-
There are many companies using AWS that are primarily Linux-based. Very grateful that Auditbeat now works pretty much out of the box with Security Onion today. Auditbeat is the closest thing to Sysmon for Linux users and far superior to auditd or "Sysmon for Linux" (though Sysmon for Linux does look interesting, it's very new). It would be amazing to have support for Auditbeat in Hunt and Dashboards. Syscalls people would be most interested in would be execve, setuid, init_module. Auditbeat also has support for network flows, so it would be cool to tie Suri/Zeek 5-tuples to Auditbeat flows and correlate user activity similar to how you can do with Sysmon. As always appreciate all the hard work you all put in :)
Replies: 1 comment
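As an added example of the Zeek-to-Auditbeat correlation the post above asks for (not code from this thread or from Security Onion), the Python below joins Zeek conn.log records to Auditbeat socket flows on a direction-agnostic 5-tuple, so each Zeek uid picks up the user and process that owned the socket on the host. The sample events are constructed, and the ECS field layout of the Auditbeat flows is assumed.

```python
import json

# Constructed sample data (not taken from the thread or from Security Onion).
# Auditbeat system/socket flow events in ECS form, as Security Onion would store them.
AUDITBEAT_FLOWS = [
    {"source": {"ip": "10.0.0.5", "port": 51234},
     "destination": {"ip": "93.184.216.34", "port": 443},
     "network": {"transport": "tcp", "direction": "egress"},
     "user": {"name": "alice"}, "process": {"name": "curl", "pid": 4242}},
    {"source": {"ip": "10.0.0.7", "port": 40000},
     "destination": {"ip": "10.0.0.5", "port": 22},
     "network": {"transport": "tcp", "direction": "ingress"},
     "user": {"name": "root"}, "process": {"name": "sshd", "pid": 911}},
]
# Zeek conn.log in JSON form. The second record is deliberately flipped, as Zeek
# does when it picks up a connection mid-stream and guesses the originator wrong.
ZEEK_CONN = [
    '{"uid":"CAbc1","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp"}',
    '{"uid":"CDef2","id.orig_h":"10.0.0.5","id.orig_p":22,"id.resp_h":"10.0.0.7","id.resp_p":40000,"proto":"tcp"}',
    '{"uid":"CGhi3","id.orig_h":"10.0.0.8","id.orig_p":5555,"id.resp_h":"10.0.0.5","id.resp_p":80,"proto":"udp"}',
]


def flow_key(proto, ip_a, port_a, ip_b, port_b):
    """Direction-agnostic 5-tuple: the endpoint pair is sorted so a flow matches
    whichever side the sensor or the host decided was the originator."""
    return (proto.lower(), tuple(sorted([(ip_a, port_a), (ip_b, port_b)])))


def index_auditbeat(flows):
    """Map each Auditbeat flow's 5-tuple to the host-side context worth attaching."""
    index = {}
    for f in flows:
        key = flow_key(f["network"]["transport"], f["source"]["ip"], f["source"]["port"],
                       f["destination"]["ip"], f["destination"]["port"])
        index.setdefault(key, []).append(
            {"user": f["user"]["name"], "process": f["process"]["name"], "pid": f["process"]["pid"]})
    return index


def correlate(zeek_lines, flows):
    """One record per Zeek uid with the matching Auditbeat user/process list, or None."""
    index = index_auditbeat(flows)
    out = []
    for line in zeek_lines:
        z = json.loads(line)
        key = flow_key(z["proto"], z["id.orig_h"], z["id.orig_p"], z["id.resp_h"], z["id.resp_p"])
        out.append({"uid": z["uid"], "host_context": index.get(key)})
    return out
```

In a real deployment the Auditbeat index would be built from a time-bounded query over the host's flow events, since ephemeral ports are reused and the 5-tuple alone is only unique within a window.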
-
You can add your own queries to Hunt and Dashboards as shown here:
https://docs.securityonion.net/en/2.3/soc-customization.html#custom-queries
If you would like to contribute queries to the project, please see:
https://github.com/Security-Onion-Solutions/securityonion/blob/master/CONTRIBUTING.md#contributing-code