Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It has been downloaded over 2 million times and is being used by security teams worldwide. Security Onion 2.4 comes with many updates, and the hotfix 2.4.10 release is available on GitHub.
For network visibility, they offer signature-based detection via Suricata, rich protocol metadata and file extraction using Zeek or Suricata, full packet capture via Stenographer, and file analysis via Strelka.
For host visibility, Security Onion offers the Elastic Agent, which provides data collection, live queries via osquery, and centralized management using Elastic Fleet. Intrusion detection honeypots based on OpenCanary can be added to your deployment for even more enterprise visibility. All these logs flow into Elasticsearch, and they’ve built their own UIs for alerts, dashboards, threat hunting, case management, and grid management.
New features in Security Onion 2.4
Over the past year of developing Security Onion 2.4, the developers added new features to give you a better experience and make you more efficient:
Security Onion Console (SOC) has many new features to make you more efficient as a defender:
- SOC now allows you to add a value directly from a record in Hunt, Dashboards, or Alerts as an observable to an existing or new case
- SOC includes a new DNS lookup capability
- SOC includes pivots for relational operators on numbers
- SOC Cases support dynamic observable extraction
- SOC can import PCAP and EVTX files
SOC has many new administration features, so you can spend less time managing your deployment and more time hunting adversaries.
- You can manage users via SOC’s Administration section
- SOC’s Administration section also includes a new Grid Members Interface to manage adding and removing nodes
- You can configure most aspects of your deployment via the Configuration interface
- SOC’s Grid interface has been improved to show more status information about your nodes
- The installer has been simplified and configuring new members of the grid will take place in the Grid Members interface
- SOC authentication has been upgraded to include additional authentication protections, such as rate-limiting login requests. It also supports passwordless login via Webauthn
Endpoint telemetry is more powerful and easier to manage.
- The primary endpoint agent is now Elastic Agent and it provides data collection and live queries via embedded osquery. It replaces the previous osquery, Beats, and Wazuh
- Elastic Agent is managed in Elastic Fleet
- Elastic Agent and Elastic Fleet support Elastic Integrations
- Grafana has been removed and all health metrics can be found in InfluxDB
- The Security Onion ISO image has upgraded from CentOS 7 to Oracle Linux 9