Estefania,
You could install an OSSEC agent on your endpoints to have it forward logs to your OSSEC manager on your Security Onion machine.
https://github.com/Security-Onion-Solutions/security-onion/wiki/OSSEC
Some of the functionality (file access, removable devices) you are looking for is configurable within OSSEC. You can have a look here for more information:
You could also configure Windows Event Forwarding to forward logs to a subscription server and have OSSEC monitor and alert on those logs.
As far as monitoring files in email, you could look at the following if you want to perform automated analysis:
https://tribalchicken.com.au/technical/automated-mail-server-cuckoo-analysis-v2-0/
Otherwise, you should be able to pivot to a PCAP (CapMe, Wireshark, NetworkMiner) and see/extract the files for the particular email.
Bro also logs files it extracts from traffic to /nsm/bro/extracted.
Hope that helps!
Thanks,
Wes
--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
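As an added illustration of the OSSEC side of the advice above (this is example configuration written for this page, not Wes's text or the Security Onion project's own files): the first fragment is a shared agent.conf that the manager pushes to Windows agents, enabling real-time syscheck on a user-data directory and collecting the Security channel; the second is a local rule on the manager that raises an alert when Windows logs a new external device (Security event 6416, emitted by Windows 10 / Server 2016 and later). The directory path, the rule id 100100, the alert level and the agent profile name are assumptions chosen for the example.

```xml
<!-- File 1 (on the manager): /var/ossec/etc/shared/agent.conf
     Assumed profile name "windows-endpoints"; adjust to your agent profiles. -->
<agent_config os="Windows">
  <syscheck>
    <!-- Scan every 12 hours in addition to real-time change notification -->
    <frequency>43200</frequency>
    <!-- Example directory; replace with the shares/folders you care about -->
    <directories check_all="yes" realtime="yes">C:\SensitiveData</directories>
    <!-- Noise reduction: ignore the recycle bin under that tree -->
    <ignore>C:\SensitiveData\$RECYCLE.BIN</ignore>
  </syscheck>

  <!-- Pull the Security channel so device-recognition audits (6416) reach the manager -->
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>

<!-- File 2 (on the manager): /var/ossec/rules/local_rules.xml
     Local rule ids must fall in the 100000-119999 range reserved for custom rules. -->
<group name="local,windows,">
  <!-- Child of 18100 (the built-in "group of windows rules"); fires on event id 6416,
       "A new external device was recognized by the system". Level 7 is an assumed
       severity; tune it (or add <frequency>/<timeframe>) to match your environment. -->
  <rule id="100100" level="7">
    <if_sid>18100</if_sid>
    <id>^6416$</id>
    <description>Windows: new external (removable) device recognized</description>
    <group>removable_media,</group>
  </rule>
</group>
```

After editing, run `/var/ossec/bin/ossec-logtest` on the manager to confirm a sample 6416 line matches rule 100100, then restart the manager so agents pick up the new shared configuration. Syscheck `realtime` on Windows needs OSSEC 2.7 or newer on the agent; on older agents the directory is still scanned, just only on the `frequency` interval.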