HELK 6.2.3-041018

Docker-Compose File + Split helk-elk service in 3 (Logstash, Kibana, Logstash) HELK-base + New Docker Base image applied to all HELK's Docker images HELK-analytics + updated file due to new helk-base image HELK-elk + Removed Helk-elk folder HELK-kafka + Updated it to version 1.1.0 HELK-Logstash + Updated all files to point to helk-kafka and helk-elasticsearch (New image after splitting helk-elk) New Docker Images + helk-elasticsearch + helk-logstash + helk-kibana + helk-nginx HELK-nginx + Removed route to elasticsearch:8082. Cerebro now can point to 172.18.0.2 (Internal Docker IP) HELK-Install + organized script a little better by creating install_dockerl and install_docker_compose functions HELK-kibana + updated Kibana configuration to set Kibana server to the name of the service helk-kibana. It allows remote connections to it (internally among docer images) + Updated elasticsearch url to new docker image (helk-elasticsearch:9200) HELK-kafka + updated internal listeners on each broker to helk-kafka
2018-04-10 02:56:28 -04:00 · 2018-04-10 02:56:28 -04:00 · 6054e2be9a
parent c43eaa08e3
commit 6054e2be9a
66 changed files with 568 additions and 28500 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,10 +1,9 @@
 version: '3'

 services:
-
-  helk-elk:
-    image: cyb3rward0g/helk-elk:6.2.3
-    container_name: helk-elk
+  helk-elasticsearch:
+    image: cyb3rward0g/helk-elasticsearch:6.2.3
+    container_name: helk-elasticsearch
    volumes:
      - esdata:/var/lib/elasticsearch
    environment:
@ -14,18 +13,52 @@ services:
        soft: -1
        hard: -1
    ports:
-      - "80:80"
-      - "5044:5044"
      - "9000:9000"
-      - "8082:8082"
    restart: always
    networks:
      helk:
        ipv4_address: 172.18.0.2
        aliases:
-          - helk_elk.hunt.local
+          - helk_elasticsearch.hunt.local
+  helk-logstash:
+    image: cyb3rward0g/helk-logstash:6.2.3
+    container_name: helk-logstash
+    ports:
+      - "5044:5044"
+    restart: always
+    depends_on:
+      - helk-elasticsearch
+    networks:
+      helk:
+        ipv4_address: 172.18.0.5
+        aliases:
+          - helk_logstash.hunt.local
+  helk-kibana:
+    image: cyb3rward0g/helk-kibana:6.2.3
+    container_name: helk-kibana
+    restart: always
+    depends_on:
+      - helk-elasticsearch
+    networks:
+      helk:
+        ipv4_address: 172.18.0.6
+        aliases:
+          - helk_kibana.hunt.local
+  helk-nginx:
+    image: cyb3rward0g/helk-nginx:0.0.1
+    container_name: helk-nginx
+    ports:
+      - "80:80"
+    restart: always
+    depends_on:
+      - helk-elasticsearch
+    networks:
+      helk:
+        ipv4_address: 172.18.0.7
+        aliases:
+          - helk_nginx.hunt.local
  helk-kafka:
-    image: cyb3rward0g/helk-kafka:1.0.1
+    image: cyb3rward0g/helk-kafka:0.0.1
    container_name: helk-kafka
    env_file: ./helk.env
    ports:
@ -35,21 +68,21 @@ services:
      - "9094:9094"
    restart: always
    depends_on:
-      - helk-elk
+      - helk-elasticsearch
    networks:
      helk:
        ipv4_address: 172.18.0.3
        aliases:
          - helk_kafka.hunt.local
  helk-analytics:
-    image: cyb3rward0g/helk-analytics:0.0.2
+    image: cyb3rward0g/helk-analytics:0.0.3
    container_name: helk-analytics
    ports:
      - "8880:8880"
      - "4040:4040"
    restart: always
    depends_on:
-      - helk-elk
+      - helk-elasticsearch
    networks:
      helk:
        ipv4_address: 172.18.0.4
--- a/helk-analytics/Dockerfile
+++ b/helk-analytics/Dockerfile
@ -3,7 +3,7 @@
 # Author: Roberto Rodriguez (@Cyb3rWard0g)
 # License: BSD 3-Clause

-FROM phusion/baseimage
+FROM cyb3rward0g/helk-base:0.0.1
 LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
 LABEL description="Dockerfile base for HELK Analytics."

@ -16,20 +16,12 @@ RUN echo "[HELK-DOCKER-INSTALLATION-INFO] Updating Ubuntu base image.." \
  && echo "[HELK-DOCKER-INSTALLATION-INFO] Extracting templates from packages.." \
  && apt-get install -qqy \
  openjdk-8-jre-headless \
-  wget \
-  sudo \
-  nano \
  python3-pip \
  python-tk \
-  unzip \
-  zip \
-  locales
+  unzip

-RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && \
-    locale-gen
 RUN apt-get -qy clean \
-  autoremove \
-  && rm -rf /var/lib/apt/lists/*
+  autoremove

 # *********** Upgrading PIP ***************
 RUN pip3 install --upgrade pip
@ -55,7 +47,7 @@ RUN pip3 install scipy==1.0.0 \
  bokeh==0.12.14

 # *********** Creating the right directories ***************
-RUN bash -c 'mkdir -pv /opt/helk/{scripts,training,es-hadoop,spark}'
+RUN bash -c 'mkdir -pv /opt/helk/{training,es-hadoop,spark}'

