Security Onion + Automation + Response Lab including n8n and Velociraptor
This repo was originally created to work in conjunction with the blog article here:
NOTE: The above article has since been deprecated, as TheHive has been removed from Security Onion (as of version 2.3.100
) -- a new article is currently in development to address these changes.
The primary difference with the updated implementation is that instead of adding an observable to TheHive, it should be added to a case within Security Onion Cases. From there, an Elastalert rule will watch for new observable additions, then perform an HTTP POST to the webhook used for automating Hunts for Velociraptor.
- Mark case with label/tag (and/or create an alert inside Security Onion console) once a host is quarantined
This is NOT an officially supported Security Onion integration, so usage is at your own risk.
It is assumed that Security Onion is already running and configured as a standalone, manager, or managersearch node.
To install Security Onion, consult the documentation here:
https://docs.securityonion.net/en/latest/installation.html
After Security Onion is installed, proceed to the lab installation steps.
git clone https://github.com/weslambert/DinoSOARLab
cd DinoSOARLab
sudo ./install_lab
Once setup is complete:
- Velociraptor GUI can be accessed via
https://$securityonion/velociraptor
- n8n can be access via
https://$securityonion/n8n
To add a firewall exception for a particular IP or range of IPs (for Velociraptor clients), you can use the so-firewall script, like so:
sudo so-firewall includehost velociraptor <IP/CIDR>
sudo salt-call state.apply firewall queue=True
Original Velociraptor client binaries and repacked client binaries can be found in /opt/so/conf/velociraptor/clients
.
The client configuration file can be found in /opt/so/conf/velociraptor
.