Welcome first time users! You're going to be peeling back the layers of your network in just a few minutes!
First, download our ISO image as shown in the :ref:`download` section.
Then install the ISO image and configure for IMPORT as shown below (also see the :ref:`installation` and :ref:`configuration` sections). This can be done in a minimal virtual machine with as little as 4GB RAM, 2 CPU cores, and 200GB of storage. For more information about virtualization, please see the :ref:`vmware`, :ref:`virtualbox`, and :ref:`proxmox` sections.
Once you're comfortable with your IMPORT installation, then you can move on to more advanced installations as shown in the :ref:`architecture` section.
After booting the ISO image, the boot menu appears:
When prompted, enter your desired username and password:
Once installation is complete, you are prompted to reboot:
After rebooting, login using the username and password that you specified and then Setup will start automatically:
Perform a standard installation:
When prompted for installation type, select IMPORT:
If your Security Onion machine has full Internet access as described in the :ref:`firewall` section, select Standard. Otherwise, select :ref:`airgap`:
Review the license and agree:
Set the hostname:
If you use the default hostname of securityonion, you will see a warning:
Select your management interface:
Select static IP addressing (recommended) or DHCP:
Specify IP address and CIDR mask:
Set gateway address:
Enter DNS servers:
Configure DNS search domain:
If necessary, you can change the default Docker IP range:
If you are connected to the Internet, select whether it is direct or via proxy:
Create username for :ref:`soc`:
Set password for :ref:`soc`:
Confirm password for :ref:`soc`:
Select how to access :ref:`soc`:
Allow connections through the host-based firewall if necessary:
Specify an IP address or range to allow through the host-based firewall:
Confirm all options:
Setup complete:
Login to :ref:`soc`:
After logging in, you will see the :ref:`soc` Overview page:
Go to the :ref:`grid` page, click the button to expand the node, and then verify all services are running properly:
While on the :ref:`grid` page, you can import a PCAP or EVTX file using the upload button at the bottom of the screen:
Once the import is complete, the :ref:`grid` page should display a message at the top of the page and provide a link to :ref:`dashboards` to view all alerts and logs from the import:
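The upload button accepts PCAP and EVTX files, and a common reason an import produces no alerts or logs is that the file is not actually one of those formats or was cut short while being copied. The following script, an added example and not part of Security Onion or its documentation, checks a file's leading magic bytes against the libpcap, pcapng and Windows EVTX signatures, and for classic pcap walks the record headers to report the packet count and whether the capture ends mid-record. The sample files it builds are constructed in code, not real captures; the function names are this example's own.

```python
"""Sanity-check a file before uploading it on the Grid page.

Added example for the import walkthrough; not Security Onion code.
Magic values come from the libpcap, pcapng and EVTX file formats; the
sample byte strings below are constructed for demonstration.
"""
import struct

# Four-byte magic at offset 0 for each classic pcap variant.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",   # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",   # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",   # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",   # big-endian, nanosecond timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"   # pcapng Section Header Block type
EVTX_MAGIC = b"ElfFile\x00"          # EVTX file header signature


def identify_import_file(data: bytes) -> str:
    """Return 'pcap', 'pcapng', 'evtx' or 'unknown' from the file's first bytes."""
    if data.startswith(EVTX_MAGIC):
        return "evtx"
    if data[:4] == PCAPNG_MAGIC:
        return "pcapng"
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    return "unknown"


def pcap_summary(data: bytes) -> dict:
    """Walk a classic pcap file: count records and detect a truncated tail."""
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if len(data) < 24:
        raise ValueError("pcap global header is incomplete")
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype.
    _, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:24])
    offset, packets, truncated = 24, 0, False
    while offset < len(data):
        if offset + 16 > len(data):          # record header cut short
            truncated = True
            break
        # Record header: ts_sec, ts_frac, incl_len, orig_len.
        _ts, _frac, incl_len, _orig = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        if incl_len > snaplen:
            raise ValueError(
                f"record at offset {offset} claims {incl_len} bytes, above snaplen {snaplen}")
        offset += 16
        if offset + incl_len > len(data):    # packet data cut short
            truncated = True
            break
        offset += incl_len
        packets += 1
    return {"version": f"{major}.{minor}", "linktype": linktype,
            "packets": packets, "truncated": truncated}


def build_sample_pcap() -> bytes:
    """Constructed little-endian pcap with two 14-byte Ethernet-sized records."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frame = b"\x00" * 12 + b"\x08\x00"       # fake Ethernet header, EtherType IPv4
    record = struct.pack("<IIII", 1700000000, 0, len(frame), len(frame)) + frame
    return header + record + record


# Constructed sample inputs (header prefixes only for pcapng and EVTX).
SAMPLE_PCAP = build_sample_pcap()
SAMPLE_PCAPNG_HEAD = PCAPNG_MAGIC + b"\x1c\x00\x00\x00\x4d\x3c\x2b\x1a"
SAMPLE_EVTX_HEAD = EVTX_MAGIC + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in [("pcap", SAMPLE_PCAP), ("pcapng", SAMPLE_PCAPNG_HEAD),
                       ("evtx", SAMPLE_EVTX_HEAD), ("text", b"GET / HTTP/1.1")]:
        print(name, "->", identify_import_file(blob))
    print("intact:", pcap_summary(SAMPLE_PCAP))
    print("truncated:", pcap_summary(SAMPLE_PCAP[:-5]))
```

A truncated result means the last record was cut off; the import will still process the complete records, but the missing tail explains why the final packets of a session never appear in the resulting logs.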
If you want to see just the alerts, you can go to the :ref:`alerts` page although you may need to manually adjust the time range:
If you find something interesting on the :ref:`alerts` or :ref:`dashboards` pages, you may want to use the Correlate or Hunt actions to find related logs on the :ref:`hunt` page:
If you find interesting network traffic, you can pivot to full packet capture via the :ref:`pcap` action:
You can change the view to ASCII transcript for a more human readable view of the traffic:
If you find an interesting artifact, you can send it to :ref:`cyberchef`:
If you need to refer back to previous PCAP jobs, you can find them on the :ref:`pcap` page:
IMPORT installations do not support remote agents, but if you were running a production installation you could download the Elastic Agent installer from :ref:`downloads`:
The :ref:`administration` section allows you to manage user accounts:
It also allows you to manage grid members:
The :ref:`administration` section also allows you to configure various aspects of the system:
It also allows you to upload a license key for additional enterprise features:
All this in a minimal VM with only 4GB RAM!