 # *********** Adding HELK scripts and files to Container ***************
 ADD scripts/analytics-entrypoint.sh /opt/helk/scripts/
--- a/helk-base/Dockerfile
+++ b/helk-base/Dockerfile
@ -0,0 +1,29 @@
+# HELK script: HELK Base Image Dockerfile
+# HELK build version: 0.9 (Alpha)
+# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# License: BSD 3-Clause
+
+FROM phusion/baseimage:0.10.1
+LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
+LABEL description="Dockerfile base Image.."
+
+ENV DEBIAN_FRONTEND noninteractive
+
+# *********** Installing Prerequisites ***************
+# -qq : No output except for errors
+RUN echo "[HELK-DOCKER-BASE-INFO] Updating Ubuntu base image.." \
+  && apt-get update -qq \
+  && echo "[HELK-DOCKER-BASE-INFO] Extracting templates from packages.." \
+  && apt-get install -qqy \
+  wget \
+  sudo \
+  nano
+
+RUN apt-get -qy clean \
+  autoremove \
+  && rm -rf /var/lib/apt/lists/*
+
+# *********** Creating the right directories ***************
+RUN bash -c 'mkdir -pv /opt/helk/scripts'
+
+CMD ["/sbin/my_init"]
--- a/helk-elasticsearch/Dockerfile
+++ b/helk-elasticsearch/Dockerfile
@ -0,0 +1,70 @@
+# HELK script: HELK Elasticsearch Dockerfile
+# HELK build version: 0.9 (ALPHA)
+# HELK ELK version: 6.2.3
+# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# License: BSD 3-Clause
+
+# References: 
+# https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat_98.html
+# https://github.com/spujadas/elk-docker/blob/master/Dockerfile
+
+FROM cyb3rward0g/helk-base:0.0.1
+LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
+LABEL description="Dockerfile base for the HELK Elasticsearch."
+
+ENV DEBIAN_FRONTEND noninteractive
+
+# *********** Installing Prerequisites ***************
+# -qq : No output except for errors
+RUN echo "[HELK-DOCKER-INSTALLATION-INFO] Updating Ubuntu base image.." \
+  && apt-get update -qq \
+  && echo "[HELK-DOCKER-INSTALLATION-INFO] Extracting templates from packages.." \
+  && apt-get install -qqy \
+  openjdk-8-jre-headless
+
+RUN apt-get -qy clean \
+  autoremove
+
+# *********** Creating the right directories ***************
+RUN bash -c 'mkdir -pv /opt/helk/{elasticsearch,cerebro}'
+
+# *********** Adding HELK scripts and files to Container ***************
+ADD scripts/entrypoint.sh /opt/helk/scripts/
+RUN chmod +x /opt/helk/scripts/entrypoint.sh
+
+# *********** ELK Version ***************
+ENV ELK_VERSION=6.2.3
+
+# *********** Installing Elasticsearch ***************
+ENV ES_HELK_HOME=/opt/helk/elasticsearch
+ENV ES_HOME=/usr/share/elasticsearch
+ENV ES_PATH_CONF=/etc/elasticsearch
+ENV ES_PATH_DATA=/var/lib/elasticsearch
+ENV ES_PATH_LOGS=/var/log/elasticsearch
+ENV ES_GID=707
+ENV ES_UID=707
+
+RUN wget -qO- https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-${ELK_VERSION}.tar.gz | sudo tar xvz -C ${ES_HELK_HOME} --strip-components=1 \
+  && cp -r ${ES_HELK_HOME}/ ${ES_HOME}/ \
+  && mkdir -pv ${ES_PATH_CONF} ${ES_PATH_DATA} ${ES_PATH_LOGS} \
+  && mv /usr/share/elasticsearch/config/* ${ES_PATH_CONF}
+ADD elasticsearch /etc/default/elasticsearch
+ADD elasticsearch-init /etc/init.d/elasticsearch
+ADD elasticsearch.yml /etc/elasticsearch/
+RUN groupadd -r elasticsearch -g ${ES_GID} \
+  && useradd -r -s /usr/sbin/nologin -M -c "Elasticsearch user" -u ${ES_UID} -g elasticsearch elasticsearch \
+  && chown -R elasticsearch:elasticsearch ${ES_HOME} ${ES_PATH_CONF} ${ES_PATH_DATA} ${ES_PATH_LOGS}
+
+VOLUME /var/lib/elasticsearch
+
+# *********** Install Cerebro ***************
+ENV CEREBRO_HOME=/opt/helk/cerebro
+ENV CEREBRO_LOGS_PATH=/var/log/cerebro
+RUN wget -qO- https://github.com/lmenezes/cerebro/releases/download/v0.7.2/cerebro-0.7.2.tgz | sudo tar xvz -C ${CEREBRO_HOME} \
+  && mkdir -v $CEREBRO_LOGS_PATH
+ADD cerebro-init /etc/init.d/cerebro
+
+# *********** RUN HELK ***************
+EXPOSE 9000
+WORKDIR "/opt/helk/scripts/"
+ENTRYPOINT ["./entrypoint.sh"]
--- a/helk-elasticsearch/cerebro-init
+++ b/helk-elasticsearch/cerebro-init
--- a/helk-elk/elasticsearch/elasticsearch
+++ b/helk-elk/elasticsearch/elasticsearch
--- a/helk-elk/elasticsearch/elasticsearch-init
+++ b/helk-elk/elasticsearch/elasticsearch-init
--- a/helk-elk/elasticsearch/elasticsearch.yml
+++ b/helk-elk/elasticsearch/elasticsearch.yml
--- a/helk-elasticsearch/scripts/entrypoint.sh
+++ b/helk-elasticsearch/scripts/entrypoint.sh
@ -0,0 +1,41 @@
+#!/bin/sh
+
+# HELK script: entrypoint.sh
+# HELK script description: Restarts and runs elasticsearch service
+# HELK build version: 0.9 (Alpha)
+# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# License: BSD 3-Clause
+
+# Start graceful termination of elasticsearch service that might be running before running the entrypoint script.
+_term() {
+  echo "Terminating elasticsearch service"
+  service elasticsearch stop
+  service cerebro stop
+  exit 0
+}
+trap _term SIGTERM
+
+# Removing PID files just in case the graceful termination fails
+rm -f /var/run/elasticsearch/elasticsearch.pid
+
+# *********** Setting ES Heap Size***************
+# https://serverfault.com/questions/881383/automatically-set-java-heap-size-for-elasticsearch-on-linux
+memoryInKb="$(awk '/MemTotal/ {print $2}' /proc/meminfo)"
+heapSize="$(expr $memoryInKb / 1024 / 1000 / 2)"
+sed -i "s/#*-Xmx[0-9]\+g/-Xmx${heapSize}g/g" /etc/elasticsearch/jvm.options
+sed -i "s/#*-Xms[0-9]\+g/-Xms${heapSize}g/g" /etc/elasticsearch/jvm.options
+
+# *********** Start elasticsearch services ***************
+echo "[HELK-DOCKER-INSTALLATION-INFO] Starting Elasticsearch service"
+service elasticsearch start
+
+echo "[HELK-DOCKER-INSTALLATION-INFO] Waiting for elasticsearch URI to be accessible.."
+until curl -s localhost:9200 -o /dev/null; do
+    sleep 1
+done
+
+echo "[HELK-DOCKER-INSTALLATION-INFO] Starting Cerebro service"
+service cerebro start
+
+echo "[HELK-DOCKER-INSTALLATION-INFO] Pushing Elasticsearch Logs to console.."
+tail -f /var/log/elasticsearch/*.log
--- a/helk-elk/Dockerfile
+++ b/helk-elk/Dockerfile
@ -1,144 +0,0 @@
-# HELK script: HELK ELK Dockerfile
-# HELK build version: 0.9 (ALPHA)
-# HELK ELK version: 6.2.3
-# Author: Roberto Rodriguez (@Cyb3rWard0g)
-# License: BSD 3-Clause
-
-# References: 
-# https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat_98.html
-# https://github.com/spujadas/elk-docker/blob/master/Dockerfile
-
-FROM phusion/baseimage
-LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
-LABEL description="Dockerfile base for the HELK ELK."
-
-ENV DEBIAN_FRONTEND noninteractive
-
-# *********** Installing Prerequisites ***************
-# -qq : No output except for errors
-RUN echo "[HELK-DOCKER-INSTALLATION-INFO] Updating Ubuntu base image.." \
-  && apt-get update -qq \
-  && echo "[HELK-DOCKER-INSTALLATION-INFO] Extracting templates from packages.." \
-  && apt-get install -qqy \
-  openjdk-8-jre-headless \
-  wget \
-  sudo \
-  nano \
-  python \
-  python-pip \
-  unzip
-
-RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && \
-    locale-gen
-RUN apt-get -qy clean \
-  autoremove
-
-# *********** Upgrading PIP ***************
-RUN pip install --upgrade pip
-
-# *********** Installing HELK python packages ***************
-RUN pip install \
-  OTXv2 \
-  pandas==0.22.0
-
-# *********** Creating the right directories ***************
-#RUN bash -c 'mkdir -pv /opt/helk/{scripts,training,otx,es-hadoop,spark,output_templates,dashboards,kafka,elasticsearch,logstash,kibana,cerebro,ksql}'
-RUN bash -c 'mkdir -pv /opt/helk/{scripts,otx,output_templates,dashboards,elasticsearch,logstash,kibana,cerebro,ksql}'
-
-# *********** Adding HELK scripts and files to Container ***************
-ADD scripts/helk_otx.py /opt/helk/scripts/
-ADD scripts/elk-kibana-setup.sh /opt/helk/scripts/
-ADD scripts/elk-entrypoint.sh /opt/helk/scripts/
-RUN chmod +x /opt/helk/scripts/elk-kibana-setup.sh
-RUN chmod +x /opt/helk/scripts/elk-entrypoint.sh
-
-# *********** ELK Version ***************
-ENV ELK_VERSION=6.2.3
-
-# *********** Installing Elasticsearch ***************
-ENV ES_HELK_HOME=/opt/helk/elasticsearch
-ENV ES_HOME=/usr/share/elasticsearch
-ENV ES_PATH_CONF=/etc/elasticsearch
-ENV ES_PATH_DATA=/var/lib/elasticsearch
-ENV ES_PATH_LOGS=/var/log/elasticsearch
-ENV ES_GID=707
-ENV ES_UID=707
-
-RUN wget -qO- https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-${ELK_VERSION}.tar.gz | sudo tar xvz -C ${ES_HELK_HOME} --strip-components=1 \
-  && cp -r ${ES_HELK_HOME}/ ${ES_HOME}/ \
-  && mkdir -pv ${ES_PATH_CONF} ${ES_PATH_DATA} ${ES_PATH_LOGS} \
-  && mv /usr/share/elasticsearch/config/* ${ES_PATH_CONF}
-ADD elasticsearch/elasticsearch /etc/default/elasticsearch
-ADD elasticsearch/elasticsearch-init /etc/init.d/elasticsearch
-ADD elasticsearch/elasticsearch.yml /etc/elasticsearch/
-RUN groupadd -r elasticsearch -g ${ES_GID} \
-  && useradd -r -s /usr/sbin/nologin -M -c "Elasticsearch user" -u ${ES_UID} -g elasticsearch elasticsearch \
-  && chown -R elasticsearch:elasticsearch ${ES_HOME} ${ES_PATH_CONF} ${ES_PATH_DATA} ${ES_PATH_LOGS}
-
-VOLUME /var/lib/elasticsearch
-
-# *********** Installing Kibana ***************
-ENV KIBANA_HELK_HOME=/opt/helk/kibana
-ENV KIBANA_HOME=/usr/share/kibana
-ENV KIBANA_PATH_CONF=/etc/kibana
-ENV KIBANA_PATH_LOGS=/var/log/kibana
-ENV KIBANA_GID=708
-ENV KIBANA_UID=708
-
-RUN wget -qO- https://artifacts.elastic.co/downloads/kibana/kibana-${ELK_VERSION}-linux-x86_64.tar.gz | sudo tar xvz -C ${KIBANA_HELK_HOME} --strip-components=1 \
-  && cp -r ${KIBANA_HELK_HOME}/ ${KIBANA_HOME}/ \
-  && mkdir -pv ${KIBANA_PATH_CONF} ${KIBANA_PATH_LOGS} \
-  && mv /usr/share/kibana/config/* ${KIBANA_PATH_CONF}
-ADD kibana/kibana-init /etc/init.d/kibana
-ADD kibana/kibana.yml ${KIBANA_PATH_CONF}
-ADD kibana/dashboards/ /opt/helk/dashboards/
-RUN groupadd -r kibana -g ${KIBANA_GID} \
-  && useradd -r -s /usr/sbin/nologin -M -c "Kibana user" -u ${KIBANA_UID} -g kibana kibana \
-  && chown -R kibana:kibana ${KIBANA_HOME} ${KIBANA_PATH_CONF} ${KIBANA_PATH_LOGS} /opt/helk/dashboards
-
-# *********** Installing Logstash ***************
-ENV LOGSTASH_HELK_HOME=/opt/helk/logstash
-ENV LS_HOME=/usr/share/logstash
-ENV LS_SETTINGS_DIR=/etc/logstash
-ENV LS_CONF_PATH=/etc/logstash/pipeline
-ENV LS_LOGS_PATH=/var/log/logstash
-ENV LS_GID=709
-ENV LS_UID=709
-
-RUN wget -qO- https://artifacts.elastic.co/downloads/logstash/logstash-${ELK_VERSION}.tar.gz | sudo tar xvz -C ${LOGSTASH_HELK_HOME} --strip-components=1 \
-  && cp -r ${LOGSTASH_HELK_HOME}/ ${LS_HOME}/ \
-  && mkdir -pv ${LS_SETTINGS_DIR} ${LS_CONF_PATH} ${LS_LOGS_PATH} \
-  && mv /usr/share/logstash/config/* ${LS_SETTINGS_DIR}
-ADD logstash/logstash-init /etc/init.d/logstash
-ADD logstash/pipeline/* ${LS_CONF_PATH}/
-ADD logstash/logstash.yml ${LS_SETTINGS_DIR}
-ADD logstash/output_templates/* /opt/helk/output_templates/
-RUN groupadd -r logstash -g ${LS_GID} \
-  && useradd -r -s /usr/sbin/nologin -M -c "Logstash user" -u ${LS_UID} -g logstash logstash \
-  && chown -R logstash:logstash ${LS_HOME} ${LS_SETTINGS_DIR} ${LS_CONF_PATH} ${LS_LOGS_PATH} /opt/helk/output_templates
-
-# *********** Installing Nginx ***************
-RUN apt-get install -qqy nginx \
-  && mv /etc/nginx/sites-available/default /etc/nginx/sites-available/backup_default
-ADD nginx/htpasswd.users /etc/nginx/ 
-ADD nginx/default /etc/nginx/sites-available/
-RUN apt-get update -qq
-
-# *********** Copying Intel files to HELK ***************
-ADD enrichments/otx/ /opt/helk/otx/
-
-# *********** Creating Cron Job to run OTX script every monday at 8AM and capture last 30 days of Intel *************
-RUN cronjob="0 8 * * 1 python /opt/helk/scripts/helk_otx.py" \
-  && echo "$cronjob" | crontab
-
