Wes Lambert
1 min read · Mar 26, 2021


Hi Ric,

Thanks for the kind words! While Security Onion includes the Elastic Stack as part of the platform, its power lies in combining various free and open tools to collect host-based telemetry, along with network metadata (Suricata/Zeek) and full packet capture (Stenographer), as well as generate alerts based on network traffic with both a signature-based (Suricata) and policy-neutral IDS (Zeek Notices).

Aside from that, analysts can slice and dice their logs within the Hunt interface inside of SOC (Security Onion Console), as well as manage their detection playbooks with Playbook. Strelka also provides analysis of files extracted from the network by Suricata or Zeek. Furthermore, if analysts wish to escalate the alerts or events they are seeing in SOC, they can do so by pushing an alert/event to a case inside of TheHive. From there, Cortex can be utilized to provide greater context around observables like IP addresses, domains, etc., and analysts can track their investigations. All of this is wrapped up into a single package that is meant to be easy to deploy and maintain.
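To make the "signature-based plus policy-neutral" point above concrete, here is an added example (not Security Onion's own code and not part of the reply) that takes one Suricata EVE JSON alert and one Zeek notice.log entry (both constructed sample lines, not real telemetry), normalizes them into a single alert record, and ranks and groups them the way an analyst would pivot on them in an alert view. The field names follow the documented Suricata EVE (`event_type`, `alert.signature_id`, `alert.severity`) and Zeek JSON log (`note`, `msg`, `id.orig_h`) formats; the `ZEEK_NOTICE_SEVERITY` table and the `Alert` schema are this example's own assumptions, not Security Onion's mapping.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample input (not captured from a real sensor): a Suricata EVE
# alert, a Suricata flow record (not an alert, must be skipped), a Zeek notice
# in JSON log form, and a truncated line that must not crash the parser.
SAMPLE_LINES = [
    json.dumps({
        "timestamp": "2021-03-26T14:02:11.123456+0000", "event_type": "alert",
        "src_ip": "10.0.0.5", "src_port": 49152, "dest_ip": "203.0.113.7",
        "dest_port": 80, "proto": "TCP",
        "alert": {"action": "allowed", "gid": 1, "signature_id": 2100498, "rev": 7,
                  "signature": "GPL ATTACK_RESPONSE id check returned root",
                  "category": "Potentially Bad Traffic", "severity": 2},
    }),
    json.dumps({"timestamp": "2021-03-26T14:02:12.000000+0000",
                "event_type": "flow", "src_ip": "10.0.0.5", "dest_ip": "203.0.113.7"}),
    json.dumps({
        "ts": 1616767331.52, "note": "SSL::Invalid_Server_Cert",
        "msg": "SSL certificate validation failed with (self signed certificate)",
        "id.orig_h": "10.0.0.5", "id.orig_p": 51000,
        "id.resp_h": "198.51.100.9", "id.resp_p": 443,
    }),
    '{"ts": 1616767340.0, "note": "Scan::Address_Sc',  # truncated line
]

# Assumed severity for Zeek notice types (1 = high, 3 = low, mirroring the
# Suricata convention). This table is an assumption of this example.
ZEEK_NOTICE_SEVERITY = {"Scan::Address_Scan": 2, "Scan::Port_Scan": 2}
DEFAULT_SEVERITY = 3


@dataclass
class Alert:
    ts: str        # ISO-8601 timestamp
    source: str    # "suricata" or "zeek"
    rule_id: str   # gid:sid:rev for Suricata, notice type for Zeek
    rule: str      # human-readable name
    severity: int  # 1 (high) .. 3 (low)
    src_ip: str
    dst_ip: str
    msg: str


def parse_suricata(ev: dict) -> Optional[Alert]:
    """Turn a Suricata EVE record into an Alert; non-alert event types are dropped."""
    if ev.get("event_type") != "alert":
        return None
    a = ev["alert"]
    return Alert(ts=ev["timestamp"], source="suricata",
                 rule_id=f"{a['gid']}:{a['signature_id']}:{a['rev']}",
                 rule=a["signature"], severity=int(a.get("severity", DEFAULT_SEVERITY)),
                 src_ip=ev["src_ip"], dst_ip=ev["dest_ip"],
                 msg=f"{a.get('category', '')} ({a.get('action', '')})")


def parse_zeek_notice(ev: dict) -> Alert:
    """Turn a Zeek notice.log JSON record into an Alert."""
    ts = datetime.fromtimestamp(float(ev["ts"]), tz=timezone.utc).isoformat()
    note = ev["note"]
    return Alert(ts=ts, source="zeek", rule_id=note, rule=note,
                 severity=ZEEK_NOTICE_SEVERITY.get(note, DEFAULT_SEVERITY),
                 src_ip=ev.get("id.orig_h", ""), dst_ip=ev.get("id.resp_h", ""),
                 msg=ev.get("msg", ""))


def normalize_lines(lines: List[str]) -> List[Alert]:
    """Route each JSON line to the right parser by its shape; skip unparseable lines."""
    alerts: List[Alert] = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupt line: skip, never abort the whole batch
        if "event_type" in ev:
            parsed = parse_suricata(ev)
        elif "note" in ev:
            parsed = parse_zeek_notice(ev)
        else:
            parsed = None
        if parsed is not None:
            alerts.append(parsed)
    return alerts


def triage(alerts: List[Alert]) -> List[Alert]:
    """Highest severity first, then oldest first, regardless of which IDS raised it."""
    return sorted(alerts, key=lambda a: (a.severity, a.ts))


def by_source_host(alerts: List[Alert]) -> Dict[str, List[Alert]]:
    """Group alerts by originating host, the usual first pivot when hunting."""
    groups: Dict[str, List[Alert]] = {}
    for a in alerts:
        groups.setdefault(a.src_ip, []).append(a)
    return groups


if __name__ == "__main__":
    for a in triage(normalize_lines(SAMPLE_LINES)):
        print(f"[sev {a.severity}] {a.ts} {a.source:8} {a.src_ip} -> {a.dst_ip} {a.rule}")
```

Run as a script it prints the two surviving alerts in severity order; the flow record and the truncated line are dropped without error, which is the behaviour you want from anything that sits in front of an alert queue.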
