Updated a few configs

keyword-vs-text-changes
Roberto Rodriguez 2019-04-06 13:21:29 -04:00
parent b331afdfb8
commit 2b30994493
7 changed files with 56 additions and 12 deletions


@ -17,11 +17,6 @@ filter {
"StartType" => "service_start_type"
}
add_tag => [ "new_service" ]
remove_field => [
"message",
"host",
"process_id"
]
}
}
if [event_id] == 16 {
@ -36,10 +31,10 @@ filter {
}
mutate {
rename => {
"[user][domain]" => "user_domain"
"[user][identifier]" => "user_sid"
"[user][name]" => "user_name"
"[user][type]" => "user_type"
"[user][domain]" => "user_reporter_domain"
"[user][identifier]" => "user_reporter_sid"
"[user][name]" => "user_reporter_name"
"[user][type]" => "user_reporter_type"
"computer_name" => "host_name"
}
}
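Review bot: The rename of `[user][domain]`, `[user][identifier]`, `[user][name]` and `[user][type]` to `user_reporter_*` (the four new lines just above `"computer_name" => "host_name"`) changes field names that any saved search, dashboard or later filter stage keyed on `user_sid` or `user_name` would resolve for these events, and nothing in the hunk records why the user object is now treated as the reporter. A one-line comment above the mutate stating which account `[user]` holds for this event id and why it must not collide with the other user fields would make the intent checkable; it should be stated as the author's reasoning, as the hunk itself does not show which account the object describes. The first hunk also drops the remove_field for message, host and process_id, so the raw `message` text appears to be retained for these events from now on; if that is deliberate (it noticeably changes index size and what fields consumers can rely on), a short comment saying so would help. Both hunks sit inside a filter block whose start and end are outside the hunk.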


@ -237,5 +237,10 @@ filter {
]
}
}
mutate {
rename => {
"computer_name" => "host_name"
}
}
}
}


@ -0,0 +1,11 @@
output {
if [log_name] == "Microsoft-Windows-CodeIntegrity/Operational"{
elasticsearch {
hosts => ["helk-elasticsearch:9200"]
index => "logs-endpoint-winevent-codeintegrity-%{+YYYY.MM.dd}"
document_id => "%{[@metadata][log_hash]}"
user => 'elastic'
#password => 'elasticpassword'
}
}
}
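Review bot: `document_id => "%{[@metadata][log_hash]}"` only produces unique ids if an upstream filter sets [@metadata][log_hash] for events with this log_name; when the field is absent Logstash leaves the sprintf reference as literal text, so every CodeIntegrity event would be written under the same document id and overwrite the previous one. Confirm the filter that computes the hash covers this new log_name (it is not part of this commit), or document the dependency with `# requires [@metadata][log_hash] to be set by the hashing filter for this log_name` above the output; the same applies to the new Bits-Client, DNS-Client and Firewall outputs in the following sections. Separately, `user => 'elastic'` with `#password` commented out leaves the output without a usable credential, so if Elasticsearch security is enabled these connections will be rejected; rather than uncommenting a password literal in the file, read it from the Logstash keystore or environment, e.g. `password => "${ES_PASSWORD}"` (variable name illustrative).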


@ -0,0 +1,11 @@
output {
if [log_name] == "Microsoft-Windows-Bits-Client/Operational"{
elasticsearch {
hosts => ["helk-elasticsearch:9200"]
index => "logs-endpoint-winevent-bits-%{+YYYY.MM.dd}"
document_id => "%{[@metadata][log_hash]}"
user => 'elastic'
#password => 'elasticpassword'
}
}
}


@ -0,0 +1,11 @@
output {
if [log_name] == "Microsoft-Windows-DNS-Client/Operational"{
elasticsearch {
hosts => ["helk-elasticsearch:9200"]
index => "logs-endpoint-winevent-dns-client-%{+YYYY.MM.dd}"
document_id => "%{[@metadata][log_hash]}"
user => 'elastic'
#password => 'elasticpassword'
}
}
}


@ -0,0 +1,11 @@
output {
if [log_name] == "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"{
elasticsearch {
hosts => ["helk-elasticsearch:9200"]
index => "logs-endpoint-winevent-firewall-advanced-%{+YYYY.MM.dd}"
document_id => "%{[@metadata][log_hash]}"
user => 'elastic'
#password => 'elasticpassword'
}
}
}


@ -134,7 +134,7 @@ install_curl(){
apt install -y curl >> $LOGFILE 2>&1
;;
centos|rhel)
yum install curl >> $LOGFILE 2>&1
yum install -y curl >> $LOGFILE 2>&1
;;
*)
echo "$HELK_INFO_TAG Please install curl for $LSB_DIST $DIST_VERSION.."
@ -157,7 +157,7 @@ install_htpasswd(){
apt install -y apache2-utils>> $LOGFILE 2>&1
;;
centos|rhel)
yum install httpd-tools >> $LOGFILE 2>&1
yum install -y httpd-tools >> $LOGFILE 2>&1
;;
*)
echo "$HELK_INFO_TAG Please install htpasswd for $LSB_DIST $DIST_VERSION.."
@ -461,7 +461,7 @@ show_banner(){
echo "** HELK - THE HUNTING ELK **"
echo "** **"
echo "** Author: Roberto Rodriguez (@Cyb3rWard0g) **"
echo "** HELK build version: v0.1.7-alpha02262019 **"
echo "** HELK build version: v0.1.7-alpha04062019 **"
echo "** HELK ELK version: 6.6.1 **"
echo "** License: GPL-3.0 **"
echo "**********************************************"
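Review bot: Adding `-y` makes the yum calls non-interactive, but neither the apt nor the yum branch in `install_curl` (first hunk) or `install_htpasswd` (second hunk) checks the install's exit status, so a failed package install is only visible in $LOGFILE and the script carries on to steps that need the binary. Append a check to the new lines, e.g. `yum install -y curl >> "$LOGFILE" 2>&1 || { echo "$HELK_INFO_TAG Could not install curl"; exit 1; }` (same for httpd-tools in the second hunk), or test `command -v curl` after the case statement. Quoting `"$LOGFILE"` in the redirections also keeps a log path containing spaces from breaking them. Both functions begin and end outside their hunks; the third hunk is only a build-version bump.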