-# *********** Install Cerebro ***************
-ENV CEREBRO_HOME=/opt/helk/cerebro
-ENV CEREBRO_LOGS_PATH=/var/log/cerebro
-RUN wget -qO- https://github.com/lmenezes/cerebro/releases/download/v0.7.2/cerebro-0.7.2.tgz | sudo tar xvz -C ${CEREBRO_HOME} \
-  && mkdir -v $CEREBRO_LOGS_PATH
-ADD cerebro/cerebro-init /etc/init.d/cerebro
-
-# *********** RUN HELK ***************
-EXPOSE 80 5044 9000 8082
-WORKDIR "/opt/helk/scripts/"
-ENTRYPOINT ["./elk-entrypoint.sh"]
--- a/helk-elk/enrichments/otx/otx_imphash_.csv
+++ b/helk-elk/enrichments/otx/otx_imphash_.csv
@ -1 +0,0 @@
-E160EF8E55BB9D162DA4E266AFD9EEF3,CBT-Locker ransomeware
--- a/helk-elk/enrichments/otx/otx_ipv4_.csv
+++ b/helk-elk/enrichments/otx/otx_ipv4_.csv
@ -1,263 +0,0 @@
-185.69.153.72,CVE-2016-7262 from Kyrgyzstan
-104.144.207.207,Cobalt Group Gaffe Reveals All Targets in Attack on Financial Institutions
-138.68.234.128,Cobalt Group Gaffe Reveals All Targets in Attack on Financial Institutions
-104.237.233.38,A dive into MuddyWater APT targeting Middle-East
-148.251.204.131,A dive into MuddyWater APT targeting Middle-East
-78.129.139.134,A dive into MuddyWater APT targeting Middle-East
-78.129.139.147,A dive into MuddyWater APT targeting Middle-East
-88.99.17.148,A dive into MuddyWater APT targeting Middle-East
-115.68.49.179,UBoatRAT Navigates East Asia
-115.68.49.180,UBoatRAT Navigates East Asia
-115.68.52.66,UBoatRAT Navigates East Asia
-122.147.187.173,UBoatRAT Navigates East Asia
-124.150.140.131,UBoatRAT Navigates East Asia
-60.248.190.36,UBoatRAT Navigates East Asia
-80.211.173.20,A New Mirai Variant is Spreading Quickly on Port 23 and 2323
-93.115.38.178,The New and Improved macOS Backdoor from OceanLotus
-106.187.38.21,Muddying the Water: Targeted Attacks in the Middle East
-138.201.75.227,Muddying the Water: Targeted Attacks in the Middle East
-144.76.109.88,Muddying the Water: Targeted Attacks in the Middle East
-148.251.204.131,Muddying the Water: Targeted Attacks in the Middle East
-151.80.14.194,Recent InPage Exploits Lead to Multiple Malware Families
-185.121.177.177,CHTHONIC and DIMNIE Campaign Targets Russia
-103.208.86.92,CHTHONIC and DIMNIE Campaign Targets Russia
-194.67.211.202,Fake Flash Player Update Linked to Watering Hole Attack on Popular News Site
-89.26.243.21,Fake Flash Player Update Linked to Watering Hole Attack on Popular News Site
-89.26.243.22,Fake Flash Player Update Linked to Watering Hole Attack on Popular News Site
-47.89.250.152,Locky ransomware adds anti sandbox feature
-185.10.58.170,Sofacys Komplex OS X Trojan
-169.255.137.203,Introducing WhiteBear
-217.171.86.137,Introducing WhiteBear
-66.178.107.140,Introducing WhiteBear
-169.255.137.203,Gazing at Gazer - Turlas new second stage backdoor
-217.171.86.137,Gazing at Gazer - Turlas new second stage backdoor
-185.162.235.121,Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug
-74.91.19.122,Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug
-27.255.83.3,Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures
-103.240.140.152,SSHPsychos
-162.218.112.7,SSHPsychos
-169.254.61.191,OPERATION QUANTUM ENTANGLEMENT
-169.254.163.19,OPERATION QUANTUM ENTANGLEMENT
-47.88.52.220,Ukranian Accounting Software Site Delivering Malware
-46.20.33.219,Ukranian Accounting Software Site Delivering Malware
-203.248.116.182,Paranoid PlugX
-138.201.44.3,Footprints of Fin7
-198.100.119.6,Footprints of Fin7
-5.149.250.235,Footprints of Fin7
-91.214.70.69,Malicious Scanbox Host
-138.68.242.68,Further Gaza Cybergang Activity
-165.194.123.67,Backdoor.Rifelku
-119.28.78.131,Gryphon Ransomware
-104.223.89.174,Dreambot post infection traffic
-37.1.202.26,Karagany.B
-37.1.219.31,Karagany.B
-5.61.39.179,Karagany.B
-45.125.12.147,It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community
-116.193.154.69,It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community
-103.242.134.243,It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community
-103.40.102.233,It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community
-112.10.117.47,It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community
-164.132.50.32,Recent Emotet Malware
-173.212.192.45,Recent Emotet Malware
-178.62.175.211,Recent Emotet Malware
-178.79.132.214,Recent Emotet Malware
-192.81.212.79,Recent Emotet Malware
-74.208.17.10,Recent Emotet Malware
-93.180.157.92,Recent Emotet Malware
-158.69.199.223,Recent Emotet Malware
-176.119.28.74,"MARCHER GETS CLOSE TO USERS BY TARGETING MOBILE BANKING, ANDROID APPS, SOCIAL MEDIA, AND EMAIL"
-107.170.240.244,Microsoft Office OLE2Link vulnerability samples - a quick triage
-212.86.115.71,Microsoft Office OLE2Link vulnerability samples - a quick triage
-46.102.152.129,Microsoft Office OLE2Link vulnerability samples - a quick triage
-95.141.38.110,Microsoft Office OLE2Link vulnerability samples - a quick triage
-95.46.99.199,Microsoft Office OLE2Link vulnerability samples - a quick triage
-101.165.141.2,Dridex Malspam
-107.170.0.14,Dridex Malspam
-109.170.219.19,Dridex Malspam
-117.120.7.82,Dridex Malspam
-174.104.208.57,Dridex Malspam
-175.32.140.13,Dridex Malspam
-179.108.87.11,Dridex Malspam
-213.214.50.60,Dridex Malspam
-23.95.23.219,Dridex Malspam
-37.120.172.171,Dridex Malspam
-66.214.155.189,Dridex Malspam
-8.8.247.36,Dridex Malspam
-86.3.169.110,Dridex Malspam
-86.4.149.217,Dridex Malspam
-88.177.240.182,Dridex Malspam
-90.219.218.80,Dridex Malspam
-95.145.161.76,Dridex Malspam
-122.10.91.133,Recent PlugX Samples
-118.193.225.133,Flying Dragon Eye: Uyghur Themed Threat Activity
-118.193.240.195,Flying Dragon Eye: Uyghur Themed Threat Activity
-59.188.83.144,Flying Dragon Eye: Uyghur Themed Threat Activity
-118.193.240.218,Flying Dragon Eye: Uyghur Themed Threat Activity
-210.209.118.87,Flying Dragon Eye: Uyghur Themed Threat Activity
-212.47.254.187,A Mole exposing itself to sunlight
-80.78.251.138,Rurktar Backdoor
-80.78.251.148,Rurktar Backdoor
-46.148.18.122,LuaBot: Malware targeting cable modems
-80.87.205.92,LuaBot: Malware targeting cable modems
-193.169.252.102,MajikPOS Combines PoS Malware and RATs to Pull Off its Malicious Tricks
-198.100.119.6,Similarities Between Carbanak and FIN7 Malware Suggest Actors Are Closely Related
-198.100.119.7,Similarities Between Carbanak and FIN7 Malware Suggest Actors Are Closely Related
-204.155.31.167,Similarities Between Carbanak and FIN7 Malware Suggest Actors Are Closely Related
-204.155.31.174,Similarities Between Carbanak and FIN7 Malware Suggest Actors Are Closely Related
-31.148.219.141,Similarities Between Carbanak and FIN7 Malware Suggest Actors Are Closely Related
-198.100.119.6,FIN7 Evolution and the Phishing LNK
-179.108.87.11,Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day
-185.25.184.214,Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day
-185.44.105.92,Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day
-23.95.23.219,Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day
-63.141.250.167,Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day
-64.79.205.100,Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day
-83.229.87.11,Snake: Coming soon in Mac OS X flavour
-138.201.44.30,EPS Processing Zero-Days Exploited by Multiple Threat Actors
-185.106.122.113,EPS Processing Zero-Days Exploited by Multiple Threat Actors
-84.200.2.12,EPS Processing Zero-Days Exploited by Multiple Threat Actors
-86.110.117.207,DiamondFox modular malware – a one-stop shop
-50.6.118.27,Operation Electric Powder – Who is targeting Israel Electric Company?
-82.211.30.186,Operation Electric Powder – Who is targeting Israel Electric Company?
-178.175.138.196,Spear Phishing attacks hits industrial companies
-138.201.7.140,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
-136.243.203.174,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
-192.99.102.35,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
-85.117.204.18,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
-178.33.94.47,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
-158.69.57.61,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
-136.243.214.247,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
-136.243.203.141,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
-31.3.225.55,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
-83.142.230.138,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
-149.202.230.140,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
-62.138.9.9,Ursnif Banking Trojan Campaign Ups the Ante with New Sandbox Evasion Techniques
-62.138.9.11,Ursnif Banking Trojan Campaign Ups the Ante with New Sandbox Evasion Techniques
-62.75.195.117,Ursnif Banking Trojan Campaign Ups the Ante with New Sandbox Evasion Techniques
-109.236.87.82,Ursnif Banking Trojan Campaign Ups the Ante with New Sandbox Evasion Techniques
-69.64.77.51,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-74.208.193.2,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-138.201.210.182,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-74.63.219.5,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-69.175.20.4,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-74.208.213.215,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-69.175.20.3,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-188.138.70.8,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-92.222.122.55,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-107.6.177.5,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-137.74.148.228,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-92.222.122.54,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-172.86.179.110,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-74.208.234.59,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-74.208.99.205,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-185.49.68.151,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-108.175.8.33,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-74.208.99.201,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-74.208.78.150,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-85.25.237.52,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-51.254.30.226,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-51.254.30.225,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-74.208.193.19,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-108.175.12.108,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-198.71.51.101,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-185.140.33.81,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-176.31.151.177,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-176.31.151.176,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-5.196.208.235,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-46.105.81.161,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-85.93.93.161,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-63.143.53.134,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-69.175.7.219,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-74.208.77.4,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-209.126.118.6,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
-91.92.136.20,MONSOON APT campaign activity 7-6-2017
-184.154.150.66,Attack on Critical Infrastructure Leverages Template Injection
-5.153.58.45,Attack on Critical Infrastructure Leverages Template Injection
-62.8.193.206,Attack on Critical Infrastructure Leverages Template Injection
-78.47.96.17,New version of Hworm being used within multiple attacks
-136.243.104.200,New version of Hworm being used within multiple attacks
-52.42.161.75,New version of Hworm being used within multiple attacks
