cxleb0/Building-an-AI-Driven-Threat-Hunting-Workflow-with-Security-Onion
GitHub: cxleb0/Building-an-AI-Driven-Threat-Hunting-Workflow-with-Security-Onion
# Table of Contents
1. [Inspiration](#orgec7f558)
2. [Components](#org68d66c8)
3. [Setup](#org0d29280)
    1. [Security Onion](#org0b8c995)
    2. [Elasticsearch MCP](#org9979551)
    3. [AI Agent](#org0f8f1fa)
4. [Testing the workflow](#org6e0273c)
5. [Results](#org713e19c)
6. [Closing thoughts](#orgdd4fadc)
# Inspiration
- A senior analyst at my workplace sent me an article that explained a similar workflow using Security Onion and the Elasticsearch MCP server:
- I was instantly interested because I am already a huge fan of Security Onion. My implementation varies a little from the original article, but it served as a reference point for getting this set up.
# Components
- Security Onion virtual machine.
    - I used a Security Onion import node for this project.
- Docker Engine and Docker Compose.
    - Used to containerize and deploy the Elasticsearch MCP server.
- Coding agent of your choice.
    - For this workflow, I chose opencode.
- LLM of your choice.
# Setup
- I recommend reading over the official documentation for each component before setting up this workflow. The installs are straightforward.
- The following steps serve as a high-level overview of how I set up my environment. For the technical implementation details, refer to the documentation.
## Security Onion
- Security Onion does not have the `elasticsearchrest` firewall hostgroup by default. I manually added the group and the IP I wanted to allow access to Elasticsearch. It is also important to allow UDP port 9200 in the portgroup.
- Once the firewall configuration was complete, I navigated to Kibana -> Security -> API keys.
- There I created the API key that the Elasticsearch MCP server would later use for authentication.
## Elasticsearch MCP
- I created a working directory containing:
    - A `.env` file
    - A `docker-compose.yml` file
- The `.env` file stored:
    - Elasticsearch URL
    - Elasticsearch API key
    - Elasticsearch credentials
- I then deployed the MCP server using Docker Compose.
- The compose file used for this project can be found here:
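- As an added illustration of the layout described above (not the compose file from this project), the following `docker-compose.yml` runs the Elasticsearch MCP server as a stdio container fed by the `.env` file. The image name and the `ES_*` variable names are assumed from the upstream Elastic MCP server documentation and should be checked against its current README.

```yaml
# docker-compose.yml (added example, not the project's own file)
# Image name and ES_* variable names are assumed from the upstream
# Elastic MCP server project; verify them against its README.
services:
  elasticsearch-mcp:
    image: docker.elastic.co/mcp/elasticsearch   # assumed image name
    # The server talks MCP over stdin/stdout, so the agent launches it
    # with `docker compose run --rm elasticsearch-mcp` instead of `up -d`.
    command: ["stdio"]
    stdin_open: true
    # Secrets live only in .env (keep it out of version control and
    # readable by your user alone). Expected keys:
    #   ES_URL=https://<security-onion-ip>:9200
    #   ES_API_KEY=<key created in Kibana -> Security -> API keys>
    # Scope that API key to read-only access on the indices the agent
    # needs; the agent never needs write or cluster privileges.
    env_file:
      - .env
    environment:
      # Security Onion's Elasticsearch serves a self-signed certificate;
      # trust its CA explicitly rather than disabling TLS verification.
      ES_CA_CERT: /certs/ca.crt   # assumed variable name
    volumes:
      - ./ca.crt:/certs/ca.crt:ro
    read_only: true
```

The `ca.crt` path above is a placeholder for the Security Onion CA certificate copied into the working directory; if your MCP server version authenticates with a username and password instead of an API key, the same `.env` file carries those values.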
## AI Agent
- I used opencode as my AI coding agent for this project and referenced the official documentation heavily for installation and configuration.
- Once installed, I configured:
    - The Elasticsearch MCP server connection
    - My preferred LLMs
# Testing the workflow
- To validate my workflow, these are the steps I took:
    1. Start my Security Onion virtual machine.
    2. Import a pcap containing known malicious activity.
    3. Launch opencode, which automatically starts the Docker container and connects to the MCP server.
    4. Query the LLM based on findings observed within the pcap data.
    5. Cross-reference the AI-generated analysis against telemetry within Security Onion to validate accuracy.
# Results
# Closing thoughts
- This project was a lot of fun and a big learning experience with MCP servers, workflow automation and AI-assisted analysis. I look forward to experimenting with additional tools and platforms to expand on this concept and build similar workflows. Give this setup a try and thank you for reading!