Commit Graph

48 Commits (a47075594dcea923692825d3c81706409cd5e836)

Author SHA1 Message Date
Roberto Rodriguez 46f3f98446 Sigma to Notebooks Integration
+ Translated every sigma rule to a notebook to query Elasticsearch via Elasticsearch query strings
+ Uploaded all sigma notebooks.
2020-01-11 12:59:39 -05:00
Cyb3rWard0g a81fc35b1a Cleaning Repo
+ Updated README (initial update)
+ Removed unused files and folders
2019-10-02 21:50:28 -04:00
Roberto Rodriguez 931d56729f HELK-07122018
License: GPL-3.0 Update
++ Updated all the local documents
++ Docker images in Dockerhub in progreess

Docker-Compose
++ Created two options: basic and trial

ELK Stack Docker Files
++ Created Trial Folders to make sure the configurations are set properly for when the user selects trial version of HELK.
++++ HELK trial = x-pack + trial license + security enabled
++ Deprecating the HELKs Platinum's Branch. Merging that branch with the HELKs master to allow user to select the type of license during the install process.

Jupyter
++ Getting ready for Jupyterhub
++ Created two folders: basic and trial to allow elasticsearch interaciton with username and password hardcoded in the spark session. trial license requires any interaction with elasticsearch to be authenticated.

Kibana
++ Added trial folder with scripts that set up security configs for the trial version of HELK. It creates users and roles to test the security features of x-pack

Logstash
++ Created trial folder with another pipeline folder in it. The pipeline in trial has output configs with elasticsearch's username and password hardcoded. Ready for when the user sets the build with trial license and wants to send logs to elasticsearch. The logstash configs are the same as the ones from the defailt pipeline. They only have username and password configs on all the output configs.

Nginx
++ set trial folder with the right config to allow Kibana handle the authentication process when user builds and installs HELK with a trial license. No need for nginx to handle the authentication.

helk_install bash script
++ Updated script to handle license choice : basic or trial
++ basic license is selected by default. If user selects trial, it runs the specific docker-compose file needed to build and install HELK with the right trial configs.
++ Updated also the CLI options. User now will have to specify the license for HELK. Example: sudo ./helk_install.sh -i 192.168.64.131 -l basic
2018-07-12 00:29:09 -04:00
Roberto Rodriguez 828f0fc599 HELK 6.3.0
HELK Version
+ ELK update tp 6.3.0

Logstash
+ Integrated ATT&CK CTI to the build. Created from https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/integrations/helk_cti
+ Added the mitre_attack file to the build which contains information from Enterprise, PRE and Mobile Matrices
+ Enabled x-pack monitoring (new feature)

Kibana
+ Added Dashboards for the ATT&CK Integration

helk_install script
+ reduced docker-compose build and run steps to one

scripts
+ Added script export_attack.py to export the file used for logstash and kibana.
2018-06-15 13:11:58 -04:00
Roberto Rodriguez c43eaa08e3 HELK 6.2.3 - 032218
Docker-Compose file
+ Updated Image versions
++ helk-elk:6.2.3
++ helk-kafka:1.0.1
++ helk-analytics:0.0.2

HELK-ANALYTICS
+ Upgraded spark to version 2.3.0
++ Check release notes: https://spark.apache.org/releases/spark-release-2-3-0.html
+ Upgraded Jupyter Lab to 0.31.12
+ Downgraded Tornado to version 4.* This is due to an error in dependencies happening in version 5.0 with python 3.
+ Upgraded ES-Hadoop package to version 6.2.3
++ Check release notes:
https://www.elastic.co/guide/en/elasticsearch/hadoop/6.2/eshadoop-6.2.3.html

HELK-ELK
+ Upgraded elastic components to 6.2.3
++ Check elasticsearch release notes:
https://www.elastic.co/guide/en/elasticsearch/reference/6.2/release-notes-6.2.3.html
++ No changes for Kibana
++ Check Logstash release notes:
https://www.elastic.co/guide/en/logstash/6.2/logstash-6-2-3.html
+ Logstash kafka input now adds metadata from kafka. Topic name, etc.
+ Fingerprint plugin in logstash config 09-all-filter.con is applied to only events with the message field.
+ logstash config 11-winevent-sysmon-filter.conf
++ removed field "user". This was causing issues when parsing events with Spark.

