Questions about Elastic Detection Rules and Sigma Correlation in Security Onion

[nayadmohamed]

Version

2.4.211

Installation Method

Other (please provide detail below)

Description

other (please provide detail below)

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

16

RAM

128GB

Storage for /

1TB

Storage for /nsm

1TB

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

Hello,

I am currently working on detection rules in Security Onion, using Elastic (Kibana) and experimenting with SSH-related detections (brute force, off-hours login, correlation, etc.).

I have a few questions to better understand how detection engineering should be handled in Security Onion.

1. Elastic Detection Rules and SOC UI Integration

I created several detection rules directly in Kibana (Elastic Security), and I can see the generated alerts in:

• Security → Alerts

However, these alerts do not appear in the Security Onion SOC interface.

My questions:

• Is it expected that Elastic detection rules (signals) do NOT automatically appear in the SOC UI?
• Is there a specific configuration required to forward these alerts into the SOC interface?
• Should we create a custom pipeline or index to make them visible?

2. Sigma Rules and Thresholds

I am also exploring Sigma rules, especially for use cases like:

• SSH brute force (multiple failures within a time window)
• Detecting repeated suspicious activity

My questions:

• Is it possible to define threshold-based detections in Sigma (e.g., X events within Y minutes)?
• Or is Sigma limited to single-event detections in Security Onion?

3. Sigma Correlation (Advanced Detection)

I looked into Sigma correlation rules (multi-event sequences), such as:

• Multiple failed SSH logins followed by a successful login
• Behavior-based detection across several events

My questions:

• Are Sigma correlation rules supported in Security Onion?
• If not, what is the recommended way to implement this type of detection?
  • Elastic EQL?
  • Threshold rules?
  • Other approaches?

4. SOC Workflow (Security Onion vs Kibana)

One important question about workflow:

• Are analysts supposed to mainly work within the Security Onion SOC interface only?
• Or is it expected to switch between:
  • SOC UI (monitoring / triage)
  • Kibana (detection engineering / rule creation / advanced analysis)?

In other words:

• What is the recommended workflow in Security Onion?
• SOC UI only?
• Or SOC UI + Kibana together?

I tried multiple approaches but I am unsure what is considered best practice in Security Onion.

Summary:

1. Do Elastic detection rules show up in SOC UI by default?
2. Can Sigma rules implement thresholds?
3. Are Sigma correlation rules supported?
4. What is the best workflow (SOC UI vs Kibana)?

Thank you in advance for your help.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

To answer your summary questions.

1. No, Elastic detection rule alerts will end up in .alerts-security.alerts-default with a Data View that is .alerts-security.alerts-default and Detections will look in logs-* You might be able to add the Data View here soc > config > server > modules > elastic > index [adv] for SOC to search for records.
2. Sigma rules thresholds would be correlations, currently we don't support correlations, but it is on the roadmap.
3. See 2
4. We support using Detections.

[nayadmohamed]

Hi,
Thank you very much for your detailed explanation, it really helped me a lot to better understand how Elastic detections and indices work within Security Onion.
With your guidance, I was able to get everything working on my side.
This is really helping me progress in my learning and in getting more comfortable with the platform.
Thanks again for your support!