This repository has been archived by the owner on Jan 14, 2025. It is now read-only.


manual_readme_content.md

File metadata and controls

72 lines (57 loc) · 4.11 KB

Security Onion is a popular Linux distribution pre-loaded with numerous Network Security Monitoring tools such as Snort, Bro, and Suricata. Security Onion uses ELSA (Enterprise Log Search and Archive) to store all the IDS alerts from Snort, Bro and Suricata. This app collects the events and event details from ELSA into Phantom containers and artifacts.

First, create an ELSA asset in Phantom and supply the Device URL, the User name and the ApiKey. The User name and ApiKey are found in the /etc/elsa_web.conf file on the Security Onion machine; you will need root privileges to read this file. See the screenshot below for an example of the /etc/elsa_web.conf file you are looking for.

You will also need to set the "event type" you want to pull in from ELSA. Currently, three basic queries are supported, as shown below.

The other values can be left in the default state for now.

Select a label for the containers that this asset will create. Either pick from the existing list, or select New Entry and type a new label. In this screenshot we are using Event:

Once the asset is saved, run Test Connectivity and make sure it passes. The Test Connectivity action attempts to validate the User name and the ApiKey that the user has provided by connecting to the configured Device URL. The connection is tested by running a basic query and checking that the HTTP response is valid.

Containers created

The app will create a single container for each event that it ingests with a single artifact called Event Artifact.

Event Artifact

The event details returned by the API call to ELSA are collected, and the data relevant to that event type is stored in CEF fields and added to the artifact. The app ships with default CEF field mappings for the Snort, BRO_CONN and BRO_HTTP event types. The fields present in the artifact depend heavily on the type of the event, so different events will carry different sets of values in their artifacts.

Run Query

Finally, there is a "run query" action that enables the user to run a query in ELSA, either as a manual action or as a chained action in a playbook, in order to gather more data. This action lets the user supply the exact query string to run. This can be as simple as an IP address, or it can use the ELSA query language to get back more specific information. For more information, click here for some tips on what to use for query strings in ELSA. The action also takes a JSON formatted "cef_map" parameter that lets the user map the fields they expect in the results to the proper CEF field names, so the output can be used to chain further actions in a playbook. The following is an example "cef_map" parameter:

```json
{
  "program": "deviceEventCategory",
  "dstport": "destinationPort",
  "dstip": "destinationAddress",
  "srcip": "sourceAddress",
  "srcport": "sourcePort",
  "site": "destinationDnsName",
  "uri": "requestURL",
  "bytesout": "bytesOut"
}
```

The other parameters are fairly self-explanatory.
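To illustrate what the "cef_map" parameter does to a query result, here is an added example (not the app's own code) that validates a JSON cef_map and applies it to one ELSA result row to produce an Event Artifact. It assumes ELSA rows arrive as flat dicts of field name to value; the sample row is constructed, and unmapped fields are kept under their ELSA name, which is this example's choice rather than documented app behaviour.

```python
import json

# The example "cef_map" from this README, as the JSON string the action parameter carries.
CEF_MAP_JSON = (
    '{"program": "deviceEventCategory", "dstport": "destinationPort", '
    '"dstip": "destinationAddress", "srcip": "sourceAddress", "srcport": "sourcePort", '
    '"site": "destinationDnsName", "uri": "requestURL", "bytesout": "bytesOut"}'
)

# Constructed sample ELSA result row (not real data); a BRO_HTTP-style event.
SAMPLE_ROW = {
    "program": "bro_http", "srcip": "10.0.0.5", "srcport": 51234,
    "dstip": "192.0.2.10", "dstport": 80, "site": "example.com",
    "uri": "/index.html", "bytesout": 512, "timestamp": 1700000000,
}


def parse_cef_map(raw):
    """Parse the JSON "cef_map" parameter and check it is a flat object of string -> string."""
    try:
        cef_map = json.loads(raw)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        raise ValueError("cef_map is not valid JSON: %s" % exc)
    if not isinstance(cef_map, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in cef_map.items()
    ):
        raise ValueError("cef_map must be a JSON object mapping ELSA field names to CEF field names")
    return cef_map


def build_event_artifact(elsa_row, cef_map):
    """Turn one ELSA result row into the CEF dict of an Event Artifact.

    Mapped fields are renamed to their CEF name; fields absent from cef_map keep
    their ELSA name (assumption of this example). A collision, where two source
    fields would land on the same CEF field, is rejected rather than silently overwritten.
    """
    cef = {}
    for field, value in elsa_row.items():
        target = cef_map.get(field, field)
        if target in cef:
            raise ValueError("two result fields map to CEF field %r" % target)
        cef[target] = value
    return {"name": "Event Artifact", "cef": cef}


if __name__ == "__main__":
    artifact = build_event_artifact(SAMPLE_ROW, parse_cef_map(CEF_MAP_JSON))
    print(json.dumps(artifact, indent=2))
```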