You should be able to accomplish a lot of the asset management using OSQuery/Fleet. You will need to install the OSquery agent on assets to be managed and add them to the fleet already configured in Security Onion. From there, you will be able to build dashboards showing any of the information made available to the OSquery platform.
Hello everyone,
As we are in the process of migrating from OSSIM to Security Onion, there are a couple of things that are missing in SO but that OSSIM has, for example vulnerability scanning and asset management.
I understand why vulnerability scanning is not included (I believe I read an answer from someone from SO a few months ago, and that is okay), but I was wondering if there are any plans for adding asset management to SO? Something similar to the Grid, but only for agents.
To be more specific, I find it a bit hard to track which device is sending logs to SO. For example, to see all hosts with Wazuh agents, I would open event.category:host and then I could see all hosts. But in OSSIM you can add assets yourself with additional information like IPs, OS, Device Type, Asset Value, etc. Then there is a status field that checks if a device with that name has HIDS installed and active.
While I see a benefit in this, I am no developer, so I can't be sure if this requires extensive work, nor if it fits into the big picture of Security Onion. I am saying this only so it is not wrongly interpreted: this is not a request, only a question. If you believe there is another way to do this in SO, I am open to suggestions (I am guessing some type of custom dashboard could provide this).
Thanks,
Cheers
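An added example, not part of the original thread and not Security Onion's own configuration: one osquery query that returns a single inventory row per host with the kind of fields the question lists (IPs, OS, device type) plus a HIDS status column, which could be scheduled through Fleet as the reply suggests. The agent process names matched here (`wazuh-agent%`, `ossec-agent%`) are assumptions and should be checked against the agent version actually deployed.

```sql
-- Added example: per-host asset inventory row for osquery.
-- system_info and os_version each return exactly one row per host,
-- so the CROSS JOIN yields a single result row.
SELECT
  si.hostname,
  si.uuid            AS host_uuid,
  si.hardware_vendor,
  si.hardware_model,                  -- rough stand-in for "device type"
  ov.name            AS os_name,
  ov.version         AS os_version,
  ov.platform,
  -- All non-loopback, non-link-local addresses collapsed into one column.
  (SELECT group_concat(address, ', ')
     FROM interface_addresses
    WHERE address NOT LIKE '127.%'
      AND address != '::1'
      AND address NOT LIKE 'fe80%')   AS ip_addresses,
  -- HIDS status: is an agent process currently running on this host?
  -- Process name patterns are assumptions (Wazuh 4.x and older OSSEC-style names).
  CASE
    WHEN EXISTS (SELECT 1
                   FROM processes
                  WHERE name LIKE 'wazuh-agent%'
                     OR name LIKE 'ossec-agent%')
    THEN 'running'
    ELSE 'not running'
  END                AS hids_agent
FROM system_info si
CROSS JOIN os_version ov;
```

Hosts that have the osquery agent but report `not running` are the ones missing an active HIDS agent. Hosts that appear under event.category:host but never return a row from this query are sending logs without being enrolled in Fleet.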