Commit Graph

315 Commits (c18aac2f5136cf86e906ca67f89c673e5895e54e)

Author SHA1 Message Date
Roberto Rodriguez 32236b729e Updated Jupyter Password Strings
Password in the output message after starting HELK was wrong. It had an extra character.
2018-08-04 16:26:07 -07:00
Roberto Rodriguez 634e24e3aa HELK v0.1.3-alpha08032018
All
+ Moved all to docker folder. Getting ready to start sharing other ways to deploy helk (terraform & Packer maybe)

Compose-files
+ Basic & Trial Elastic Subscriptions available now and can be automatically managed via the helk_install script

ELK Version : 6.3.2

Elasticsearch
+ Set 4GB for ES_JAVA_OPTS by default allowing the modification of it via docker-compose and calculating half of the host memory if it is not set
+ Added Entrypoint script and using docker-entrypoint to start ES

Logstash
+ Big Pipeline Update by Nate Guagenti (@neu5ron)
++better cli & file name searching
++"dst_ip_public:true" filter out all rfc1918/non-routable
</grgr_replace>
<gr_replace lines="30" cat="reformat" orig="++removing">
++removing "-" values and MORE!!!
++Geo ASName
++Identification of 16+ windows IP fields
++Arrayed IPs support
++IPv6&IPv4 differentiation
++removing “-“ values and MORE!!!
++ THANK YOU SO MUCH NATE!!!
++ PR: https://github.com/Cyb3rWard0g/HELK/pull/93
+ Added entrypoint script to push new output_templates straight to Elasticsearch per Nate's recommendation
+ Starting Logstash now with docker-entrypoint
+ "event_data" is now taken out of winlogbeat logs to allow integration with nxlog (sauce added by Nate Guagenti (@neu5ron))

Kibana
+ Kibana yml file updated to allow a longer time for timeout

Nginx:
+ it handles communications to Kibana and Jupyterhub via port 443 SSL
+ certificate and key get created at build time
+ Nate added several settings to improve the way how nginx operates

Jupyterhub
+ Multiple users and multiple notebooks open at the same time are possible now
+ Jupyterhub now has 3 users hunter1, hunter2, hunter3 and password pattern is <user>P@ssw0rd!
+ Every notebook created is also JupyterLab
+ Updated ES-Hadoop 6.3.2

Kafka Update
+ 1.1.1 Update

Spark Master + Brokers
+ reduce memory for brokers by default to 512m

Resources:
+ Added new images for Wiki
2018-08-03 11:13:25 -07:00
Roberto Rodriguez c7af8e42bc
Merge pull request #93 from neu5ron/master
Logstash refactoring and many logstash additions
2018-08-02 14:30:21 -04:00
Nate Guagenti 3433425e16
Update 9956-attack-output.conf
cleanup of my testing
2018-08-02 14:15:04 -04:00
neutron d5fc2ecd56 match new field names 2018-08-02 14:06:06 -04:00
neutron df133447c1 added optimizations 2018-08-02 14:05:55 -04:00
neutron 42f7e5b2fc hardening and optimization 2018-08-02 14:05:39 -04:00
neutron 9c5183d000 complete refactor 2018-08-02 14:04:42 -04:00
neutron ad48df9793 creating new templates to make more modular in the future.
added ip types
added geo types
added source and destination nat IPs
better command line and process name analyzers
2018-08-02 14:04:23 -04:00
Dev Dua 457a2a579a Minor fix on output 2018-07-12 13:48:13 +05:30
Dev Dua 34bafe51ff Added license option & improved update process 2018-07-12 13:39:10 +05:30
Dev Dua a645e6365a Fixed typo 2018-07-12 11:52:56 +05:30
Dev Dua 4e74ac1102 Merge branch 'master' (commit 931d567) of https://github.com/Cyb3rWard0g/HELK into add-helk-update-script 2018-07-12 11:50:15 +05:30
Roberto Rodriguez 47edded450
Update helk_update.sh
I updated the Available Memory variable
2018-07-12 00:55:53 -04:00
Roberto Rodriguez 931d56729f HELK-07122018
License: GPL-3.0 Update
++ Updated all the local documents
++ Docker images in Dockerhub in progress

Docker-Compose
++ Created two options: basic and trial

ELK Stack Docker Files
++ Created Trial Folders to make sure the configurations are set properly for when the user selects trial version of HELK.
++++ HELK trial = x-pack + trial license + security enabled
++ Deprecating HELK's Platinum branch. Merging that branch with HELK's master to allow user to select the type of license during the install process.

Jupyter
++ Getting ready for Jupyterhub
++ Created two folders: basic and trial to allow elasticsearch interaction with username and password hardcoded in the spark session. Trial license requires any interaction with elasticsearch to be authenticated.

