Nate Guagenti
37da1251ff
authoring-correction
2019-09-09 01:08:56 -04:00
Nate Guagenti
8b544b5508
Merge pull request #323 from Cyb3rWard0g/temp-sigma-fixes
temprorary-hotfix20190401
2019-09-04 12:07:51 -04:00
Nate Guagenti
6b366c8f95
temprorary-hotfix20190401
- correctly sets query for rules not matching an index pattern
- fix Process typo
- correction
- dst_is_ipv6 isn't used anymore and sysmon DestinationIsIpv6 is kept
2019-09-04 12:03:00 -04:00
cyb3rward0g
10190018f5
Hotfix Jupyter
https://github.com/Cyb3rWard0g/HELK/issues/315
2019-08-25 13:39:42 -04:00
cyb3rward0g
9b817f9260
Update helk_remove_containers.sh
removing specific images.
2019-08-24 06:51:47 -04:00
cyb3rward0g
3a9b3a0718
Hot Fix 20190824
Fix https://github.com/Cyb3rWard0g/HELK/issues/316
2019-08-24 06:41:26 -04:00
Nate Guagenti
5e1a3eb53e
hotfix-2019-08-20 v001
typo ip type and rfc
2019-08-20 14:06:35 -04:00
Roberto Rodriguez
ad834bd778
Merge pull request #308 from Cyb3rWard0g/pipelining
Fix #186 and Fix #271
2019-08-14 12:01:33 -04:00
Roberto Rodriguez
18b9b08c0f
Merge pull request #288 from freeload101/patch-1
Update helk_install.sh
2019-07-10 11:59:16 -04:00
Roberto Rodriguez
4242672c4a
Merge pull request #299 from itsnotapt/sysmon_10_changes
[Feature Request] Added Sysmon 10 new fields and DNSEvent type.
2019-07-10 11:58:12 -04:00
itsnotapt
5466908ba4
DnsQuery not DnsEvent
2019-07-10 12:55:39 +01:00
Carl Rutherford
04fcc6f118
Added Sysmon 10 new fields and DNSEvent type.
2019-07-10 11:45:48 +01:00
Roberto Rodriguez
d10231195d
Jupyter Updates
+ Updated notebooks connection to ES
+ Updated Jupyter Image
2019-07-07 19:58:44 -04:00
Roberto Rodriguez
a177a8b165
Update helk_install.sh
fix https://github.com/Cyb3rWard0g/HELK/issues/298
2019-07-07 16:57:49 -04:00
neu5ron
8088efa28b
track & install latest docker compose. #186
2019-07-07 00:41:30 -04:00
neu5ron
2cdc233a27
process_granted_access as decimal. fixes #271
2019-07-06 21:17:32 -04:00
neu5ron
e463c7d554
track & install latest docker compose. fixed #186
2019-07-06 21:16:30 -04:00
Roberto Rodriguez
0da53d1626
Merge pull request #292 from Cyb3rWard0g/pipelining
pipeline fixes and enhancements
2019-06-24 11:12:51 -04:00
neu5ron
e23f8ee6b6
mapping for process_target_id. fixes #290
2019-06-23 22:30:06 -04:00
neu5ron
dc7634f454
make the field for sysmon_version a float with sub field of keyword
2019-06-23 22:29:12 -04:00
neu5ron
9a2812fa43
ScheduledTask user normalization and task name change addition; think this got missed somehow, thinking we had it done in the scheduled task XML field parser from 2512
2019-06-23 22:21:19 -04:00
neu5ron
74b7a8b2db
clean "blank" AuthenticationPackageName and PackageName fields
2019-06-23 22:18:01 -04:00
neu5ron
8ff875f070
fix for winlogbeat param field conflicts.
2019-06-23 22:10:43 -04:00
operat0r
753581bac8
Update helk_install.sh
Also found a bug in this script but can't sort out what the hell this awk line is doing?
