Security Onion + Automation + Response Lab including n8n and Velociraptor
This repo was created to work in conjunction with the blog article here:
This is NOT an officially supported Security Onion integration, so usage is at your own risk.
It is assumed that Security Onion is already running and configured as a standalone, manager, or managersearch node.
To install Security Onion, consult the documentation here:
https://docs.securityonion.net/en/latest/installation.html
After Security Onion is installed, proceed to the lab installation steps.
git clone https://github.com/weslambert/SOARLab
cd SOARLab
sudo ./install_lab
Once setup is complete:
- Velociraptor GUI can be accessed via https://$securityonion/velociraptor
- n8n can be accessed via https://$securityonion/n8n
To add a firewall exception for a particular IP or range of IPs (for Velociraptor clients), you can use the so-firewall script, like so:
sudo so-firewall includehost velociraptor <IP/CIDR>
sudo salt-call state.apply firewall queue=True
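As an added example (not part of the SOARLab repo), a small POSIX sh wrapper that validates the IP/CIDR argument before passing it to so-firewall and then applies the firewall state; it assumes so-firewall and salt-call are on PATH as on a Security Onion node, and the DRY_RUN switch is a hypothetical convenience for previewing the commands.

```shell
#!/bin/sh
# Added helper, not from the SOARLab repo. Checks the argument is a valid
# IPv4 address or IPv4/CIDR before handing it to so-firewall, so a typo
# cannot end up in the firewall state. Assumes so-firewall and salt-call
# exist on PATH (Security Onion node).

# Return 0 if $1 is a dotted-quad IPv4 address or IPv4/CIDR, else 1.
validate_cidr() {
    addr=${1%/*}
    case "$1" in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    # prefix must be all digits and 0..32
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    # exactly four dotted octets, each all digits and 0..255
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Add a Velociraptor client exception and apply the firewall state.
# DRY_RUN=1 (hypothetical option) only prints the commands that would run.
add_velociraptor_client_exception() {
    validate_cidr "$1" || { echo "invalid IP/CIDR: $1" >&2; return 2; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "sudo so-firewall includehost velociraptor $1"
        echo "sudo salt-call state.apply firewall queue=True"
        return 0
    fi
    sudo so-firewall includehost velociraptor "$1" || return 1
    sudo salt-call state.apply firewall queue=True
}
```

Run as `sh add_client.sh` after sourcing, e.g. `add_velociraptor_client_exception 10.0.0.0/24`; the validation step rejects inputs such as `300.1.1.1` or `10.0.0.5/33` before anything touches the firewall.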
Original Velociraptor client binaries and repacked client binaries can be found in /opt/so/conf/velociraptor/clients.
The client configuration file can be found in /opt/so/conf/velociraptor.