Kibana
++ Added trial folder with scripts that set up security configs for the trial version of HELK. It creates users and roles to test the security features of x-pack

Logstash
++ Created trial folder with another pipeline folder in it. The pipeline in trial has output configs with elasticsearch's username and password hardcoded. Ready for when the user sets the build with trial license and wants to send logs to elasticsearch. The logstash configs are the same as the ones from the default pipeline. They only have username and password configs on all the output configs.

Nginx
++ set trial folder with the right config to allow Kibana to handle the authentication process when user builds and installs HELK with a trial license. No need for nginx to handle the authentication.

helk_install bash script
++ Updated script to handle license choice : basic or trial
++ basic license is selected by default. If user selects trial, it runs the specific docker-compose file needed to build and install HELK with the right trial configs.
++ Updated also the CLI options. User now will have to specify the license for HELK. Example: sudo ./helk_install.sh -i 192.168.64.131 -l basic
2018-07-12 00:29:09 -04:00
Roberto Rodriguez 3694e25b23
Updating License 2018-07-11 20:54:57 -04:00
Dev Dua bd7df68b59 Removed backup and restore of docker-compose.yml (Docker Hub fail-safe) 2018-07-10 12:01:10 +05:30
Roberto Rodriguez 2a09c6ddd5 HELK 07092018
++Added Image property to docker-compose file for ELK images.
++Updated Docker files to remove extra configs that were being already specified in docker-compose file
++ Kibana scripts are now added in the docker-compose file. Move them to /usr/share/kibana/scripts folder in the Kibana container
++Updated ELK config files to follow basic subscription templates (default settings)
++ Updated Winlogbeat template to only point to two Kafka Brokers
2018-07-09 17:08:27 -04:00
Dev Dua bc67befc52 Removed Docker Hub update option 2018-07-09 10:04:59 +05:30
Dev Dua f327b332ee Small change to GitHub update check 2018-07-08 20:47:17 +05:30
Dev Dua c63bee7b55 Merge branch 'master' of https://github.com/Cyb3rWard0g/HELK into add-helk-update-script 2018-07-08 19:54:35 +05:30
Roberto Rodriguez a17d8341bd HELK v0.1.1-alpha07062018
Docker Compose
++ Updated Spark images to 2.3.1

ELK Stack
++ Docker Images updated to 6.3.1

helk-jupyter
++ Preparing Jupyter for Jupyterhub
++ Spark base image now comes with a sparkuser user
++ Updated es-hadoop package to 6.3.1

helk-logstash
++ Updated Sysmon parser to transform new datafield from Sysmon V8.0. RuleName

helk-spark-base
++ Images updated to 2.3.1

helk_install
++ fixed https://github.com/Cyb3rWard0g/HELK/issues/81
++ Updated banner to show right version
2018-07-06 23:11:41 -04:00
Dev Dua 7a055280f7 Added option to update from Github + minor improvements 2018-06-18 15:23:43 +05:30
Dev Dua 5a2a3911cf Modified the script for HELK 6.3.0 & added available memory check 2018-06-16 18:32:44 +05:30
Dev Dua 7277b9ee2c Merge branch 'master' of https://github.com/Cyb3rWard0g/HELK into add-helk-update-script
Get the latest install script
2018-06-16 07:49:44 +05:30
Roberto Rodriguez ac40eed43a
Merge pull request #78 from rsimplicio/install-script-update
Update helk_install.sh to read from available memory instead of free
2018-06-15 17:44:31 -04:00
Robert Simplicio 524ef7f352 Updated helk_install.sh with upstream changes and updated memory to available 2018-06-15 11:30:29 -07:00
Robert Simplicio 1beef09b92 Merge remote-tracking branch 'upstream/master' into install-script-update 2018-06-15 11:23:14 -07:00
Roberto Rodriguez 828f0fc599 HELK 6.3.0
HELK Version
+ ELK update to 6.3.0

Logstash
+ Integrated ATT&CK CTI to the build. Created from https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/integrations/helk_cti
+ Added the mitre_attack file to the build which contains information from Enterprise, PRE and Mobile Matrices
+ Enabled x-pack monitoring (new feature)

Kibana
+ Added Dashboards for the ATT&CK Integration

helk_install script
+ reduced docker-compose build and run steps to one

scripts
+ Added script export_attack.py to export the file used for logstash and kibana.
2018-06-15 13:11:58 -04:00
Dev Dua 4dce1883a2 Minor improvements 2018-06-15 09:05:52 +05:30
Roberto Rodriguez 51c310febb
Official HELK LogoV2 2018-06-14 00:43:36 -04:00
Robert Simplicio 667a4c4434 Update helk_install.sh to read from available memory instead of free 2018-06-13 09:18:07 -07:00
Roberto Rodriguez ec4e491060 Minor updates
- Docker compose file order of volumes
- Kibana Dockerfile: removed comment
- README: Added Contributor
2018-06-12 01:28:26 -04:00
Roberto Rodriguez 2856a40c9c Minor Fix - Winevent Security
fix https://github.com/Cyb3rWard0g/HELK/issues/75
2018-06-11 02:42:44 -04:00
Roberto Rodriguez fea1b81c31 Update 06112018
Updated several errors that I got after testing a few configurations.

