Source
Today I will show you how to install and configure a basic Security Onion deployment.
You can install Security Onion as its own OS (from the ISO) or on top of Ubuntu or CentOS. In this guide I will install SO as an OS.
I used the sources below as reference:
Requirement
https://docs.securityonion.net/en/2.3/hardware.html#
ISO (download and verification): https://github.com/Security-Onion-Solutions/securityonion/blob/master/VERIFY_ISO.md
Install Security Onion
- Download the ISO and boot your machine from it
- Set up the administrator account for the machine
- After the installation completes, restart the machine and log in with the credentials you created above
- Choose the mode you want to install, using the space bar to select
- Type agree
- Set up the hostname for the SO server
- Choose the NIC that connects to the management network. By default, Security Onion expects 2 NICs:
- 1 NIC for management only
- 1 NIC for monitoring
- Set up the IP for the management NIC; a static IP is recommended
- Set up the internet connection
- Choose the monitoring NIC
- Choose the OS patch schedule
- Enter your home network (HOME_NET) ranges
- Choose the type of manager
- Keep the default Docker IP range: Yes
- Create an email address; this will be the admin account used to log in to Security Onion and all of its services
- Set up how you will access the SO web interface. If you choose hostname, make sure you have a DNS server or resolver that can resolve that hostname
- Set up the soremote user
- Set up the configuration
- Set up the search node
- By default, Security Onion blocks all access to itself. You have to specify the IP address range on the management network that is allowed to access it
- Review the configuration and install
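The second-to-last step opens the SO firewall to an analyst IP range, and the narrower that range is the better. The POSIX shell script below is an added example, not part of the original guide and not Security Onion's own code: it checks that a proposed analyst range lies entirely inside the management network before you allow it. The 10.10.0.0/16 and 10.10.5.0/24 ranges are constructed sample values, and the `so-allow` hint refers to the helper Security Onion 2.3 provides for adding such firewall rules after setup.

```shell
#!/bin/sh
# Added example (not from the Security Onion project): validate that an analyst
# range is inside the management network before allowing it in the SO firewall.
# All IP ranges below are constructed sample values.

# Convert a dotted-quad IPv4 address to a 32-bit integer; fail on bad input.
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # Reject empty octets, leading zeros (octal in shell arithmetic) and >255
        case $o in ''|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network mask for a prefix length 0-32, as a 32-bit integer.
prefix_to_mask() {
    case $1 in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# cidr_within SMALL BIG: exit 0 when every address of SMALL lies in BIG,
# 1 when it does not, 2 when either argument is not a valid a.b.c.d/len.
cidr_within() {
    small_ip=${1%/*}; small_len=${1#*/}
    big_ip=${2%/*};   big_len=${2#*/}
    [ "$1" != "$small_len" ] && [ "$2" != "$big_len" ] || return 2
    s=$(ip_to_int "$small_ip")       || return 2
    b=$(ip_to_int "$big_ip")         || return 2
    prefix_to_mask "$small_len" >/dev/null || return 2
    bm=$(prefix_to_mask "$big_len")  || return 2
    # SMALL fits only if its prefix is at least as long as BIG's and both
    # network addresses agree under BIG's mask.
    [ "$small_len" -ge "$big_len" ] && [ $(( s & bm )) -eq $(( b & bm )) ]
}

# check_analyst_range MGMT_CIDR ANALYST_CIDR: print a verdict and return
# 0 (allow), 1 (refuse: outside the management network) or 2 (bad input).
check_analyst_range() {
    cidr_within "$2" "$1"
    rc=$?
    case $rc in
        0) echo "ok: $2 is inside management network $1" ;;
        1) echo "refuse: $2 is not inside management network $1" ;;
        *) echo "error: malformed CIDR in '$1' or '$2'" ;;
    esac
    return "$rc"
}

# Demonstration with constructed values (replace with your own ranges).
MGMT_NET="10.10.0.0/16"
for candidate in 10.10.5.0/24 192.168.1.0/24 10.10.0.0/8 10.10.5.0; do
    if check_analyst_range "$MGMT_NET" "$candidate"; then
        echo "  -> run: sudo so-allow   (choose the analyst role, then enter $candidate)"
    fi
done
```

The point of the check is least privilege: a range broader than the management network (such as 10.10.0.0/8 against a 10.10.0.0/16 management network) or one on a different network is refused, so only analyst workstations that really sit on the management segment get a rule.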
Basic Configuration
Status Check
After the reboot, you can check the status of the services with the command
sudo so-status

Access the Console
From a machine on the same network as the management NIC, open the console at
https://<ip of SO Server>
Enter the credentials you created in the previous steps; the username is the email address. Example: admin@gmail.com
Adding Agent to SO
- On the Downloads tab in the left bar, choose the agent you want to deploy (osquery works best).
- Deliver the install package to the new host and install it
- The new host will appear in the FleetDM console

Security Onion Console
This is a basic walkthrough of the SO console; see the Security Onion manual for more information
Alert Tab
This is the main workflow page that a security analyst uses to monitor the network. It contains the security alerts that SO creates automatically
- You can acknowledge (ignore) an alert if it is a FP (false positive)
- You can escalate an alert if you think it is a TP (true positive); this creates a "ticket" in TheHive

Hunt Tab
This is where the investigation begins: you look for suspicious information related to the alert you got

PCAP Tab
This is where the stored packet captures (PCAP) are retrieved and analyzed

Grid Tab
This tab shows how many SO nodes are in the grid, how they are connected and what their roles are

Downloads
This tab is mainly for downloading the packages used to deploy agents to new hosts

Administration
This tab is for managing the users that can access the SO console and their roles

Kibana console
This is the main Kibana console, used to aggregate logs from all your systems and applications, analyze them, and create visualizations for application and infrastructure monitoring, faster troubleshooting, security analytics, and more

Grafana console
This Grafana console is mainly used for monitoring the health and status of the main SO server's operating system

CyberChef console
If you ever need a tool to decrypt or decode a message, or to investigate further some data you found, this console is where you will go

Playbook console
This console is mainly for managing how the system generates alerts

FleetDM console
This console is mainly for managing the hosts that connect to SO and searching for information about them

TheHive console
Remember the "ticket" I mentioned above? This is where the escalated alerts end up. This console is mainly for working the tickets created from alerts

Navigator
This console is mainly for reference, since it contains a lot of information about attack techniques
