security Onion Console: https://manager/#/hunt?q=log.id.uid%3A{0}&rt=1&rtu=days + + Source: {1}:{2} + Destination: {3}:{4} + + Investigate the network community ID: https://manager/#/hunt?q=network.community_id%3A"{5}"&rt=1&rtu=days + alert_text_type: alert_text_only + alert_text_args: ["log.id.uid", "source.ip", "source.port", "destination.ip", "destination.port", "network.community_id"] + +Applying Changes +---------------- + +In order for alerters and parameters to take effect, multiple synchronizations must occur. These are done automatically on a set schedule, but it is possible to force them earlier, if needed. Specifically, the following must take place for the changes to be applied to the ElastAlert 2 rules: + +1. Changes are saved in Configuration screen by the SOC Admin. +2. Configuration is synchronized across the grid. To manually force a grid sync, go to the Configuration screen, open the ``Options`` dropdown at the top, and click ``Synchronize``. +3. Sigma Detection edits are saved, such as adding the user-defined notification tags, or changing the severity. +4. Sigma Detections are synchronized. Click Full Synchronize for ElastAlert rules, or to force a single detection sync go to the Detection Source tab, make an edit to the source, and click ``Update``. + +.. note:: + + It may take a minute or two for the ElastAlert 2 process to detect the changed rules, and then another few minutes for ElastAlert 2 to run that rule. diff --git a/oidc.rst b/oidc.rst index 7d7b5b6e..27874131 100644 --- a/oidc.rst +++ b/oidc.rst 
@@ -7,13 +7,12 @@ Starting with Security Onion version 2.4.30, SOC supports single sign-on (SSO) a .. note:: - This is an enterprise-level feature of Security Onion. Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com for more information about purchasing a Security Onion Pro license to enable this feature. + This is an enterprise-level feature of Security Onion. Contact Security Onion Solutions, LLC via our website at https://securityonion.com/pro for more information about purchasing a Security Onion Pro license to enable this feature. .. warning:: Integrating Security Onion into an organization's global identity management platform is generally not recommended. If an attacker compromises the identity management platform, which is typically a high priority target, then that attacker could use compromised SSO credentials to access Security Onion and potentially undermine the benefits provided by Security Onion. This integration is made available for those who understand these risks and have appropriate mitigations in place. - Configuration ------------- 
@@ -174,7 +173,7 @@ Conversely, locally logged in users that have not logged in via SSO yet can link .. image:: images/oidc/oidc_link.png :target: _images/oidc_link.png -Administrators may choose to disable password logins when using SSO, to ensure all logins must go through the external OIDC provider. On the SOC Configuration screen, enter ``password.enabled`` into the filter to locate that Advanced setting (ensure the *Show all configurable settings* toggle is enabled). +If you would like to ensure that all logins go through the external OIDC provider, then you can disable password logins. In :ref:`soc`, navigate to :ref:`administration` --> Configuration. At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. Then filter for ``password.enabled`` to locate the setting. Similarly, the TOTP MFA and Passwordless options can also be disabled, if there is a desire to prevent users from altering all local authentication methods. Search for ``totp.enabled`` and ``webauthn.enabled``, respectively, to disable those authentication methods. diff --git a/pfsense.rst b/pfsense.rst index 173fe8ea..5872a316 100644 --- a/pfsense.rst +++ b/pfsense.rst 
@@ -3,7 +3,7 @@ pfSense ======= -pfSense is a free and open firewall that can be found at https://www.pfsense.org/. Security Onion has a couple of options for ingesting logs from pfSense firewalls: a simple parser and the more comprehensive Elastic Integration for pfSense. We recommend using the more comprehensive option by following the steps in the Elastic Integration section below. You can also follow along with our Youtube video at https://www.youtube.com/watch?v=aoH8qZwAxek. +pfSense is a free and open firewall that can be found at https://www.pfsense.org/. Security Onion has a couple of options for ingesting logs from pfSense firewalls: a simple parser and the more comprehensive Elastic Integration for pfSense. We recommend using the more comprehensive option by following the steps in the Elastic Integration section below. You can also follow along with our video at https://www.youtube.com/watch?v=aoH8qZwAxek. Simple Parser ------------- 
@@ -44,7 +44,7 @@ Next, allow the traffic from the pfSense firewall to port 9001. These instructio used, select the next available hostgroup and portgroup. #. Navigate to :ref:`administration` --> Configuration. -#. At the top of the page, click the ``Options`` menu and then enable the ``Show all configurable settings, including advanced settings.`` option. +#. At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. #. On the left side, go to ``firewall``, select ``hostgroups``, and click the ``customhostgroup0`` group. On the right side, enter the IP address of the pfSense firewall and click the checkmark to save. #. On the left side, go to ``firewall``, select ``portgroups``, select the ``customportgroup0`` group, and then click ``udp``. On the right side, enter ``9001`` and click the checkmark to save. #. On the left side, go to ``firewall``, select ``role``, and then select the node type that will receive the pfSense logs. Then drill into ``chain`` --> ``INPUT`` --> ``hostgroups`` --> ``customhostgroup0`` --> ``portgroups``. On the right side, enter ``customportgroup0`` and click the checkmark to save. diff --git a/pro.rst b/pro.rst index 161441c4..90e09df0 100644 --- a/pro.rst +++ b/pro.rst @@ -11,7 +11,7 @@ Starting in Security Onion 2.4.80, licensed Pro users can also enable :ref:`Guar .. note:: - Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com for more information about purchasing a Security Onion Pro license to enable these features. + Contact Security Onion Solutions, LLC via our website at https://securityonion.com/pro for more information about purchasing a Security Onion Pro license to enable these features. .. toctree:: :maxdepth: 2 diff --git a/release-notes.rst b/release-notes.rst index 98c43fb4..d8a025e0 100644 --- a/release-notes.rst +++ b/release-notes.rst 
@@ -6,21 +6,56 @@ Release Notes Known Issues ~~~~~~~~~~~~ -If you notice an Elasticsearch status of ``Pending`` in the Grid interface, you can view affected indices by running the following command from the CLI on the manager node: - -:: - - sudo so-elasticsearch-query _cat/shards | grep UN - -The result of the query should display affected indices. Older metrics indices for Elastic Endpoint logs may have been assigned a replica, so if you are running a single-node Elastic cluster there will be nowhere for the replica to exist. - -To resolve the issue, run the following command for each affected index (replacing ``$index`` with the actual index name): - -:: - - sudo so-elasticsearch-query $index/_settings -d '{"number_of_replicas":0}' -XPUT - -After running the command, the index should no longer use replicas and the status should change from "Pending" to "OK" once all indices have been successfully modified. +- The ``malwarehashregistry`` analyzer (Case -> Observables Tab) is no longer working as of 2.4.100. This is due to a stale third-party library that is incompatible with the latest Python version. 
`#13571 `_ + +2.4.100 [20240829] Changes +-------------------------- + +- FEATURE: Add breadcrumbs to Grid Configuration +- FEATURE: Add SOC Config Quick Link to allow Security Onion Desktop installations through firewall `#13412 `_ +- FEATURE: Add warning to soup about ssh `#13466 `_ +- FEATURE: Elastic Integration for tenable.io +- FEATURE: Optional setting to force users to setup OTP/MFA upon login `#13388 `_ +- FEATURE: Enhanced notifications (Pro) and related configuration updates +- FIX: Admin resetting of a user's password is not removing MFA `#13468 `_ +- FIX: Appliance kickstart updates +- FIX: Detections: YARA Detection tuning pivot should take user to detection source instead of tuning +- FIX: Duplicate variable causing Suricata failure `#13461 `_ +- FIX: Elastic Fleet disable TLS 1.1 by default +- FIX: Exempt desktop nodes from license node count +- FIX: Firewall annotations for Kafka +- FIX: Reduce size of SOC image due to git +- FIX: Reduce SOC Config Loading Time +- FIX: Review and disable outdated ciphers for Fleet `#11145 `_ +- FIX: Salt packages not versionlocked `#13438 `_ +- FIX: SOC logs ILM policy doesn't exist `#13555 `_ +- FIX: Suricata Alerts missing kafka.id field +- FIX: Syntax Check before submitting New Rule `#13385 `_ +- FIX: Tuning details should be included as part of the history item `#13225 `_ +- FIX: Update Agent Builder Dependencies `#13142 `_ +- FIX: Update pipeline version for EVTX `#13563 `_ +- UPGRADE: Docker Registry 2.8.3 `#13510 `_ +- UPGRADE: ElastAlert 2.19.0 `#13496 `_ +- UPGRADE: Elastic 8.14.3 `#13263 `_ +- UPGRADE: Kratos 1.2.0 `#13471 `_ +- UPGRADE: Salt 3006.9 `#13423 `_ +- UPGRADE: SOC dependencies to latest versions `#13488 `_ +- UPGRADE: so-elastic-agent-builder base image `#13505 `_ +- UPGRADE: so-elastic-fleet-package-registry base image +- UPGRADE: so-idh base image `#13503 `_ +- UPGRADE: so-idstools base image `#13500 `_ +- UPGRADE: so-influxdb base image and InfluxDB 2.7.9 `#13494 `_ +- UPGRADE: so-kafka 
base image and Kafka 3.8.0 `#13497 `_ +- UPGRADE: so-nginx base image `#13491 `_ +- UPGRADE: so-pcaptools base image `#13495 `_ +- UPGRADE: so-redis base image and Redis 7.2.5 `#13501 `_ +- UPGRADE: so-steno base image `#13498 `_ +- UPGRADE: so-strelka-backend base image +- UPGRADE: so-strelka base images `#13504 `_ +- UPGRADE: so-suricata base image `#13492 `_ +- UPGRADE: so-tcpreplay base image `#13499 `_ +- UPGRADE: so-telegraf base image and Telegraf 1.31.3 `#13502 `_ +- UPGRADE: so-zeek base image `#13493 `_ 2.4.90 [20240729] Changes ------------------------- diff --git a/sigma.rst b/sigma.rst index 9a4e880a..f53ba563 100644 --- a/sigma.rst +++ b/sigma.rst @@ -63,7 +63,7 @@ Sigma Configuration ------------------- - Navigate to :ref:`administration` --> Configuration. -- At the top of the page, click the ``Options`` menu and then enable the ``Show all configurable settings, including advanced settings.`` option. +- At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. - Navigate to soc --> config --> server --> modules --> elastalertengine. Once you've reached this location, here are some common settings. diff --git a/soup.rst b/soup.rst index 984c3784..5b4e2d34 100644 --- a/soup.rst +++ b/soup.rst 
@@ -72,10 +72,12 @@ Log If ``soup`` displays any errors, you can check ``/root/soup.log`` for additional clues. -ssh +SSH --- -If you run soup via ssh and the ssh session terminates, then any processes running in that session would terminate. You should avoid leaving soup unattended especially if the machine you are ssh'ing from is configured to sleep after a period of time. You might also consider using something like screen or tmux so that if your ssh session terminates, the processes will continue running on the server. +.. warning:: + + If you run soup via an :ref:`ssh` session and that :ref:`ssh` session terminates, then any processes running in that session would terminate. You should avoid leaving soup unattended especially if the machine you are SSHing from is configured to sleep after a period of time. You might also consider using something like screen or tmux so that if your :ref:`ssh` session terminates, the processes will continue running on the server. Airgap ------ diff --git a/stig.rst b/stig.rst index 649fdd72..808d9b41 100644 --- a/stig.rst +++ b/stig.rst @@ -7,7 +7,7 @@ STIG stands for Security Technical Implementation Guide. For more information ab .. note:: - This is an enterprise-level feature of Security Onion. Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com for more information about purchasing a Security Onion Pro license to enable this feature. + This is an enterprise-level feature of Security Onion. Contact Security Onion Solutions, LLC via our website at https://securityonion.com/pro for more information about purchasing a Security Onion Pro license to enable this feature. STIG During the ISO Install --------------------------- 
@@ -50,4 +50,4 @@ With the STIG feature enabled, you can find OpenSCAP reports under ``/opt/so/log More information ---------------- For more information about OpenSCAP see: https://www.open-scap.org/ -For more information about STIGs see: https://public.cyber.mil/stigs/ \ No newline at end of file +For more information about STIGs see: https://public.cyber.mil/stigs/ diff --git a/suricata.rst b/suricata.rst index 330e1de2..065b1a7f 100644 --- a/suricata.rst +++ b/suricata.rst @@ -132,7 +132,7 @@ If you switch to Suricata PCAP, it will write all network traffic to PCAP by def PCAP Configuration Options ~~~~~~~~~~~~~~~~~~~~~~~~~~ -Here are some other PCAP configuration options that can be found at :ref:`administration` --> Configuration --> Suricata -> pcap. Some settings are considered advanced settings so you will only see them if you enable the ``Show all configurable settings, including advanced settings.`` option. +Here are some other PCAP configuration options that can be found at :ref:`administration` --> Configuration --> Suricata -> pcap. Some settings are considered advanced settings so you will only see them if you enable the ``Show advanced settings`` option. - compression: Set to ``none`` to disable compression. Set to ``lz4`` to enable lz4 compression but note that this requires more CPU cycles. - lz4-level: lz4 compression level of PCAP files. Set to ``0`` for no compression. Set to ``16`` for maximum compression. diff --git a/third-party-integrations.rst b/third-party-integrations.rst index 14727573..044f06a0 100644 --- a/third-party-integrations.rst +++ b/third-party-integrations.rst 
@@ -110,6 +110,7 @@ sophos_central https://docs.elastic.co/en/integrations/sophos_c symantec_endpoint https://docs.elastic.co/en/integrations/symantec_endpoint system https://docs.elastic.co/en/integrations/system tcp https://docs.elastic.co/en/integrations/tcp +tenable_io https://docs.elastic.co/en/integrations/tenable_io tenable_sc https://docs.elastic.co/en/integrations/tenable_sc ti_abusech https://docs.elastic.co/en/integrations/ti_abusech ti_anomali https://docs.elastic.co/en/integrations/ti_anomali @@ -232,6 +233,10 @@ zscaler_zpa https://docs.elastic.co/en/integrations/zscaler_ - CEF + Security Onion 2.4.100 supports these additional Elastic integrations: + + - tenable_io + More Information ---------------- diff --git a/vmware.rst b/vmware.rst index a2eaeb4c..42bd9c36 100644 --- a/vmware.rst +++ b/vmware.rst @@ -62,6 +62,8 @@ If you're using VMware ESXi, then you're likely familiar with VM creation and in - You may need to set your monitoring interface in the vSwitch to VLAN ID 4095 to allow all traffic through. You can read more about this at https://github.com/Security-Onion-Solutions/securityonion/discussions/7185. - If you're trying to monitor multiple network interfaces, then you may need to enable the ``Allow MAC Changes`` option at both the vSwitch and Port Group levels. You can read more about this at https://github.com/Security-Onion-Solutions/securityonion/discussions/2676. + +- If you happen to notice after rebooting that the :ref:`elastic-agent` takes signifantly longer than 15 minutes to initialize, then you may need to enable the following option in ESXi: Settings > VM Options > VMWare Tools > Synchronise Guest Time. You can read more about this at https://github.com/Security-Onion-Solutions/securityonion/discussions/13285. VMware Tools ------------ diff --git a/yara.rst b/yara.rst index 9bd0dec9..e5d61f16 100644 --- a/yara.rst +++ b/yara.rst 
@@ -41,7 +41,7 @@ YARA Rules Options You can configure YARA rules options as follows: - Navigate to :ref:`administration` --> Configuration. -- At the top of the page, click the ``Options`` menu and then enable the ``Show all configurable settings, including advanced settings.`` option. +- At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. - Navigate to soc --> config --> server --> modules --> strelkaengine. Once you've reached this location, here are some common settings. diff --git a/zeek.rst b/zeek.rst index 9beb2819..9db1bf72 100644 --- a/zeek.rst +++ b/zeek.rst @@ -131,7 +131,7 @@ Other Zeek logs Zeek also provides other logs by default and you can read more about them at https://docs.zeek.org/en/latest/script-reference/log-files.html. -In addition to Zeek's default logs, we also include protocol analyzers for STUN, TDS, and Wireguard traffic and several different ICS/SCADA protocols. These analyzers are enabled by default. +In addition to Zeek's default logs, we also include protocol analyzers for STUN, TDS, and Wireguard traffic. We also include support for ICS/SCADA protocols such as BACnet, BSAP, CIP, COTP, DNP3, ECAT, ENIP, Modbus, OPC UA, Profinet, and S7. All of these analyzers are enabled by default and you can find corresponding dashboards for each of them in :ref:`dashboards`. We also include MITRE BZAR scripts and you can read more about them at https://github.com/mitre-attack/bzar. Please note that the MITRE BZAR scripts are disabled by default. If you would like to enable them, you can do so via :ref:`administration` --> Configuration --> zeek. Once enabled, you can then check for BZAR detections by going to :ref:`dashboards` and selecting the Zeek Notice dashboard.
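Review bot: in the notifications hunk (the ``alert_text`` example), the values substituted for ``{0}`` and ``{5}`` are interpolated verbatim into URL query strings, so a ``log.id.uid`` or ``network.community_id`` value containing characters that are significant in a query string (``+``, ``&``, ``#``, ``"``) will yield a hunt link that does not resolve to the intended record; consider adding a sentence stating that ElastAlert 2 does not URL-encode ``alert_text_args`` values. Two smaller points in the same hunk: the sentences "Only one user-defined alerters and parameters setting will be used if multiple tags match" and "will result in an ambiguous outcome" read as contradictory, and would be clearer as "only one will be used, and which one is not defined"; and in the Applying Changes list, ``Full Synchronize`` is the only UI control of the four steps not set in double backticks, while step 1 is missing "the" before "Configuration screen".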
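Review bot: in the second oidc.rst hunk, "prevent users from altering all local authentication methods" appears to mean "using" rather than "altering". Since the rewritten paragraph now walks through disabling ``password.enabled``, ``totp.enabled`` and ``webauthn.enabled`` together, and the warning at the top of the same file already frames the identity provider as a high-value target, the paragraph should state what an administrator should do if the OIDC provider becomes unavailable after all local methods are disabled, or at least recommend keeping one local account reachable before doing so.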
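Review bot: in the release-notes.rst hunk, the Known Issues entry describing the Elasticsearch ``Pending`` status and the ``number_of_replicas`` workaround is removed, but no FIX line in the 2.4.100 list corresponds to it; if the underlying problem was resolved, add a FIX entry naming the version, otherwise keep the workaround, since readers of older installations will still land on this page. Separately, the issue references in this view appear as ``#13571 `_`` with nothing between the number and the closing backtick; confirm the ``<https://...>`` link targets are present in the committed source.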
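Review bot: in the soup.rst hunk, the new warning uses ``:ref:`ssh``` three times in one paragraph; the first occurrence is enough, and plain "SSH" for the remaining two reads better. The move from a bare paragraph to a ``.. warning::`` directive is the right call for advice about an interrupted upgrade.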
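Review bot: in the suricata.rst hunk, the changed line mixes ``-->`` and ``->`` in one path ("Configuration --> Suricata -> pcap"); the rest of this patch uses ``-->`` throughout, so the second arrow should match.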
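Review bot: in the vmware.rst hunk, the added bullet has a typo ("signifantly" for "significantly"), spells the product "VMWare Tools" while the heading immediately below the hunk spells it "VMware Tools", and uses "Synchronise" where the rest of this patch uses "Synchronize"; it would also help to state which ESXi version the ``Settings > VM Options > VMWare Tools > Synchronise Guest Time`` path was verified on, since the menu text is being quoted literally.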
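Review bot: in the zeek.rst hunk, the changed line spells the protocol "Wireguard"; the project name is "WireGuard". The expanded ICS/SCADA list and the pointer to matching dashboards are a useful improvement over the previous vague wording.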