HELK-KAFKA
+ Upgraded Kafka to version 2.11-1.0.1
++ Check kafka release notes:
https://www.apache.org/dist/kafka/1.0.1/RELEASE_NOTES.html
+ Removed sleep time for kafka init file
+ updated kafka entrypoint updating version values

HELK helk_install main script
+ Fixed docker & docker-compose installation steps. This fixes issue https://github.com/Cyb3rWard0g/HELK/issues/33

HELK Winlogbeat install script
+ Updated beat version to 6.2.3
2018-03-22 03:32:21 -04:00
Roberto Rodriguez 5859ba3dab HELK 6.2.2 - 030318
helk-analytics
+ Init file and Dockerfile updated with Spark version 2.3.0
+Jupyter Notebook from getting started folder updated
+ New jupyter notebook with graphframes example presented in BSColumbus 2018

helk-elk
+ Added properties to elasticsearch config file to set it as a standalone cluster. (It helps for when elasticsearch is restarted)
+ Updated Dashboards
+ Updated Kibana timeout to 60000
+ Updated Logstas - elasticsearch mapping templates after renaming fields.
+ Updated logstash filters renaming fields keeping a new flat schema. No more nested fields style.

helk-kafka
+ Updated Log retention hours to 2 hours

Resources:
- Created README to share all the blog posts, documentes and presentations that helped me to work on the HELK

Scripts
+ Deprecated most of the scripts used before to install ELK via TAR and DEB. Also deprecated scripts to updated geoip database.
2018-03-03 21:15:35 -05:00
Roberto Rodriguez 063e5835ec HELK 6.2.2 - 022518
HELK Design
+ moved everything to docker-compose approach for a more modular design.
+ separated the HELK in 3 services:
++helk-elk, helk-kafka, helk-analytics
+ Updated Design picture to show WEF ideas and also show Jupyter Lab integrations.

HELK Docker-Compose
+ Added ESDATA volume to keep logs after contaners get stopped
+ Services restart automatically after reboot
+ created blank env file for Kafka service. This allows the host to pass its own local IP to Kafka. This is needed for advertised listener configs on each broker.

HELK-ELK Version
- Updated to 6.2.2

ELasticsearch
- Added local docker network as part of the network.host option. This allows the HELK-ELK service to publish its docker local IP to other services/images in the docker compose environment.

Logstash
+ minimal updates to  certain configs (Mainly renaming files and replacing certain strings)

Kibana
+ enableExternalUrls set to true for Vega visualization that need external libraries.

Spark - Analytics
+ Renamed service to Analytics
+ Integrated Apache Toree to allow Scala kernel in Jupyter
+ Pyspark, Scala and SQL are now available in Jupyter

Jupyter
+ Jupyter LAB has been enabled
2018-02-25 02:59:44 -05:00
Roberto Rodriguez d623246f4c HELK ELK 6.2.0 & New features
Elasticsearch
+ Deleted Docker elasticsearch config file (Duplicate)

Logstash
+ Adjusted Batch size to 300 (Testing)
+ Renamed scripts to follow a standard naming convention
+ Added a fingerprint filter to all logs to help reduce duplicate logs
+ Removed ELK Version strings from all Logstash configs so that I dont have to update every single script every time ELK gets updated.
+ Added Document_id to every logstash output config to take the fingerprint value.

Kibana
+ Renamed Index Patterns to standard naming convention.
+ Added experimental visualization vega setting. Enabling External URLs to use D3 libraries from their repos. This is grayed out in the Kibana config so user will have to enable it.
+ Updated name of index patterns across all visualizations and dashboards.

Kafka
+ Log retention is now 24 hours and not 268 Hours
+ added auto_offset_reset => "earliest" to beats kafka input config

Spark
+ updated es-hadoop version to 6.2.0 and added new spark jar packages: org.apache.spark:spark-sql-kafka-0-10_2.11:2.2.1 & databricks:spark-sklearn:0.2.3
+ Created an init file to run spark and jupyter all together as a service. This will allow us to restart jupyter and pyspark gracefully.

Winlogbeat
+ Updated Winlogbeat config to take PowerShell and Microsoft-Windows-WMI-Activity/Operational logs.