-81.130.131.55,"Dridex Banking Trojan Returns, Leverages New UAC Bypass Method"
-179.177.114.30,"Dridex Banking Trojan Returns, Leverages New UAC Bypass Method"
-84.234.75.108,"Dridex Banking Trojan Returns, Leverages New UAC Bypass Method"
-193.238.152.198,From RTF to Cobalt Strike passing via Flash
-108.61.117.31,Deep Dive On The DragonOK Rambo Backdoor
-116.193.154.28,Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government
-192.225.226.195,Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations
-160.16.243.129,Winnti Abuses GitHub for CC Communications
-174.139.203.18,Winnti Abuses GitHub for CC Communications
-174.139.203.20,Winnti Abuses GitHub for CC Communications
-174.139.203.22,Winnti Abuses GitHub for CC Communications
-174.139.203.27,Winnti Abuses GitHub for CC Communications
-174.139.203.34,Winnti Abuses GitHub for CC Communications
-174.139.62.58,Winnti Abuses GitHub for CC Communications
-174.139.62.60,Winnti Abuses GitHub for CC Communications
-174.139.62.61,Winnti Abuses GitHub for CC Communications
-61.195.98.245,Winnti Abuses GitHub for CC Communications
-67.198.161.250,Winnti Abuses GitHub for CC Communications
-67.198.161.251,Winnti Abuses GitHub for CC Communications
-67.198.161.252,Winnti Abuses GitHub for CC Communications
-210.244.79.219,Msposer.C Samples
-185.159.82.11,Nemucod Evolves Delivery and Obfuscation Techniques to Harvest Credentials
-122.9.52.215,APT Targets Financial Analysts with CVE-2017-0199
-185.82.202.102,Two Years of Pawn Storm
-193.169.244.35,Two Years of Pawn Storm
-46.166.162.90,Two Years of Pawn Storm
-46.183.217.74,Two Years of Pawn Storm
-80.255.3.94,Two Years of Pawn Storm
-87.121.52.145,Two Years of Pawn Storm
-144.76.108.61,DressCode Android Malware Finds Apparent Successor in MilkyDoor
-89.46.102.43,Callisto Group
-185.77.129.103,CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware
-217.12.203.90,CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware
-95.141.38.110,CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware
-217.12.203.100,CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler
-46.102.152.129,CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler
-95.141.38.110,CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler
-103.43.18.105,Playing Cat &amp; Mouse: Introducing the Felismus Malware
-45.76.128.71,Shamoon 2 Delivering Disttrack
-103.249.31.49,Conference Invite used as a Lure by Operation Lotus Blossom Actors
-74.200.214.226,CNACOM - Open Source Exploitation via Strategic Web Compromise
-104.171.117.216,Sednit Downloader DOWNDELPH
-141.255.160.52,Sednit Downloader DOWNDELPH
-69.90.132.215,Fancy Bear Tracking of Ukrainian Field Artillery Units
-5.200.52.198,When A Pony Walks Out Of A Pub
-195.22.127.233,When A Pony Walks Out Of A Pub
-192.169.136.121,URI TERROR ATTACK &amp; KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
-203.31.216.214,URI TERROR ATTACK &amp; KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
-45.42.243.20,URI TERROR ATTACK &amp; KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
-39.40.44.245,URI TERROR ATTACK &amp; KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
-175.107.13.215,URI TERROR ATTACK &amp; KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
-155.254.225.24,URI TERROR ATTACK &amp; KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
-175.107.5.247,URI TERROR ATTACK &amp; KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
-175.107.6.174,URI TERROR ATTACK &amp; KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
-39.47.84.127,URI TERROR ATTACK &amp; KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
-39.40.67.219,URI TERROR ATTACK &amp; KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
-39.47.125.110,URI TERROR ATTACK &amp; KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
-39.40.141.25,URI TERROR ATTACK &amp; KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
-175.107.7.69,URI TERROR ATTACK &amp; KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
-175.107.7.50,URI TERROR ATTACK &amp; KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
-119.160.68.178,URI TERROR ATTACK &amp; KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
-139.190.6.180,URI TERROR ATTACK &amp; KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
-182.191.90.91,URI TERROR ATTACK &amp; KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
-175.110.165.110,URI TERROR ATTACK &amp; KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
-182.191.90.92,URI TERROR ATTACK &amp; KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
-188.165.163.228,Updated Sundown Exploit Kit Uses Steganography
-101.200.147.153,Switcher: Android joins the attack-the-router club
-112.33.13.11,Switcher: Android joins the attack-the-router club
-120.76.249.59,Switcher: Android joins the attack-the-router club
-80.233.134.147,TeleBots: Analyzing disruptive KillDisk attacks
-95.141.37.3,TeleBots: Analyzing disruptive KillDisk attacks
-93.190.137.212,TeleBots: Analyzing disruptive KillDisk attacks
-5.45.70.34,Tordow v2.0 Android Malware
-85.69.197.19,Nuclear Bot
-210.172.213.117,"DRIDEX IN THE SHADOWS - BLACKLISTING, STEALTH, AND CRYPTO-CURRENCY"
-87.98.132.57,"DRIDEX IN THE SHADOWS - BLACKLISTING, STEALTH, AND CRYPTO-CURRENCY"
-85.214.207.16,"DRIDEX IN THE SHADOWS - BLACKLISTING, STEALTH, AND CRYPTO-CURRENCY"
-37.221.210.196,"DRIDEX IN THE SHADOWS - BLACKLISTING, STEALTH, AND CRYPTO-CURRENCY"
-58.222.39.215,PluginPhantom: New Android Trojan Abuses &quot;DroidPlugin&quot; Framework
-41.208.110.46,Investigating a Libyan Cyber Espionage Campaign Targeting High-Profile Influentials
-163.47.20.25,A RAT For The US Presidential Elections
-103.25.58.83,A RAT For The US Presidential Elections
-89.35.178.112,Windows Troubleshooting Platform Leveraged to Deliver Malware
-158.255.5.121,Linux.DDoS.93
--- a/helk-elk/enrichments/otx/otx_md5_.csv
+++ b/helk-elk/enrichments/otx/otx_md5_.csv
--- a/helk-elk/enrichments/otx/otx_sha1_.csv
+++ b/helk-elk/enrichments/otx/otx_sha1_.csv
--- a/helk-elk/enrichments/otx/otx_sha256_.csv
+++ b/helk-elk/enrichments/otx/otx_sha256_.csv
--- a/helk-elk/scripts/elk-entrypoint.sh
+++ b/helk-elk/scripts/elk-entrypoint.sh
@ -1,58 +0,0 @@
-#!/bin/sh
-
-# HELK script: elk-entrypoint.sh
-# HELK script description: Restarts and runs ELK services
-# HELK build version: 0.9 (Alpha)
-# Author: Roberto Rodriguez (@Cyb3rWard0g)
-# License: BSD 3-Clause
-
-# Start graceful termination of HELK services that might be running before running the entrypoint script.
-_term() {
-  echo "Terminating HELK Services"
-  service elasticsearch stop
-  service logstash stop
-  service kibana stop
-  service cerebro stop
-  exit 0
-}
-trap _term SIGTERM
-
-# Removing PID files just in case the graceful termination fails
-rm -f /var/run/elasticsearch/elasticsearch.pid \
-    /var/run/logstash.pid \
-    /var/run/kibana.pid \
-    /var/run/cerebro.pid
-
-# *********** Setting ES Heap Size***************
-# https://serverfault.com/questions/881383/automatically-set-java-heap-size-for-elasticsearch-on-linux
-memoryInKb="$(awk '/MemTotal/ {print $2}' /proc/meminfo)"
-heapSize="$(expr $memoryInKb / 1024 / 1000 / 2)"
-sed -i "s/#*-Xmx[0-9]\+g/-Xmx${heapSize}g/g" /etc/elasticsearch/jvm.options
-sed -i "s/#*-Xms[0-9]\+g/-Xms${heapSize}g/g" /etc/elasticsearch/jvm.options
-
-# *********** Setting Logstash Heap Size***************
-# https://www.elastic.co/guide/en/logstash/current/performance-troubleshooting.html
-sed -i "s/#*-Xmx[0-9]\+g/-Xmx2g/g" /etc/logstash/jvm.options
-sed -i "s/#*-Xms[0-9]\+g/-Xms2g/g" /etc/logstash/jvm.options
-
-# *********** Start HELK services ***************
-echo "[HELK-DOCKER-INSTALLATION-INFO] Starting elasticsearch service"
-service elasticsearch start
-echo "[HELK-DOCKER-INSTALLATION-INFO] Waiting for elasticsearch URI to be accessible.."
-until curl -s localhost:9200 -o /dev/null; do
-    sleep 1
-done
-
-echo "[HELK-DOCKER-INSTALLATION-INFO] Starting remaining services.."
-service kibana start
-service nginx restart
-service logstash start
-service cerebro start
-service cron start
-
-    # *********** Creating Kibana Dashboards, visualizations and index-patterns ***************
-echo "[HELK-DOCKER-INSTALLATION-INFO] Running helk_kibana_setup.sh script..."
-./elk-kibana-setup.sh
-
-echo "[HELK-DOCKER-INSTALLATION-INFO] Pushing logstash Logs to console.."
-tail -f /var/log/logstash/*-plain.log
--- a/helk-elk/scripts/helk_otx.py
+++ b/helk-elk/scripts/helk_otx.py
@ -1,82 +0,0 @@
-#!/usr/bin/env python
-
-# HELK script: helk_otx.py
-# HELK script description: Pulling intelligence from OTX (AlienVault)
-# HELK build version: 0.9 (Alpha)
-# Author: Roberto Rodriguez (@Cyb3rWard0g)
-# License: BSD 3-Clause
-
-from OTXv2 import OTXv2
-from pandas.io.json import json_normalize
-
-otx = OTXv2("API Key")
-time_range = 30
-timedelta_days = timedelta(days=int(time_range))
-pull_time = (datetime.now() - timedelta_days).isoformat()
-
-def OTXEnrichment():
-    pulses = otx.getsince(pull_time)
-    data = []
-    object = {}
-    for p in pulses:
-        for i in p['indicators']:
-            object = {
-                'industries': p['industries'],
-                'tlp': p['tlp'],
-                'description' : p['description'],
-                'created' : p['created'],
-                'pulse_name' : p['name'],
-                'tags' : p['tags'],
-                'author_name' : p['author_name'],
-                'created': p['created'],
-                'modified' : p['modified'],
-                'targeted_countries' : p['targeted_countries'],
-                'id' : p['id'],
-                'extract_source' : p['extract_source'],
-                'references' : p['references'],
-                'adversary' : p['adversary'],
-                'indicator_name': i['indicator'],
-                'indicator_description': i['description'],
-                'indicator_title': i['title'],
-                'indicator_created': i['created'],
-                'indicator_content': i['content'],
-                'indicator_type': i['type'],
-                'indicator_id': i['id']
-            }    
-            data.append(object)
-    
-    IPV4 = []
-    IMPHASH = []
-    MD5 = []
-    SHA256 = []
-    SHA1 = []
-
-    def pull_indicators(lst, name):
-        object = {
-            'indicator_name' : (i['indicator_name']).upper(),
-            'pulse_name' : i['pulse_name'],
-            'ioc_name': name
-        }
-        return object
-    for i in data:
-        if i['indicator_type'] == "IPv4":
-            IPV4.append(pull_indicators(IPV4, 'ipv4'))
-        elif i['indicator_type'] == "FileHash-MD5":
-            MD5.append(pull_indicators(MD5, 'md5'))
-        elif i['indicator_type'] == "FileHash-SHA1":
-            SHA1.append(pull_indicators(SHA1, 'sha1'))
-        elif i['indicator_type'] == "FileHash-SHA256":
-            SHA256.append(pull_indicators(SHA256, 'sha256'))
-        elif i['indicator_type'] == "FileHash-IMPHASH":
-            IMPHASH.append(pull_indicators(IMPHASH, 'imphash'))
-
-    iocs = [IPV4, IMPHASH, MD5, SHA1, SHA256]
-    for i in iocs:
-        try:
-            df = json_normalize(i)
-            df.to_csv(('/opt/otx/otx_'+i[0]['ioc_name']+'_.csv'), index=False, header=False, encoding='utf-8', columns=("indicator_name", "pulse_name"))
-        except:
-            print "Not available Intelligence for one indicator in the past 30 days"
-
-if __name__=="__main__":
-    OTXEnrichment()
--- a/helk-kafka/Dockerfile
+++ b/helk-kafka/Dockerfile
@ -3,12 +3,10 @@
 # Author: Roberto Rodriguez (@Cyb3rWard0g)
 # License: BSD 3-Clause

