Sysmon & Security Onion, Part 4: Integrating Security Onion and Sysmon

This is part four of a series of posts that contain key excerpts of my paper, Using Sysmon to Enrich Security Onion’s Host-Level Capabilities.

Security Onion is a NSM platform built on existing tools, maintained primarily by Doug Burks and Scott Runnels. It is based on Ubuntu, and integrates a number of tools for both network and host-level detection and analysis, including: (Burks, 2012)

  • Snort – Open source network IDS from Sourcefire.
  • Suricata – Open source network IDS from the Open Information Security      
  • OSSEC – Open source host IDS.
  • ELSA – Open source centralized log management application.
  • Sguil – Open source analyst console for NSM practitioners.
  • Bro – Open source network analysis framework.
  • Squert – Open source web application used to query and view event data in Sguil.
  • Snorby – Open source web application console for NSM practitioners.

            Security Onion is built such that as these tools integrate and work together, the full range of NSM data and certain types of host data can be collected, viewed, analyzed and escalated efficiently. The host-level data is provided primarily through the use of OSSEC and ELSA. This paper will focus on enriching this capability through the integration of Sysinternal’s Sysmon, so as to augment the detection and response blinded by encrypted traffic as well as gain access to additional host-level indicators.


The type of host data that Sysmon covers is three-fourths of the data types from the Pyramid of Pain – Hash values (of all executables that are running), IP Addresses, Domain Names, and some Network/Host Artifacts. Finding another free, lightweight, and feature-rich tool that has the backing of a team like Sysinternals, is an almost impossible task. These reasons are what make Sysmon a good choice for enriching the host-level capabilities of Security Onion.

     How will Sysmon data be integrated into Security Onion? For historical queries and manual hunting, Sysmon data will be accessible in ELSA. For generating alerts based on real-time incoming Sysmon events, OSSEC will be utilized.


Burks, D. (2012, December 13). A list of tools included in Security Onion… Retrieved from Security Onion on Google Code:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

search previous next tag category expand menu location phone mail time cart zoom edit close