Merge pull request #36 from thomaspatzke/devel-sigma

Sigma integration

README.md

@@ -22,6 +22,7 @@ The project is currently in an alpha stage, which means that the code and the fu
 * **Spark:** A fast and general-purpose cluster computing system. It provides high-level APIs in Java, Scala, Python and R, and an optimized engine that supports general execution graphs.
 * **GraphFrames:** A package for Apache Spark which provides DataFrame-based Graphs.
 * **Jupyter Notebook:** An open-source web application that allows you to create and share documents that contain live code, equations, visualizations and narrative text.
+* **Sigma:** A generic signature format for log events. All Sigma signatures contained in the repository are preloaded into Kibana.
 
 # Resources
 * [Setting up a Pentesting.. I mean, a Threat Hunting Lab - Part 5](https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat_98.html)
@@ -32,6 +33,7 @@ The project is currently in an alpha stage, which means that the code and the fu
 * [Elasticsearch Guide](https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html)
 * [spujadas elk-docker](https://github.com/spujadas/elk-docker)
 * [deviantony docker-elk](https://github.com/deviantony/docker-elk)
+* [Sigma](https://github.com/Neo23x0/sigma)
 
 # Getting Started
 ## WIKI

helk-elk/Dockerfile

@@ -26,7 +26,10 @@ RUN echo "[HELK-DOCKER-INSTALLATION-INFO] Updating Ubuntu base image.." \
   nano \
   python \
   python-pip \
-  unzip
+  python3-pip \
+  unzip \
+  git \
+  jq
 
 RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && \
     locale-gen
@@ -35,6 +38,7 @@ RUN apt-get -qy clean \
 
 # *********** Upgrading PIP ***************
 RUN pip install --upgrade pip
+RUN pip3 install --upgrade pip
 
 # *********** Installing HELK python packages ***************
 RUN pip install \
@@ -43,7 +47,7 @@ RUN pip install \
 
 # *********** Creating the right directories ***************
 #RUN bash -c 'mkdir -pv /opt/helk/{scripts,training,otx,es-hadoop,spark,output_templates,dashboards,kafka,elasticsearch,logstash,kibana,cerebro,ksql}'
-RUN bash -c 'mkdir -pv /opt/helk/{scripts,otx,output_templates,dashboards,elasticsearch,logstash,kibana,cerebro,ksql}'
+RUN bash -c 'mkdir -pv /opt/helk/{scripts,otx,output_templates,dashboards,elasticsearch,logstash,kibana,cerebro,ksql,sigma}'
 
 # *********** Adding HELK scripts and files to Container ***************
 ADD scripts/helk_otx.py /opt/helk/scripts/
@@ -131,6 +135,10 @@ ADD enrichments/otx/ /opt/helk/otx/
 RUN cronjob="0 8 * * 1 python /opt/helk/scripts/helk_otx.py" \
   && echo "$cronjob" | crontab
 
+# *********** Pulling Sigma Git Repository and install Python dependencies *************
+RUN git clone https://github.com/Neo23x0/sigma.git /opt/helk/sigma
+RUN pip3 install -r /opt/helk/sigma/tools/requirements.txt
+
 # *********** Install Cerebro ***************
 ENV CEREBRO_HOME=/opt/helk/cerebro
 ENV CEREBRO_LOGS_PATH=/var/log/cerebro
@@ -141,4 +149,4 @@ ADD cerebro/cerebro-init /etc/init.d/cerebro
 # *********** RUN HELK ***************
 EXPOSE 80 5044 9000 8082
 WORKDIR "/opt/helk/scripts/"
-ENTRYPOINT ["./elk-entrypoint.sh"]
+ENTRYPOINT ["./elk-entrypoint.sh"]

helk-elk/scripts/elk-kibana-setup.sh

@@ -17,6 +17,7 @@ KIBANA="http://localhost:5601"
 TIME_FIELD="@timestamp"
 DEFAULT_INDEX="logs-endpoint-winevent-sysmon-*"
 DIR=/opt/helk/dashboards
+SIGMA_DIR=/opt/helk/sigma
 
 # *********** Setting Index Pattern Array ***************
 declare -a index_patterns=("logs-endpoint-*" "logs-*" "logs-endpoint-winevent-sysmon-*" "logs-endpoint-winevent-security-*" "logs-endpoint-winevent-system-*" "logs-endpoint-winevent-application-*" "logs-endpoint-winevent-wmiactivity-*" "logs-endpoint-winevent-powershell-*")
@@ -46,3 +47,8 @@ do
     -H 'Content-type:application/json' -d @${file} || exit 1
     echo
 done
+
+# *********** Loading Sigma searches ***************
+cd $SIGMA_DIR
+tools/sigmac -t kibana -c tools/config/helk.yml -Ooutput=curl -o import-sigma-to-kibana.sh -r rules/
+. import-sigma-to-kibana.sh