-FROM phusion/baseimage
+FROM cyb3rward0g/helk-base:0.0.1
 LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
 LABEL description="Dockerfile base for the HELK Kafka."

-USER root
-
 ENV DEBIAN_FRONTEND noninteractive

 # *********** Installing Prerequisites ***************
@ -17,24 +15,20 @@ RUN echo "[HELK-DOCKER-INSTALLATION-INFO] Updating Ubuntu base image.." \
  && apt-get update -qq \
  && echo "[HELK-DOCKER-INSTALLATION-INFO] Extracting templates from packages.." \
  && apt-get install -qqy \
-  openjdk-8-jre-headless \
-  wget \
-  sudo \
-  nano
-RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && \
-    locale-gen
+  openjdk-8-jre-headless
+
 RUN apt-get -qy clean \
-  autoremove \
-  && rm -rf /var/lib/apt/lists/*
+  autoremove

 # *********** Creating the right directories ***************
-RUN bash -c 'mkdir -pv /opt/helk/{scripts,kafka}'
+RUN bash -c 'mkdir -pv /opt/helk/kafka'
 
 # *********** Install Kafka ***************
+ENV KAFKA_VERSION=1.1.0
 ENV KAFKA_LOGS_PATH=/var/log/kafka
-ENV KAFKA_HOME=/opt/helk/kafka/kafka_2.11-1.0.1
+ENV KAFKA_HOME=/opt/helk/kafka/kafka_2.11-${KAFKA_VERSION}

-RUN wget -qO- http://mirrors.advancedhosters.com/apache/kafka/1.0.1/kafka_2.11-1.0.1.tgz | sudo tar xvz -C /opt/helk/kafka/ \
+RUN wget -qO- http://mirrors.ocf.berkeley.edu/apache/kafka/1.1.0/kafka_2.11-${KAFKA_VERSION}.tgz | sudo tar xvz -C /opt/helk/kafka/ \
  && mkdir -v $KAFKA_LOGS_PATH \
  && mv ${KAFKA_HOME}/config/server.properties ${KAFKA_HOME}/config/backup_server.properties
 ADD *.properties ${KAFKA_HOME}/config/
--- a/helk-kafka/kafka-init
+++ b/helk-kafka/kafka-init
@ -32,7 +32,7 @@ if [ -r /etc/default/rcS ]; then
  . /etc/default/rcS
 fi

-KAFKA_HOME=/opt/helk/kafka/kafka_2.11-1.0.1
+KAFKA_HOME=/opt/helk/kafka/kafka_2.11-1.1.0
 KAFKA_USER=root
 KAFKA_GROUP=root
 KAFKA_NICE=18
--- a/helk-kafka/scripts/kafka-entrypoint.sh
+++ b/helk-kafka/scripts/kafka-entrypoint.sh
@ -6,7 +6,7 @@
 # Author: Roberto Rodriguez (@Cyb3rWard0g)
 # License: BSD 3-Clause

-KAFKA_VERSION=2.11-1.0.1
+KAFKA_VERSION=1.1.0

 # Start graceful termination of HELK services that might be running before running the entrypoint script.
 _term() {
@ -24,14 +24,20 @@ rm -f /var/run/kafka_zookeeper.pid \

   # *********** Start Kafka **************
 echo "[HELK-DOCKER-INSTALLATION-INFO] Setting current host IP to brokers server.properties files.."
-sed -i "s/advertised\.listeners\=PLAINTEXT:\/\/HELKIP\:9092/advertised\.listeners\=PLAINTEXT\:\/\/${ADVERTISED_LISTENER}\:9092/g" /opt/helk/kafka/kafka_${KAFKA_VERSION}/config/server.properties
-sed -i "s/advertised\.listeners\=PLAINTEXT:\/\/HELKIP\:9093/advertised\.listeners\=PLAINTEXT\:\/\/${ADVERTISED_LISTENER}\:9093/g" /opt/helk/kafka/kafka_${KAFKA_VERSION}/config/server-1.properties
-sed -i "s/advertised\.listeners\=PLAINTEXT:\/\/HELKIP\:9094/advertised\.listeners\=PLAINTEXT\:\/\/${ADVERTISED_LISTENER}\:9094/g" /opt/helk/kafka/kafka_${KAFKA_VERSION}/config/server-2.properties
+sed -i "s/advertised\.listeners\=PLAINTEXT:\/\/HELKIP\:9092/advertised\.listeners\=PLAINTEXT\:\/\/${ADVERTISED_LISTENER}\:9092/g" /opt/helk/kafka/kafka_2.11-${KAFKA_VERSION}/config/server.properties
+sed -i "s/advertised\.listeners\=PLAINTEXT:\/\/HELKIP\:9093/advertised\.listeners\=PLAINTEXT\:\/\/${ADVERTISED_LISTENER}\:9093/g" /opt/helk/kafka/kafka_2.11-${KAFKA_VERSION}/config/server-1.properties
+sed -i "s/advertised\.listeners\=PLAINTEXT:\/\/HELKIP\:9094/advertised\.listeners\=PLAINTEXT\:\/\/${ADVERTISED_LISTENER}\:9094/g" /opt/helk/kafka/kafka_2.11-${KAFKA_VERSION}/config/server-2.properties
 echo "[HELK-DOCKER-INSTALLATION-INFO] Starting Kafka.."
 service kafka start
 sleep 30
 echo "[HELK-DOCKER-INSTALLATION-INFO] Creating Kafka winlogbeat Topic.."
-/opt/helk/kafka/kafka_${KAFKA_VERSION}/bin/kafka-topics.sh --create --zookeeper $ADVERTISED_LISTENER:2181 --replication-factor 3 --partitions 1 --topic winlogbeat
+/opt/helk/kafka/kafka_2.11-${KAFKA_VERSION}/bin/kafka-topics.sh --create --zookeeper $ADVERTISED_LISTENER:2181 --replication-factor 3 --partitions 1 --topic winlogbeat
+
+echo "[HELK-DOCKER-INSTALLATION-INFO] Creating Kafka winevent-sysmon-transformed Topic.."
+/opt/helk/kafka/kafka_2.11-${KAFKA_VERSION}/bin/kafka-topics.sh --create --zookeeper $ADVERTISED_LISTENER:2181 --replication-factor 3 --partitions 1 --topic sysmontransformed
+
+echo "[HELK-DOCKER-INSTALLATION-INFO] Creating Kafka winevent-security-transformed Topic.."
+/opt/helk/kafka/kafka_2.11-${KAFKA_VERSION}/bin/kafka-topics.sh --create --zookeeper $ADVERTISED_LISTENER:2181 --replication-factor 3 --partitions 1 --topic securitytransformed

