Commit Graph

173 Commits (4dce1883a2dd75a8b7d1238de30076702943b75e)

Author SHA1 Message Date
Roberto Rodriguez 13995a4d66 Fixed curl installation 2018-01-11 16:16:23 -05:00
Roberto Rodriguez c91d80a073 Updated README
Ubuntu Xenial specifically for the bash script build.
2018-01-11 14:10:28 -05:00
Roberto Rodriguez 4f2bbfbc21 Added Official Docker install script
- Using Official Docker install script known as convenience script
- Saved a copy of the convenience script (Edge version) locally just in case (Script needs to be modified if it is intended to be used in production.)
2018-01-11 12:14:50 -05:00
Roberto Rodriguez 6bc8585fd8 Updating HELK after latest PR 2018-01-10 23:48:49 -05:00
Roberto Rodriguez 5626d4af42 Arranged folders, updated bash script & README
- Moved spark folder out of enrichments to root.
- Removed ipython & inotebook deb packages. Jupyter is installed via PIP only.
- Added new contributor to README
2018-01-10 23:46:38 -05:00
Roberto Rodriguez 7cf39f1c0d
Merge pull request #9 from esebese/patch-1
Update helk_linux_deb_install.sh
2018-01-10 12:22:24 -05:00
esebese 7b4cdd1777
Update helk_linux_deb_install.sh
While installing the HELK from the local bash script, the process did not go further than the "Creating Kibana index-patterns, dashboards and visualizations automatically.." step. After some debugging, the problem was detected in the helk_kibana_setup.sh script, which uses "curl". "curl" is not installed by default in Ubuntu 16.04.2. As a conclusion, installation of "curl" was added to this script.
2018-01-10 20:09:46 +03:00
Roberto Rodriguez aaf2a531e9
Updated README
Feedback taken.
Changed Learn to Enable
2018-01-08 18:26:44 -05:00
Roberto Rodriguez 57b3dbe6e5 Fixed README
Misspelled image path
2018-01-08 18:22:29 -05:00
Roberto Rodriguez 8cd6dbb15b Updated README & Added Images
Added Dashboard and Discovery images
Updated To-Do List
2018-01-08 18:20:50 -05:00
Roberto Rodriguez 0f9d529993
Add files via upload 2018-01-08 17:59:08 -05:00
Roberto Rodriguez 0a80cfbf80
Updated README 2018-01-08 17:58:42 -05:00
Roberto Rodriguez ad9690a5d1 Merge branch 'master' of https://github.com/Cyb3rWard0g/HELK 2018-01-08 16:32:20 -05:00
Roberto Rodriguez f55cf1d749 HELK_UpdatedBeta_Version
- Added Jupyter Notebook example
- Created Install Script with Menu options
- Bashscript, Docker & Pull Docker image is now stable
2018-01-08 16:32:13 -05:00
Roberto Rodriguez 463297dc96
Updated Readme 2018-01-06 17:14:43 -05:00
Roberto Rodriguez ec597f700d
HELK_Stack
README Main Image
2018-01-06 16:49:42 -05:00
Roberto Rodriguez 49485a58f4 HELK_BetaVersion
Updated HELK beta version with Spark, GraphFrames and Jupyter Notebook capabilities
2018-01-06 16:46:20 -05:00
Roberto Rodriguez 7c1fe57477 Updated Template Name & Install script
- stop restarting logstash service in the install script
2017-12-21 23:24:51 -05:00
Roberto Rodriguez 75c48e14af Updated index pattern & install script
- kibana index pattern creation script needed an update
- install script updated to be executed without sh
- updated sysmon template name to match sysmon logstash sysmon output config
2017-12-21 21:32:48 -05:00
Roberto Rodriguez 9a313bf6f3 Updated script headers & Kibana index creation script
- Forgot to save changes to a few logstash confs
- Forgot to save changes to kibana index creation script
2017-12-20 15:04:07 -05:00
Roberto Rodriguez 3178c85172 Updated scripts, Logstash confs, elasticsearch conf & created sysmon template
- Logstash
-- Cleaned output configurations
-- Created Sysmon template
-- Added sysmon template to sysmon elasticsearch output
-- Removed sniffing = True from every elasticsearch output
- Scripts
-- Updated Install config
-- Added creation of Kibana index patterns to install script
-- Added headers to every script but posh script
-- renamed scripts to keep naming standard helk-*
2017-12-20 14:55:57 -05:00
Roberto Rodriguez e5f4d646fd Updated Posh filter
Removed param3 field from EID 400 and 600
2017-12-19 01:28:31 -05:00
Roberto Rodriguez e2be226b94 split logstash output & updated posh filter
- Updated PowerShell Filter and output to also parse 400 and 600
- Split winlogbeat output to show new indices
-- sysmon
-- application
-- system
-- security
-- powershell
2017-12-19 01:25:49 -05:00
Roberto Rodriguez 4df8d41913 Added geoip filter & updated install script
- Intel files path was updated
- Updated cronjob command line
2017-12-17 23:32:52 -05:00
Roberto Rodriguez 9131cae55d Updated HELK Install & Sysmon Logstash config
- Removed neo4j install (replacing it with something that could scale)
- Added creation of folder /op/helk and cron job in helk_install script
- updated sysmon logstash script to grab intelligence from the new path /opt/helk/otx
2017-12-17 17:47:33 -05:00
Roberto Rodriguez ed5665926d Update OTX script to pull last 30 days 2017-12-17 17:03:20 -05:00
Roberto Rodriguez 04695170b2 Merge remote-tracking branch 'origin/master' into develop 2017-12-17 15:51:28 -05:00
Roberto Rodriguez 845895ccca Updated INTEL files and Install script 2017-12-17 15:44:43 -05:00
Roberto Rodriguez 46ab102c5f Updated Intel files and OTX script for UpperCase Hashes
Hashes in Sysmon have strings in Uppercase.
