From b584c8e35364c8cb2611585ec47a7fbd8fc6a771 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 17 Jun 2024 09:13:17 -0400 Subject: [PATCH 1/4] FEATURE: Add more links and descriptions to SOC MOTD #13216 --- salt/soc/files/soc/motd.md | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/salt/soc/files/soc/motd.md b/salt/soc/files/soc/motd.md index 005a2be0f..369630e45 100644 --- a/salt/soc/files/soc/motd.md +++ b/salt/soc/files/soc/motd.md 
@@ -1,8 +1,24 @@ ## Getting Started -New to Security Onion 2? Click the menu in the upper-right corner and you'll find links for [Help](/docs/) and a [Cheat Sheet](/docs/cheatsheet.pdf) that will help you best utilize Security Onion to hunt for evil! In addition, check out our free Security Onion 2 Essentials online course, available on our [Training](https://securityonionsolutions.com/training) website. +New to Security Onion? Click the menu in the upper-right corner and you'll find links for [Help](/docs/) and a [Cheat Sheet](/docs/cheatsheet.pdf) that will help you best utilize Security Onion to hunt for evil! In addition, check out our free Security Onion Essentials online course, available on our [Training](https://securityonionsolutions.com/training) website. -If you're ready to dive in, take a look at the [Alerts](/#/alerts) interface to see what Security Onion has detected so far. Then go to the [Dashboards](/#/dashboards) interface for a general overview of all logs collected or go to the [Hunt](/#/hunt) interface for more focused threat hunting. Once you've found something of interest, escalate it to [Cases](/#/cases) to then collect evidence and analyze observables as you work towards closing the case. +If you're ready to dive in, take a look at the [Alerts](/#/alerts) interface to see what Security Onion has detected so far. If you find any false positives, then you can tune those in [Detections](/#/detections). + +Next, go to the [Dashboards](/#/dashboards) interface for a general overview of all logs collected. 
Here are a few overview dashboards to get you started: + +[Overview Dashboard](/#/dashboards) | [Elastic Agent Overview](/#/dashboards?q=event.module%3Aendpoint%20%7C%20groupby%20event.dataset%20%7C%20groupby%20host.name%20%7C%20groupby%20-sankey%20host.name%20user.name%20%7C%20groupby%20user.name%20%7C%20groupby%20-sankey%20user.name%20process.name%20%7C%20groupby%20process.name) | [Network Connection Overview](/#/dashboards?q=tags%3Aconn%20%7C%20groupby%20source.ip%20%7C%20groupby%20destination.ip%20%7C%20groupby%20destination.port%20%7C%20groupby%20-sankey%20destination.port%20network.protocol%20%7C%20groupby%20network.protocol%20%7C%20groupby%20network.transport%20%7C%20groupby%20connection.history%20%7C%20groupby%20connection.state%20%7C%20groupby%20connection.state_description%20%7C%20groupby%20source.geo.country_name%20%7C%20groupby%20destination.geo.country_name%20%7C%20groupby%20client.ip_bytes%20%7C%20groupby%20server.ip_bytes%20%7C%20groupby%20client.oui) | [DNS](/#/dashboards?q=tags%3Adns%20%7C%20groupby%20dns.query.name%20%7C%20groupby%20source.ip%20%7C%20groupby%20-sankey%20source.ip%20destination.ip%20%7C%20groupby%20destination.ip%20%7C%20groupby%20destination.port%20%7C%20groupby%20dns.highest_registered_domain%20%7C%20groupby%20dns.parent_domain%20%7C%20groupby%20dns.query.type_name%20%7C%20groupby%20dns.response.code_name%20%7C%20groupby%20dns.answers.name%20%7C%20groupby%20destination_geo.organization_name) | [Files](/#/dashboards?q=tags%3Afile%20%7C%20groupby%20file.mime_type%20%7C%20groupby%20-sankey%20file.mime_type%20file.source%20%7C%20groupby%20file.source%20%7C%20groupby%20file.bytes.total%20%7C%20groupby%20source.ip%20%7C%20groupby%20destination.ip%20%7C%20groupby%20destination_geo.organization_name) | 
[HTTP](/#/dashboards?q=tags%3Ahttp%20%7C%20groupby%20http.method%20%7C%20groupby%20-sankey%20http.method%20http.virtual_host%20%7C%20groupby%20http.virtual_host%20%7C%20groupby%20http.uri%20%7C%20groupby%20http.useragent%20%7C%20groupby%20http.status_code%20%7C%20groupby%20http.status_message%20%7C%20groupby%20file.resp_mime_types%20%7C%20groupby%20source.ip%20%7C%20groupby%20destination.ip%20%7C%20groupby%20destination.port%20%7C%20groupby%20destination_geo.organization_name) | [SSL](/#/dashboards?q=tags%3Assl%20%7C%20groupby%20ssl.version%20%7C%20groupby%20-sankey%20ssl.version%20ssl.server_name%20%7C%20groupby%20ssl.server_name%20%7C%20groupby%20source.ip%20%7C%20groupby%20destination.ip%20%7C%20groupby%20destination.port%20%7C%20groupby%20destination_geo.organization_name) + +Click the drop-down menu in Dashboards to find many more dashboards. You might also want to explore the [Hunt](/#/hunt) interface for more focused threat hunting. + +Once you've found something of interest, escalate it to [Cases](/#/cases) to then collect evidence and analyze observables as you work towards closing the case. + +If you want to check the health of your deployment, check out the [Grid](/#/grid) interface. + +For more coverage of your enterprise, you can deploy the Elastic Agent to endpoints in your environment. Just go to the [Downloads](/#/downloads) page to download the agent for your endpoints. + +To add users, head over to the [Users](/#/users) page. + +If you need to change the configuration of your deployment, go to the [Configuration](/#/config) interface. ## What's New From 3bface12e093e4733ec630fd12a0825ed7b7a12b Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 17 Jun 2024 09:23:14 -0400 Subject: [PATCH 2/4] FEATURE: Add more links and descriptions to SOC MOTD #13216 --- salt/soc/files/soc/motd.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/salt/soc/files/soc/motd.md b/salt/soc/files/soc/motd.md index 369630e45..fd655f5df 100644 
--- a/salt/soc/files/soc/motd.md +++ b/salt/soc/files/soc/motd.md @@ -16,10 +16,6 @@ If you want to check the health of your deployment, check out the [Grid](/#/grid For more coverage of your enterprise, you can deploy the Elastic Agent to endpoints in your environment. Just go to the [Downloads](/#/downloads) page to download the agent for your endpoints. -To add users, head over to the [Users](/#/users) page. - -If you need to change the configuration of your deployment, go to the [Configuration](/#/config) interface. - ## What's New To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/release-notes.html) link. From 6f13fa50bf2dcbb6bf752397ba116f9fb7a9fccf Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 17 Jun 2024 09:24:32 -0400 Subject: [PATCH 3/4] FEATURE: Add more links and descriptions to SOC MOTD #13216 --- salt/soc/files/soc/motd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/motd.md b/salt/soc/files/soc/motd.md index fd655f5df..ba3e443eb 100644 --- a/salt/soc/files/soc/motd.md +++ b/salt/soc/files/soc/motd.md @@ -14,7 +14,7 @@ Once you've found something of interest, escalate it to [Cases](/#/cases) to the If you want to check the health of your deployment, check out the [Grid](/#/grid) interface. -For more coverage of your enterprise, you can deploy the Elastic Agent to endpoints in your environment. Just go to the [Downloads](/#/downloads) page to download the agent for your endpoints. +For more coverage of your enterprise, you can deploy the Elastic Agent to endpoints in your environment by going to the [Downloads](/#/downloads) page. ## What's New From 93ced0959cbb0b747903650198ff8c66fbeb1894 Mon Sep 17 00:00:00 2001 
From: Doug Burks Date: Mon, 17 Jun 2024 09:25:01 -0400 Subject: [PATCH 4/4] FEATURE: Add more links and descriptions to SOC MOTD #13216 --- salt/soc/files/soc/motd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/motd.md b/salt/soc/files/soc/motd.md index ba3e443eb..c13cbd70b 100644 --- a/salt/soc/files/soc/motd.md +++ b/salt/soc/files/soc/motd.md @@ -14,7 +14,7 @@ Once you've found something of interest, escalate it to [Cases](/#/cases) to the If you want to check the health of your deployment, check out the [Grid](/#/grid) interface. -For more coverage of your enterprise, you can deploy the Elastic Agent to endpoints in your environment by going to the [Downloads](/#/downloads) page. +For more coverage of your enterprise, you can deploy the Elastic Agent to endpoints by going to the [Downloads](/#/downloads) page. ## What's New
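Review bot: in the PATCH 1/4 hunk (@@ -1,8 +1,24 @@), the new dashboard row mixes two field-name conventions for geo data: the Network Connection Overview link groups by `source.geo.country_name` and `destination.geo.country_name`, while the DNS, Files, HTTP and SSL links group by `destination_geo.organization_name`. Please confirm both spellings are real fields in the index mapping before this ships, since a typo in a hard-coded query string will only be noticed when an analyst clicks the link. Separately, the first entry `[Overview Dashboard](/#/dashboards)` points at the same target as the `[Dashboards](/#/dashboards)` link in the sentence just above it, so either give it an explicit query like its siblings or drop it from the row.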
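Review bot: the PATCH 2/4 hunk (@@ -16,10 +16,6 @@) deletes the Users and Configuration paragraphs that PATCH 1/4 added ten minutes earlier, but its subject is the identical "FEATURE: Add more links and descriptions to SOC MOTD #13216" and gives no reason for removing them. If these two pages should not be advertised in the MOTD, state why in the commit message; otherwise squash this into PATCH 1/4 so the series does not add and then delete the same lines.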
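Review bot: the PATCH 3/4 hunk (@@ -14,7 +14,7 @@) is a wording-only change to the Elastic Agent sentence, and PATCH 4/4 rewrites the same sentence again a minute later; these belong in one commit (or squashed into PATCH 1/4), and the subject line should describe the edit instead of repeating the series title.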
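Review bot: in the PATCH 4/4 hunk (@@ -14,7 +14,7 @@), the final sentence says you deploy the Elastic Agent "by going to the [Downloads](/#/downloads) page", but the wording this series started from described that page as where you download the agent for your endpoints; installing it on the endpoint is a separate step. Suggest "download the Elastic Agent for your endpoints from the [Downloads](/#/downloads) page" so a new analyst is not left looking for a deploy action on that page.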