Question about Security Onion and MITRE ATTACK Navigator

[pdwheelerjr]

Version

2.4.170

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

12

RAM

64GB

Storage for /

300GB

Storage for /nsm

700GB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Not sure the answers I'm providing are accurate for a distributed environment. These are the specs for the central server. The sensor nodes, search nodes, etc. have their own specs. This is more about the integration between Security Onion and MITRE ATTACK. Navigator seems to report that we are seeing "hits" on some techniques but the attempt to find the related alerts via "view related alerts" never seems to find anything. I haven't been able to find any alerts that show a reference in the alert detail to an ATTACK technique. Is this expected? Are Zeke and Suricata looking for a tagging MITRE alerts? I found information about enabling BZAR? features for Zeke, but haven't been able to find it through the Administration console.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

Just so I am clear, when you right click on one of those and select view related alerts you don't pivot to Alerts?

For BZAR, In SOC > Administration > Configuration > zeek > config > local > load add bzar to the list and hit the green check mark. Then synchronize the grid. Zeek should load the BZAR scripts. You can check /nsm/zeek/logs/current/loaded_scripts.log for BZAR to validate once Zeek restarts.

[pdwheelerjr]

Thank you for replying. The "view related alerts" does pivot to Alerts, but it never finds any results. It's doing the search via the T- technique designator. I've not been able to find any alerts where the technique designator actually seems to appear in the message details or the suricata signature. I'll keep trying, but this seems to be consistent.

I'll try loading the BZAR scripts, thanks for the information.

[pdwheelerjr]

Just a side note, when I backed out to the Dashboard view and started looking for MITRE techniques, I am able to find the data. It's just not showing up in the Alerts query as formatted. It just spins then times out without producing any results. I'll keep playing with this.

[cm-ops]

When you go to Dashboards you are seeing data that has the tag alert?

[pdwheelerjr]

I'm trying to determine the best way to answer this. Can I find these alerts through the Dashboards, yes. I have to change the query to specifically look for them. Can I find them through the Alerts view, yes, but again I have to change the query. I'm going to try to paste some pictures into this so it makes sense. I've attached four images. If you look at Navigator1 you see the techniques we have hits on. Navigator2 shows me picking a specific technique and drilling down. Alerts1 shows what happens when I click on "View related Alerts". It just times out. When I alter the qeury to specifically look for a MITRE technique then I get an immediate response (Alerts2). I'm wondering if it would be possible to change the Navigator screen link so that it opens Alerts with the query: rule.metadata.mitre_technique_id:T1189 rather than just "T1189*. I think there may just be too much data for the search to find a hit on 5 characters, but it works perfectly when told to look in a specific field in the data.

[defensivedepth]

As you can see from my screenshots, pivoting from the Alerts layer to the Alerts console, does work. The timeout you are seeing is concerning. Try bumping that 15 days back to 5 days; also, how much data do you have, and what are the hardware specs for your Search Nodes?

[pdwheelerjr]

Okay, there are two search nodes currently. One is a virtual machine with 8 processors, 64GB memory and 2TB of disk allocated. The other is a physical server (a retired VMWare host) with 32 processors, 136GB memory and 30TB of disk. This is a fairly busy environment that covers north/south traffic for two manufacturing facilities. Over 200 million records a day in the dashboard, more on weekdays, a little less most weekends. It retains data for a while. :-) It doesn't keep the full PCAP for very long.

I do tend to clear Elasticsearch using so-elastic-clear after updating Security Onion in most cases. It can take days for the Elasticsearch status to change from Pending to Normal. It helps to just reset it every so often. It's very seldom that I've had to go further back than a week and look for data.

I can add another virtual search node if you think that would help. I don't have another physical server to throw at it.

I love this product and what you've done with it.