SECURITY ONION

Your Open-Source Security Command Center

Turn security insights into real defensive action.

OVERVIEW

Security Onion: Your Open-Source Security Command Center

Security Onion is an open-source platform built by defenders, for defenders. It provides network visibility, host visibility, intrusion-detection honeypots, and centralized log and incident management.

For network visibility, it offers signature-based detection via Suricata, rich protocol metadata, selective file extraction using Zeek or Suricata, full packet capture via Stenographer, and file analysis through Strelka.

For host visibility, Security Onion integrates the Elastic Agent for data collection, real-time querying via osquery, and centralized management through Elastic Fleet.

With over 2 million downloads, Security Onion is trusted by security teams worldwide to monitor and defend their infrastructures. Its intuitive setup assistant allows you to deploy a distributed grid for your organization in just a few minutes!


Highly Scalable

From a single network appliance to a thousand-node grid, Security Onion adapts to your specific needs.


Open Community

Security Onion and the tools we integrate are fully open-source and developed by the cybersecurity community.

The source code is available on GitHub, allowing anyone who wants to understand the system’s inner workings to examine it in detail.


Use Cases

01.

Network Visibility

Collect network events from Zeek, Suricata, and other tools for full network coverage. Deploy a wide net to quickly and easily detect malicious actors.

02.

Host Visibility

Collect host events from Zeek, Suricata, and other tools to achieve complete infrastructure coverage. Deploy a wide net to rapidly and efficiently identify malicious activity.

03.

Static Analysis (PCAP & EVTX Import)

Analyze captured data with PCAP and EVTX files to gain deep insights into network and host activity. Quickly detect threats and understand their impact.

04.

Security Onion Desktop

Collect network events via Zeek, Suricata, and other tools for comprehensive infrastructure monitoring. Deploy a wide net to detect malicious actors swiftly and effectively.

Key Feature Highlights

Alert
Hunt
Detections
Playbooks
PCAP
Cases
Dashboards
Analyzers
Onion AI
MCP

Data Types

01

Agent

Information collected directly on the host by agent software.

The Elastic Agent runs on each endpoint to collect logs, process activity, file-integrity events and the results of live osquery checks. It gives deep visibility into what happens inside your systems — not just on the wire — and feeds it back to a central grid for correlation.

  • Host & application logs
  • Process and file-integrity events
  • Real-time osquery results
Source: Elastic Agent →
02

Alert

A judgment made by a detection engine on an observed event.

When network traffic matches a known signature or rule, Suricata raises an alert that names the threat, its severity and the hosts involved. Alerts are the starting point of triage: each one is a lead an analyst can pivot on toward the underlying packets, logs and sessions.

  • Signature-based detections
  • Severity & category
  • Pivot to packets, logs & sessions
Source: Suricata →
03

Asset

Metadata describing the hosts seen on your network.

Zeek passively profiles every device it observes, building an inventory of assets with their addresses, the services they expose and the software they run. This living map helps you spot unknown or rogue hosts and grasp the scope of an incident at a glance.

  • Observed devices & addresses
  • Exposed services and software
  • Rogue / unknown host detection
Source: Zeek →
04

Extracted Content

Reconstructed elements of a session and the metadata extracted from it.

Zeek can carve files and artifacts straight out of network sessions and preserve the metadata around them. Analysts can then inspect transferred documents, executables or scripts, hash them and confirm whether a payload was actually delivered.

  • Files carved from traffic
  • Associated session metadata
  • Hashing & payload confirmation
Source: Zeek →
05

Complete Content

Full packet capture — every byte that crossed the wire.

Stenographer records complete network traffic to disk so nothing is lost. When an alert fires, you can replay the exact packets behind it, reconstruct an entire attack and answer questions your logs alone could never resolve.

  • Full-fidelity PCAP storage
  • Exact replay behind any alert
  • Deep forensic reconstruction
Source: Stenographer →
06

Session

Details about the conversations between hosts.

Session (or flow) records summarize who talked to whom, when, over which protocol and how much data moved. Compact and easy to pivot on, they are ideal for spotting beaconing, data exfiltration or lateral movement across long time windows.

  • Who-talked-to-whom flows
  • Volume, duration & protocol
  • Beaconing & exfiltration hunting
Source: Suricata →
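The beaconing hunt this data type enables, as an added example that is not Security Onion's or Suricata's own code: it reads Suricata EVE JSON flow events (the sample lines below are constructed, using the real field names of the `flow` event type but invented hosts, times and byte counts), groups them by source, destination and port, and flags pairs whose inter-flow gaps are nearly constant. The thresholds `min_flows` and `max_cv` are assumptions to tune per environment.

```python
"""Beacon hunting over Suricata EVE flow records (constructed sample data)."""
import json
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed EVE-style flow events: the layout follows Suricata's "flow"
# event_type, but hosts, timestamps and byte counts are invented.
def _flow(ts, src, dst, dport, to_server, to_client):
    return json.dumps({
        "timestamp": ts,
        "event_type": "flow",
        "src_ip": src, "src_port": 49152, "dest_ip": dst, "dest_port": dport,
        "proto": "TCP",
        "flow": {"start": ts, "bytes_toserver": to_server, "bytes_toclient": to_client,
                 "pkts_toserver": 4, "pkts_toclient": 3, "state": "closed"},
    })

SAMPLE_EVE_LINES = [
    # near-constant 60 s interval from one host to one external address
    _flow("2024-05-01T10:00:00.000000+0000", "10.0.0.5", "203.0.113.9", 443, 612, 140),
    _flow("2024-05-01T10:01:00.000000+0000", "10.0.0.5", "203.0.113.9", 443, 598, 140),
    _flow("2024-05-01T10:02:01.000000+0000", "10.0.0.5", "203.0.113.9", 443, 610, 140),
    _flow("2024-05-01T10:03:00.000000+0000", "10.0.0.5", "203.0.113.9", 443, 605, 140),
    _flow("2024-05-01T10:03:59.000000+0000", "10.0.0.5", "203.0.113.9", 443, 601, 140),
    _flow("2024-05-01T10:05:00.000000+0000", "10.0.0.5", "203.0.113.9", 443, 599, 140),
    # ordinary browsing: irregular intervals to a web server
    _flow("2024-05-01T10:00:05.000000+0000", "10.0.0.7", "198.51.100.20", 443, 2300, 48000),
    _flow("2024-05-01T10:00:09.000000+0000", "10.0.0.7", "198.51.100.20", 443, 900, 12000),
    _flow("2024-05-01T10:07:40.000000+0000", "10.0.0.7", "198.51.100.20", 443, 4100, 90000),
    _flow("2024-05-01T10:31:02.000000+0000", "10.0.0.7", "198.51.100.20", 443, 1200, 30000),
    _flow("2024-05-01T10:31:03.000000+0000", "10.0.0.7", "198.51.100.20", 443, 1100, 25000),
    _flow("2024-05-01T11:12:00.000000+0000", "10.0.0.7", "198.51.100.20", 443, 3000, 66000),
    # an unrelated alert event, which the flow parser must skip
    json.dumps({"timestamp": "2024-05-01T10:00:10.000000+0000", "event_type": "alert",
                "src_ip": "10.0.0.7", "dest_ip": "198.51.100.20"}),
]

def parse_flows(lines):
    """Yield (src_ip, dest_ip, dest_port, start_time, bytes_toserver) from EVE flow events."""
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "flow":
            continue
        ts = datetime.strptime(ev["flow"]["start"], "%Y-%m-%dT%H:%M:%S.%f%z")
        yield ev["src_ip"], ev["dest_ip"], ev["dest_port"], ts, ev["flow"]["bytes_toserver"]

def find_beacons(lines, min_flows=5, max_cv=0.15):
    """Group flows by (src, dst, port) and flag pairs whose inter-flow gaps are nearly
    constant: coefficient of variation (stdev / mean) of the gaps at or below max_cv.
    Thresholds are assumptions to tune per environment."""
    groups = defaultdict(list)
    for src, dst, port, ts, b2s in parse_flows(lines):
        groups[(src, dst, port)].append((ts, b2s))
    findings = {}
    for key, flows in groups.items():
        if len(flows) < min_flows:
            continue
        flows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(flows, flows[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            findings[key] = {"flows": len(flows), "mean_interval_s": round(avg, 1),
                             "cv": round(cv, 3), "bytes_toserver": sum(b for _, b in flows)}
    return findings

if __name__ == "__main__":
    for (src, dst, port), info in find_beacons(SAMPLE_EVE_LINES).items():
        print(f"{src} -> {dst}:{port} {info}")
```

The same grouping also gives the total bytes sent per pair, which is the figure to sort by when hunting for exfiltration rather than for timing regularity; on a real grid the input would be the `flow` events from `eve.json`, not the constructed list.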
07

Transaction

Structured logs generated from network protocols (protocol logs).

For every protocol it understands — HTTP, DNS, SSL/TLS, SMB and many more — Zeek writes a rich, structured transaction log. These protocol logs turn raw traffic into searchable, analyst-friendly records that power hunting, detection and investigation.

  • HTTP, DNS, SSL, SMB… logs
  • Structured & searchable
  • Foundation for hunting & detection
Source: Zeek →
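What working with a Zeek transaction log looks like in practice, as an added example that is not Security Onion's or Zeek's own code: a small reader for Zeek's TSV format (the `#separator`, `#fields`, `#types` and `#unset_field` header lines are the real layout) followed by a hunt over `dns.log` records for the long or high-entropy labels that DNS tunnelling leaves behind. The log excerpt is constructed with a subset of the real `dns.log` columns and invented hosts and names; the `max_label` and `min_entropy` thresholds are assumptions.

```python
"""Zeek TSV reader plus a DNS tunnelling check over dns.log (constructed sample data)."""
import math
from collections import Counter

# Constructed dns.log excerpt: Zeek's real header layout and a subset of its real
# columns, with invented hosts (documentation ranges) and invented query names.
SAMPLE_DNS_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tdns",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery\tqtype_name\trcode_name\tanswers",
    "#types\ttime\tstring\taddr\taddr\tstring\tstring\tstring\tvector[string]",
    "1714557600.123456\tCabc1\t10.0.0.5\t10.0.0.53\twww.example.com\tA\tNOERROR\t93.184.216.34",
    "1714557601.500000\tCabc2\t10.0.0.5\t10.0.0.53\tmail.example.org\tMX\tNOERROR\t-",
    "1714557602.000000\tCabc3\t10.0.0.9\t10.0.0.53\t"
    "ZGF0YS1jaHVuay0wMDAx-a3b9f0c1d2e4f5a6b7c8d9e0f1a2b3c4d5.tunnel.example.net\tTXT\tNOERROR\t-",
    "1714557603.250000\tCabc4\t10.0.0.9\t10.0.0.53\t"
    "YW5vdGhlci1jaHVuay0wMDAy-7f6e5d4c3b2a19080706050403020100.tunnel.example.net\tTXT\tNOERROR\t-",
    "#close\t2024-05-01-10-00-04",
])

def parse_zeek_log(text):
    """Parse Zeek TSV text into dicts keyed by the #fields names. The unset marker
    ('-' by default) becomes None; time/double/count/int columns become numbers."""
    sep, unset, fields, types = "\t", "-", [], []
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # the separator is written escaped, e.g. "\x09" for a tab
                sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            else:
                key, _, value = line[1:].partition(sep)
                if key == "unset_field":
                    unset = value
                elif key == "fields":
                    fields = value.split(sep)
                elif key == "types":
                    types = value.split(sep)
            continue
        row = {}
        for name, typ, raw in zip(fields, types, line.split(sep)):
            if raw == unset:
                row[name] = None
            elif typ in ("time", "double", "interval"):
                row[name] = float(raw)
            elif typ in ("count", "int", "port"):
                row[name] = int(raw)
            else:
                row[name] = raw
        records.append(row)
    return records

def _entropy(s):
    """Shannon entropy in bits per character of the string s."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def suspicious_dns_queries(records, max_label=40, min_entropy=3.5):
    """Flag queries whose longest label is unusually long or high-entropy, both
    traits of DNS tunnelling; returns (uid, query, reason) tuples. Thresholds are
    assumptions to tune against a baseline of normal queries."""
    hits = []
    for r in records:
        q = r.get("query")
        if not q:
            continue
        longest = max(q.split("."), key=len)
        if len(longest) > max_label:
            hits.append((r["uid"], q, f"label length {len(longest)}"))
        elif len(longest) >= 20 and _entropy(longest) >= min_entropy:
            hits.append((r["uid"], q, f"label entropy {_entropy(longest):.2f}"))
    return hits

if __name__ == "__main__":
    for uid, query, reason in suspicious_dns_queries(parse_zeek_log(SAMPLE_DNS_LOG)):
        print(uid, query, reason)
```

The reader is driven entirely by the header block, so the same function reads `conn.log`, `http.log` or `ssl.log` unchanged; the `uid` it returns is the value to pivot on when moving from a suspicious transaction to the session and packets behind it.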