- updated OTX script
- updated OTX intel files
2017-12-06 03:19:02 -08:00
Roberto Rodriguez 4a2d1a1cb5 uploaded OTX intel 2017-12-06 01:30:29 -08:00
Roberto Rodriguez 61c4a6266e Updated Helk Install and OTX script 2017-12-06 01:25:03 -08:00
Roberto Rodriguez 9e9c3679e9 Added OTX Intel Script
- Script creates a csv dictionary with MD5, SHA1, SHA256, IMPHASH, IPs as Keys to be used as INTEL for the HELK
- Script grabs intel from OTX
2017-12-06 00:26:02 -08:00
Roberto Rodriguez e36f6db4e9 Logstash sysmon config working
- rearranged the sysmon logstash configuration and fixed syntax issues
- deleted separate configs per log names
- got it back to a few logstash configs only for now
2017-12-05 20:15:21 -08:00
Roberto Rodriguez 8858c58e06 split output configs
- testing output configs to separate winlogbeat input and create separate indexes
2017-12-04 19:31:41 -08:00
Roberto Rodriguez bc532eda83 Updated LogName field to Channel
- Changed field from Log_name to Channel since that's the one from the raw xml
- updated input config to not create extra lines
2017-12-04 18:25:20 -08:00
Roberto Rodriguez 875219ebcf Testing new logstash configs 2017-12-04 18:07:44 -08:00
Roberto Rodriguez 979310193b
Create start-winlogbeat.ps1
first draft
2017-12-04 12:14:12 -08:00
Roberto Rodriguez 866818abae Merge pull request #4 from robwinchester3/master
Fixed typo
2017-09-07 20:01:38 -04:00
Robby Winchester fcf65bc049 fixed typo
fixed typo in esdata volume
2017-09-07 16:57:57 -07:00
Roberto Rodriguez adfa6d9c85 Merge pull request #3 from robwinchester3/master
Update ACE enrichment and add docker volumes
2017-09-07 19:25:48 -04:00
Robby Winchester 19a5e46576 Update ACE enrichment and add docker volumes
Added docker volume for elasticsearch data to persist
Added documentation for increasing memory of elasticsearch
Updated ACE logstash input for durable queue
2017-09-07 16:21:12 -07:00
Roberto Rodriguez 439c015f57 Removed DC IP to work on any env 2017-08-26 11:01:47 -04:00
Roberto Rodriguez d6980ad919 deleted copies of html and json files 2017-08-25 15:24:47 -04:00
Roberto Rodriguez b118d0bc3e Ready Workshop 2017-08-24 14:38:06 -04:00
Roberto Rodriguez be30d96802 Ready Workshop 2017-08-24 14:31:57 -04:00
Roberto Rodriguez 0e3ce3d240 Uploaded Data Science folder for training purposes 2017-08-23 00:36:52 -04:00
Roberto Rodriguez 1453b3fea0 updated logstash output to try two hosts 2017-08-12 01:29:45 -04:00
Roberto Rodriguez bda7ab415a updated Readme, created enrichments folder, and organized logstash configs 2017-08-12 00:50:56 -04:00
Roberto Rodriguez a2c4a68862 Update 03-ace-rabbitmq-input.conf 2017-08-11 23:48:13 -04:00
Roberto Rodriguez e1c984c159 Update README.md 2017-08-11 23:24:06 -04:00