securityonion-sublime

Triage Sublime email alerts inside of Security Onion

NOTE: This integration is intended for use with Security Onion 2.3 and will soon be updated for Security Onion 2.4.

Pivot to Sublime for further investigation

Perform in-depth review of email that generated alert

Submit an email to Sublime for analysis from an observable in SOC Cases using the Sublime SOC analyzer

NOTE: This script is NOT an officially supported Security Onion integration, and is not intended for production use. It is an example of how you can set up similar configuration in your environment.

By default, traffic from the webhook to the Security Onion instance is not encrypted. This requires additional configuration within /opt/so/saltstack/local/salt/logstash/pipelines/config/so/0001_input_sublime.conf.

This script will set up the necessary components to ingest Sublime Security alerts into Security Onion via webhooks, an Elasticsearch ingest pipeline, and an HTTP endpoint published by Logstash on TCP port 8228. Firewall configuration is also configured as necessary, although, you may need to use so-firewall to create additional exceptions.

In addition to the data pipeline, a SOC action is also pre-configured with the provided Sublime server IP address, to allow pivoting from a Sublime Security alert to the referenced email for analysis within the Sublime platform. The address used for pivoting can be changed as desired after installation, if necessary.

Last, an Sublime analyzer is configured, allowing analysts to paste the base64 content of an EML as the value of an observable, and provided the type of eml is chosen, the Sublime analyzer will submit a request to a local or remotely configured Sublime server.

NOTE: This script should be run on a manager or standalone Security Onion node.

Requirements

Security Onion up and running (https://docs.securityonion.net/en/2.3/getting-started.html)
Externally managed Sublime server with a webhook action configured to point to http://$securityonion:8228 (https://docs.sublimesecurity.com/docs/installation). Configuration of certificates is outside of the scope of this integration as it is simply demonstrational, but the webhook address can easily be adjusted if TLS is configured.

Install

git clone https://github.com/weslambert/securityonion-sublime && cd securityonion-sublime && sudo ./install_so-sublime

Post-Install

If running a distributed deployment, run the command below after script completion, or wait 15 minutes for Salt to replicate changes to downstream nodes.

sudo salt "*" state.highstate

Configure the analyzer

To configure the analyzer, the following details should be provided in the sensoroni section of the minion pillar:

sensoroni:
  analyzers:
    sublime:
      api_key: $api_key
      base_url: $if-this-is-a-local-instance # If you are not using a local Sublime instance, this should not be configured.

After the configuration details are provided, sensoroni can be restarted with the following commands:

sudo docker stop so-sensoroni
sudo docker rm so-sensoroni
sudo salt-call state.apply sensoroni queue=True

weslambert / securityonion-sublime

readme