New Features
+ Cerebro
+ Python packages:
-scipy==1.0.0
  scikit-learn==0.19.1
  nltk==3.2.5
  matplotlib==2.1.2
  seaborn==0.8.1
  datasketch==1.2.5
  tensorflow==1.5.0
  keras==2.1.3
  pyflux==0.4.15
  imbalanced-learn==0.3.2
  lime==0.1.1.29

Docker Hub
+ New HELK image available
2018-02-15 03:28:48 -05:00
Lee Christensen 384b2d3f1e
Added wmiactivity 2018-02-07 20:36:57 -05:00
Roberto Rodriguez 644089c35a Updated ES-Hadoop to 6.1.3
+ Updated Spark Defaults config : elasticsearch-hadoop-6.1.3.jar
+ Updated Shell Script & Dockerfile to download elasticsearch-hadoop-6.1.3.zip
2018-02-04 22:59:52 -05:00
Roberto Rodriguez 191275ef18 Contributors & Alpha Versions
+ Added Lee Christensen to contributors list
+ Updated Main install script to reflect Alpha version and latest ELK version (6.1.3)
2018-01-31 18:36:46 -05:00
Roberto Rodriguez 25d4aa5996 HELK - Alpha ELK 6.1.3
+ ELK 6.1.3 version (Jun 30,2018 release)
+ Kafka Integration
-- Bash, DockerFile & Docker Image
+ Replaced ELK DEB Install Packages for TAR packages (Easier deployement and more control)
+ Logstash: JVM Heap 2GB default
+ ELK (Init Files created)
-- More control over service start
+ Left Linux DEB install bash script (deprecating it in next release)
+ ELK .yml files are not available to adjust deployment in an easier way.
+ Fixed Docker Run environment parameters to be call before pointing to the HELK image.
+ Edited every single file to have the right headers:
-- ELK version 6.1.3
-- Aplha Version
2018-01-31 17:52:50 -05:00
Roberto Rodriguez 4f2bbfbc21 Added Official Docker install script
-Using Official Docker install script known as convenience script
- Saved a copy of the convenience script (Edge version) locally just in case (Script needs to be modified if it is intended to use in production.
2018-01-11 12:14:50 -05:00
Roberto Rodriguez 6bc8585fd8 Updating HELK after latest PR 2018-01-10 23:48:49 -05:00
Roberto Rodriguez 5626d4af42 Arranged folders, updated bash script & README
-Moved spark folder out of enrichments to root.
- Removed ipython & inotebook deb packages. Jupyter is installed via PIP only.
- Added new contributor to README
2018-01-10 23:46:38 -05:00
esebese 7b4cdd1777
Update helk_linux_deb_install.sh
While installing the HELK from local bash script, process did not go further in "Creating Kibana index-patterns, dashboards and visualizations automatically.." step. After some debugging, the problem detected in helk_kibana_setup.sh script which uses "curl". "curl" is not installed by default in 16.04.2 Ubuntu. As a conclusion, installation of "curl" was added to this script.
2018-01-10 20:09:46 +03:00
Roberto Rodriguez f55cf1d749 HELK_UpdatedBeta_Version
- Added Jupyter Notebook example
- Created Install Script with Menu options
- Bashscript, Docker & Pull Docker image is now stable
2018-01-08 16:32:13 -05:00
Roberto Rodriguez 49485a58f4 HELK_BetaVersion
Updated HELK beta version with Spark, GraphFrames and Jupyter Notebook capabilities
2018-01-06 16:46:20 -05:00
Roberto Rodriguez 7c1fe57477 Updated Template Name & Install script
- stop restarting logstash service in the install script
2017-12-21 23:24:51 -05:00
Roberto Rodriguez 75c48e14af Updated index pattern & install script
- kibana index patter creation script needed an update
- install script updated to be executed without sh
- updated sysmon template name to match sysmon logstash sysmon output config
2017-12-21 21:32:48 -05:00
Roberto Rodriguez 9a313bf6f3 Updated script headers & Kibana index creation script
- Forgot to save changes to a few logstash confs
- Forgot to save changes to kibana index creation script
2017-12-20 15:04:07 -05:00
