infosecn1nja
/
HELK
mirror of https://github.com/infosecn1nja/HELK.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
336 Commits
4 Branches
12 Tags
262 MiB
Commit Graph

336 Commits (a21575d16e2f57451d8d7e0358ee795ea2c88614)

Author SHA1 Message Date
Roberto Rodriguez 0d7075e3cc Added more images for wiki 
+ Updated Kafka design
+ Added Elasticsearch, Kibana, Logstash & Spark
 2018-02-04 00:14:19 -05:00
Roberto Rodriguez 0df92d3b90 Kafka Images for Wiki 2018-02-01 20:27:11 -05:00
Roberto Rodriguez 3b17da481a Exposed Docker Ports properly 
+ @bsisco via Issue #19 let us know that communication between systems and kafka was not working. I forgot to expose the right ports when running the HELK Docker image after being pulled.
 2018-02-01 13:30:16 -05:00
Roberto Rodriguez 191275ef18 Contributors & Alpha Versions 
+ Added Lee Christensen to contributors list
+ Updated Main install script to reflect Alpha version and latest ELK version (6.1.3)
 2018-01-31 18:36:46 -05:00
Roberto Rodriguez 6928f74242 Spark & Kafka Communication 
Updatd Design to show potential capability to start using Spark and Kafka
 2018-01-31 18:31:46 -05:00
Roberto Rodriguez 25d4aa5996 HELK - Alpha ELK 6.1.3 
+ ELK 6.1.3 version (Jun 30,2018 release)
+ Kafka Integration
-- Bash, DockerFile & Docker Image
+ Replaced ELK DEB Install Packages for TAR packages (Easier deployement and more control)
+ Logstash: JVM Heap 2GB default
+ ELK (Init Files created)
-- More control over service start
+ Left Linux DEB install bash script (deprecating it in next release)
+ ELK .yml files are not available to adjust deployment in an easier way.
+ Fixed Docker Run environment parameters to be call before pointing to the HELK image.
+ Edited every single file to have the right headers:
-- ELK version 6.1.3
-- Aplha Version
 2018-01-31 17:52:50 -05:00
Roberto Rodriguez 5c5ffafd80 Updated Sysmon user fields for consistency 
- Sysmon user (domain, sid, name) were not consistent with security logs.
 2018-01-16 21:10:42 -05:00
Roberto Rodriguez 8cbda80112
Merge pull request #14 from jaredcatkinson/master 
Cropped that for you ;-)
 2018-01-15 22:24:26 -05:00
Jared Atkinson 7c01703f0b Cropped that for you ;-) 2018-01-16 04:17:28 +01:00
Roberto Rodriguez 41c70f29ce Merge branch 'master' of https://github.com/Cyb3rWard0g/HELK 2018-01-15 20:47:32 -05:00
Roberto Rodriguez 4ef706c5a6 Updated HELK Design 2018-01-15 20:42:57 -05:00
Roberto Rodriguez 56550d0c69
Update README.md 2018-01-15 20:11:13 -05:00
Roberto Rodriguez 15939ffc96 Updated HELK's Design & README 
- Added ES-Hadoop connector to Design to show how Spark interacts with Elasticsearch
- Updated README to-do list to add Kafka to the build
 2018-01-15 20:07:44 -05:00
Roberto Rodriguez 13995a4d66 Fixed curl installation 2018-01-11 16:16:23 -05:00
Roberto Rodriguez c91d80a073 Updated README 
Ubuntu Xenial specifically for the bash script build.
 2018-01-11 14:10:28 -05:00
Roberto Rodriguez 4f2bbfbc21 Added Official Docker install script 
-Using Official Docker install script known as convenience script
- Saved a copy of the convenience script (Edge version) locally just in case (Script needs to be modified if it is intended to use in production.
 2018-01-11 12:14:50 -05:00
Roberto Rodriguez 6bc8585fd8 Updating HELK after latest PR 2018-01-10 23:48:49 -05:00
Roberto Rodriguez 5626d4af42 Arranged folders, updated bash script & README 
-Moved spark folder out of enrichments to root.
- Removed ipython & inotebook deb packages. Jupyter is installed via PIP only.
- Added new contributor to README
 2018-01-10 23:46:38 -05:00
Roberto Rodriguez 7cf39f1c0d
Merge pull request #9 from esebese/patch-1 
Update helk_linux_deb_install.sh
 2018-01-10 12:22:24 -05:00
esebese 7b4cdd1777
Update helk_linux_deb_install.sh 
While installing the HELK from local bash script, process did not go further in "Creating Kibana index-patterns, dashboards and visualizations automatically.." step. After some debugging, the problem detected in helk_kibana_setup.sh script which uses "curl". "curl" is not installed by default in 16.04.2 Ubuntu. As a conclusion, installation of "curl" was added to this script.
 2018-01-10 20:09:46 +03:00
Roberto Rodriguez aaf2a531e9
Updated README 
Feedback taken.