Logstash
- Updated Field Names for Sysmon and Security Logs
- Updated Logstash Templates to maintain consistency
- Updated Dockerfile to directly use official Centos Elastic Docker Image
- Updated Logstash main config file to update pipeline batch value and the Kafka input config to fix https://github.com/Cyb3rWard0g/HELK/issues/73
- Updated Logstash Security parser to fix:
-- https://github.com/Cyb3rWard0g/HELK/issues/71
-- https://github.com/Cyb3rWard0g/HELK/issues/72

Kibana & Elasticsearch
- Updated Docker files to directly use Official Centos Elastic Docker images with only a few updates.

Docker Compose File
- Updated file to mount Logstash, Kibana and Elasticsearch config files, dashboards and output_templates. This will simplify utilization of custom pipes, visualizations and dashboards. User can now just replace those in the local folder and HELK will use those configurations.
- ES_JAVA_OPTS is now set to 6GB by default. No more MEM string. It confuses the user.

helk_install.sh script
- Updated the string that it replaces when setting ES JAVA OPTS. It went from looking for the string "MEME" to "6GB".
2018-06-11 01:56:28 -04:00
Roberto Rodriguez 3cbef71322 Fixed Disk Size conversion
Addressed https://github.com/Cyb3rWard0g/HELK/issues/67 where I was grabbing Disk size in human readable format which was breaking the calculations when the HELK was being built on a computer with TB space.
2018-06-10 15:18:53 -04:00
Dev Dua 596bd4cdb8 Minor corrections 2018-06-05 16:22:49 +05:30
Dev Dua 1e80f05e0e Added first draft of the update script 2018-06-05 16:14:18 +05:30
Roberto Rodriguez 6702eaf8d9 Install CLI Option 2018-06-03 19:15:24 -07:00
Roberto Rodriguez eaf08d4a97 Updated Kafka Input Pipeline config
I added the helk-kafka-broker2 to the list of Kafka instances in case the other one is down. More information about the kafka plugin: https://www.elastic.co/guide/en/logstash/current/plugins-inputs-kafka.html#plugins-inputs-kafka-bootstrap_servers
2018-05-31 16:13:36 -04:00
Roberto Rodriguez f3a0e251ea 05312018
Logstash
- Added Local Pipeline to the build to allow custom local configurations
- updated sysmon config to fix https://github.com/Cyb3rWard0g/HELK/issues/63
- removed port exposed in local logstash Dockerfile. It will be pushed to official docker image in the next update
- removed logstash init file (not being used anymore)

Zeppelin
- not available yet
- initial draft dockerfile
- created spark-defaults file for future zeppelin dockerfile

Install Script
- increased minimum memory size required
2018-05-31 02:08:15 -04:00
Roberto Rodriguez bb321d985a
Merge pull request #56 from thomaspatzke/devel-sigma
Sigma integration
2018-05-30 12:12:14 -04:00
Thomas Patzke ea979912ed Finalized Sigma integration 2018-05-22 23:32:07 +02:00
Thomas Patzke d0477a08db Added Sigma container
Todo:
* Structure (scripts in directory)
* Recognition when Kibana and index config of it gets available (polling)
* Cron job for auto update
* Integration in compose file
2018-05-22 23:32:07 +02:00
Thomas Patzke e70eafce09 Added field mappings
Field mappings required for integration of Windows Sigma rules.
2018-05-22 23:32:07 +02:00
Roberto Rodriguez 0519db370a
Update PULL_REQUEST_TEMPLATE.md 2018-05-17 09:33:56 -04:00
Roberto Rodriguez 714f9daacd
Merge pull request #51 from devdua/add-snap-fallback
Added snap as fallback installation method for Docker
2018-05-15 10:54:08 -04:00
Dev Dua 43feaa7407 Added check to see if snap is installed 2018-05-15 09:59:54 +05:30
Dev Dua f8cbe7e825 Added snap as fallback installation method for Docker 2018-05-15 08:10:10 +05:30
Roberto Rodriguez 93c47ea728
Create PULL_REQUEST_TEMPLATE.md 2018-05-11 16:31:41 -04:00