Cleaning Repo

+ Updated README (initial update)
+ Removed unused files and folders
neu5ron-patch-1
Cyb3rWard0g 2019-10-02 21:50:28 -04:00
parent eadc7aa810
commit a81fc35b1a
5 changed files with 2 additions and 682 deletions


@ -1,6 +1,5 @@
# HELK [Alpha]
![version](https://img.shields.io/badge/version-0.1.4-blue.svg?maxAge=2592000)
[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)
[![GitHub issues-closed](https://img.shields.io/github/issues-closed/Cyb3rward0g/HELK.svg)](https://GitHub.com/Cyb3rWard0g/HELK/issues?q=is%3Aissue+is%3Aclosed)
[![Twitter](https://img.shields.io/twitter/follow/THE_HELK.svg?style=social&label=Follow)](https://twitter.com/THE_HELK)
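Review bot: the issues-closed badge on the fourth line of this hunk uses `Cyb3rward0g` in the shields.io path but `Cyb3rWard0g` in the link target (and `GitHub.com` with a capital G in the host); normalise both to `Cyb3rWard0g/HELK` and a lowercase `https://github.com/...` so the badge and the link resolve to the same canonical repository.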
@ -93,13 +92,9 @@ root@ede2a2503030:/opt/helk/scripts#
* Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) [@THE_HELK](https://twitter.com/THE_HELK)
# Contributors
# Current Committers
* Jose Luis Rodriguez [@Cyb3rPandaH](https://twitter.com/Cyb3rPandaH)
* Robby Winchester [@robwinchester3](https://twitter.com/robwinchester3)
* Jared Atkinson [@jaredatkinson](https://twitter.com/jaredcatkinson)
* Nate Guagenti [@neu5ron](https://twitter.com/neu5ron)
* Lee Christensen [@tifkin_](https://twitter.com/tifkin_)
# Contributing
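Review bot: `# Contributors` is immediately followed by `# Current Committers` with nothing under it, so either drop one of the two headings or make `Current Committers` a `##` subsection of `Contributors`. Also, the Jared Atkinson entry shows the handle `@jaredatkinson` but links to `twitter.com/jaredcatkinson`; one of the two is a typo and they should match.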
@ -123,4 +118,4 @@ There are a few things that I would like to accomplish with the HELK as shown in
- [ ] Add more Jupyter Notebooks to teach the basics
- [ ] Auditd beat intergation
More coming soon...
More coming soon...
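Review bot: `Auditd beat intergation` should read `integration`; since this hunk already touches the adjacent `More coming soon...` line (the two identical copies are the old and new version of that line), the typo fix can be folded into the same change.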


@ -1,74 +0,0 @@
#!/usr/bin/env python
# ATT&CK Client Main Script - Drill-down capabilities at the tactic / technique / platform / data source levels
# Author: Jose Rodriguez (@Cyb3rPandaH)
# License: GPL-3.0
# Reference:
# https://github.com/Cyb3rWard0g/ATTACK-Python-Client
# https://stackoverflow.com/questions/27263805/pandas-when-cell-contents-are-lists-create-a-row-for-each-element-in-the-list/27266225?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa
# https://stackoverflow.com/questions/19913659/pandas-conditional-creation-of-a-series-dataframe-column?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa
# http://pandas.pydata.org/pandas-docs/version/0.22/generated/pandas.Series.str.contains.html
# https://chrisalbon.com/python/data_wrangling/pandas_dropping_column_and_rows/
from pandas import *
from pandas.io.json import json_normalize
from pandas import Series,DataFrame
from attackcti import attack_client
mitre = attack_client()
db = mitre.get_all_attack()
# Removes '\n' inside of a list element of the 'system_requirements' property
db_fixed = db
for sr in db_fixed:
if 'system_requirements' in sr:
if sr['system_requirements']:
for idx, item in enumerate(sr['system_requirements']):
sr['system_requirements'][idx] = sr['system_requirements'][idx].replace('\n',' ')
df = json_normalize(db_fixed)
df = df[[
'matrix','tactic','technique','technique_id','technique_description',
'mitigation','mitigation_description','group','group_id','group_aliases',
'group_description','software','software_id','software_description','software_labels',
'relationship_description','platform','data_sources','detectable_by_common_defenses','detectable_explanation',
'difficulty_for_adversary','difficulty_explanation','effective_permissions','network_requirements','permissions_required',
'remote_support','system_requirements','contributors','url']]
#****** There are some columns that contain a list on their cells, we need to create a row per each value of the list
attributes = ['tactic','platform','data_sources','permissions_required']
# In attributes, we indicate the name of the columns that we need to distribute in rows by values of the list
for a in attributes:
s = df.apply(lambda x: pandas.Series(x[a]),axis=1).stack().reset_index(level=1, drop=True)
# "s" is going to be a column of a frame with every value of the list inside each cell of the column "a"
s.name = a
# We name "s" with the same name of "a".
df = df.drop(a, axis=1).join(s).reset_index(drop=True)
# We drop the column "a" from "df", and then join "df" with "s"
#****** Now we are going to create a new column to identify windows data sources in Linux and macOS platforms
conditions = [(df['platform']=='Linux')&(df['data_sources'].str.contains('windows',case=False)== True),
(df['platform']=='macOS')&(df['data_sources'].str.contains('windows',case=False)== True),
(df['platform']=='Linux')&(df['data_sources'].str.contains('powershell',case=False)== True),
(df['platform']=='macOS')&(df['data_sources'].str.contains('powershell',case=False)== True),
(df['platform']=='Linux')&(df['data_sources'].str.contains('wmi',case=False)== True),
(df['platform']=='macOS')&(df['data_sources'].str.contains('wmi',case=False)== True)]
# In conditions we indicate a logical test
choices = ['NO OK','NO OK','NO OK','NO OK','NO OK','NO OK']
# In choices, we indicate the result when the logical test is true
df['Validation'] = np.select(conditions,choices,default='OK')
# Finally, we add a column "Validation" to "df" with the result of the logical test. The default value is going to be "OK"
#****** Now we are going to create a new dataframe and filter the value "OK" in the column "Validation". We are going to replace some values in all the cells of the data frame
df_final = df[df.Validation == 'OK'].replace(['mitre-attack-mobile','Process monitoring','Application logs'],['mitre-mobile-attack','Process Monitoring','Application Logs'])
#****** Now we are going to delete the line breaks for all the cell of the dataframe. This action only applies for cells that contain a String value
df_final = df_final.replace('\n','',regex=True)
#****** Finally, we export the data frame to a CSV file
df_final.to_csv('mitre_attack.csv',index=False,encoding='utf-8')
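Review bot: the deleted script was not runnable as written, which supports removing it rather than keeping it: `np.select(conditions,choices,default='OK')` uses `np` with no numpy import anywhere in the import block, and `pandas.Series(x[a])` refers to the module name `pandas`, which `from pandas import *` does not bind. Before merging, search the repository for `mitre_attack.csv` (the file this script wrote via `df_final.to_csv('mitre_attack.csv',index=False,encoding='utf-8')`), since anything still consuming that CSV silently loses its generator; listing the removed files in the commit message would make the "Removed unused files" claim easier to verify.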


@ -1,456 +0,0 @@
#!/bin/sh
set -e
# HELK script: helk_docker_edge_install.sh
# HELK script description: Installs Docker on your HELK server.
# HELK build Stage: Alpha
# Author: Docker
# Maintained by: Docker
# Default Channel: EDGE
# Download Date: 01/11/2018
# Using these scripts is not recommended for production environments, and you should understand the potential risks before you use them:
# The scripts require root or sudo privileges in order to run. Therefore, you should carefully examine and audit the scripts before running them.
# The scripts attempt to detect your Linux distribution and version and configure your package management system for you. In addition, the scripts do not allow you to customize any installation parameters. This may lead to an unsupported configuration, either from Dockers point of view or from your own organizations guidelines and standards.
# The scripts install all dependencies and recommendations of the package manager without asking for confirmation. This may install a large number of packages, depending on the current configuration of your host machine.
# The script does not provide options to specify which version of Docker to install, and will install the latest version that is released in the “edge” channel.
# Do not use the convenience script if Docker has already been installed on the host machine using another mechanism.
# This script is meant for quick & easy install via:
# $ curl -fsSL get.docker.com -o get-docker.sh
# $ sh get-docker.sh
#
# For test builds (ie. release candidates):
# $ curl -fsSL test.docker.com -o test-docker.sh
# $ sh test-docker.sh
#
# NOTE: Make sure to verify the contents of the script
# you downloaded matches the contents of install.sh
# located at https://github.com/docker/docker-install
# before executing.
#
# Git commit from https://github.com/docker/docker-install when
# the script was uploaded (Should only be modified by upload job):
SCRIPT_COMMIT_SHA=1d31602
# This value will automatically get changed for:
# * edge
# * test
# * experimental
DEFAULT_CHANNEL_VALUE="edge"
if [ -z "$CHANNEL" ]; then
CHANNEL=$DEFAULT_CHANNEL_VALUE
fi
DOWNLOAD_URL="https://download.docker.com"
SUPPORT_MAP="
x86_64-centos-7
x86_64-fedora-24
x86_64-fedora-25
x86_64-fedora-26
x86_64-fedora-27
x86_64-debian-wheezy
x86_64-debian-jessie
x86_64-debian-stretch
x86_64-debian-buster
x86_64-ubuntu-trusty
x86_64-ubuntu-xenial
x86_64-ubuntu-zesty
x86_64-ubuntu-artful
s390x-ubuntu-xenial
s390x-ubuntu-zesty
s390x-ubuntu-artful
ppc64le-ubuntu-xenial
ppc64le-ubuntu-zesty
ppc64le-ubuntu-artful
aarch64-ubuntu-xenial
aarch64-ubuntu-zesty
aarch64-debian-jessie
aarch64-debian-stretch
armv6l-raspbian-jessie
armv7l-raspbian-jessie
armv6l-raspbian-stretch
armv7l-raspbian-stretch
armv7l-debian-jessie
armv7l-debian-stretch
armv7l-debian-buster
armv7l-ubuntu-trusty
armv7l-ubuntu-xenial
armv7l-ubuntu-zesty
armv7l-ubuntu-artful
"
mirror=''
DRY_RUN=${DRY_RUN:-}
while [ $# -gt 0 ]; do
case "$1" in
--mirror)
mirror="$2"
shift
;;
--dry-run)
DRY_RUN=1
;;
--*)
echo "Illegal option $1"
;;
esac
shift $(( $# > 0 ? 1 : 0 ))
done
case "$mirror" in
Aliyun)
DOWNLOAD_URL="https://mirrors.aliyun.com/docker-ce"
;;
AzureChinaCloud)
DOWNLOAD_URL="https://mirror.azure.cn/docker-ce"
;;
esac
command_exists() {
command -v "$@" > /dev/null 2>&1
}
is_dry_run() {
if [ -z "$DRY_RUN" ]; then
return 1
else
return 0
fi
}
get_distribution() {
lsb_dist=""
# Every system that we officially support has /etc/os-release
if [ -r /etc/os-release ]; then
lsb_dist="$(. /etc/os-release && echo "$ID")"
fi
# Returning an empty string here should be alright since the
# case statements don't act unless you provide an actual value
echo "$lsb_dist"
}
add_debian_backport_repo() {
debian_version="$1"
backports="deb http://ftp.debian.org/debian $debian_version-backports main"
if ! grep -Fxq "$backports" /etc/apt/sources.list; then
(set -x; $sh_c "echo \"$backports\" >> /etc/apt/sources.list")
fi
}
echo_docker_as_nonroot() {
if is_dry_run; then
return
fi
if command_exists docker && [ -e /var/run/docker.sock ]; then
(
set -x
$sh_c 'docker version'
) || true
fi
your_user=your-user
[ "$user" != 'root' ] && your_user="$user"
# intentionally mixed spaces and tabs here -- tabs are stripped by "<<-EOF", spaces are kept in the output
echo "If you would like to use Docker as a non-root user, you should now consider"
echo "adding your user to the \"docker\" group with something like:"
echo
echo " sudo usermod -aG docker $your_user"
echo
echo "Remember that you will have to log out and back in for this to take effect!"
echo
echo "WARNING: Adding a user to the \"docker\" group will grant the ability to run"
echo " containers which can be used to obtain root privileges on the"
echo " docker host."
echo " Refer to https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface"
echo " for more information."
}
# Check if this is a forked Linux distro
check_forked() {
# Check for lsb_release command existence, it usually exists in forked distros
if command_exists lsb_release; then
# Check if the `-u` option is supported
set +e
lsb_release -a -u > /dev/null 2>&1
lsb_release_exit_code=$?
set -e
# Check if the command has exited successfully, it means we're in a forked distro
if [ "$lsb_release_exit_code" = "0" ]; then
# Print info about current distro
cat <<-EOF
You're using '$lsb_dist' version '$dist_version'.
EOF
# Get the upstream release info
lsb_dist=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'id' | cut -d ':' -f 2 | tr -d '[:space:]')
dist_version=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'codename' | cut -d ':' -f 2 | tr -d '[:space:]')
# Print info about upstream distro
cat <<-EOF
Upstream release is '$lsb_dist' version '$dist_version'.
EOF
else
if [ -r /etc/debian_version ] && [ "$lsb_dist" != "ubuntu" ] && [ "$lsb_dist" != "raspbian" ]; then
# We're Debian and don't even know it!
lsb_dist=debian
dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
case "$dist_version" in
9)
dist_version="stretch"
;;
8|'Kali Linux 2')
dist_version="jessie"
;;
7)
dist_version="wheezy"
;;
esac
fi
fi
fi
}
semverParse() {
major="${1%%.*}"
minor="${1#$major.}"
minor="${minor%%.*}"
patch="${1#$major.$minor.}"
patch="${patch%%[-.]*}"
}
ee_notice() {
echo
echo
echo " WARNING: $1 is now only supported by Docker EE"
echo " Check https://store.docker.com for information on Docker EE"
echo
echo
}
do_install() {
echo "# Executing docker install script, commit: $SCRIPT_COMMIT_SHA"
if command_exists docker; then
version="$(docker -v | cut -d ' ' -f3 | cut -d ',' -f1)"
MAJOR_W=1
MINOR_W=10
semverParse "$version"
shouldWarn=0
if [ "$major" -lt "$MAJOR_W" ]; then
shouldWarn=1
fi
if [ "$major" -le "$MAJOR_W" ] && [ "$minor" -lt "$MINOR_W" ]; then
shouldWarn=1
fi
cat >&2 <<-'EOF'
Warning: the "docker" command appears to already exist on this system.
If you already have Docker installed, this script can cause trouble, which is
why we're displaying this warning and provide the opportunity to cancel the
installation.
If you installed the current Docker package using this script and are using it
EOF
if [ $shouldWarn -eq 1 ]; then
cat >&2 <<-'EOF'
again to update Docker, we urge you to migrate your image store before upgrading
to v1.10+.
You can find instructions for this here:
https://github.com/docker/docker/wiki/Engine-v1.10.0-content-addressability-migration
EOF
else
cat >&2 <<-'EOF'
again to update Docker, you can safely ignore this message.
EOF
fi
cat >&2 <<-'EOF'
You may press Ctrl+C now to abort this script.
EOF
( set -x; sleep 20 )
fi
user="$(id -un 2>/dev/null || true)"
sh_c='sh -c'
if [ "$user" != 'root' ]; then
if command_exists sudo; then
sh_c='sudo -E sh -c'
elif command_exists su; then
sh_c='su -c'
else
cat >&2 <<-'EOF'
Error: this installer needs the ability to run commands as root.
We are unable to find either "sudo" or "su" available to make this happen.
EOF
exit 1
fi
fi
if is_dry_run; then
sh_c="echo"
fi
# perform some very rudimentary platform detection
lsb_dist=$( get_distribution )
lsb_dist="$(echo "$lsb_dist" | tr '[:upper:]' '[:lower:]')"
case "$lsb_dist" in
ubuntu)
if command_exists lsb_release; then
dist_version="$(lsb_release --codename | cut -f2)"
fi
if [ -z "$dist_version" ] && [ -r /etc/lsb-release ]; then
dist_version="$(. /etc/lsb-release && echo "$DISTRIB_CODENAME")"
fi
;;
debian|raspbian)
dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
case "$dist_version" in
9)
dist_version="stretch"
;;
8)
dist_version="jessie"
;;
7)
dist_version="wheezy"
;;
esac
;;
centos)
if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
fi
;;
rhel|ol|sles)
ee_notice "$lsb_dist"
exit 1
;;
*)
if command_exists lsb_release; then
dist_version="$(lsb_release --release | cut -f2)"
fi
if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
fi
;;
esac
# Check if this is a forked Linux distro
check_forked
# Check if we actually support this configuration
if ! echo "$SUPPORT_MAP" | grep "$(uname -m)-$lsb_dist-$dist_version" >/dev/null; then
cat >&2 <<-'EOF'
Either your platform is not easily detectable or is not supported by this
installer script.
Please visit the following URL for more detailed installation instructions:
https://docs.docker.com/engine/installation/
EOF
exit 1
fi
# Run setup for each distro accordingly
case "$lsb_dist" in
ubuntu|debian|raspbian)
pre_reqs="apt-transport-https ca-certificates curl"
if [ "$lsb_dist" = "debian" ]; then
if [ "$dist_version" = "wheezy" ]; then
add_debian_backport_repo "$dist_version"
fi
# libseccomp2 does not exist for debian jessie main repos for aarch64
if [ "$(uname -m)" = "aarch64" ] && [ "$dist_version" = "jessie" ]; then
add_debian_backport_repo "$dist_version"
fi
fi
if ! command -v gpg > /dev/null; then
pre_reqs="$pre_reqs gnupg"
fi
apt_repo="deb [arch=$(dpkg --print-architecture)] $DOWNLOAD_URL/linux/$lsb_dist $dist_version $CHANNEL"
(
if ! is_dry_run; then
set -x
fi
$sh_c 'apt-get update -qq >/dev/null'
$sh_c "apt-get install -y -qq $pre_reqs >/dev/null"
$sh_c "curl -fsSL \"$DOWNLOAD_URL/linux/$lsb_dist/gpg\" | apt-key add -qq - >/dev/null"
$sh_c "echo \"$apt_repo\" > /etc/apt/sources.list.d/docker.list"
if [ "$lsb_dist" = "debian" ] && [ "$dist_version" = "wheezy" ]; then
$sh_c 'sed -i "/deb-src.*download\.docker/d" /etc/apt/sources.list.d/docker.list'
fi
$sh_c 'apt-get update -qq >/dev/null'
$sh_c 'apt-get install -y -qq --no-install-recommends docker-ce >/dev/null'
)
echo_docker_as_nonroot
exit 0
;;
centos|fedora)
yum_repo="$DOWNLOAD_URL/linux/$lsb_dist/docker-ce.repo"
if [ "$lsb_dist" = "fedora" ]; then
if [ "$dist_version" = "24" ]; then
echo
echo "Warning: Fedora 24 has reached EOL"
echo " Support for Fedora 24 for this installation script will be removed on October 1, 2017"
echo
sleep 10
fi
if [ "$dist_version" -lt "24" ]; then
echo "Error: Only Fedora >=24 are supported"
exit 1
fi
pkg_manager="dnf"
config_manager="dnf config-manager"
enable_channel_flag="--set-enabled"
pre_reqs="dnf-plugins-core"
else
pkg_manager="yum"
config_manager="yum-config-manager"
enable_channel_flag="--enable"
pre_reqs="yum-utils"
fi
(
if ! is_dry_run; then
set -x
fi
$sh_c "$pkg_manager install -y -q $pre_reqs"
$sh_c "$config_manager --add-repo $yum_repo"
if [ "$CHANNEL" != "stable" ]; then
$sh_c "$config_manager $enable_channel_flag docker-ce-$CHANNEL"
fi
$sh_c "$pkg_manager makecache"
$sh_c "$pkg_manager install -y -q docker-ce"
)
echo_docker_as_nonroot
exit 0
;;
esac
exit 1
}
# wrapped up in a function so that we have some protection against only getting
# half the file during "curl | sh"
do_install
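Review bot: dropping this file is the right call; it was a vendored copy of Docker's convenience installer pinned to the `edge` channel (`DEFAULT_CHANNEL_VALUE="edge"`) at upstream commit `SCRIPT_COMMIT_SHA=1d31602` with a download date of 01/11/2018, so it had drifted from upstream, its own header says it is not recommended for production, and its `SUPPORT_MAP` no longer reflects current distributions. Check that no install documentation or other script in the repository still invokes `helk_docker_edge_install.sh`, and if Docker installation guidance is needed, point users at the stable channel and upstream instructions rather than checking in another copy, since a vendored `curl | sh` installer cannot stay in sync with the verification step its own comments ask users to perform.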


@ -1,108 +0,0 @@
function start-winlogbeat
{
[CmdletBinding()]
Param (
[Parameter(Mandatory=$false, Position=0)]
[Alias('wc')]
[string]$winconfig="https://raw.githubusercontent.com/Cyb3rWard0g/HELK/master/winlogbeat/winlogbeat.yml",
[Parameter(Mandatory=$true, Position=1)]
[Alias('lsip')]
[String]$logstaship
)
function invoke-unzip
{
[CmdletBinding()]
Param (
[Parameter()]
[string]$file
)
write-verbose "[+++] Unzipping file.."
[string]$RemoteFolderPath = $env:ProgramFiles
[int32]$copyOption = 20
$shell = New-Object -ComObject shell.application
$zip = $shell.Namespace($file)
foreach($item in $zip.items()){
$shell.Namespace($RemoteFolderPath).copyhere($item, $copyOption) | Out-Null
}
}
$winInstall_source = "https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-6.2.3-windows-x86_64.zip"
$winInstall_dest = ($env:ProgramFiles + "\winlogbeat-6.2.3-windows-x86_64.zip")
$winconfig_dest = ($env:ProgramFiles + "\winlogbeat\winlogbeat.yml")
$winInstall_old = $env:ProgramFiles + "\winlogbeat-6.2.3-windows-x86_64"
$winInstall_new = $env:ProgramFiles + "\winlogbeat"
if (Get-WmiObject -class win32_service | Where-Object {$_.Name -like "winlogbeat"})
{
Write-Verbose "[+++] Winlogbeat service already exists."
if (Get-WmiObject -class win32_service | Where-Object {$_.Name -like "winlogbeat" -and $_.State -eq "Running"}){
Write-Verbose "[!!!] Winlogbeat service already exists and it is running.."
}
else
{
Write-Verbose "[!!!] Winlogbeat service already exists but it is not running.."
}
}
else
{
$wc=New-Object System.Net.WebClient;
$wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy();
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
write-verbose "[+++] Downloading Winlogbeat from $winInstall_source"
$wc.DownloadFile($winInstall_source,$winInstall_dest)
if (get-item $winInstall_dest)
{
invoke-unzip -file $winInstall_dest
Rename-Item -Path $winInstall_old -NewName $winInstall_new
Remove-Item -Path $winInstall_dest
if (get-item $winInstall_new)
{
& ($winInstall_new +"\install-service-winlogbeat.ps1")
if (get-wmiobject Win32_Service -Filter 'Name LIKE "%winlogbeat%"')
{
Rename-Item ($winInstall_new + "\winlogbeat.yml") -NewName ($winInstall_new + "\BACKUP_winlogbeat_config.yml")
write-verbose "[+++] Downloading Winlogbeat config from $winconfig"
$wc.DownloadFile($winconfig,$winconfig_dest)
if (get-item $winconfig_dest)
{
write-verbose "[+++] Replacing default localhost string for logstash connection with $logstaship"
(get-content $winconfig_dest) -replace 'hosts: \[\"localhost\:5044\"\]', ('hosts: ["'+$logstaship+':5044"]') | Set-Content $winconfig_dest
}
else
{
Write-Verbose "[!!!] $winconfig_dest does not exist locally.."
Write-verbose $_.Exception.Message
break
}
write-verbose "[+++] Starting winlogbeat service.."
start-service winlogbeat
if (Get-WmiObject -class win32_service | Where-Object {$_.Name -like "winlogbeat" -and $_.State -eq "Running"})
{
Write-Verbose "[!!!] Winlogbeat was installed successfully and it is running.."
}
else
{
Write-verbose $_.Exception.Message
break
}
}
}
}
else
{
Write-Verbose "[!!!] $winInstall_dest does not exist locally.."
Write-verbose $_.Exception.Message
}
}
}
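Review bot: removing this installer is reasonable, but the same functionality will presumably return somewhere, so record the defects to avoid carrying them over: `$_.Exception.Message` is read outside any `catch` block (after the `get-item $winconfig_dest` check, after the `start-service winlogbeat` check, and in the final `else`), where `$_` is not an exception object, so those verbose messages are empty; `break` is used outside a loop to abort; and `winlogbeat-6.2.3-windows-x86_64.zip` is downloaded and its bundled `install-service-winlogbeat.ps1` executed with no hash or signature check on the archive. A successor should pin the version, verify the download against a published checksum before unzipping, and use `try/catch` for error reporting.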


@ -1,37 +0,0 @@
# Winlogbeat 6, 7, and 8 are currently supported!
# You can download the latest stable version of winlogbeat here:
# https://www.elastic.co/downloads/beats/winlogbeat
# For simplicity/brevity we have only included only the enabled options necessary for sending windows logs to HELK.
# Please visit the Elastic documentation for the complete details of each option and full reference config:
# https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-reference-yml.html
#======================= Winlogbeat specific options ==========================
winlogbeat.event_logs:
- name: Application
ignore_older: 30m
- name: Security
ignore_older: 30m
- name: System
ignore_older: 30m
- name: Microsoft-windows-sysmon/operational
ignore_older: 30m
- name: Microsoft-windows-PowerShell/Operational
ignore_older: 30m
event_id: 4103, 4104
- name: Windows PowerShell
event_id: 400,600
ignore_older: 30m
- name: Microsoft-Windows-WMI-Activity/Operational
event_id: 5857,5858,5859,5860,5861
#----------------------------- Kafka output --------------------------------
output.kafka:
# initial brokers for reading cluster metadata
# Place your HELK IP(s) here (keep the port).
# If you only have one Kafka instance (default for HELK) then remove the 2nd IP that has port 9093
hosts: ["<HELK-IP>:9092","<HELK-IP>:9093"]
topic: "winlogbeat"
############################# HELK Optimizing Latency ######################
max_retries: 2
max_message_bytes: 1000000
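Review bot: this config is the download target of the default `$winconfig` URL in the PowerShell installer deleted in the same commit (`https://raw.githubusercontent.com/Cyb3rWard0g/HELK/master/winlogbeat/winlogbeat.yml`); if that path is this file, older copies of that script still in use will fail at the config download step, so call the removal out in the README. The event-log list (`Microsoft-windows-sysmon/operational`, PowerShell 4103/4104 and 400/600, WMI-Activity 5857 through 5861) is also the only statement of which Windows channels and event IDs HELK expects to ingest, so move it into documentation rather than dropping it silently. Note that the Kafka output only sets plain `hosts` on 9092/9093 with no `ssl.*` or authentication settings, so a successor config should add transport security for the beat-to-Kafka hop.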