mirror of https://github.com/infosecn1nja/HELK.git
Updated HELK Install & Sysmon Logstash config
- Removed neo4j install (replacing it with something that could scale) - Added creation of folder /opt/helk and cron job in helk_install script - Updated sysmon logstash script to grab intelligence from the new path /opt/helk/otx
parent
ed5665926d
commit
9131cae55d
|
@ -32,17 +32,17 @@ filter {
|
||||||
translate {
|
translate {
|
||||||
field => "[hash][MD5]"
|
field => "[hash][MD5]"
|
||||||
destination => "[otx][MD5]"
|
destination => "[otx][MD5]"
|
||||||
dictionary_path => "/opt/otx/otx_md5_.csv"
|
dictionary_path => "/opt/helk/otx/otx_md5_.csv"
|
||||||
}
|
}
|
||||||
translate {
|
translate {
|
||||||
field => "[hash][SHA1]"
|
field => "[hash][SHA1]"
|
||||||
destination => "[otx][SHA1]"
|
destination => "[otx][SHA1]"
|
||||||
dictionary_path => "/opt/otx/otx_sha1_.csv"
|
dictionary_path => "/opt/helk/otx/otx_sha1_.csv"
|
||||||
}
|
}
|
||||||
translate {
|
translate {
|
||||||
field => "[hash][SHA256]"
|
field => "[hash][SHA256]"
|
||||||
destination => "[otx][SHA256]"
|
destination => "[otx][SHA256]"
|
||||||
dictionary_path => "/opt/otx/otx_sha256_.csv"
|
dictionary_path => "/opt/helk/otx/otx_sha256_.csv"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if [event_id] == 3 {
|
if [event_id] == 3 {
|
||||||
|
@ -70,7 +70,7 @@ filter {
|
||||||
translate {
|
translate {
|
||||||
field => "[destination][ip]"
|
field => "[destination][ip]"
|
||||||
destination => "[otx][ip]"
|
destination => "[otx][ip]"
|
||||||
dictionary_path => "/opt/otx/otx_ipv4_.csv"
|
dictionary_path => "/opt/helk/otx/otx_ipv4_.csv"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if [event_id] == 7 {
|
if [event_id] == 7 {
|
||||||
|
@ -98,17 +98,17 @@ filter {
|
||||||
translate {
|
translate {
|
||||||
field => "[hash][MD5]"
|
field => "[hash][MD5]"
|
||||||
destination => "[otx][MD5]"
|
destination => "[otx][MD5]"
|
||||||
dictionary_path => "/opt/otx/otx_md5_.csv"
|
dictionary_path => "/opt/helk/otx/otx_md5_.csv"
|
||||||
}
|
}
|
||||||
translate {
|
translate {
|
||||||
field => "[hash][SHA1]"
|
field => "[hash][SHA1]"
|
||||||
destination => "[otx][SHA1]"
|
destination => "[otx][SHA1]"
|
||||||
dictionary_path => "/opt/otx/otx_sha1_.csv"
|
dictionary_path => "/opt/helk/otx/otx_sha1_.csv"
|
||||||
}
|
}
|
||||||
translate {
|
translate {
|
||||||
field => "[hash][SHA256]"
|
field => "[hash][SHA256]"
|
||||||
destination => "[otx][SHA256]"
|
destination => "[otx][SHA256]"
|
||||||
dictionary_path => "/opt/otx/otx_sha256_.csv"
|
dictionary_path => "/opt/helk/otx/otx_sha256_.csv"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if [event_id] == 8 {
|
if [event_id] == 8 {
|
||||||
|
|
|
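Review bot: The relocated dictionaries at `dictionary_path => "/opt/helk/otx/otx_md5_.csv"` (and the sha1/sha256/ipv4 paths in the hunks at -70 and -98) are written by a root cron job per the commit description, but they are read by the Logstash process, which on a package install typically runs as an unprivileged `logstash` account; if `/opt/helk/otx` or the csv files are not readable by that account the translate filter cannot load them and the pipeline will not start. The installer should set ownership or mode on `/opt/helk/otx` so the files are readable (and not writable) by the Logstash service user, and keeping the directory root-owned matters because these files drive enrichment decisions. A short comment on the first translate block noting that the files are refreshed by cron and that the translate filter re-reads `dictionary_path` on its `refresh_interval` rather than at restart only would help the next maintainer, e.g. `# dictionaries are rewritten weekly by /opt/helk/scripts/otx_helk.py (root cron); translate re-reads them on refresh_interval`.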
@ -22,7 +22,6 @@ ERROR=$?
|
||||||
echoerror "Could not install updates (Error Code: $ERROR)."
|
echoerror "Could not install updates (Error Code: $ERROR)."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
echo "[HELK INFO] Installing openjdk-8-jre-headless.."
|
echo "[HELK INFO] Installing openjdk-8-jre-headless.."
|
||||||
apt-get install -y openjdk-8-jre-headless >> $LOGFILE 2>&1
|
apt-get install -y openjdk-8-jre-headless >> $LOGFILE 2>&1
|
||||||
ERROR=$?
|
ERROR=$?
|
||||||
|
@ -203,7 +202,7 @@ ERROR=$?
|
||||||
|
|
||||||
# *********** Installing Pandas ***************
|
# *********** Installing Pandas ***************
|
||||||
echo "[HELK INFO] Installing Pandas.."
|
echo "[HELK INFO] Installing Pandas.."
|
||||||
pip install pandas>> $LOGFILE 2>&1
|
pip install pandas >> $LOGFILE 2>&1
|
||||||
ERROR=$?
|
ERROR=$?
|
||||||
if [ $ERROR -ne 0 ]; then
|
if [ $ERROR -ne 0 ]; then
|
||||||
echoerror "Could not install Pandas (Error Code: $ERROR)."
|
echoerror "Could not install Pandas (Error Code: $ERROR)."
|
||||||
|
@ -211,42 +210,22 @@ ERROR=$?
|
||||||
|
|
||||||
# *********** Copying Intel files to HELK ***************
|
# *********** Copying Intel files to HELK ***************
|
||||||
echo "[HELK INFO] Copying Intel files to HELK"
|
echo "[HELK INFO] Copying Intel files to HELK"
|
||||||
mkdir /opt/otx
|
mkdir /opt/helk/
|
||||||
cp -v ../logstash/intel/* /opt/otx/>> $LOGFILE 2>&1
|
mkdir /opt/helk/otx
|
||||||
|
cp -v ../logstash/intel/* /opt/helk/otx/ >> $LOGFILE 2>&1
|
||||||
ERROR=$?
|
ERROR=$?
|
||||||
if [ $ERROR -ne 0 ]; then
|
if [ $ERROR -ne 0 ]; then
|
||||||
echoerror "Could not copy intel files to HELK (Error Code: $ERROR)."
|
echoerror "Could not copy intel files to HELK (Error Code: $ERROR)."
|
||||||
fi
|
fi
|
||||||
|
# *********** Creating Cron Job to run OTX script every monday at 8AM and capture last 30 days of Intel *************
|
||||||
# *********** Download Neo4j public signing key **********.
|
echo "[HELK INFO] Creating a cronjob for OTX intel script"
|
||||||
echo "[HELK INFO] Downloading Neo4j public signing key and adding it to the host.."
|
mkdir /opt/helk/scripts
|
||||||
wget -O - https://debian.neo4j.org/neotechnology.gpg.key | sudo apt-key add - >> $LOGFILE 2>&1
|
cp -v otx_helk.py /opt/helk/scripts/
|
||||||
|
cronjob="0 8 * * 1 python /opt/helk/scripts/otx_helk.py"
|
||||||
|
(crontab -u root -l; echo "$cronjob" ) | crontab -u root - >> $LOGFILE 2>&1
|
||||||
ERROR=$?
|
ERROR=$?
|
||||||
if [ $ERROR -ne 0 ]; then
|
if [ $ERROR -ne 0 ]; then
|
||||||
echoerror "Could not download Neo4j public signing key and add it to the host (Error Code: $ERROR)."
|
echoerror "Could not create cronjob for OTX intel script (Error Code: $ERROR)."
|
||||||
fi
|
|
||||||
|
|
||||||
# *********** Upgrade repository sources **********.
|
|
||||||
echo "[HELK INFO] Upgrading repository sources.."
|
|
||||||
echo 'deb https://debian.neo4j.org/repo stable/' | sudo tee /etc/apt/sources.list.d/neo4j.list >> $LOGFILE 2>&1
|
|
||||||
ERROR=$?
|
|
||||||
if [ $ERROR -ne 0 ]; then
|
|
||||||
echoerror "Could not upgrade repository sources (Error Code: $ERROR)."
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "[HELK INFO] Installing updates.."
|
|
||||||
apt-get update >> $LOGFILE 2>&1
|
|
||||||
ERROR=$?
|
|
||||||
if [ $ERROR -ne 0 ]; then
|
|
||||||
echoerror "Could not install update (Error Code: $ERROR)."
|
|
||||||
fi
|
|
||||||
|
|
||||||
# *********** Install Neo4j **********.
|
|
||||||
echo "[HELK INFO] Installing Neo4j.."
|
|
||||||
apt-get -y install neo4j >> $LOGFILE 2>&1
|
|
||||||
ERROR=$?
|
|
||||||
if [ $ERROR -ne 0 ]; then
|
|
||||||
echoerror "Could not install neo4j (Error Code: $ERROR)."
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# *********** Installing Logstash ***************
|
# *********** Installing Logstash ***************
|
||||||
|
|
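Review bot: The cron registration at `(crontab -u root -l; echo "$cronjob" ) | crontab -u root -` is not idempotent: every re-run of the installer appends another identical `0 8 * * 1` line, and the preceding `mkdir /opt/helk/` / `mkdir /opt/helk/otx` / `mkdir /opt/helk/scripts` have neither `-p` nor a status check, so on a second run they fail while only the `cp` result reaches `ERROR=$?`. Because the job runs weekly as root and pulls data from the network, the script and its output directory should stay root-owned and not world-writable, which `mkdir -p` with the default umask preserves. Suggest collapsing the directory creation, logging the script copy like the other steps, and guarding the crontab append with a fixed-string match on the existing crontab; the rewritten lines are below. Note also that `../logstash/intel/*` and `otx_helk.py` are resolved relative to the caller's working directory, so the script silently copies nothing when invoked from elsewhere.
```shell
mkdir -p /opt/helk/otx /opt/helk/scripts
cp -v ../logstash/intel/* /opt/helk/otx/ >> $LOGFILE 2>&1
# … unchanged: intel copy error check …
cp -v otx_helk.py /opt/helk/scripts/ >> $LOGFILE 2>&1
cronjob="0 8 * * 1 python /opt/helk/scripts/otx_helk.py"
# only append once; `crontab -l` prints an error when no crontab exists yet
if ! crontab -u root -l 2>/dev/null | grep -qF -- "$cronjob"; then
  (crontab -u root -l 2>/dev/null; echo "$cronjob") | crontab -u root - >> $LOGFILE 2>&1
fi
ERROR=$?
# … unchanged: cronjob error check …
```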