29 March 2024
Information:
Dashboards only work on the old, unsupported version of Security Onion (do NOT run in production).
Sysmon
The Sysmon config can be used on Sysmon from version 15.00 (Sysmon schema version 4.90).
Logs sent to SIEM systems like Security Onion, Splunk and Elastic work very well on all versions. The Sysmon config is very well maintained. All Sysmon event IDs are covered, and it works on all versions of Windows supported by Sysmon.
The Sysmon Install / Uninstall / Config Update script has been released. It makes it very easy to install / uninstall Sysmon and update the Sysmon config file.
Microsoft Event dashboards
All Microsoft event ID dashboards are working just fine. They have been set up following the guidelines from NSACyber guidance.
Sysmon covers over 52 MITRE ATT&CK techniques, and this is without counting any MITRE numbers for what is covered by Security Onion alone.
You will get 76 dashboards with a total of 652 objects to look at.
Happy hunting.....
Download Files:
JSON files for the Kibana dashboards and links for the navigation pane.
File name: Dashboards-navigationpane.zip
SHA1: dcb4c78721e95d35e8bede800336c9f8d8b60565
Winlogbeat, registry files and setup instructions.
File name: Install_pack.zip
SHA1: 07fe1e542373ae97a0d907166be28033089d326e
Sysmon 15.14 Config 35
File name: Sysmon_15.14_Config_35.zip
SHA1: 12a11fc388cfe39b2ff1d47858ae3be69699a2de
Sysmon Cheatsheet
File name: Sysmon-Cheatsheet.pdf
SHA1: e573f2c2b46a5abef726b73f3690005b04780e5e
Made for / tested on: Windows 10 and 11, Windows Server 2019 and up
Security Onion - 16.04.7.1
Kibana 6.8.11 management
SNORT 2.9.16.1
Winlogbeat - 6.8.23
Sysmon - 15.14
MISP Integration
MISP is an Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing.
For Danish companies, take a look at the Danish MISP User Group/Community.
Recommended
I can recommend taking a look at the MISP framework for an even stronger Security Onion setup. There are different guides on how to set this up.
Guides:
Security Onion - https://securityonion.readthedocs.io/en/latest/misp.html
eCrimeLabs - https://github.com/eCrimeLabs/securityonion-ecrimelabs
29-03-2024
Changes:
- Sysmon Config 35
02-03-2024
Changes:
- Sysmon Config 27
01-03-2024
Changes:
- Sysmon Config 26
28-02-2024
Changes:
- Sysmon Config 25
14-02-2024
Changes:
- New dashboards
- Sysmon 15.14
- Sysmon Config 22
- Sysmon Install script
- Sysmon Uninstall script
- Sysmon Config Update script
18-11-2023
Changes:
- New dashboards
- Sysmon 15.11
- Sysmon Config 15
22-07-2023
Changes:
- New dashboard
- Sysmon 15 Config 02
06-07-2023
Changes:
- Updated Dashboards
- File Executable Detected dashboard
- Sysmon 15
- Sysmon Config 01