5. Try out SIEM and dashboarding (i.e. Elastic Stack)

Introduction

For an organisation's processes and protocols, having a SIEM is one of the starting points for good information security. Not only does this tool usually describe the playbook, but it also lays out which steps need to be taken to safeguard the security of an enterprise.

Execution

In my own instance of Security Onion, a SIEM tool called TheHive is included; it is possible to escalate a new alert from the Security Onion dashboard, resulting in the creation of a case in TheHive. Below you will find an example:
https://i.imgur.com/ALTOv3i.png

TheHive

I rarely use TheHive in my own private lab because it is tough to maintain it and keep a good overview of the security baseline of a network. Here are my current cases:
https://i.imgur.com/fu5VX4v.png
Though in our group assignment, which also revolves around blue-teaming activities, we do have cases; some of these contain partials of certain flags and whatnot.
https://i.imgur.com/9mUUBRR.png

Kibana

For our group assignment, prior to my discovery of the Wazuh event tab, I was convinced we needed to create our own dashboard in Kibana, and that is what I did. It is based on KQL (Kibana Query Language); I took Suricata as an example:
https://i.imgur.com/nx1sWl0.png
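To make concrete what such a Suricata dashboard is aggregating, here is an added example (not code from the post or from Security Onion) that reads Suricata EVE JSON lines and computes the per-signature, per-severity and top-source counts a Kibana panel would chart; the log lines are constructed for the example, and the helper names are my own.

```python
import json
from collections import Counter

# Constructed Suricata EVE JSON lines (not captured from the lab in the post).
# One line is a non-alert flow event and one is malformed on purpose.
SAMPLE_EVE = """\
{"timestamp":"2023-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","dest_port":22,"proto":"TCP","alert":{"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2023-05-01T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","proto":"TCP"}
{"timestamp":"2023-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.21","dest_port":22,"proto":"TCP","alert":{"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2023-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.20","dest_port":80,"proto":"TCP","alert":{"signature":"ET WEB_SERVER Possible SQL Injection Attempt","category":"Web Application Attack","severity":1}}
this line is not json
"""


def parse_eve(text):
    """Yield only alert records; skip flow/dns/http events and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a dashboard should not die on one bad line
        if rec.get("event_type") == "alert":
            yield rec


def summarise_alerts(text, top_n=5):
    """Return the aggregates a Suricata alert dashboard panel would chart."""
    by_signature, by_severity, by_src = Counter(), Counter(), Counter()
    for rec in parse_eve(text):
        alert = rec.get("alert", {})
        by_signature[alert.get("signature", "<unknown>")] += 1
        by_severity[alert.get("severity", 0)] += 1
        by_src[rec.get("src_ip", "<unknown>")] += 1
    return {
        "total_alerts": sum(by_signature.values()),
        "top_signatures": by_signature.most_common(top_n),
        "by_severity": dict(sorted(by_severity.items())),  # 1 = highest
        "top_sources": by_src.most_common(top_n),
    }


if __name__ == "__main__":
    for key, value in summarise_alerts(SAMPLE_EVE).items():
        print(f"{key}: {value}")
```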
And here is the default Security Onion Kibana dashboard; as you can see, it covers certain use cases.
https://i.imgur.com/7tKZUtQ.png