To create a new case in Security Onion using the logs from the win-webserver01_logs.zip file, follow these detailed steps:
Step 1: Access Security Onion
URL: https:// /
Step 2: Prepare the Log File
Log file: win-webserver01_logs.zip
Extract it into the investigations folder:
unzip ~/Desktop/Investigations/win-webserver01_logs.zip -d ~/Desktop/Investigations/win-webserver01_logs
Ensure that the extracted files, including System-logs.evtx, are accessible.
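Before the extracted file is attached to the case in Step 5, a check worth running: confirm that each extracted file really carries the EVTX file signature and record its SHA-256 so the case notes in Step 7 hold a verifiable hash. This is an added example, not part of the original walkthrough; the sample files are constructed inline, and the Investigations path in the comment is the one the walkthrough uses.

```shell
#!/bin/sh
# Added example: validate extracted EVTX evidence and record its hash
# before uploading it to a Security Onion case. Not part of the walkthrough.

# Return 0 if the file begins with the EVTX file-header signature "ElfFile".
is_evtx() {
    [ -f "$1" ] || return 1
    sig=$(head -c 7 "$1")
    [ "$sig" = "ElfFile" ]
}

# Print "<sha256>  <path>" for the case notes; uses sha256sum or shasum.
evidence_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Check every .evtx file in a directory and emit one hash line per valid file.
# Returns 1 if any file fails the signature check or no .evtx files exist.
verify_evidence_dir() {
    rc=0
    for f in "$1"/*.evtx; do
        [ -e "$f" ] || { echo "no .evtx files in $1" >&2; return 1; }
        if is_evtx "$f"; then
            evidence_hash "$f"
        else
            echo "REJECT: $f does not carry the EVTX signature" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files so the script runs without the real logs:
# one with a valid signature, one text file renamed to look like a log.
SAMPLE_DIR=$(mktemp -d)
printf 'ElfFile\000' > "$SAMPLE_DIR/System-logs.evtx"
printf 'not a log\n' > "$SAMPLE_DIR/bogus.evtx"

verify_evidence_dir "$SAMPLE_DIR" || echo "some files failed verification" >&2

# For the real case directory from Step 2, run instead:
# verify_evidence_dir "$HOME/Desktop/Investigations/win-webserver01_logs"
```

The hash line printed for System-logs.evtx is what goes into the case summary alongside the title and TLP.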
Step 3: Open the Hunt Interface in Security Onion
On the Security Onion dashboard, go to "Hunt" (or "Cases", depending on the version).
Click on "Cases" to manage incident cases.
Step 4: Create a New Case
Case Details:
Title: Windows Webserver Logs - CCOA New Case
TLP (Traffic Light Protocol): Green
Example Configuration:
Title: Windows Webserver Logs - CCOA New Case
TLP: Green
Summary: (Leave blank if not required)
Step 5: Upload the Log Files
After creating the case, go to the "Files" section of the new case.
Click on "Upload" and select the unzipped log file:
~/Desktop/Investigations/win-webserver01_logs/System-logs.evtx
Once uploaded, the file will be associated with the case.
Step 6: Verify the Case Creation
Go back to the Cases dashboard.
Locate and verify that the case "Windows Webserver Logs - CCOA New Case" exists with TLP: Green.
Check that the log file has been successfully uploaded.
Step 7: Document and Report
Document the case details:
Case Title: Windows Webserver Logs - CCOA New Case
TLP: Green
Log File: System-logs.evtx
Include any initial observations from the log analysis.
Example Answer:
A new case titled "Windows Webserver Logs - CCOA New Case" with TLP set to Green has been successfully created in Security Onion. The log file System-logs.evtx has been uploaded and linked to the case.
Step 8: Next Steps for Investigation
Analyze the log file: Start hunting for suspicious activities.
Create analysis tasks: Assign team members to investigate specific log entries.
Correlate with other data: Cross-reference with threat intelligence sources.