Skip to content

Commit

Permalink
Merge pull request #103 from Security-Onion-Solutions/dev
Browse files Browse the repository at this point in the history
Merge dev to 2.4
  • Loading branch information
dougburks authored Jun 10, 2024
2 parents 980ac40 + 0acb56d commit f67a8f3
Show file tree
Hide file tree
Showing 8 changed files with 36 additions and 14 deletions.
2 changes: 2 additions & 0 deletions alerts.rst
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,8 @@ Query Bar

The query bar defaults to ``Group By Name, Module`` which groups the alerts by ``rule.name`` and ``event.module``. You can click the dropdown box to select other queries which will group by other fields. If you want to send your current Alerts query to :ref:`hunt`, you can click the crosshair icon to the right of the query bar.

If you would like to save your own personal queries, you can bookmark them in your browser. If you would like to customize the default queries for all users, please see the :ref:`soc-customization` section.

Time Picker
-----------

Expand Down
2 changes: 2 additions & 0 deletions cases.rst
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,8 @@ The query bar defaults to Open Cases. Clicking the drop-down box reveals other o

Under the query bar, you’ll notice colored bubbles that represent the individual components of the query and the fields to group by. If you want to remove part of the query, you can click the X in the corresponding bubble to remove it and run a new search.

If you would like to save your own personal queries, you can bookmark them in your browser. If you would like to customize the default queries for all users, please see the :ref:`soc-customization` section.

Time Picker
-----------

Expand Down
2 changes: 2 additions & 0 deletions dashboards.rst
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,8 @@ Query Bar

The easiest way to get started is to click the query drop down box and select one of the pre-defined dashboards. These pre-defined dashboards cover most of the major data types that you would expect to see in a Security Onion deployment: :ref:`nids` alerts from :ref:`suricata`, protocol metadata logs from :ref:`zeek` or :ref:`suricata`, endpoint logs, and firewall logs.

Under the query bar, you’ll notice colored bubbles that represent the individual components of the query. If you want to remove part of the query, you can click the X in the corresponding bubble to remove it and run a new search.

If you would like to save your own personal queries, you can bookmark them in your browser. If you would like to customize the default queries for all users, please see the :ref:`soc-customization` section.

Time Picker
Expand Down
2 changes: 2 additions & 0 deletions detections.rst
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,8 @@ The query bar defaults to ``All Detections``. Clicking the drop-down box reveals

Under the query bar, you’ll notice colored bubbles that represent the individual components of the query. If you want to remove part of the query, you can click the X in the corresponding bubble to remove it and run a new search.

If you would like to save your own personal queries, you can bookmark them in your browser. If you would like to customize the default queries for all users, please see the :ref:`soc-customization` section.

Group Metrics
-------------

Expand Down
5 changes: 2 additions & 3 deletions firewall.rst
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,6 @@ Elastic Fleet nodes to Receiver nodes:

- TCP/5056 - Logstash-to-Logstash for Elastic Agent data ingest


Host Firewall
-------------

Expand All @@ -100,10 +99,10 @@ You can configure the firewall by going to :ref:`administration` --> Configurati
.. image:: images/config-item-firewall.png
:target: _images/config-item-firewall.png

If for some reason you can't access :ref:`soc`, you can use the so-firewall command to allow your IP address to connect (replacing ``<IP ADDRESS>`` with your actual IP address):
If for some reason you can't access :ref:`soc` at all, you can use the so-firewall command to allow the IP address of your web browser to connect (replacing ``<IP ADDRESS>`` with the actual IP address of your web browser):
::

so-firewall includehost analyst <IP ADDRESS>
sudo so-firewall includehost analyst <IP ADDRESS>

Reviewing Host Firewall
-----------------------
Expand Down
6 changes: 5 additions & 1 deletion kibana.rst
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,11 @@ Authentication

Log into Kibana using the same username and password that you use for :ref:`soc`.

You can add new user accounts to both Kibana and :ref:`soc` at the same time as shown in the :ref:`adding-accounts` section. Please note that if you instead create accounts directly in Kibana, then those accounts will only have access to Kibana and not :ref:`soc`.
You can add new user accounts to both Kibana and :ref:`soc` at the same time as shown in the :ref:`adding-accounts` section.

.. warning::

If you create accounts directly in Kibana (rather than in SOC), then those accounts will NOT be able to log into SOC.

Kibana Dashboards
-----------------
Expand Down
23 changes: 15 additions & 8 deletions post-installation.rst
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,21 @@
After Installation
==================

Adjust firewall rules
---------------------

Depending on what kind of installation you did, the Setup wizard may have already walked you through adding firewall rules to allow your analyst IP address(es). If you need to make other adjustments to firewall rules, you can do so by going to :ref:`administration` --> Configuration --> firewall --> hostgroups.

.. image:: images/config-item-firewall.png
:target: _images/config-item-firewall.png

If for some reason you can't access :ref:`soc` at all, you can use the so-firewall command to allow the IP address of your web browser to connect (replacing ``<IP ADDRESS>`` with the actual IP address of your web browser):
::

sudo so-firewall includehost analyst <IP ADDRESS>

For more information, please see the :ref:`firewall` section.

Services
--------

Expand All @@ -21,14 +36,6 @@ You can also verify services are running from the command line with the :ref:`so

sudo so-status
Adjust firewall rules
---------------------

Depending on what kind of installation you did, the Setup wizard may have already walked you through adding firewall rules to allow your analyst IP address(es). If you need to make other adjustments to firewall rules, you can do so by going to :ref:`administration` --> Configuration --> firewall --> hostgroups.

.. image:: images/config-item-firewall.png
:target: _images/config-item-firewall.png

SSH
---

Expand Down
8 changes: 6 additions & 2 deletions soc-customization.rst
Original file line number Diff line number Diff line change
Expand Up @@ -52,11 +52,15 @@ The default timeout for user login sessions is 24 hours. This is a fixed timespa
Custom Queries
--------------

If you'd like to add your own custom queries to :ref:`alerts`, :ref:`dashboards`, or :ref:`hunt`, you can go to :ref:`administration` --> Configuration --> soc --> server --> client and then select the specific app you'd like to modify.
If you'd like to add your own custom queries to :ref:`alerts`, :ref:`cases`, :ref:`dashboards`, :ref:`detections` or :ref:`hunt`, you can go to :ref:`administration` --> Configuration --> soc --> config --> server --> client and then select the specific app you'd like to modify.

.. warning::

When you save your custom queries, SOC saves the entire list of queries (including our default queries included in the product). So if you update to a new version which includes new or updated default queries, you won't see the new or updated default queries since your custom query list is overriding the default.

To see all available fields for your queries, go down to the Events table and then click the arrow to expand a row. It will show all of the individual fields from that particular event.

For example, suppose you want to add GeoIP information like ``source.geo.region_iso_code`` or ``destination.geo.region_iso_code`` to :ref:`alerts`. You would go to :ref:`administration` --> Configuration --> soc --> server --> client --> alerts --> queries and insert the following line wherever you want it show up in the query list:
For example, suppose you want to add GeoIP information like ``source.geo.region_iso_code`` or ``destination.geo.region_iso_code`` to :ref:`alerts`. You would go to :ref:`administration` --> Configuration --> soc --> config --> server --> client --> alerts --> queries and insert the following line wherever you want it show up in the query list:

::

Expand Down

0 comments on commit f67a8f3

Please sign in to comment.