diff --git a/docker/helk-curator/Dockerfile b/docker/helk-curator/Dockerfile
new file mode 100644
index 00000000..964d0dd4
--- /dev/null
+++ b/docker/helk-curator/Dockerfile
@@ -0,0 +1,56 @@ +# HELK script: HELK Curator Dockerfile +# HELK build Stage: Alpha +# Author: Ashlee Jones (@AshleeJones04) +# License: GPL-3.0 + +# References: +# https://github.com/elastic/curator + +FROM cyb3rward0g/helk-base:0.0.3 +LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g" +LABEL description="Dockerfile base for the HELK Curator." + +ENV CURATOR_GID=934 +ENV CURATOR_UID=934 +ENV CURATOR_USER=curatoruser +ENV CURATOR_HOME=/usr/share/curator +ENV DEBIAN_FRONTEND noninteractive + +# *********** Installing Prerequisites *************** +# -qq : No output except for errors +RUN apt-get update -qq && apt-get install -qqy --no-install-recommends \ + libmagic-dev \ + build-essential \ + python3-setuptools \ + git \ + python3-pip \ + python3-dev \ + tzdata \ + nano \ + cron \ + # ********* Clean **************************** + && apt-get -qy clean \ + autoremove \ + && rm -rf /var/lib/apt/lists/* \ + # ********* Install Curator ************** + && bash -c 'mkdir -pv /usr/share/curator' \ + && cd ${CURATOR_HOME} \ + && wget https://raw.githubusercontent.com/elastic/curator/master/requirements.txt \ + && pip3 install wheel \ + && pip3 install -r requirements.txt \ + && pip3 install elasticsearch-curator + +# ********* Copy Curator files and setup cron ************** +COPY actions.yaml ${CURATOR_HOME}/ +COPY curator.yml ${CURATOR_HOME}/ +COPY helk-curator-cron /etc/cron.d/helk-curator-cron +RUN chmod 0644 /etc/cron.d/helk-curator-cron +RUN crontab /etc/cron.d/helk-curator-cron +RUN touch /var/log/helk-curator-cron.log + + +# *********** RUN Curator *************** +WORKDIR ${CURATOR_HOME} +#ENTRYPOINT ["./curator-entrypoint.sh"] +#CMD ["curator","--config","/usr/share/curator/curator.yml","/usr/share/curator/actions.yaml"] +CMD cron && tail -f /var/log/helk-curator-cron.log \ No newline at end of file diff --git a/docker/helk-curator/actions.yaml b/docker/helk-curator/actions.yaml new file mode 100644 index 00000000..00f03a12 --- /dev/null 
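Review bot: The image runs cron and curator as root: `CURATOR_UID`, `CURATOR_GID` and `CURATOR_USER` are declared but no `groupadd`/`useradd` or `USER` instruction follows, so those variables are dead and a tool whose only job is to delete indices runs with full container privileges. The install step is also non-reproducible and a supply-chain exposure: `wget` pulls `requirements.txt` from the `master` branch at build time and `pip3 install elasticsearch-curator` is unpinned, so two builds of the same tag can ship different code; pin it, e.g. `pip3 install --no-cache-dir elasticsearch-curator==<version>` (the package carries its own dependency metadata, so the remote requirements fetch can go), and consider pinning the base image by digest. `build-essential`, `git` and `nano` stay in the runtime layer; if they are only needed to build wheels, remove them in the same `RUN` or move the install into a build stage. Minor: `ENV DEBIAN_FRONTEND noninteractive` uses the legacy space-separated form and is baked into the runtime environment; prefer an inline `DEBIAN_FRONTEND=noninteractive apt-get …`.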
+++ b/docker/helk-curator/actions.yaml 
@@ -0,0 +1,123 @@ +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: delete_indices + description: >- + Delete indices older than 7 days (based on index name), for winlogbeat- + prefixed indices. Ignore the error if the filter does not result in an + actionable list of indices (ignore_empty_list) and exit cleanly. + options: + ignore_empty_list: True + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: prefix + value: logs-endpoint-winevent- + exclude: + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: 7 + exclude: + 2: + action: delete_indices + description: >- + Delete indices older than 7 days (based on index name), for filebeat- + prefixed indices. Ignore the error if the filter does not result in an + actionable list of indices (ignore_empty_list) and exit cleanly. + options: + ignore_empty_list: True + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: prefix + value: winlogbeat- + exclude: + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: 7 + exclude: + 3: + action: delete_indices + description: >- + Delete indices older than 7 days (based on index name), for packetbeat- + prefixed indices. Ignore the error if the filter does not result in an + actionable list of indices (ignore_empty_list) and exit cleanly. 
+ options: + ignore_empty_list: True + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: prefix + value: .monitoring-kibana- + exclude: + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: 7 + exclude: + 4: + action: delete_indices + description: >- + Delete indices older than 7 days (based on index name), for metricbeat- + prefixed indices. Ignore the error if the filter does not result in an + actionable list of indices (ignore_empty_list) and exit cleanly. + options: + ignore_empty_list: True + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: prefix + value: mitre-attack- + exclude: + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: 7 + exclude: + 5: + action: delete_indices + description: >- + Delete indices older than 7 days (based on index name), for metricbeat- + prefixed indices. Ignore the error if the filter does not result in an + actionable list of indices (ignore_empty_list) and exit cleanly. + options: + ignore_empty_list: True + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: prefix + value: .monitoring-logstash- + exclude: + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: 7 + exclude: \ No newline at end of file diff --git a/docker/helk-curator/curator.yml b/docker/helk-curator/curator.yml new file mode 100644 index 00000000..9c047b8d --- /dev/null +++ b/docker/helk-curator/curator.yml 
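Review bot: Every `description` is stale copy-paste and contradicts the filter it documents — action 1 says `winlogbeat-` but matches `logs-endpoint-winevent-`, action 2 says `filebeat-` but matches `winlogbeat-`, action 3 says `packetbeat-` but matches `.monitoring-kibana-`, and actions 4 and 5 say `metricbeat-` but match `mitre-attack-` and `.monitoring-logstash-`; for a `delete_indices` action shipped with `disable_action: False` the description is the only human check before data is destroyed, so each should name the real prefix, e.g. `Delete indices older than 7 days (based on index name), for logs-endpoint-winevent- prefixed indices.`. The `mitre-attack-` entry deserves a second look: if that index carries a `%Y.%m.%d` suffix it is reference data rather than a daily log stream and would be removed after a week; if it does not, the `age` filter with `source: name` never matches it and the action is dead weight. Seven days of endpoint event history is also very short for incident response; a comment stating that this retention is a starting value operators are expected to raise would help.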
@@ -0,0 +1,22 @@ + +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +client: + hosts: + - localhost + port: 9200 + url_prefix: + use_ssl: False + certificate: + client_cert: + client_key: + ssl_no_validate: False + http_auth: + timeout: 30 + master_only: False + +logging: + loglevel: INFO + logfile: + logformat: default + blacklist: ['elasticsearch', 'urllib3'] diff --git a/docker/helk-curator/helk-curator-cron b/docker/helk-curator/helk-curator-cron new file mode 100644 index 00000000..5460a282 --- /dev/null +++ b/docker/helk-curator/helk-curator-cron @@ -0,0 +1,2 @@ +0 0 * * * /usr/local/bin/curator --config /usr/share/curator/curator.yml /usr/share/curator/actions.yaml >> /var/log/helk-curator-cron.log 2>&1 +# An empty line is required at the end of this file for a valid cron file. diff --git a/docker/helk-elastalert/Dockerfile b/docker/helk-elastalert/Dockerfile index f4d39b89..1b685488 100644 --- a/docker/helk-elastalert/Dockerfile +++ b/docker/helk-elastalert/Dockerfile @@ -28,6 +28,7 @@ RUN apt-get update -qq && apt-get install -qqy --no-install-recommends \ python3-dev \ python3-setuptools \ tzdata \ + nano \ # ********* Clean **************************** && apt-get -qy clean \ autoremove \ @@ -47,6 +48,7 @@ RUN apt-get update -qq && apt-get install -qqy --no-install-recommends \ # ********* Copy Elastalert files ************** COPY scripts/* ${ESALERT_HOME}/ COPY config.yaml ${ESALERT_HOME}/ +COPY smtp_auth_file.yaml ${ESALERT_HOME}/ COPY rules/* ${ESALERT_HOME}/rules/ COPY sigmac/sigmac-config.yml ${ESALERT_SIGMA_HOME}/sigmac-config.yml diff --git a/docker/helk-elastalert/config.yaml b/docker/helk-elastalert/config.yaml index 77c26acf..efcb4a7d 100644 --- a/docker/helk-elastalert/config.yaml +++ b/docker/helk-elastalert/config.yaml @@ -13,7 +13,7 @@ run_every: seconds: 30 buffer_time: seconds: 45 -es_host: helk-elasticsearch +es_host: HELKIP es_port: 9200 alert_time_limit: days: 1 
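Review bot: `hosts: - localhost` cannot reach Elasticsearch from inside the curator container — the compose files run Elasticsearch as the separate `helk-elasticsearch` service and pass `ES_HOST`, `ES_PORT` and (trial builds) `ELASTIC_PASSWORD` into the container, but nothing in this diff reads those variables, so the nightly cron job will fail to connect and, on the trial builds, would be rejected for lack of credentials even if it did. Point the client at the service name and wire in the credentials, e.g. `hosts: - helk-elasticsearch` and `http_auth: elastic:${ELASTIC_PASSWORD}` (Curator 5.x expands `${VAR}` references in its YAML — confirm for the version the image installs), or have an entrypoint render the file from the environment. If the trial build terminates TLS on 9200, `use_ssl` and `certificate` need to follow too; `ssl_no_validate: False` is the right default and should stay.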
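Review bot: `COPY smtp_auth_file.yaml ${ESALERT_HOME}/` bakes a credentials file into an image layer; the placeholder committed here is empty, but the moment an operator fills in an O365 user and password before `docker build`, the secret is readable from the image by anyone who can pull it or run `docker history`/`docker save`. Mount it at run time instead — the compose files in this repo already use top-level `secrets:` for `kibana.yml` and `htpasswd.users`, so `smtp_auth_file.yaml` fits the same mechanism — and drop the `COPY` from the Dockerfile. The rules reference it at `/etc/elastalert/smtp_auth_file.yaml`; `ESALERT_HOME` is set outside this hunk, so whether the two paths agree is not visible here.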
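Review bot: `es_host: HELKIP` replaces a resolvable compose service name with a literal placeholder; nothing in this diff substitutes it (the `helk_install.sh` hunk only prints a URL), so unless an unseen step rewrites the file ElastAlert will fail name resolution on start. Keep `es_host: helk-elasticsearch` — the container shares the `helk` network with Elasticsearch — rather than routing alerting through the host port this commit publishes; if the intent is to support a remote cluster, make it an environment variable with the service name as the default.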
diff --git a/docker/helk-elastalert/rules/helk_powershell_susp_ps_commands.yml b/docker/helk-elastalert/rules/helk_powershell_susp_ps_commands.yml index 30d52d21..8143ca4c 100644 --- a/docker/helk-elastalert/rules/helk_powershell_susp_ps_commands.yml +++ b/docker/helk-elastalert/rules/helk_powershell_susp_ps_commands.yml @@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects potential suspicious powershell parameters filter: - query: @@ -10,4 +18,4 @@ name: Windows-Suspicious-Powershell-commands_0 priority: 2 realert: minutes: 0 -type: any \ No newline at end of file +type: any diff --git a/docker/helk-elastalert/rules/helk_security_dcsync_backdoor_user.yml b/docker/helk-elastalert/rules/helk_security_dcsync_backdoor_user.yml index beabda3c..9335e453 100644 --- a/docker/helk-elastalert/rules/helk_security_dcsync_backdoor_user.yml +++ b/docker/helk-elastalert/rules/helk_security_dcsync_backdoor_user.yml @@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects potential DCSync backdoor user filter: - query: @@ -10,4 +18,4 @@ name: Windows-DCSync-backdoor-user_0 priority: 2 realert: minutes: 0 -type: any \ No newline at end of file +type: any diff --git a/docker/helk-elastalert/rules/helk_security_dcsync_non_dc.yml b/docker/helk-elastalert/rules/helk_security_dcsync_non_dc.yml index 85a8ad0b..bb182191 100644 --- a/docker/helk-elastalert/rules/helk_security_dcsync_non_dc.yml +++ b/docker/helk-elastalert/rules/helk_security_dcsync_non_dc.yml 
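Review bot: `smtp_ssl: true` together with `smtp_port: 587` is unlikely to connect to `smtp.outlook.com`: ElastAlert's email alerter opens an implicit-TLS `SMTP_SSL` session when `smtp_ssl` is true and otherwise negotiates STARTTLS after `ehlo`, and Office 365 serves STARTTLS on 587, so either drop `smtp_ssl` (STARTTLS is still used) or move to the implicit-TLS port — confirm against the ElastAlert version the image installs. The same eight-line block is pasted into all 22 rule files in this commit with a `your@emailaddress.com` placeholder, so out of the box every rule — with `realert: minutes: 0` already set — tries to deliver one mail per match to a non-existent address; ElastAlert applies keys from the global `config.yaml` as rule defaults, so set them once there and keep `- email` commented until a recipient is configured. If per-rule email is kept, a comment such as `# O365: port 587 uses STARTTLS, leave smtp_ssl unset` would stop the next person from reintroducing the mismatch.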
@@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects potential DCSync from non-dcs filter: - query: @@ -10,4 +18,4 @@ name: Windows-dcsync-non-dc_0 priority: 2 realert: minutes: 0 -type: any \ No newline at end of file +type: any diff --git a/docker/helk-elastalert/rules/helk_security_rubes_logon_process.yml b/docker/helk-elastalert/rules/helk_security_rubes_logon_process.yml index cdf9b538..ca7fbd97 100644 --- a/docker/helk-elastalert/rules/helk_security_rubes_logon_process.yml +++ b/docker/helk-elastalert/rules/helk_security_rubes_logon_process.yml @@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects potential use of rubeus via the trusted logon process filter: - query: @@ -10,4 +18,4 @@ name: Windows-Rubeus-logon-process_0 priority: 2 realert: minutes: 0 -type: any \ No newline at end of file +type: any diff --git a/docker/helk-elastalert/rules/helk_security_share_chrome_pipe.yml b/docker/helk-elastalert/rules/helk_security_share_chrome_pipe.yml index 5264be09..d96bced0 100644 --- a/docker/helk-elastalert/rules/helk_security_share_chrome_pipe.yml +++ b/docker/helk-elastalert/rules/helk_security_share_chrome_pipe.yml 
@@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects suspicious use the common chrome named pipe filter: - query: diff --git a/docker/helk-elastalert/rules/helk_sysmon_bits.yml b/docker/helk-elastalert/rules/helk_sysmon_bits.yml index a00b6bba..81efc25c 100644 --- a/docker/helk-elastalert/rules/helk_sysmon_bits.yml +++ b/docker/helk-elastalert/rules/helk_sysmon_bits.yml @@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects suspicious bits activity filter: - query: diff --git a/docker/helk-elastalert/rules/helk_sysmon_cmdline_file_creation.yml b/docker/helk-elastalert/rules/helk_sysmon_cmdline_file_creation.yml index 520c3110..59bc2d73 100644 --- a/docker/helk-elastalert/rules/helk_sysmon_cmdline_file_creation.yml +++ b/docker/helk-elastalert/rules/helk_sysmon_cmdline_file_creation.yml @@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects cmdline files being created on victim filter: - query: diff --git a/docker/helk-elastalert/rules/helk_sysmon_cobalt_strike_msagent.yml b/docker/helk-elastalert/rules/helk_sysmon_cobalt_strike_msagent.yml index c832f9ad..c2e91962 100644 --- a/docker/helk-elastalert/rules/helk_sysmon_cobalt_strike_msagent.yml +++ b/docker/helk-elastalert/rules/helk_sysmon_cobalt_strike_msagent.yml 
@@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects potential use of named pipes by Cobalt Strike agents filter: - query: diff --git a/docker/helk-elastalert/rules/helk_sysmon_cs_rundll32_network.yml b/docker/helk-elastalert/rules/helk_sysmon_cs_rundll32_network.yml index 4b569c91..42c228a5 100644 --- a/docker/helk-elastalert/rules/helk_sysmon_cs_rundll32_network.yml +++ b/docker/helk-elastalert/rules/helk_sysmon_cs_rundll32_network.yml @@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects potential use of CS with rundll32 calling out filter: - query: diff --git a/docker/helk-elastalert/rules/helk_sysmon_csharp_compile.yml b/docker/helk-elastalert/rules/helk_sysmon_csharp_compile.yml index 16849603..7e56cce6 100644 --- a/docker/helk-elastalert/rules/helk_sysmon_csharp_compile.yml +++ b/docker/helk-elastalert/rules/helk_sysmon_csharp_compile.yml @@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects potential Csharp compiling filter: - query: diff --git a/docker/helk-elastalert/rules/helk_sysmon_dcom_lm.yml b/docker/helk-elastalert/rules/helk_sysmon_dcom_lm.yml index 240a9ff3..f7313f31 100644 --- a/docker/helk-elastalert/rules/helk_sysmon_dcom_lm.yml +++ b/docker/helk-elastalert/rules/helk_sysmon_dcom_lm.yml 
@@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects potential lateral movement via dcom filter: - query: diff --git a/docker/helk-elastalert/rules/helk_sysmon_internal_monologue.yml b/docker/helk-elastalert/rules/helk_sysmon_internal_monologue.yml index bf20d2ea..9f42cdfc 100644 --- a/docker/helk-elastalert/rules/helk_sysmon_internal_monologue.yml +++ b/docker/helk-elastalert/rules/helk_sysmon_internal_monologue.yml @@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects potential internal monologue filter: - query: diff --git a/docker/helk-elastalert/rules/helk_sysmon_kerb_no_lsass.yml b/docker/helk-elastalert/rules/helk_sysmon_kerb_no_lsass.yml index 887d6c6f..b7710a2f 100644 --- a/docker/helk-elastalert/rules/helk_sysmon_kerb_no_lsass.yml +++ b/docker/helk-elastalert/rules/helk_sysmon_kerb_no_lsass.yml @@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects potential calls to DCs via Kerberos port from non lsass filter: - query: diff --git a/docker/helk-elastalert/rules/helk_sysmon_logonscripts_lm.yml b/docker/helk-elastalert/rules/helk_sysmon_logonscripts_lm.yml index a4dfd09d..beeecd73 100644 --- a/docker/helk-elastalert/rules/helk_sysmon_logonscripts_lm.yml +++ b/docker/helk-elastalert/rules/helk_sysmon_logonscripts_lm.yml 
@@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects potential lateral movement via logon scripts filter: - query: diff --git a/docker/helk-elastalert/rules/helk_sysmon_net_administrators.yml b/docker/helk-elastalert/rules/helk_sysmon_net_administrators.yml index 5f9f23ee..50eb97ca 100644 --- a/docker/helk-elastalert/rules/helk_sysmon_net_administrators.yml +++ b/docker/helk-elastalert/rules/helk_sysmon_net_administrators.yml @@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects potential recon for admininstrators via net samrp filter: - query: diff --git a/docker/helk-elastalert/rules/helk_sysmon_net_group_domains.yml b/docker/helk-elastalert/rules/helk_sysmon_net_group_domains.yml index 640d6d51..a4bce450 100644 --- a/docker/helk-elastalert/rules/helk_sysmon_net_group_domains.yml +++ b/docker/helk-elastalert/rules/helk_sysmon_net_group_domains.yml @@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects potential recon for domain admins via net samrp filter: - query: diff --git a/docker/helk-elastalert/rules/helk_sysmon_sc_query_securitydescriptor.yml b/docker/helk-elastalert/rules/helk_sysmon_sc_query_securitydescriptor.yml index 618b051a..641d24c2 100644 
--- a/docker/helk-elastalert/rules/helk_sysmon_sc_query_securitydescriptor.yml +++ b/docker/helk-elastalert/rules/helk_sysmon_sc_query_securitydescriptor.yml @@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects adversaries accessing services security descriptors filter: - query: diff --git a/docker/helk-elastalert/rules/helk_sysmon_scriptable_protocol_handlers.yml b/docker/helk-elastalert/rules/helk_sysmon_scriptable_protocol_handlers.yml index 98617065..6af07db1 100644 --- a/docker/helk-elastalert/rules/helk_sysmon_scriptable_protocol_handlers.yml +++ b/docker/helk-elastalert/rules/helk_sysmon_scriptable_protocol_handlers.yml @@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects potential scriptable handlers filter: - query: diff --git a/docker/helk-elastalert/rules/helk_sysmon_services_rare_child.yml b/docker/helk-elastalert/rules/helk_sysmon_services_rare_child.yml index f7f3a8db..0859eaae 100644 --- a/docker/helk-elastalert/rules/helk_sysmon_services_rare_child.yml +++ b/docker/helk-elastalert/rules/helk_sysmon_services_rare_child.yml @@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects rare childs from services.exe (gold image based) filter: - query: 
diff --git a/docker/helk-elastalert/rules/helk_sysmon_wevtutil.yml b/docker/helk-elastalert/rules/helk_sysmon_wevtutil.yml index 98b86264..f1cd3b34 100644 --- a/docker/helk-elastalert/rules/helk_sysmon_wevtutil.yml +++ b/docker/helk-elastalert/rules/helk_sysmon_wevtutil.yml @@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects adversaries clearing logs via wevtutil filter: - query: diff --git a/docker/helk-elastalert/rules/helk_sysmon_wsmprovhost_winrm.yml b/docker/helk-elastalert/rules/helk_sysmon_wsmprovhost_winrm.yml index 38276880..e8f4114b 100644 --- a/docker/helk-elastalert/rules/helk_sysmon_wsmprovhost_winrm.yml +++ b/docker/helk-elastalert/rules/helk_sysmon_wsmprovhost_winrm.yml @@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects use of winrm over the network filter: - query: diff --git a/docker/helk-elastalert/rules/helk_system_psexec_psh.yml b/docker/helk-elastalert/rules/helk_system_psexec_psh.yml index b2c589a8..f4249e7f 100644 --- a/docker/helk-elastalert/rules/helk_system_psexec_psh.yml +++ b/docker/helk-elastalert/rules/helk_system_psexec_psh.yml @@ -1,5 +1,13 @@ alert: - debug +- email +email: + - "your@emailaddress.com" +smtp_host: "smtp.outlook.com" #for O365 email addresses +smtp_port: 587 #for O365 email addresses +smtp_ssl: true +from_addr: "your@emailaddress.com" +smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml" description: Detects potential psexec via powershell module filter: - query: 
diff --git a/docker/helk-elastalert/smtp_auth_file.yaml b/docker/helk-elastalert/smtp_auth_file.yaml new file mode 100644 index 00000000..2ff9bde7 --- /dev/null +++ b/docker/helk-elastalert/smtp_auth_file.yaml @@ -0,0 +1,2 @@ +user: "" +password: "" \ No newline at end of file diff --git a/docker/helk-kibana-analysis-alert-basic.yml b/docker/helk-kibana-analysis-alert-basic.yml index bfec88a3..53cbdcf2 100644 --- a/docker/helk-kibana-analysis-alert-basic.yml +++ b/docker/helk-kibana-analysis-alert-basic.yml @@ -25,6 +25,8 @@ services: soft: 160000 hard: 160000 restart: always + ports: + - "9200:9200" networks: helk: helk-logstash: @@ -151,6 +153,17 @@ services: ES_PORT: 9200 networks: helk: + helk-curator: + image: alfiej04/helk-curator:0.0.3 + container_name: helk-curator + restart: always + depends_on: + - helk-elasticsearch + environment: + ES_HOST: helk-elasticsearch + ES_PORT: 9200 + networks: + helk: networks: helk: diff --git a/docker/helk-kibana-analysis-alert-trial.yml b/docker/helk-kibana-analysis-alert-trial.yml index 027ab206..9ccf224f 100644 --- a/docker/helk-kibana-analysis-alert-trial.yml +++ b/docker/helk-kibana-analysis-alert-trial.yml @@ -26,6 +26,8 @@ services: soft: 160000 hard: 160000 restart: always + ports: + - "9200:9200" networks: helk: helk-logstash: @@ -153,6 +155,18 @@ services: ELASTIC_PASSWORD: ${ELASTIC_PASSWORD} networks: helk: + helk-curator: + image: alfiej04/helk-curator:0.0.3 + container_name: helk-curator + restart: always + depends_on: + - helk-elasticsearch + environment: + ES_HOST: helk-elasticsearch + ES_PORT: 9200 + ELASTIC_PASSWORD: ${ELASTIC_PASSWORD} + networks: + helk: networks: helk: diff --git a/docker/helk-kibana-analysis-basic.yml b/docker/helk-kibana-analysis-basic.yml index 4e9fbba8..0d65d41a 100644 --- a/docker/helk-kibana-analysis-basic.yml +++ b/docker/helk-kibana-analysis-basic.yml @@ -25,6 +25,8 @@ services: soft: 160000 hard: 160000 restart: always + ports: + - "9200:9200" networks: helk: helk-logstash: 
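Review bot: This commits a credential file (`user`/`password`) into source control at the exact path the rules and the ElastAlert Dockerfile consume, which invites the first real O365 password to be committed and built into the image; it is the kind of file that belongs in `.gitignore` with a `smtp_auth_file.yaml.example` template next to it. Supply it at run time as a compose `secrets:` entry or a bind mount with `0600` permissions, and document the expected keys in the example, e.g. `user: "alerts@example.com"` and `password: "<app password>"`. The file also lacks a trailing newline.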
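Review bot: `ports: - "9200:9200"` publishes Elasticsearch on every host interface, and in the `basic` compose files nothing supplies `ELASTIC_PASSWORD` or any other authentication, so the whole security-event store becomes an unauthenticated read/write/delete HTTP API for anyone who can reach the host; the same two lines are added to all eight compose files in this commit. Nothing here needs it — the new `helk-curator` service and ElastAlert sit on the `helk` network and can address `helk-elasticsearch:9200` directly. If host access is really wanted for ad-hoc queries, bind it to loopback, `- "127.0.0.1:9200:9200"`, and even then only on the trial builds where a password is configured.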
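Review bot: `image: alfiej04/helk-curator:0.0.3` pulls the curator from a personal Docker Hub namespace rather than the project's own (`cyb3rward0g/`, which the new Dockerfile's `FROM` line uses), and it is not digest-pinned; that puts a container with index-deletion rights one account compromise away from a malicious update. Either `build: ./helk-curator` from the Dockerfile added in this commit, or publish under the project namespace and pin by `@sha256:`. The `ES_HOST`, `ES_PORT` and `ELASTIC_PASSWORD` values are also inert as shipped, because `curator.yml` hardcodes `localhost` with an empty `http_auth`; either make the config consume them or drop them so the service definition does not promise something it does not do. The same service block is repeated in each of the eight compose files.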
@@ -140,6 +142,17 @@ services: tty: true networks: helk: + helk-curator: + image: alfiej04/helk-curator:0.0.3 + container_name: helk-curator + restart: always + depends_on: + - helk-elasticsearch + environment: + ES_HOST: helk-elasticsearch + ES_PORT: 9200 + networks: + helk: networks: helk: @@ -157,4 +170,4 @@ secrets: kibana.yml: file: ./helk-kibana/config/kibana.yml htpasswd.users: - file: ./helk-nginx/htpasswd.users \ No newline at end of file + file: ./helk-nginx/htpasswd.users diff --git a/docker/helk-kibana-analysis-trial.yml b/docker/helk-kibana-analysis-trial.yml index 3b50ee57..e2ada643 100644 --- a/docker/helk-kibana-analysis-trial.yml +++ b/docker/helk-kibana-analysis-trial.yml @@ -26,6 +26,8 @@ services: soft: 160000 hard: 160000 restart: always + ports: + - "9200:9200" networks: helk: helk-logstash: @@ -141,6 +143,18 @@ services: tty: true networks: helk: + helk-curator: + image: alfiej04/helk-curator:0.0.3 + container_name: helk-curator + restart: always + depends_on: + - helk-elasticsearch + environment: + ES_HOST: helk-elasticsearch + ES_PORT: 9200 + ELASTIC_PASSWORD: ${ELASTIC_PASSWORD} + networks: + helk: networks: helk: @@ -154,4 +168,4 @@ secrets: elasticsearch.yml: file: ./helk-elasticsearch/config/elasticsearch.yml kibana.yml: - file: ./helk-kibana/config/kibana.yml \ No newline at end of file + file: ./helk-kibana/config/kibana.yml diff --git a/docker/helk-kibana-notebook-analysis-alert-basic.yml b/docker/helk-kibana-notebook-analysis-alert-basic.yml index 090cd305..d8f5ba0d 100644 --- a/docker/helk-kibana-notebook-analysis-alert-basic.yml +++ b/docker/helk-kibana-notebook-analysis-alert-basic.yml @@ -25,6 +25,8 @@ services: soft: 160000 hard: 160000 restart: always + ports: + - "9200:9200" networks: helk: helk-logstash: 
@@ -190,6 +192,17 @@ services: ES_PORT: 9200 networks: helk: + helk-curator: + image: alfiej04/helk-curator:0.0.3 + container_name: helk-curator + restart: always + depends_on: + - helk-elasticsearch + environment: + ES_HOST: helk-elasticsearch + ES_PORT: 9200 + networks: + helk: networks: helk: diff --git a/docker/helk-kibana-notebook-analysis-alert-trial.yml b/docker/helk-kibana-notebook-analysis-alert-trial.yml index 9baedfa9..0c82d936 100644 --- a/docker/helk-kibana-notebook-analysis-alert-trial.yml +++ b/docker/helk-kibana-notebook-analysis-alert-trial.yml @@ -193,6 +193,18 @@ services: ELASTIC_PASSWORD: ${ELASTIC_PASSWORD} networks: helk: + helk-curator: + image: alfiej04/helk-curator:0.0.3 + container_name: helk-curator + restart: always + depends_on: + - helk-elasticsearch + environment: + ES_HOST: helk-elasticsearch + ES_PORT: 9200 + ELASTIC_PASSWORD: ${ELASTIC_PASSWORD} + networks: + helk: networks: helk: diff --git a/docker/helk-kibana-notebook-analysis-basic.yml b/docker/helk-kibana-notebook-analysis-basic.yml index b1032f74..42529bae 100644 --- a/docker/helk-kibana-notebook-analysis-basic.yml +++ b/docker/helk-kibana-notebook-analysis-basic.yml @@ -25,6 +25,8 @@ services: soft: 160000 hard: 160000 restart: always + ports: + - "9200:9200" networks: helk: helk-logstash: @@ -179,6 +181,17 @@ services: - helk-spark-master networks: helk: + helk-curator: + image: alfiej04/helk-curator:0.0.3 + container_name: helk-curator + restart: always + depends_on: + - helk-elasticsearch + environment: + ES_HOST: helk-elasticsearch + ES_PORT: 9200 + networks: + helk: networks: helk: @@ -198,4 +211,4 @@ secrets: kibana.yml: file: ./helk-kibana/config/kibana.yml htpasswd.users: - file: ./helk-nginx/htpasswd.users \ No newline at end of file + file: ./helk-nginx/htpasswd.users diff --git a/docker/helk-kibana-notebook-analysis-trial.yml b/docker/helk-kibana-notebook-analysis-trial.yml index f058e7b3..0a92c942 100644 --- a/docker/helk-kibana-notebook-analysis-trial.yml 
+++ b/docker/helk-kibana-notebook-analysis-trial.yml @@ -26,6 +26,8 @@ services: soft: 160000 hard: 160000 restart: always + ports: + - "9200:9200" networks: helk: helk-logstash: @@ -181,6 +183,18 @@ services: - helk-spark-master networks: helk: + helk-curator: + image: alfiej04/helk-curator:0.0.3 + container_name: helk-curator + restart: always + depends_on: + - helk-elasticsearch + environment: + ES_HOST: helk-elasticsearch + ES_PORT: 9200 + ELASTIC_PASSWORD: ${ELASTIC_PASSWORD} + networks: + helk: networks: helk: diff --git a/docker/helk_install.sh b/docker/helk_install.sh index 726e6559..141eacfe 100755 --- a/docker/helk_install.sh +++ b/docker/helk_install.sh @@ -499,11 +499,13 @@ show_final_information(){ echo "HELK KIBANA URL: https://${HOST_IP}" echo "HELK KIBANA USER: helk" echo "HELK KIBANA PASSWORD: ${KIBANA_UI_PASSWORD_INPUT}" + echo "HELK ELASTICSEARCH URL: http://${HOST_IP}:9200" echo "HELK SPARK MASTER UI: http://${HOST_IP}:8080" echo "HELK JUPYTER SERVER URL: http://${HOST_IP}/jupyter" get_jupyter_credentials elif [[ ${HELK_BUILD} == "helk-kibana-analysis" ]] || [[ ${HELK_BUILD} == "helk-kibana-analysis-alert" ]]; then echo "HELK KIBANA URL: https://${HOST_IP}" + echo "HELK ELASTICSEARCH URL: http://${HOST_IP}:9200" echo "HELK KIBANA USER: helk" echo "HELK KIBANA PASSWORD: ${KIBANA_UI_PASSWORD_INPUT}" fi
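Review bot: The new `echo "HELK ELASTICSEARCH URL: http://${HOST_IP}:9200"` advertises a plaintext endpoint that, on the basic compose files in this diff, has no authentication in front of it, and on the trial builds it omits the `elastic` credentials the user would need. If the port publication stays, print the line only when a password is configured and say so, e.g. `echo "HELK ELASTICSEARCH URL: http://${HOST_IP}:9200 (user: elastic, password: see ELASTIC_PASSWORD)"`. The enclosing function `show_final_information` starts outside the hunk.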