 echo "[HELK-DOCKER-INSTALLATION-INFO] Pushing Spark Logs to console.."
 tail -f /var/log/kafka/helk-*.log
--- a/helk-kafka/server-1.properties
+++ b/helk-kafka/server-1.properties
@ -30,7 +30,7 @@ broker.id=1
 #     listeners = PLAINTEXT://your.host.name:9092
 #listeners=INSIDE://:9094,OUTSIDE://:9095
 #inter.broker.listener.name=INSIDE
-listeners=PLAINTEXT://:9093
+listeners=PLAINTEXT://helk-kafka:9093
 # Hostname and port the broker will advertise to producers and consumers. If not set,
 # it uses the value for "listeners" if configured.  Otherwise, it will use the value
 # returned from java.net.InetAddress.getCanonicalHostName().
--- a/helk-kafka/server-2.properties
+++ b/helk-kafka/server-2.properties
@ -30,7 +30,7 @@ broker.id=2
 #     listeners = PLAINTEXT://your.host.name:9092
 #listeners=INSIDE://:9096,OUTSIDE://:9097
 #inter.broker.listener.name=INSIDE
-listeners=PLAINTEXT://:9094
+listeners=PLAINTEXT://helk-kafka:9094
 # Hostname and port the broker will advertise to producers and consumers. If not set,
 # it uses the value for "listeners" if configured.  Otherwise, it will use the value
 # returned from java.net.InetAddress.getCanonicalHostName().
--- a/helk-kafka/server.properties
+++ b/helk-kafka/server.properties
@ -30,7 +30,7 @@ broker.id=0
 #     listeners = PLAINTEXT://your.host.name:9092
 #listeners=INSIDE://:9092,OUTSIDE://:9093
 #inter.broker.listener.name=INSIDE
-listeners=PLAINTEXT://:9092
+listeners=PLAINTEXT://helk-kafka:9092
 # Hostname and port the broker will advertise to producers and consumers. If not set,
 # it uses the value for "listeners" if configured.  Otherwise, it will use the value
 # returned from java.net.InetAddress.getCanonicalHostName().
--- a/helk-kibana/Dockerfile
+++ b/helk-kibana/Dockerfile
@ -0,0 +1,65 @@
+# HELK script: HELK Kibana Dockerfile
+# HELK build version: 0.9 (ALPHA)
+# HELK ELK version: 6.2.3
+# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# License: BSD 3-Clause
+
+# References: 
+# https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat_98.html
+# https://github.com/spujadas/elk-docker/blob/master/Dockerfile
+
+FROM cyb3rward0g/helk-base:0.0.1
+LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
+LABEL description="Dockerfile base for the HELK Kibana."
+
+ENV DEBIAN_FRONTEND noninteractive
+
+# *********** Installing Prerequisites ***************
+# -qq : No output except for errors
+RUN echo "[HELK-DOCKER-INSTALLATION-INFO] Updating Ubuntu base image.." \
+  && apt-get update -qq \
+  && echo "[HELK-DOCKER-INSTALLATION-INFO] Extracting templates from packages.." \
+  && apt-get install -qqy \
+  openjdk-8-jre-headless
+
+RUN apt-get -qy clean \
+  autoremove
+
+# *********** Creating the right directories ***************
+RUN bash -c 'mkdir -pv /opt/helk/{dashboards,kibana}'
+
+# *********** Adding HELK scripts and files to Container ***************
+ADD scripts/entrypoint.sh /opt/helk/scripts/
+RUN chmod +x /opt/helk/scripts/entrypoint.sh
+
+# *********** Adding HELK scripts and files to Container ***************
+ADD scripts/elk-kibana-setup.sh /opt/helk/scripts/
+ADD scripts/entrypoint.sh /opt/helk/scripts/
+RUN chmod +x /opt/helk/scripts/elk-kibana-setup.sh
+RUN chmod +x /opt/helk/scripts/entrypoint.sh
+
+# *********** ELK Version ***************
+ENV ELK_VERSION=6.2.3
+
+# *********** Installing Kibana ***************
+ENV KIBANA_HELK_HOME=/opt/helk/kibana
+ENV KIBANA_HOME=/usr/share/kibana
+ENV KIBANA_PATH_CONF=/etc/kibana
+ENV KIBANA_PATH_LOGS=/var/log/kibana
+ENV KIBANA_GID=708
+ENV KIBANA_UID=708
+
+RUN wget -qO- https://artifacts.elastic.co/downloads/kibana/kibana-${ELK_VERSION}-linux-x86_64.tar.gz | sudo tar xvz -C ${KIBANA_HELK_HOME} --strip-components=1 \
+  && cp -r ${KIBANA_HELK_HOME}/ ${KIBANA_HOME}/ \
+  && mkdir -pv ${KIBANA_PATH_CONF} ${KIBANA_PATH_LOGS} \
+  && mv /usr/share/kibana/config/* ${KIBANA_PATH_CONF}
+ADD kibana-init /etc/init.d/kibana
+ADD kibana.yml ${KIBANA_PATH_CONF}
+ADD dashboards/ /opt/helk/dashboards/
+RUN groupadd -r kibana -g ${KIBANA_GID} \
+  && useradd -r -s /usr/sbin/nologin -M -c "Kibana user" -u ${KIBANA_UID} -g kibana kibana \
+  && chown -R kibana:kibana ${KIBANA_HOME} ${KIBANA_PATH_CONF} ${KIBANA_PATH_LOGS} /opt/helk/dashboards
+
+# *********** RUN HELK ***************
+WORKDIR "/opt/helk/scripts/"
+ENTRYPOINT ["./entrypoint.sh"]
--- a/helk-elk/kibana/dashboards/Global_Dashboard.json
+++ b/helk-elk/kibana/dashboards/Global_Dashboard.json
--- a/helk-elk/kibana/dashboards/Sysmon_Dashboard.json
+++ b/helk-elk/kibana/dashboards/Sysmon_Dashboard.json
--- a/helk-elk/kibana/dashboards/Sysmon_Network_Dashboard.json
+++ b/helk-elk/kibana/dashboards/Sysmon_Network_Dashboard.json
--- a/helk-elk/kibana/kibana-init
+++ b/helk-elk/kibana/kibana-init
--- a/helk-elk/kibana/kibana.yml
+++ b/helk-elk/kibana/kibana.yml
@ -4,7 +4,7 @@
 # Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
 # The default is 'localhost', which usually means remote machines will not be able to connect.
 # To allow connections from remote users, set this parameter to a non-loopback address.
-server.host: "localhost"
+server.host: "helk-kibana"

 # Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects
 # the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests
@ -18,7 +18,7 @@ server.host: "localhost"
 #server.name: "your-hostname"

 # The URL of the Elasticsearch instance to use for all your queries.
-#elasticsearch.url: "http://localhost:9200"
+elasticsearch.url: "http://helk-elasticsearch:9200"

 # When this setting's value is true Kibana uses the hostname specified in the server.host
 # setting. When the value of this setting is false, Kibana uses the hostname of the host
--- a/helk-kibana/scripts/elk-kibana-setup.sh
+++ b/helk-kibana/scripts/elk-kibana-setup.sh
@ -13,7 +13,7 @@
 # https://github.com/elastic/kibana/issues/14872

 # *********** Setting Variables ***************
-KIBANA="http://localhost:5601"
+KIBANA="http://helk-kibana:5601"
 TIME_FIELD="@timestamp"
 DEFAULT_INDEX="logs-endpoint-winevent-sysmon-*"
 DIR=/opt/helk/dashboards
@ -22,7 +22,7 @@ DIR=/opt/helk/dashboards
 declare -a index_patterns=("logs-endpoint-*" "logs-*" "logs-endpoint-winevent-sysmon-*" "logs-endpoint-winevent-security-*" "logs-endpoint-winevent-system-*" "logs-endpoint-winevent-application-*" "logs-endpoint-winevent-wmiactivity-*" "logs-endpoint-winevent-powershell-*")

 # *********** Waiting for Kibana to be available ***************
-until curl -s localhost:5601 -o /dev/null; do
+until curl -s helk-kibana:5601 -o /dev/null; do
    sleep 1
 done