AVAILABLE_DOCKER_DISK=$(df -m $(docker info --format '{{.DockerRootDir}}') | awk '$1 ~ /\//{printf "%.f", $4 / 1024}')
it needs to pull 999999 when overlay is mounted but still work with /dev/sda etc
overlay 4444444 4444444 999999 9% /
2019-06-18 13:29:35 -04:00
Roberto Rodriguez
7f9c11eb3d
Merge pull request #286 from Cyb3rWard0g/dev
Update kibana-entrypoint.sh
2019-06-15 14:24:40 -04:00
Roberto Rodriguez
e10601a424
Update kibana-entrypoint.sh
Removed ES call timeout in Kibana entrypoint
2019-06-15 14:24:11 -04:00
Roberto Rodriguez
591186ce6e
Merge pull request #285 from Cyb3rWard0g/dev
Update kibana-entrypoint.sh
2019-06-14 10:56:19 -04:00
Roberto Rodriguez
690db58c46
Update kibana-entrypoint.sh
2019-06-14 10:55:26 -04:00
Roberto Rodriguez
7bd459ad98
Merge pull request #284 from Cyb3rWard0g/pipelining
scheduled task and PS
2019-06-13 14:53:13 -04:00
neu5ron
7bd0ee7ee2
Merge branch 'master' of https://github.com/Cyb3rWard0g/HELK into pipelining
2019-06-13 14:42:24 -04:00
neu5ron
f58f75300c
better whitespace support
2019-06-13 14:42:04 -04:00
neu5ron
349fec620f
fixes original field naming issue for xml parsing scheduled task. also, better whitespace support
2019-06-13 14:39:27 -04:00
Roberto Rodriguez
1cb4265895
Merge pull request #280 from Cyb3rWard0g/dev
Logstash Pipeline and ES Memory
2019-06-10 22:56:33 -04:00
Roberto Rodriguez
3cdd2449ca
Logstash Pipeline and ES Memory
Logstash:
fix https://github.com/Cyb3rWard0g/HELK/issues/278
fix https://github.com/Cyb3rWard0g/HELK/issues/277
fix https://github.com/Cyb3rWard0g/HELK/issues/274
fix https://github.com/Cyb3rWard0g/HELK/issues/273
Elasticsearch:
fix https://github.com/Cyb3rWard0g/HELK/issues/275
2019-06-10 22:55:24 -04:00
Roberto Rodriguez
9f6720de01
Merge pull request #279 from Cyb3rWard0g/dev
Update elasticsearch-entrypoint.sh
2019-06-10 21:24:56 -04:00
Roberto Rodriguez
a9d8e9b7b5
Update elasticsearch-entrypoint.sh
Current Patch for https://github.com/Cyb3rWard0g/HELK/issues/275
2019-06-10 21:23:13 -04:00
neu5ron
46dd3ab7e0
potential fix for scheduled task parse
some products for shipping use \r\n and others use \n...
so using "\s+" should solve this ignorance...
2019-06-07 00:47:17 -04:00
Roberto Rodriguez
c33bcaf6b8
Merge pull request #270 from Cyb3rWard0g/pipelining
typo, fixes script rename to correctly use powershell.script.name now
2019-06-06 22:05:00 -04:00
neu5ron
30803aa69d
typo, fixes script rename to correctly use powershell.script.name now
2019-06-06 18:59:19 -04:00
Roberto Rodriguez
da237d0c66
Merge pull request #268 from Cyb3rWard0g/dev
Elastalert 0.2.4 and rules
2019-06-04 22:35:02 -04:00
Roberto Rodriguez
92732df9ea
Elastalert 0.2.4 and rules
2019-06-04 22:34:39 -04:00
Roberto Rodriguez
5b0ae88b48
Merge pull request #266 from Cyb3rWard0g/pipelining
ES and Logstash Enhancements
2019-06-03 13:51:22 -04:00
neu5ron
44566de1b1
net hash
2019-06-03 03:31:23 -04:00
neu5ron
e81a98a745
add network hash
2019-06-03 03:17:19 -04:00
neu5ron
3f43da4d0a
flipped files
2019-06-03 02:22:55 -04:00
neu5ron
f1d54858af
specific exception tagging
2019-06-03 02:22:42 -04:00
neu5ron
4854af35cc
optimization and programmatic improvement of all IP related fields
2019-06-03 02:08:59 -04:00
neu5ron
3950fee8df
duplicate file; however, keeping the file until we eventually script out deleting files no longer needed
2019-06-03 02:01:58 -04:00
neu5ron
b868381c88
IPv6 does not have its own field anymore; however, keeping the file until we eventually script out deleting files no longer needed
2019-06-03 01:44:14 -04:00
neu5ron
5d88a3b937
create helk group ID, and document consumer threads for scaling
2019-06-03 01:36:13 -04:00