Roberto Rodriguez 3178c85172 Updated scripts, Logstash confs, elasticsearch conf & created sysmon template
- Logstash
-- Cleaned output configurations
-- Created Sysmon teamplte
-- Added sysmon template to sysmon elasticsearch output
-- Removed sniffing = True from every elasticsearch output
- Scripts
-- Updated Install config
-- Added creation of Kibana index patterns to install script
-- Added headers to every script but posh script
-- renamed scripts to keep naming standard helk-*
2017-12-20 14:55:57 -05:00
Roberto Rodriguez 4df8d41913 Added geoip filter & updated install script
- Intel files path was updated
- Updated cronjob command line
2017-12-17 23:32:52 -05:00
Roberto Rodriguez 9131cae55d Updated HELK Install & Sysmon Logstash config
- Removed neo4j install (replacing it with something that could scale)
- Added creation of folder /op/helk and cron job in helk_install script
- updated sysmon logstash script to grap intelligence from the new path /opt/helk/otx
2017-12-17 17:47:33 -05:00
Roberto Rodriguez ed5665926d Update OTX script to pull last 30 days 2017-12-17 17:03:20 -05:00
Roberto Rodriguez 04695170b2 Merge remote-tracking branch 'origin/master' into develop 2017-12-17 15:51:28 -05:00
Roberto Rodriguez 845895ccca Updated INTEL files and Install script 2017-12-17 15:44:43 -05:00
Roberto Rodriguez 46ab102c5f Updated Intel files and OTX script for UpperCase Hashes
Hashes in Sysmon have strings in Uppercase.
- updated OTX script
- updated OTX intel files
2017-12-06 03:19:02 -08:00
Roberto Rodriguez 61c4a6266e Updated Helk Install and OTX script 2017-12-06 01:25:03 -08:00
Roberto Rodriguez 9e9c3679e9 Added OTX Intel Script
- Script creates a csv dictionary with MD5, SHA1, SHA256, IMPHASH, IPs as Keys to be used as INTEL for the HELK
- Script grabs intel from OTX
2017-12-06 00:26:02 -08:00
Roberto Rodriguez 979310193b
Create start-winlogbeat.ps1
first draft
2017-12-04 12:14:12 -08:00
Roberto Rodriguez bda7ab415a updated Readme, created enrichments folder, and organized logstash configs 2017-08-12 00:50:56 -04:00
Roberto Rodriguez 2104b840af updated docker files 2017-08-11 23:05:38 -04:00
Roberto Rodriguez 19830e775e deleted docker test files 2017-08-11 22:47:59 -04:00
Roberto Rodriguez 9f226b5841 Updated dockerfile 2017-08-11 14:30:14 -04:00
Roberto Rodriguez d773477016 Update helk_install.sh 2017-08-11 01:53:10 -04:00
Roberto Rodriguez 1e997a10d3 renamed helk_docker_start script 2017-08-11 01:07:33 -04:00
Roberto Rodriguez cbcd857959 Developed new Dockerfile for HELK ACE version 2017-08-11 01:03:30 -04:00
Roberto Rodriguez 5f11b10f56 organized/updated scripts and files 2017-08-09 21:12:40 -04:00
Roberto Rodriguez 7486cd94f7 updated Logstash install script with powershell filter 2017-07-03 16:32:00 -04:00
root b4b46ddeb1 updated scripts & docker-compose to integrate stable nginx config 2017-06-08 00:54:25 -04:00
Roberto Rodriguez 81219b8e31 adding permissions to bash scripts 2017-06-06 17:32:39 -04:00
Roberto Rodriguez 5e1cfaaa5a bash scripts and docker-compose update 2017-06-06 17:30:52 -04:00
Roberto Rodriguez 4d75c151ac Update helk_install.sh 2017-06-06 11:39:58 -04:00
Roberto Rodriguez 913ff92d2c Update helk_install.sh
added LOGFILE
2017-06-06 11:08:53 -04:00
Roberto Rodriguez 5f26a0e0b4 Update helk_install.sh
Starting ELK Stack services automatically and naming the default admin user "helkadmin"
2017-05-26 01:47:15 -04:00
Roberto Rodriguez 17d7209975 Initial installation script for BETA build & config files 2017-05-26 01:22:24 -04:00
Roberto Rodriguez f86d2b68ab created scripts folder and copied update_geoipdb.sh script to it 2017-03-17 00:00:38 -04:00