Changed Learn to Enable
 2018-01-08 18:26:44 -05:00
Roberto Rodriguez 57b3dbe6e5 Fixed README 
Mispelled image path
 2018-01-08 18:22:29 -05:00
Roberto Rodriguez 8cd6dbb15b Updated README & Added Images 
Added Dashboard and Discovery images
Updated To-Do List
 2018-01-08 18:20:50 -05:00
Roberto Rodriguez 0f9d529993
Add files via upload 2018-01-08 17:59:08 -05:00
Roberto Rodriguez 0a80cfbf80
Updated README 2018-01-08 17:58:42 -05:00
Roberto Rodriguez ad9690a5d1 Merge branch 'master' of https://github.com/Cyb3rWard0g/HELK 2018-01-08 16:32:20 -05:00
Roberto Rodriguez f55cf1d749 HELK_UpdatedBeta_Version 
- Added Jupyter Notebook example
- Created Install Script with Menu options
- Bashscript, Docker & Pull Docker image is now stable
 2018-01-08 16:32:13 -05:00
Roberto Rodriguez 463297dc96
Updated Readme 2018-01-06 17:14:43 -05:00
Roberto Rodriguez ec597f700d
HELK_Stack 
README Main Image
 2018-01-06 16:49:42 -05:00
Roberto Rodriguez 49485a58f4 HELK_BetaVersion 
Updated HELK beta version with Spark, GraphFrames and Jupyter Notebook capabilities
 2018-01-06 16:46:20 -05:00
Roberto Rodriguez 7c1fe57477 Updated Template Name & Install script 
- stop restarting logstash service in the install script
 2017-12-21 23:24:51 -05:00
Roberto Rodriguez 75c48e14af Updated index pattern & install script 
- kibana index patter creation script needed an update
- install script updated to be executed without sh
- updated sysmon template name to match sysmon logstash sysmon output config
 2017-12-21 21:32:48 -05:00
Roberto Rodriguez 9a313bf6f3 Updated script headers & Kibana index creation script 
- Forgot to save changes to a few logstash confs
- Forgot to save changes to kibana index creation script
 2017-12-20 15:04:07 -05:00
Roberto Rodriguez 3178c85172 Updated scripts, Logstash confs, elasticsearch conf & created sysmon template 
- Logstash
-- Cleaned output configurations
-- Created Sysmon teamplte
-- Added sysmon template to sysmon elasticsearch output
-- Removed sniffing = True from every elasticsearch output
- Scripts
-- Updated Install config
-- Added creation of Kibana index patterns to install script
-- Added headers to every script but posh script
-- renamed scripts to keep naming standard helk-*
 2017-12-20 14:55:57 -05:00
Roberto Rodriguez e5f4d646fd Updated Posh filter 
Removed param3 field from EID 400 and 600
 2017-12-19 01:28:31 -05:00
Roberto Rodriguez e2be226b94 split logstash output & updated posh filter 
- Updated PowerShell Filter and output to also parse 400 and 600
- Split winlogbeat output to show new indices
-- sysmon
-- application
-- system
-- security
-- powershell
 2017-12-19 01:25:49 -05:00
Roberto Rodriguez 4df8d41913 Added geoip filter & updated install script 
- Intel files path was updated
- Updated cronjob command line
 2017-12-17 23:32:52 -05:00
Roberto Rodriguez 9131cae55d Updated HELK Install & Sysmon Logstash config 
- Removed neo4j install (replacing it with something that could scale)
- Added creation of folder /op/helk and cron job in helk_install script
- updated sysmon logstash script to grap intelligence from the new path /opt/helk/otx
 2017-12-17 17:47:33 -05:00
Roberto Rodriguez ed5665926d Update OTX script to pull last 30 days 2017-12-17 17:03:20 -05:00
Roberto Rodriguez 04695170b2 Merge remote-tracking branch 'origin/master' into develop 2017-12-17 15:51:28 -05:00
Roberto Rodriguez 845895ccca Updated INTEL files and Install script 2017-12-17 15:44:43 -05:00
Roberto Rodriguez 46ab102c5f Updated Intel files and OTX script for UpperCase Hashes 
Hashes in Sysmon have strings in Uppercase.
- updated OTX script
- updated OTX intel files
 2017-12-06 03:19:02 -08:00
Roberto Rodriguez 4a2d1a1cb5 uploaded OTX intel 2017-12-06 01:30:29 -08:00
Roberto Rodriguez 61c4a6266e Updated Helk Install and OTX script 2017-12-06 01:25:03 -08:00
Roberto Rodriguez 9e9c3679e9 Added OTX Intel Script 
- Script creates a csv dictionary with MD5, SHA1, SHA256, IMPHASH, IPs as Keys to be used as INTEL for the HELK
- Script grabs intel from OTX
 2017-12-06 00:26:02 -08:00
Roberto Rodriguez e36f6db4e9 Logstash sysmon config working 
- rearranged the sysmon logstash configuration and fixed syntax issues
- deleted separate configs per log names
- got it back to a few logstash configs only for now
 2017-12-05 20:15:21 -08:00
Roberto Rodriguez 8858c58e06 split output configs 
- testing output configs to separate winlogbeat input and create separate indexes
 2017-12-04 19:31:41 -08:00
Roberto Rodriguez bc532eda83 Updated LogName filed to Channel 
- Changed field from Log_name to Channel since thats the one from the raw xml
- updated input config to not create extra lines
 2017-12-04 18:25:20 -08:00
Roberto Rodriguez 875219ebcf Testing new logstash configs 2017-12-04 18:07:44 -08:00
Roberto Rodriguez 979310193b
Create start-winlogbeat.ps1 
first draft
 2017-12-04 12:14:12 -08:00