--- a/helk-kibana/scripts/entrypoint.sh
+++ b/helk-kibana/scripts/entrypoint.sh
@ -0,0 +1,34 @@
+#!/bin/sh
+
+# HELK script: entrypoint.sh
+# HELK script description: Restarts and runs Kibana service
+# HELK build version: 0.9 (Alpha)
+# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# License: BSD 3-Clause
+
+# Start graceful termination of kibana services that might be running before running the entrypoint script.
+_term() {
+  echo "Terminating Kibana Service"
+  service kibana stop
+  exit 0
+}
+trap _term SIGTERM
+
+# Removing PID files just in case the graceful termination fails
+rm -f /var/run/kibana.pid
+
+# *********** Start Kibana services ***************
+echo "[HELK-DOCKER-INSTALLATION-INFO] Waiting for elasticsearch URI to be accessible.."
+until curl -s helk-elasticsearch:9200 -o /dev/null; do
+    sleep 1
+done
+
+echo "[HELK-DOCKER-INSTALLATION-INFO] Starting Kibana service.."
+service kibana start
+
+    # *********** Creating Kibana Dashboards, visualizations and index-patterns ***************
+echo "[HELK-DOCKER-INSTALLATION-INFO] Running helk_kibana_setup.sh script..."
+./elk-kibana-setup.sh
+
+echo "[HELK-DOCKER-INSTALLATION-INFO] Pushing Kibana logs to console.."
+tail -f /var/log/kibana/kibana.log
--- a/helk-logstash/Dockerfile
+++ b/helk-logstash/Dockerfile
@ -0,0 +1,63 @@
+# HELK script: HELK Logstash Dockerfile
+# HELK build version: 0.9 (ALPHA)
+# HELK ELK version: 6.2.3
+# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# License: BSD 3-Clause
+
+# References: 
+# https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat_98.html
+# https://github.com/spujadas/elk-docker/blob/master/Dockerfile
+
+FROM cyb3rward0g/helk-base:0.0.1
+LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
+LABEL description="Dockerfile base for the HELK Logstash."
+
+ENV DEBIAN_FRONTEND noninteractive
+
+# *********** Installing Prerequisites ***************
+# -qq : No output except for errors
+RUN echo "[HELK-DOCKER-INSTALLATION-INFO] Updating Ubuntu base image.." \
+  && apt-get update -qq \
+  && echo "[HELK-DOCKER-INSTALLATION-INFO] Extracting templates from packages.." \
+  && apt-get install -qqy \
+  openjdk-8-jre-headless \
+  python-pip
+
+RUN apt-get -qy clean \
+  autoremove
+
+# *********** Creating the right directories ***************
+RUN bash -c 'mkdir -pv /opt/helk/{output_templates,logstash}'
+
+# *********** Adding HELK scripts and files to Container ***************
+ADD scripts/entrypoint.sh /opt/helk/scripts/
+RUN chmod +x /opt/helk/scripts/entrypoint.sh
+
+# *********** ELK Version ***************
+ENV ELK_VERSION=6.2.3
+
+# *********** Installing Logstash ***************
+ENV LOGSTASH_HELK_HOME=/opt/helk/logstash
+ENV LS_HOME=/usr/share/logstash
+ENV LS_SETTINGS_DIR=/etc/logstash
+ENV LS_CONF_PATH=/etc/logstash/pipeline
+ENV LS_LOGS_PATH=/var/log/logstash
+ENV LS_GID=709
+ENV LS_UID=709
+
+RUN wget -qO- https://artifacts.elastic.co/downloads/logstash/logstash-${ELK_VERSION}.tar.gz | sudo tar xvz -C ${LOGSTASH_HELK_HOME} --strip-components=1 \
+  && cp -r ${LOGSTASH_HELK_HOME}/ ${LS_HOME}/ \
+  && mkdir -pv ${LS_SETTINGS_DIR} ${LS_CONF_PATH} ${LS_LOGS_PATH} \
+  && mv /usr/share/logstash/config/* ${LS_SETTINGS_DIR}
+ADD logstash-init /etc/init.d/logstash
+ADD pipeline/* ${LS_CONF_PATH}/
+ADD logstash.yml ${LS_SETTINGS_DIR}
+ADD output_templates/* /opt/helk/output_templates/
+RUN groupadd -r logstash -g ${LS_GID} \
+  && useradd -r -s /usr/sbin/nologin -M -c "Logstash user" -u ${LS_UID} -g logstash logstash \
+  && chown -R logstash:logstash ${LS_HOME} ${LS_SETTINGS_DIR} ${LS_CONF_PATH} ${LS_LOGS_PATH} /opt/helk/output_templates
+
+# *********** RUN HELK ***************
+EXPOSE 5044
+WORKDIR "/opt/helk/scripts/"
+ENTRYPOINT ["./entrypoint.sh"]
--- a/helk-logstash/enrichments/ACE/logstash/03-ace-rabbitmq-input.conf
+++ b/helk-logstash/enrichments/ACE/logstash/03-ace-rabbitmq-input.conf
--- a/helk-logstash/enrichments/ACE/logstash/55-rabbitmq-elasticsearch-output.conf
+++ b/helk-logstash/enrichments/ACE/logstash/55-rabbitmq-elasticsearch-output.conf
--- a/helk-elk/logstash/logstash-init
+++ b/helk-elk/logstash/logstash-init
--- a/helk-elk/logstash/logstash.yml
+++ b/helk-elk/logstash/logstash.yml
--- a/helk-elk/logstash/output_templates/powershell-direct-template.json
+++ b/helk-elk/logstash/output_templates/powershell-direct-template.json
--- a/helk-elk/logstash/output_templates/winevent-application-template.json
+++ b/helk-elk/logstash/output_templates/winevent-application-template.json
--- a/helk-elk/logstash/output_templates/winevent-security-template.json
+++ b/helk-elk/logstash/output_templates/winevent-security-template.json
--- a/helk-elk/logstash/output_templates/winevent-sysmon-template.json
+++ b/helk-elk/logstash/output_templates/winevent-sysmon-template.json
--- a/helk-elk/logstash/output_templates/winevent-system-template.json
+++ b/helk-elk/logstash/output_templates/winevent-system-template.json
--- a/helk-elk/logstash/output_templates/winevent-wmiactivity-template.json
+++ b/helk-elk/logstash/output_templates/winevent-wmiactivity-template.json
--- a/helk-elk/logstash/pipeline/02-kafka-input.conf
+++ b/helk-elk/logstash/pipeline/02-kafka-input.conf
@ -6,7 +6,7 @@
 input {
  kafka
  {
-    bootstrap_servers => "172.18.0.3:9092,172.18.0.3:9093,172.18.0.3:9094"
+    bootstrap_servers => "helk-kafka:9092,helk-kafka:9093,helk-kafka:9094"
    topics => ["winlogbeat"]
    decorate_events => true
    codec => "json"
--- a/helk-elk/logstash/pipeline/03-beats-input.conf
+++ b/helk-elk/logstash/pipeline/03-beats-input.conf
--- a/helk-elk/logstash/pipeline/09-all-filter.conf
+++ b/helk-elk/logstash/pipeline/09-all-filter.conf
--- a/helk-elk/logstash/pipeline/10-winevent-powershell-filter.conf
+++ b/helk-elk/logstash/pipeline/10-winevent-powershell-filter.conf
--- a/helk-elk/logstash/pipeline/11-winevent-sysmon-filter.conf
+++ b/helk-elk/logstash/pipeline/11-winevent-sysmon-filter.conf
@ -49,21 +49,6 @@ filter {
        prefix => "hash_"
        transform_key => "lowercase"
      }
-      translate {
-        field => "hash_md5"
-        destination => "otx_md5"
-        dictionary_path => "/opt/helk/otx/otx_md5_.csv"
-      }
-      translate {
-        field => "hash_sha1"
-        destination => "otx_sha1"
-        dictionary_path => "/opt/helk/otx/otx_sha1_.csv"
-      }
-      translate {
-        field => "hash_sha256"
-        destination => "otx_sha256"
-        dictionary_path => "/opt/helk/otx/otx_sha256_.csv"
-      }
    }
    if [event_data][TargetImage] {
      grok { 
@ -141,11 +126,6 @@ filter {
          "[event_data][SourcePortName]" => "src_port_name"
        }
      }
-      translate {
-        field => "dst_ip"
-        destination => "[otx][ip]"
-        dictionary_path => "/opt/helk/otx/otx_ipv4_.csv"
-      }
      geoip {
        source => "dst_ip"
        remove_field => "[geoip][ip]"
--- a/helk-elk/logstash/pipeline/12-winevent-security-filter.conf
+++ b/helk-elk/logstash/pipeline/12-winevent-security-filter.conf
--- a/helk-elk/logstash/pipeline/13-winevent-system-filter.conf
+++ b/helk-elk/logstash/pipeline/13-winevent-system-filter.conf
--- a/helk-elk/logstash/pipeline/14-winevent-application-filter.conf
+++ b/helk-elk/logstash/pipeline/14-winevent-application-filter.conf
--- a/helk-elk/logstash/pipeline/15-winevent-wmiactivity-filter.conf
+++ b/helk-elk/logstash/pipeline/15-winevent-wmiactivity-filter.conf
--- a/helk-elk/logstash/pipeline/16-winevent-security-schtasks-filter.conf
+++ b/helk-elk/logstash/pipeline/16-winevent-security-schtasks-filter.conf
--- a/helk-elk/logstash/pipeline/50-winevent-sysmon-output.conf
+++ b/helk-elk/logstash/pipeline/50-winevent-sysmon-output.conf
@ -6,12 +6,17 @@
 output {
  if [log_name] == "Microsoft-Windows-Sysmon/Operational"{
    elasticsearch {
-      hosts => ["127.0.0.1:9200"]
+      hosts => ["helk-elasticsearch:9200"]
      index => "logs-endpoint-winevent-sysmon-%{+YYYY.MM.dd}"
      template => "/opt/helk/output_templates/winevent-sysmon-template.json"
      template_name => "logs-endpoint-winevent-sysmon"
      template_overwrite => true
      document_id => "%{[@metadata][log_hash]}"
    }
+    kafka {
+      bootstrap_servers => "helk-kafka:9092,helk-kafka:9093,helk-kafka:9094"
+      codec => "json"
+      topic_id => "sysmontransformed"
+    }
  }
 }
--- a/helk-elk/logstash/pipeline/51-winevent-security-output.conf
+++ b/helk-elk/logstash/pipeline/51-winevent-security-output.conf
@ -6,12 +6,17 @@
 output {
  if [log_name] == "Security"{
    elasticsearch {
-      hosts => ["127.0.0.1:9200"]
+      hosts => ["helk-elasticsearch:9200"]
      index => "logs-endpoint-winevent-security-%{+YYYY.MM.dd}"
      template => "/opt/helk/output_templates/winevent-security-template.json"
      template_name => "logs-endpoint-winevent-security"
      template_overwrite => true
      document_id => "%{[@metadata][log_hash]}"
    }
+    kafka {
+      bootstrap_servers => "helk-kafka:9092,helk-kafka:9093,helk-kafka:9094"
+      codec => "json"
+      topic_id => "securitytransformed"
+    }
  }
 }
--- a/helk-elk/logstash/pipeline/52-winevent-system-output.conf
+++ b/helk-elk/logstash/pipeline/52-winevent-system-output.conf
@ -6,7 +6,7 @@
 output {
  if [log_name] == "System"{
    elasticsearch {
-      hosts => ["127.0.0.1:9200"]
+      hosts => ["helk-elasticsearch:9200"]
      index => "logs-endpoint-winevent-system-%{+YYYY.MM.dd}"
      template => "/opt/helk/output_templates/winevent-system-template.json"
      template_name => "logs-endpoint-winevent-system"
--- a/helk-elk/logstash/pipeline/53-winevent-application-output.conf
+++ b/helk-elk/logstash/pipeline/53-winevent-application-output.conf
@ -6,7 +6,7 @@
 output {
  if [log_name] == "Application"{
    elasticsearch {
-      hosts => ["127.0.0.1:9200"]
+      hosts => ["helk-elasticsearch:9200"]
      index => "logs-endpoint-winevent-application-%{+YYYY.MM.dd}"
      template => "/opt/helk/output_templates/winevent-application-template.json"
      template_name => "logs-endpoint-winevent-application"
--- a/helk-elk/logstash/pipeline/54-winevent-powershell-output.conf
+++ b/helk-elk/logstash/pipeline/54-winevent-powershell-output.conf
@ -6,7 +6,7 @@
 output {
  if [source_name] == "Microsoft-Windows-PowerShell" or [source_name] == "PowerShell"{
    elasticsearch {
-      hosts => ["127.0.0.1:9200"]
+      hosts => ["helk-elasticsearch:9200"]
      manage_template => false
      index => "logs-endpoint-winevent-powershell-%{+YYYY.MM.dd}"
      document_id => "%{[@metadata][log_hash]}"
--- a/helk-elk/logstash/pipeline/55-winevent-wmiactivity-output.conf
+++ b/helk-elk/logstash/pipeline/55-winevent-wmiactivity-output.conf
@ -6,7 +6,7 @@
 output {
  if [log_name] == "Microsoft-Windows-WMI-Activity/Operational"{
    elasticsearch {
-      hosts => ["127.0.0.1:9200"]
+      hosts => ["helk-elasticsearch:9200"]
      index => "logs-endpoint-winevent-wmiactivity-%{+YYYY.MM.dd}"
      template => "/opt/helk/output_templates/winevent-wmiactivity-template.json"
      template_name => "logs-endpoint-winevent-wmiactivity"
--- a/helk-elk/logstash/pipeline/56-beats-output.conf
+++ b/helk-elk/logstash/pipeline/56-beats-output.conf
@ -6,7 +6,7 @@
 output {
  if [@metadata][source] == "beats"{
    elasticsearch {
-      hosts => ["127.0.0.1:9200"]
+      hosts => ["helk-elasticsearch:9200"]
      index => "logs-endpoint-beats-%{+YYYY.MM.dd}"
    }
  }
--- a/helk-logstash/scripts/entrypoint.sh
+++ b/helk-logstash/scripts/entrypoint.sh
@ -0,0 +1,35 @@
+#!/bin/sh
+
+# HELK script: entrypoint.sh
+# HELK script description: Restarts and runs Logstash service
+# HELK build version: 0.9 (Alpha)
+# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# License: BSD 3-Clause
+
+# Start graceful termination of Logstash services that might be running before running the entrypoint script.
+_term() {
+  echo "Terminating HELK Services"
+  service logstash stop
+  exit 0
+}
+trap _term SIGTERM
+
+# Removing PID files just in case the graceful termination fails
+rm -f /var/run/logstash.pid
+
+# *********** Setting Logstash Heap Size***************
+# https://www.elastic.co/guide/en/logstash/current/performance-troubleshooting.html
+sed -i "s/#*-Xmx[0-9]\+g/-Xmx2g/g" /etc/logstash/jvm.options
+sed -i "s/#*-Xms[0-9]\+g/-Xms2g/g" /etc/logstash/jvm.options
+
+# *********** Start HELK services ***************
+echo "[HELK-DOCKER-INSTALLATION-INFO] Waiting for elasticsearch URI to be accessible.."
+until curl -s helk-elasticsearch:9200 -o /dev/null; do
+    sleep 1
+done
+
+echo "[HELK-DOCKER-INSTALLATION-INFO] Starting Logstash services.."
+service logstash start
+
+echo "[HELK-DOCKER-INSTALLATION-INFO] Pushing Logstash Logs to console.."
+tail -f /var/log/logstash/*-plain.log
--- a/helk-nginx/Dockerfile
+++ b/helk-nginx/Dockerfile
@ -0,0 +1,39 @@
+# HELK script: HELK Nginx Dockerfile
+# HELK build version: 0.9 (ALPHA)
+# HELK ELK version: 6.2.3
+# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# License: BSD 3-Clause
+
+# References: 
+# https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat_98.html
+# https://github.com/spujadas/elk-docker/blob/master/Dockerfile
+
+FROM cyb3rward0g/helk-base:0.0.1
+LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
+LABEL description="Dockerfile base for the HELK Nginx."
+
+ENV DEBIAN_FRONTEND noninteractive
+
+# *********** Installing Prerequisites ***************
+# -qq : No output except for errors
+RUN echo "[HELK-DOCKER-INSTALLATION-INFO] Updating Ubuntu base image.." \
+  && apt-get update -qq
+
+RUN apt-get -qy clean \
+  autoremove
+
+# *********** Adding HELK scripts and files to Container ***************
+ADD scripts/entrypoint.sh /opt/helk/scripts/
+RUN chmod +x /opt/helk/scripts/entrypoint.sh
+
+# *********** Installing Nginx ***************
+RUN apt-get install -qqy nginx \
+  && mv /etc/nginx/sites-available/default /etc/nginx/sites-available/backup_default
+ADD htpasswd.users /etc/nginx/ 
+ADD default /etc/nginx/sites-available/
+RUN apt-get update -qq
+
+# *********** RUN HELK ***************
+EXPOSE 80
+WORKDIR "/opt/helk/scripts/"
+ENTRYPOINT ["./entrypoint.sh"]
--- a/helk-elk/nginx/default
+++ b/helk-elk/nginx/default
@ -1,20 +1,3 @@
-server {
-    listen 8082;
-
-    server_name 127.0.0.1;
-
-    auth_basic "Restricted Access";
-    auth_basic_user_file /etc/nginx/htpasswd.users;
-
-    location / {
-        proxy_pass http://localhost:9200;
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection 'upgrade';
-        proxy_set_header Host $host;
-        proxy_cache_bypass $http_upgrade;        
-    }
-}
 server {
    proxy_connect_timeout 900;
    proxy_send_timeout 600;
@ -28,7 +11,7 @@ server {
    auth_basic_user_file /etc/nginx/htpasswd.users;

