SecurityOnion Cluster

Updated March 17, 2026

Problems Solved

SecurityOnion Cluster provides network security monitoring, intrusion detection, and threat analysis for Yandex Cloud infrastructure. The product addresses the following challenges:

  • Real-time network intrusion detection using Suricata (IDS/IPS) and Zeek network traffic analysis
  • Centralized collection, indexing, and searching of security events via Elasticsearch
  • Incident visualization and investigation through SOC (Security Onion Console) and Kibana
  • Suspicious file analysis using Strelka (static and dynamic analysis)
  • Agent fleet management through Elastic Fleet

Key Features

Distributed architecture. The cluster consists of 1 ManagerSearch node (central control plane + local Elasticsearch) and N SearchNode nodes (dedicated Elasticsearch data nodes). The number of search nodes is specified at deployment time (1 to 10).

SaltStack configuration management. All configuration is managed via Salt — changes on the manager are automatically propagated to all cluster nodes. Updates, certificate rotation, and scaling are performed through Salt states.

Built-in security tools. SecurityOnion integrates Suricata, Zeek, Elasticsearch, Kibana, Logstash, Redis, Strelka, ElastAlert, Elastic Fleet, Docker registry, and other components into a unified platform with centralized management.

Advantages

  • Production-ready cluster in 25-30 minutes: all components are configured automatically
  • Scalable storage: adding search nodes increases indexing and search capacity
  • Offline boot without internet: all dependencies are pre-installed in the image

Deployment instructions

Preparation

  1. Create a Yandex Virtual Private Cloud network and subnets in three availability zones: ru-central1-a, ru-central1-b, and ru-central1-d. You may also use existing ones. The manager is placed in zone a; search nodes are distributed across all three zones.

  2. Create a Yandex Lockbox secret with the admin password. The secret must contain an entry with the key admin_password:

yc lockbox secret create \
  --name so-admin-password \
  --payload "[{\"key\": \"admin_password\", \"text_value\": \"YOUR_ADMIN_PASSWORD\"}]"

Note: use strong passwords. Minimum length is 9 characters.

  3. Make sure you have an SSH key for VM access.
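The yc command above interpolates the password straight into a JSON string on the command line, so a password containing a double quote or backslash produces an invalid payload, and the value also lands in the shell history. The following is an added example (not part of the listing or of OpenNix's tooling) that validates the 9-character minimum, escapes the value for JSON, and reads the password from an assumed SO_ADMIN_PASSWORD environment variable instead of a literal argument; the yc flags are the ones shown in the step above.

```shell
#!/bin/sh
# Added example, not the product's own code. Assumes POSIX sh and sed, and
# that `yc lockbox secret create --name ... --payload ...` is used as above.

# Escape a value for use inside a JSON string literal (backslash, then quote).
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Check the password against the listing's minimum length (9 characters) and
# emit the payload JSON with the required admin_password key.
# Prints nothing and returns 1 when the password is too short.
build_admin_payload() {
  pw="$1"
  # ${#pw} counts characters in bash; some shells count bytes instead.
  if [ "${#pw}" -lt 9 ]; then
    echo "admin_password must be at least 9 characters" >&2
    return 1
  fi
  printf '[{"key": "admin_password", "text_value": "%s"}]' "$(json_escape "$pw")"
}

# Create the Lockbox secret. SO_ADMIN_PASSWORD (assumed name) is read from the
# environment so the password is not typed as a command-line argument.
create_admin_secret() {
  payload="$(build_admin_payload "${SO_ADMIN_PASSWORD:?set SO_ADMIN_PASSWORD first}")" || return 1
  yc lockbox secret create --name so-admin-password --payload "$payload"
}
```

Run it as `SO_ADMIN_PASSWORD='...' sh -c '. ./so-secret.sh && create_admin_secret'`; a leading space before the command keeps it out of history in shells configured with HISTCONTROL=ignorespace.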

Installation

  • In the management console, select the folder where you want to deploy the application.
  • Navigate to Cloud Apps.
  • In the left panel, select App Marketplace.
  • Select SecurityOnion Cluster and click Use.
  • Specify:
    • Resource naming prefix
    • VPC subnet in zone ru-central1-a (for the manager and some search nodes)
    • VPC subnet in zone ru-central1-b (for search nodes)
    • VPC subnet in zone ru-central1-d (for search nodes)
    • Lockbox secret with the admin password (selected from existing secrets, must contain the admin_password key)
    • SSH public key for VM access
    • Number of search nodes (1 to 10)
    • SOC login email
    • Environment type (Production / Development)

Accessing the SOC Console

After deployment completes (25-30 minutes):

  1. Open the Yandex Cloud console, navigate to Compute Cloud.
  2. Find the manager VM and copy its public IP address.
  3. Open https://<manager-ip> in a browser, accept the self-signed certificate warning.
  4. Log in with the specified email and the password from the Lockbox secret.

from $269.81 / per month

The usage cost for the product and the minimum required resource configuration
Starting May 1, 2026, new prices will apply to certain Yandex Cloud services. Learn more in the blog.

Cost details
Product: $119.59 / per month
  Public IP address (dynamic or static): $1.56
  Securityonion Cluster: $118.03
Required resources: $150.22 / per month
  Regular VM computing resources, Intel Ice Lake, 100% vCPU: $81.65
  Regular VM computing resources, Intel Ice Lake, RAM: $58.06
  Standard disk drive (HDD): $10.51
Billing type: Hourly (Pay as you go)
Type: Cloud Apps
Category: Security
Publisher: OpenNix Cloud security
Use cases
  • Network intrusion detection (NIDS): SecurityOnion includes a number of NIDS tools, such as Suricata and Snort, for real-time traffic analysis to detect and report suspicious activities like intrusion, malware infection, and suspicious networking behavior.

  • Network security monitoring (NSM): SecurityOnion’s all-round NSM capabilities are enabled through capturing, indexing, and analysis of network traffic. This allows security analysts to detect security incidents, explore security events, and conduct forensic analysis.

  • Log analysis: SecurityOnion aggregates and analyses logs from different sources, such as network devices, operating systems, applications, and security tools. This will help you to detect security incidents, monitor user activities, and detect anomalies.

  • Incident response: SecurityOnion facilitates incident response actions by providing network traffic, logging, and system activity visibility. Security teams can thus quickly detect, minimize, and address security incidents, such as data leaks, malware infection, and unauthorized access.

  • Threat detection: SecurityOnion supports proactive threat detection, allowing your security analysts to search for indicators of compromise (IOC), suspicious patterns, and abnormal network behaviors. This will help you to detect hidden threats and raise the overall security level.

  • Forensic analysis: SecurityOnion has tools and features for forensic analysis of network traffic, logs, and system artifacts. This will help you recover from security incidents, find the root causes of security violations, and gather evidence for court cases.

  • Malware analysis: You can use SecurityOnion to analyze and disassemble malware samples in a controlled environment. This will help you to understand malware behavior, discover its capabilities, and develop countermeasures for protection against future infections.

  • Vulnerability assessment: SecurityOnion can be integrated with vulnerability scanning tools to identify vulnerabilities in your network infrastructure, systems, and applications. This will help you to prioritize your corrective actions and reduce the attack surface.

  • Compliance monitoring: SecurityOnion helps organizations to comply with regulatory requirements through continuous monitoring, logging, and reporting. This will help you to demonstrate compliance with regulations and security frameworks, such as PCI DSS, HIPAA, GDPR.

Technical support

OpenNix
OpenNix provides support to SecurityOnion users in Yandex Cloud. You can contact their support team by email at support@opennix.ru. Support is available on business days from 9 a.m. to 6 p.m., GMT+3.

Application resources
Resource type              Quantity
Access rights for folder   5
Service account            1
Instance group             1
Virtual machine            1
VPC security group         1
Terms
By using this product you agree to the Yandex Cloud Marketplace Terms of Service and the terms and conditions of the following software: EULA
