Security Onion
What is Security Onion?
Security Onion: a free, open-source Linux distribution for threat hunting, network security monitoring, and log management, created by Doug Burks and maintained by Security Onion Solutions.
Security Onion is a free SOC platform built on Ubuntu and Elastic (with OpenSearch options) that integrates leading open-source security tools: Suricata or Zeek for network IDS, Wazuh for HIDS, Stenographer for full packet capture, Strelka and CyberChef for file inspection, Elastic Stack for storage and search, and a custom SOC web UI for case management and pivoting. Originally released by Doug Burks in 2008 and now developed by Security Onion Solutions LLC, the distribution is widely used for training (SANS SEC503), small and mid-sized SOCs, and incident response labs. Security Onion 2.x supports distributed deployments with manager, search, sensor, and storage nodes, and ships with thousands of pre-built detection rules.
● Examples
- 01: Investigating an alert from Suricata in Security Onion by pivoting to the Zeek connection log and PCAP for the same flow.
- 02: Using the built-in Wazuh module to detect file-integrity changes on a Linux web server.
● Frequently asked questions
What is Security Onion?
A free, open-source Linux distribution for threat hunting, network security monitoring, and log management, created by Doug Burks and maintained by Security Onion Solutions. It belongs to the Defense & Operations category of cybersecurity.
What does Security Onion mean?
A free, open-source Linux distribution for threat hunting, network security monitoring, and log management, created by Doug Burks and maintained by Security Onion Solutions.
How does Security Onion work?
Security Onion is a free SOC platform built on Ubuntu and Elastic (with OpenSearch options) that integrates leading open-source security tools: Suricata or Zeek for network IDS, Wazuh for HIDS, Stenographer for full packet capture, Strelka and CyberChef for file inspection, Elastic Stack for storage and search, and a custom SOC web UI for case management and pivoting. Originally released by Doug Burks in 2008 and now developed by Security Onion Solutions LLC, the distribution is widely used for training (SANS SEC503), small and mid-sized SOCs, and incident response labs. Security Onion 2.x supports distributed deployments with manager, search, sensor, and storage nodes, and ships with thousands of pre-built detection rules.
What are other names for Security Onion?
Common alternative names include: SO, Security Onion 2.
● Related terms
- Elastic Stack (ELK) (defense-ops, № 372): An open-source platform from Elastic N.V. combining Elasticsearch, Logstash, Kibana, and Beats for ingesting, indexing, searching, and visualizing security and operational logs at scale.
- Wazuh (defense-ops, № 1225): An open-source XDR and SIEM platform — a 2015 fork of OSSEC — that unifies endpoint, cloud, and container telemetry with built-in dashboards on the Wazuh Indexer and Dashboard.
- Suricata (defense-ops, № 1117): An open-source, high-performance network IDS, IPS, and security-monitoring engine maintained by the Open Information Security Foundation (OISF).
- SIEM (defense-ops, № 1039): A platform that aggregates, normalizes, and correlates security telemetry from across the enterprise to enable detection, investigation, compliance, and reporting.