    location / {
-        proxy_pass http://localhost:5601;
+        proxy_pass http://helk-kibana:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
--- a/helk-elk/nginx/htpasswd.users
+++ b/helk-elk/nginx/htpasswd.users
--- a/helk-nginx/scripts/entrypoint.sh
+++ b/helk-nginx/scripts/entrypoint.sh
@ -0,0 +1,25 @@
+#!/bin/sh
+
+# HELK script: entrypoint.sh
+# HELK script description: Restarts and runs Nginx service
+# HELK build version: 0.9 (Alpha)
+# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# License: BSD 3-Clause
+
+# Start graceful termination of HELK services that might be running before running the entrypoint script.
+_term() {
+  echo "Terminating Nginx Services"
+  service nginx stop
+  exit 0
+}
+trap _term SIGTERM
+
+until curl -s helk-elasticsearch:9200 -o /dev/null; do
+    sleep 1
+done
+
+echo "[HELK-DOCKER-INSTALLATION-INFO] Starting remaining services.."
+service nginx restart
+
+echo "[HELK-DOCKER-INSTALLATION-INFO] Pushing Nginx Logs to console.."
+tail -f /var/log/nginx/*.log
--- a/helk_install.sh
+++ b/helk_install.sh
@ -22,7 +22,7 @@ echoerror() {
 systemKernel="$(uname -s)"

 # *********** Getting Jupyter Token ***************
-get_token(){
+get_jupyter_token(){
    echo "[HELK-INSTALLATION-INFO] Waiting for HELK services and Jupyter Server to start.."
    until curl -s localhost:8880 -o /dev/null; do
        sleep 1
@ -48,7 +48,7 @@ install_curl(){
 }

 # *********** Building and Running HELK Images ***************
-build_run(){
+install_helk(){
    echo "[HELK-INSTALLATION-INFO] Building HELK via docker-compose"
    echo "ADVERTISED_LISTENER=$host_ip" >> helk.env
    docker-compose build >> $LOGFILE 2>&1
@ -66,23 +66,62 @@ build_run(){
        exit 1
    fi
 }
- 
-# *********** Showing HELK Docker menu options ***************
-show_banner() {
-    echo " "
-	echo "**********************************************"	
-	echo "**          HELK - THE HUNTING ELK          **"
-    echo "**                                          **"
-    echo "** Author: Roberto Rodriguez (@Cyb3rWard0g) **"
-    echo "** HELK build version: 0.9 (Alpha)          **"
-    echo "** HELK ELK version: 6.2.3                  **"
-    echo "** License: BSD 3-Clause                    **"
-    echo "**********************************************"
-    echo " "
+
+install_docker(){
+    # ****** Installing via convenience script ***********
+    echo "[HELK-INSTALLATION-INFO] Installing docker via convenience script.."
+    curl -fsSL get.docker.com -o get-docker.sh >> $LOGFILE 2>&1
+    chmod +x get-docker.sh >> $LOGFILE 2>&1
+    ./get-docker.sh >> $LOGFILE 2>&1
+    ERROR=$?
+    if [ $ERROR -ne 0 ]; then
+        echoerror "Could not install docker via convenience script (Error Code: $ERROR)."
+        exit 1
+    fi
+}
+
+install_docker_compose(){
+    echo "[HELK-INSTALLATION-INFO] Installing docker-compose.."
+    curl -L https://github.com/docker/compose/releases/download/1.19.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose >> $LOGFILE 2>&1
+    chmod +x /usr/local/bin/docker-compose >> $LOGFILE 2>&1
+    ERROR=$?
+    if [ $ERROR -ne 0 ]; then
+        echoerror "Could not install docker-compose (Error Code: $ERROR)."
+        exit 1
+    fi
+}
+
+get_host_ip(){
+    # *********** Getting Host IP ***************
+    # https://github.com/Invoke-IR/ACE/blob/master/ACE-Docker/start.sh
+    echo "[HELK-INSTALLATION-INFO] Obtaining current host IP.."
+    case "${systemKernel}" in
+        Linux*)     host_ip=$(ip route get 1 | awk '{print $NF;exit}');;
+        Darwin*)    host_ip=$(ifconfig en0 | grep inet | grep -v inet6 | cut -d ' ' -f2);;
+        *)          host_ip="UNKNOWN:${unameOut}"
+    esac
+}
+
+set_helk_ip(){    
+    # *********** Accepting Defaults or Allowing user to set HELK IP ***************
+    local ip_choice
+    local read_input
+    read -t 30 -p "[HELK-INSTALLATION-INFO] Set HELK IP. Default value is your current IP: " -e -i ${host_ip} ip_choice
+    read_input=$?
+    ip_choice="${ip_choice:-$host_ip}"
+    if [ $ip_choice != $host_ip ]; then
+        host_ip=$ip_choice
+    fi
+    if [ $read_input  = 142 ]; then
+       echo -e "\n[HELK-INSTALLATION-INFO] HELK IP set to ${host_ip}" 
+    else
+    echo "[HELK-INSTALLATION-INFO] HELK IP set to ${host_ip}"
+    fi
 }

 prepare_helk(){
    get_host_ip
+    set_helk_ip
    if [ "$systemKernel" == "Linux" ]; then
        # Reference: https://get.docker.com/
        echo "[HELK-INSTALLATION-INFO] HELK identified Linux as the system kernel"
@ -148,17 +187,8 @@ prepare_helk(){

            # ****** Install Curl if it is not installed *********
            install_curl
-
-            # ****** Installing via convenience script ***********
-            echo "[HELK-INSTALLATION-INFO] Installing docker via convenience script.."
-            curl -fsSL get.docker.com -o scripts/get-docker.sh >> $LOGFILE 2>&1
-            chmod +x scripts/get-docker.sh >> $LOGFILE 2>&1
-            scripts/get-docker.sh >> $LOGFILE 2>&1
-            ERROR=$?
-            if [ $ERROR -ne 0 ]; then
-                echoerror "Could not install docker via convenience script (Error Code: $ERROR)."
-                exit 1
-            fi
+            # ****** Installing Docker if it is not installed *********
+            install_docker
        fi
        # ********** Check if docker-compose is installed *******
        if [ -x "$(command -v docker-compose)" ]; then
@ -168,16 +198,8 @@ prepare_helk(){

            # ****** Install Curl if it is not installed *********
            install_curl
-
-            # ****** Installing docker-compose ***********
-            echo "[HELK-INSTALLATION-INFO] Installing docker-compose .."
-            curl -L https://github.com/docker/compose/releases/download/1.19.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose >> $LOGFILE 2>&1
-            chmod +x /usr/local/bin/docker-compose >> $LOGFILE 2>&1
-            ERROR=$?
-            if [ $ERROR -ne 0 ]; then
-                echoerror "Could not install docker-compose (Error Code: $ERROR)."
-                exit 1
-            fi
+            # ****** Installing Docker-Compose *******************
+            install_docker_compose
        fi
    else
        # *********** Check if docker is installed ***************
@ -200,38 +222,23 @@ prepare_helk(){
    fi
 }

-get_host_ip(){
-    # *********** Getting Host IP ***************
-    # https://github.com/Invoke-IR/ACE/blob/master/ACE-Docker/start.sh
-    echo "[HELK-INSTALLATION-INFO] Obtaining current host IP.."
-    case "${systemKernel}" in
-        Linux*)     host_ip=$(ip route get 1 | awk '{print $NF;exit}');;
-        Darwin*)    host_ip=$(ifconfig en0 | grep inet | grep -v inet6 | cut -d ' ' -f2);;
-        *)          host_ip="UNKNOWN:${unameOut}"
-    esac
-    
-    # *********** Accepting Defaults or Allowing user to set HELK IP ***************
-    local ip_choice
-    local read_input
-    read -t 30 -p "[HELK-INSTALLATION-INFO] Set HELK IP. Default value is your current IP: " -e -i ${host_ip} ip_choice
-    read_input=$?
-    ip_choice="${ip_choice:-$host_ip}"
-    if [ $ip_choice != $host_ip ]; then
-        host_ip=$ip_choice
-    fi
-    if [ $read_input  = 142 ]; then
-       echo -e "\n[HELK-INSTALLATION-INFO] HELK IP set to ${host_ip}" 
-    else
-    echo "[HELK-INSTALLATION-INFO] HELK IP set to ${host_ip}"
-    fi
-}
+# *********** Showing HELK Docker menu options ***************
+echo " "
+echo "**********************************************"	
+echo "**          HELK - THE HUNTING ELK          **"
+echo "**                                          **"
+echo "** Author: Roberto Rodriguez (@Cyb3rWard0g) **"
+echo "** HELK build version: 0.9 (Alpha)          **"
+echo "** HELK ELK version: 6.2.3                  **"
+echo "** License: BSD 3-Clause                    **"
+echo "**********************************************"
+echo " "

 # *********** Running selected option ***************
-show_banner
 prepare_helk
-build_run
-get_token
-sleep 20
+install_helk
+get_jupyter_token
+sleep 45

 echo " "
 echo " "
--- a/resources/papers/Spark_Cluster_Computing_with_Working_Sets.pdf
+++ b/resources/papers/Spark_Cluster_Computing_with_Working_Sets.pdf
				`@ -1 +0,0 @@`
				`E160EF8E55BB9D162DA4E266AFD9EEF3,CBT-Locker ransomeware`