Merge pull request #256 from Cyb3rWard0g/dev-nate

fixes and additions
keyword-vs-text-changes
Roberto Rodriguez 2019-05-30 14:58:10 -04:00 committed by GitHub
commit b1516ee3c8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 104 additions and 10 deletions


@ -63,12 +63,12 @@ if [[ -n "$ELASTICSEARCH_PASSWORD" ]]; then
# *********** Change Kibana and Logstash password *************** # *********** Change Kibana and Logstash password ***************
echo "[HELK-KIBANA-DOCKER-INSTALLATION-INFO] Submitting a request to change the password of a Kibana and Logstash users .." echo "[HELK-KIBANA-DOCKER-INSTALLATION-INFO] Submitting a request to change the password of a Kibana and Logstash users .."
until curl -u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD -H 'Content-Type:application/json' -XPUT $ELASTICSEARCH_HOSTS/_xpack/security/user/kibana/_password -d "{\"password\": \"$KIBANA_PASSWORD\"}" until curl -u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD -H 'Content-Type:application/json' -XPUT $ELASTICSEARCH_HOSTS/_security/user/kibana/_password -d "{\"password\": \"$KIBANA_PASSWORD\"}"
do do
sleep 1 sleep 1
done done
until curl -u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD -H 'Content-Type:application/json' -XPUT $ELASTICSEARCH_HOSTS/_xpack/security/user/logstash_system/_password -d "{\"password\": \"logstashpassword\"}" until curl -u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD -H 'Content-Type:application/json' -XPUT $ELASTICSEARCH_HOSTS/_security/user/logstash_system/_password -d "{\"password\": \"logstashpassword\"}"
do do
sleep 1 sleep 1
done done
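Review bot: The second PUT still sets the `logstash_system` password to the hard-coded literal `logstashpassword`, while the `kibana` user on the line above takes `$KIBANA_PASSWORD` from the environment; anyone who reads this public script knows the credential of a built-in user on every deployment that runs it. Read it from a variable instead, e.g. `-d "{\"password\": \"$LOGSTASH_SYSTEM_PASSWORD\"}"`, and the Logstash side presumably needs the same value wired through its configuration. Independently, both `until curl …` loops lack `--fail`, so curl exits 0 on a 400/401/403 response and the loop ends with the password unchanged; `until curl -sf -u "$ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD" …` would keep retrying until the request is actually accepted, and the quoting also protects an `$ELASTICSEARCH_HOSTS` value containing spaces. Passing `-u user:pass` on the command line also exposes the superuser credential to anything that can list processes in the container, so a netrc or `--config` file would be preferable. The enclosing `if [[ -n "$ELASTICSEARCH_PASSWORD" ]]` block starts before this hunk.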


@ -39,7 +39,7 @@ if [[ -n "$ELASTICSEARCH_PASSWORD" ]] && [[ -n "$ELASTICSEARCH_USERNAME" ]]; the
echo "[HELK-KIBANA-DOCKER-INSTALLATION-INFO] Creating Kibana Index Patterns..." echo "[HELK-KIBANA-DOCKER-INSTALLATION-INFO] Creating Kibana Index Patterns..."
for index in ${!index_patterns[@]}; do for index in ${!index_patterns[@]}; do
echo "[++++++] creating kibana index ${index_patterns[${index}]}" echo "[++++++] creating kibana index ${index_patterns[${index}]}"
until curl -u $KIBANA_USER:$KIBANA_PASSWORD -X POST "$KIBANA_URL/api/saved_objects/index-pattern/${index_patterns[${index}]}" \ until curl -u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD -X POST "$KIBANA_URL/api/saved_objects/index-pattern/${index_patterns[${index}]}" \
-H "Content-Type: application/json" -H "kbn-xsrf: true" \ -H "Content-Type: application/json" -H "kbn-xsrf: true" \
-d"{\"attributes\":{\"title\":\"${index_patterns[${index}]}\",\"timeFieldName\":\"$TIME_FIELD\"}}" -d"{\"attributes\":{\"title\":\"${index_patterns[${index}]}\",\"timeFieldName\":\"$TIME_FIELD\"}}"
do do
@ -49,7 +49,7 @@ if [[ -n "$ELASTICSEARCH_PASSWORD" ]] && [[ -n "$ELASTICSEARCH_USERNAME" ]]; the
# *********** Making Sysmon the default index *************** # *********** Making Sysmon the default index ***************
echo "[HELK-KIBANA-DOCKER-INSTALLATION-INFO] Making Sysmon the default index..." echo "[HELK-KIBANA-DOCKER-INSTALLATION-INFO] Making Sysmon the default index..."
until curl -u $KIBANA_USER:$KIBANA_PASSWORD -X POST -H "Content-Type: application/json" -H "kbn-xsrf: true" \ until curl -u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD -X POST -H "Content-Type: application/json" -H "kbn-xsrf: true" \
"$KIBANA_URL/api/kibana/settings/defaultIndex" \ "$KIBANA_URL/api/kibana/settings/defaultIndex" \
-d"{\"value\":\"$DEFAULT_INDEX\"}" -d"{\"value\":\"$DEFAULT_INDEX\"}"
do do
@ -58,7 +58,7 @@ if [[ -n "$ELASTICSEARCH_PASSWORD" ]] && [[ -n "$ELASTICSEARCH_USERNAME" ]]; the
# *********** Set URL session store ********************* # *********** Set URL session store *********************
echo "[HELK-KIBANA-DOCKER-INSTALLATION-INFO] Setting URL session store" echo "[HELK-KIBANA-DOCKER-INSTALLATION-INFO] Setting URL session store"
curl -u $KIBANA_USER:$KIBANA_PASSWORD -X POST "$KIBANA_URL/api/kibana/settings" -H 'Content-Type: application/json' -H 'kbn-xsrf: true' -d" curl -u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD -X POST "$KIBANA_URL/api/kibana/settings" -H 'Content-Type: application/json' -H 'kbn-xsrf: true' -d"
{ {
\"changes\":{ \"changes\":{
\"state:storeInSessionStorage\": true \"state:storeInSessionStorage\": true
@ -71,7 +71,7 @@ if [[ -n "$ELASTICSEARCH_PASSWORD" ]] && [[ -n "$ELASTICSEARCH_USERNAME" ]]; the
for file in ${DIR}/*.json for file in ${DIR}/*.json
do do
echo "[++++++] Loading dashboard file ${file}" echo "[++++++] Loading dashboard file ${file}"
until curl -u $KIBANA_USER:$KIBANA_PASSWORD -X POST "$KIBANA_URL/api/kibana/dashboards/import" -H 'kbn-xsrf: true' \ until curl -u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD -X POST "$KIBANA_URL/api/kibana/dashboards/import" -H 'kbn-xsrf: true' \
-H 'Content-type:application/json' -d @${file} -H 'Content-type:application/json' -d @${file}
do do
sleep 1 sleep 1
@ -80,7 +80,7 @@ if [[ -n "$ELASTICSEARCH_PASSWORD" ]] && [[ -n "$ELASTICSEARCH_USERNAME" ]]; the
# *********** Creating HELK User ********************* # *********** Creating HELK User *********************
echo "[HELK-KIBANA-DOCKER-INSTALLATION-INFO] Setting HELK's user password to $KIBANA_UI_PASSWORD" echo "[HELK-KIBANA-DOCKER-INSTALLATION-INFO] Setting HELK's user password to $KIBANA_UI_PASSWORD"
curl -u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD -X POST "$ELASTICSEARCH_URL/_xpack/security/user/helk" -H 'Content-Type: application/json' -d" curl -u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD -X POST "$ELASTICSEARCH_HOSTS/_security/user/helk" -H 'Content-Type: application/json' -d"
{ {
\"password\" : \"$KIBANA_UI_PASSWORD\", \"password\" : \"$KIBANA_UI_PASSWORD\",
\"roles\" : [ \"superuser\" ], \"roles\" : [ \"superuser\" ],
@ -90,7 +90,7 @@ if [[ -n "$ELASTICSEARCH_PASSWORD" ]] && [[ -n "$ELASTICSEARCH_USERNAME" ]]; the
" "
# *********** Create Roles ******************* # *********** Create Roles *******************
curl -u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD -X POST "$ELASTICSEARCH_URL/_xpack/security/role/hunters" -H 'Content-Type: application/json' -d' curl -u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD -X POST "$ELASTICSEARCH_HOSTS/_security/role/hunters" -H 'Content-Type: application/json' -d'
{ {
"run_as": [], "run_as": [],
"cluster": [], "cluster": [],
@ -102,7 +102,7 @@ if [[ -n "$ELASTICSEARCH_PASSWORD" ]] && [[ -n "$ELASTICSEARCH_USERNAME" ]]; the
] ]
} }
' '
curl -u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD -X POST "$ELASTICSEARCH_URL/_xpack/security/role/sysmon_hunters" -H 'Content-Type: application/json' -d' curl -u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD -X POST "$ELASTICSEARCH_HOSTS/_xpack/security/role/sysmon_hunters" -H 'Content-Type: application/json' -d'
{ {
"run_as": [], "run_as": [],
"cluster": [], "cluster": [],


@ -1,7 +1,7 @@
{ {
"order": 88, "order": 88,
"index_patterns": [ "logs-endpoint-*" ], "index_patterns": [ "logs-endpoint-*" ],
"version": 2019021801, "version": 2019052901,
"mappings": { "mappings": {
"properties": { "properties": {
"meta_process_command_line_has_non_ascii": { "meta_process_command_line_has_non_ascii": {
@ -12,6 +12,15 @@
}, },
"meta_process_command_line_length": { "meta_process_command_line_length": {
"type": "integer" "type": "integer"
},
"meta_user_name_is_machine": {
"type": "boolean"
},
"meta_user_reporter_name_is_machine": {
"type": "boolean"
},
"meta_user_target_name_is_machine": {
"type": "boolean"
} }
} }
} }


@ -0,0 +1,19 @@
# HELK hostname cleanup conf
# HELK build Stage: Alpha
# Author: Nate Guagenti (@neu5ron)
# License: GPL-3.0
filter {
if [event_id] {
mutate {
lowercase => [
"computer_name",
"dst_host_name",
"src_host_name",
"host_name",
"[winlog][computer_name]"
]
add_field => { "z_logstash_pipeline" => "winevent-hostname-cleanup" }
}
}
}
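Review bot: The header says what the file is but not why the hostname fields are lowercased or why the filter is gated on `[event_id]`, which is the information the next person editing the field list will need. A one-line comment after the license header such as `# Lowercase all Windows hostname fields so the same host correlates regardless of how the shipper cased it; gated on [event_id] so only Windows event log records are touched` would make the intent explicit. It would also help to note which shipper produces `computer_name` versus `[winlog][computer_name]`, so the list can be pruned if one of them stops being used.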


@ -0,0 +1,66 @@
# HELK hostname cleanup conf
# HELK build Stage: Alpha
# Author: Nate Guagenti (@neu5ron)
# License: GPL-3.0
filter {
if [event_id] {
if [user_name] {
if [user_name] =~ "\$$" {
mutate {
add_field => {
"meta_user_name_is_machine" => true
"z_logstash_pipeline" => "winevent-user_name-is-machine-account"
}
}
}
else {
mutate {
add_field => {
"meta_user_name_is_machine" => false
"z_logstash_pipeline" => "winevent-user_name-is-machine-account"
}
}
}
}
if [user_reporter_name] {
if [user_reporter_name] =~ "\$$" {
mutate {
add_field => {
"meta_user_reporter_name_is_machine" => true
"z_logstash_pipeline" => "winevent-user_reporter_name-is-machine-account"
}
}
}
else {
mutate {
add_field => {
"meta_user_reporter_name_is_machine" => false
"z_logstash_pipeline" => "winevent-user_reporter_name-is-machine-account"
}
}
}
}
if [user_target_name] {
if [user_target_name] =~ "\$$" {
mutate {
add_field => {
"meta_user_target_name_is_machine" => true
"z_logstash_pipeline" => "winevent-user_target_name-is-machine-account"
}
}
}
else {
mutate {
add_field => {
"meta_user_target_name_is_machine" => false
"z_logstash_pipeline" => "winevent-user_target_name-is-machine-account"
}
}
}
}
}
}
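Review bot: The header comment `# HELK hostname cleanup conf` is copied from the hostname file and misdescribes this filter, which tags account names ending in `$` as machine accounts; change it to something like `# HELK machine-account detection conf: sets meta_user_*_is_machine from a trailing '$' in the account name`. The detection also deserves a caveat beside the `=~ "\$$"` tests, because a trailing `$` is a naming convention for computer accounts rather than an enforced attribute, so a user account deliberately created with a trailing `$` will be tagged as a machine account and an analyst filtering on `meta_user_name_is_machine:false` would not see it; `# NOTE: heuristic only - a trailing '$' is convention, not proof of a computer account` would state that. The three blocks are identical apart from the field name; if a ruby filter is acceptable in this pipeline a single loop over the three fields would remove the duplication, otherwise the repetition is tolerable as written.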