Security Onion App (Public Preview)

The Security Onion app ingests data from open source threat intelligence lists and infrastructure-as-a-service providers, using Observe pollers.

Observe helps you monitor the public networks that your systems contact by using resource sets that include information about known bad addresses, known infrastructure addresses, and more.

Viewing Security Onion Data in Observe

Resource Sets

Installing the Security Onion app provides the following datasets to use with your data:

Resource Datasets

  • Suricata Alerts - Network events that match intrusion detection rules

  • Wazuh Alerts - Alerts of discovered compliance concerns

  • Wazuh Data - Raw event data

  • Zeek Broker Logs - Internal logging

  • Zeek Capture Loss Logs - Internal logging

  • Zeek Connections - Observed connections on monitored networks

  • Zeek DHCP Logs - Observed DHCP traffic on monitored networks

  • Zeek DNS Logs - Observed DNS traffic on monitored networks

  • Zeek Ethercat Logs - Observed Ethernet traffic metadata from monitored networks

  • Zeek Event Logs - Raw event data

  • Zeek Notice Logs - Internal logging alerts

  • Zeek Statistics - Internal metrics

Host Monitoring

You can also monitor the event logs and performance metrics of your Security Onion nodes, using the Linux option in the Host Monitoring configuration script to easily configure log forwarding. The Host Monitoring App displays the operational logs and metrics.

Exporting Security Onion Data

As a security analyst, you may want to automatically export lists of threat Indicators of Compromise (IoCs) for further processing or alerting. Observe supports this through an API. For instance, you might want to export a list of the threat-listed IP addresses in contact with your monitored hosts. If you installed the Threat Intel Basic and Host Monitoring apps and activated the Host Monitoring integration in the Threat Intel Basic app, Observe creates a dataset with that information.

Example cURL command for exporting an IP address list from Observe. Replace $YOUR_CUSTOMERID and $YOUR_TOKEN with your customer ID and API token. Because the request body is single-quoted, the shell does not expand $YOUR_DATASET_ID; substitute the dataset ID literally. Every continued line, including the Accept header, ends with a backslash so that the -d body is passed to the same curl invocation:

curl "https://$YOUR_CUSTOMERID.observeinc.com/v1/meta/export/query?interval=4h" \
-H "Authorization: Bearer $YOUR_CUSTOMERID $YOUR_TOKEN" \
-H 'Content-Type: application/json' \
-H 'Accept: text/csv' \
-d '
{
  "query": {
    "stages": [
      {
        "input": [
          {
            "inputName": "Host-OSQuery-Host-Contact-with-Threatening-IPs",
            "datasetId": "$YOUR_DATASET_ID"
          }
        ],
        "stageID": "main",
        "pipeline": "statsby count:count()"
      }
    ]
  }
}'

Note

Observe does not currently support authenticated links.
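The export call above, scripted end to end as an added example (this is not Observe's or Security Onion's own code). The endpoint, headers, and request body are taken from the cURL command; the OBSERVE_CUSTOMER, OBSERVE_TOKEN and OBSERVE_DATASET_ID environment variable names, the remote_ip and count column names, and the sample CSV response are assumptions made for this example. The network call is isolated in one function, so the request builder and the CSV-to-IoC parser can be exercised offline on the constructed sample, which includes a malformed address and a duplicate address to show how the parser handles them.

```python
"""Export threat-listed IPs from Observe and turn the CSV into an IoC list.

Added example, not Observe's or Security Onion's own code. Endpoint, headers and
request body follow the cURL command on this page; the env var names and the
'remote_ip' / 'count' column names are assumptions.
"""
import csv
import io
import ipaddress
import json
import os
import urllib.request

EXPORT_PATH = "/v1/meta/export/query"


def build_export_request(dataset_id, input_name, pipeline="statsby count:count()"):
    """Build the request body from the cURL example: one stage that reads the
    named dataset and applies an OPAL pipeline (default is the page's own)."""
    return {
        "query": {
            "stages": [
                {
                    "input": [{"inputName": input_name, "datasetId": dataset_id}],
                    "stageID": "main",
                    "pipeline": pipeline,
                }
            ]
        }
    }


def export_csv(customer_id, token, body, interval="4h"):
    """POST the body to the export endpoint and return the CSV response text.
    This is the only function that touches the network."""
    url = f"https://{customer_id}.observeinc.com{EXPORT_PATH}?interval={interval}"
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={
            # Bearer format from the cURL example: "<customer id> <token>"
            "Authorization": f"Bearer {customer_id} {token}",
            "Content-Type": "application/json",
            "Accept": "text/csv",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read().decode("utf-8")


def summarize_iocs(csv_text, ip_column="remote_ip", count_column="count"):
    """Parse exported CSV into [(ip, count), ...] sorted by count descending.

    Rows whose address does not parse are dropped instead of being handed to an
    alerting pipeline, and repeated addresses are merged. Column names are an
    assumption about the exported dataset's schema.
    """
    totals = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get(ip_column) or "").strip()
        try:
            ip = str(ipaddress.ip_address(raw))
        except ValueError:
            continue  # skip malformed or empty address fields
        try:
            n = int(row.get(count_column) or 1)
        except ValueError:
            n = 1
        totals[ip] = totals.get(ip, 0) + n
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample response (RFC 5737 documentation addresses) for offline use.
SAMPLE_CSV = """remote_ip,count
203.0.113.10,7
198.51.100.5,2
not-an-ip,1
203.0.113.10,3
"""


if __name__ == "__main__":
    customer = os.environ.get("OBSERVE_CUSTOMER")
    token = os.environ.get("OBSERVE_TOKEN")
    dataset = os.environ.get("OBSERVE_DATASET_ID")
    if customer and token and dataset:
        body = build_export_request(dataset, "Host-OSQuery-Host-Contact-with-Threatening-IPs")
        text = export_csv(customer, token, body)
    else:
        text = SAMPLE_CSV  # no credentials set: run the parser on the constructed sample
    for ip, count in summarize_iocs(text):
        print(f"{ip}\t{count}")
```

With the page's own pipeline, statsby count:count(), the export returns a single total rather than one row per address; set the pipeline argument to whatever query produces the per-address rows for your dataset, and adjust the column names in summarize_iocs to match that dataset's schema.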