This script will set up the necessary components to ingest Sublime Security alerts into Security Onion via webhooks: an Elasticsearch ingest pipeline and an HTTP endpoint published by Logstash on TCP port 8228. The required firewall rules are also configured, although you may need to use so-firewall to create additional exceptions (for example, to allow the Sublime server to reach port 8228 on the Security Onion node).

In addition to the data pipeline, a SOC action is pre-configured with the provided Sublime server IP address, allowing analysts to pivot from a Sublime Security alert to the referenced email for analysis within the Sublime platform. The address used for pivoting can be changed after installation if necessary.

Last, a Sublime analyzer is configured, allowing analysts to paste the base64-encoded content of an EML as the value of an observable. Provided the observable type eml is chosen, the Sublime analyzer will submit the message to a local or remotely configured Sublime server.

When configuring the webhook in Sublime (https://docs.sublimesecurity.com/docs/installation), use the following address, where $securityonion is the IP address or hostname of the Security Onion node running Logstash:

http://$securityonion:8228

By default, traffic from the webhook to the Security Onion instance is not encrypted: alert contents cross the network in clear text and can be read or tampered with by anyone on the network path. Enabling TLS requires additional configuration of the Logstash HTTP input in /opt/so/saltstack/local/salt/logstash/pipelines/config/so/0001_input_sublime.conf. Certificate configuration is outside the scope of this integration, as it is intended as a demonstration, but the webhook address in Sublime can easily be changed to https:// once TLS is configured.

To install, run the following on the Security Onion manager (the Salt master):

git clone https://github.com/weslambert/securityonion-sublime && cd securityonion-sublime && sudo ./install_so-sublime
If running a distributed deployment, run the command below on the manager after the script completes, or wait up to 15 minutes for Salt to replicate the changes to downstream nodes.
sudo salt "*" state.highstate
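Once the install has completed, it is worth confirming that the Logstash endpoint accepts a JSON POST before pointing Sublime at it. The following is an added example, not code from the securityonion-sublime project: it posts a constructed alert to the webhook address and returns the HTTP status. SAMPLE_ALERT is made up for illustration and its field names are an assumption, not Sublime's actual webhook schema. Run without arguments, the same send routine is exercised against a local stand-in listener, which also shows exactly what a passive observer on the network path can read while the transport is plain http://.

```python
"""Post a constructed alert to the Security Onion webhook endpoint and check it is accepted.

Added example, not code from the securityonion-sublime project. SAMPLE_ALERT is a
constructed stand-in; the field names are illustrative, not Sublime's webhook schema.
"""
import json
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# Constructed sample alert (field names are assumptions, not Sublime's schema).
SAMPLE_ALERT = {
    "type": "message.flagged",
    "data": {
        "message": {
            "id": "00000000-0000-0000-0000-000000000001",
            "subject": "TEST - securityonion-sublime webhook check",
            "sender": "billing@example.net",
        },
        "flagged_rules": [{"name": "Credential phishing: suspicious link"}],
    },
}


def send_alert(url, alert, timeout=5):
    """POST alert as JSON to url (e.g. http://$securityonion:8228) and return the HTTP status.

    The Logstash http input only needs a JSON body with a matching Content-Type; a
    non-2xx answer raises urllib.error.HTTPError, a closed port raises URLError.
    """
    body = json.dumps(alert).encode("utf-8")
    req = Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    with urlopen(req, timeout=timeout) as resp:
        return resp.status


class _CaptureHandler(BaseHTTPRequestHandler):
    """Local stand-in for the Logstash http input: record the request, answer 200."""

    received = []

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        raw = self.rfile.read(length)
        # What is recorded here is exactly what a passive observer sees over plain HTTP.
        self.received.append({
            "content_type": self.headers.get("Content-Type"),
            "body": json.loads(raw),
        })
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):
        pass  # keep the example's output to the summary printed below


def local_roundtrip(alert=SAMPLE_ALERT):
    """Start a stand-in listener on a free loopback port, post alert to it, return (status, received)."""
    _CaptureHandler.received = []
    server = HTTPServer(("127.0.0.1", 0), _CaptureHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        status = send_alert(f"http://127.0.0.1:{port}", alert)
    finally:
        server.shutdown()
        server.server_close()
    return status, _CaptureHandler.received


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # python3 webhook_check.py http://$securityonion:8228
        print("status:", send_alert(sys.argv[1], SAMPLE_ALERT))
    else:
        status, got = local_roundtrip()
        print("status:", status)
        print(json.dumps(got, indent=2))
```

A post to the real endpoint goes through the ingest pipeline like any other alert and will show up in Security Onion, so keep an obviously labelled subject such as the TEST one above. A URLError from the live endpoint usually means the host firewall has not been opened for the sending host, which is the so-firewall exception case mentioned earlier.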
To configure the analyzer, the following details should be provided in the sensoroni section of the minion pillar:
sensoroni:
  analyzers:
    sublime:
      api_key: $api_key
      base_url: $if-this-is-a-local-instance  # Only set this when using a local Sublime instance; leave it unset otherwise.
After the configuration details are provided, sensoroni can be restarted with the following commands:
sudo docker stop so-sensoroni
sudo docker rm so-sensoroni
sudo salt-call state.apply sensoroni queue=True
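With the analyzer running, the value an analyst pastes for an observable of type eml is the base64 encoding of the raw message. The following added example (not code from the securityonion-sublime project) produces that value from an .eml file and checks, before anything is submitted, that it is strict base64 and decodes back to an RFC 5322 message with the headers you would expect Sublime to evaluate. SAMPLE_EML is a constructed message used in place of a file saved from a mail server.

```python
"""Prepare and sanity-check the base64 EML observable for the Sublime analyzer.

Added example, not code from the securityonion-sublime project. SAMPLE_EML is a
constructed message standing in for an .eml saved from the mail server.
"""
import base64
import binascii
import sys
from email import message_from_bytes
from email.policy import default

# Constructed sample message (CRLF line endings, as a real .eml would have).
SAMPLE_EML = b"\r\n".join([
    b'From: "Accounts Payable" <billing@example.net>',
    b"To: finance@example.com",
    b"Subject: Invoice overdue - action required",
    b"Date: Mon, 04 Mar 2024 09:15:00 +0000",
    b"Message-ID: <20240304091500.1234@example.net>",
    b"MIME-Version: 1.0",
    b'Content-Type: text/plain; charset="utf-8"',
    b"",
    b"Please review the invoice at https://example.net/invoice",
    b"",
])


def eml_to_observable(raw_eml: bytes) -> str:
    """Return the single-line base64 string to paste as the observable value."""
    return base64.b64encode(raw_eml).decode("ascii")


def observable_to_eml(value: str) -> bytes:
    """Decode an observable value, rejecting anything that is not strict base64.

    validate=True refuses stray characters (for example the '...' left behind by a
    truncated copy/paste) instead of silently dropping them.
    """
    return base64.b64decode(value.strip(), validate=True)


def check_observable(value: str) -> dict:
    """Decode value and report the headers the analyst expects Sublime to see.

    Returns {"ok": False, "error": ...} when the value is not base64 or the decoded
    bytes do not parse as an RFC 5322 message carrying From and Subject headers.
    """
    try:
        raw = observable_to_eml(value)
    except (binascii.Error, ValueError) as exc:
        return {"ok": False, "error": f"not valid base64: {exc}"}
    msg = message_from_bytes(raw, policy=default)
    if msg["Subject"] is None or msg["From"] is None:
        return {"ok": False, "error": "decoded bytes do not look like an RFC 5322 message"}
    addrs = msg["From"].addresses
    return {
        "ok": True,
        "size": len(raw),
        "subject": str(msg["Subject"]),
        "from": addrs[0].addr_spec if addrs else str(msg["From"]),
        "message_id": str(msg["Message-ID"]) if msg["Message-ID"] is not None else None,
    }


if __name__ == "__main__":
    # python3 eml_observable.py message.eml  -> prints the value to paste into SOC
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EML
    value = eml_to_observable(raw)
    print(value)
    print(check_observable(value))
```

Encode the original bytes, not a re-saved or "cleaned" copy: Sublime's verdict depends on the message exactly as received, and a client that rewrites headers or line endings on export will change what the analyzer sends. The check deliberately fails closed on anything that is not strict base64, so a truncated paste is caught locally rather than as an opaque error from the analyzer.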