Added Curator to HELK build, added email alerts to Elastalert, exposed ES port to host #352

Open
wants to merge 19 commits into
base: master
56 changes: 56 additions & 0 deletions docker/helk-curator/Dockerfile
@@ -0,0 +1,56 @@
# HELK script: HELK Curator Dockerfile
# HELK build Stage: Alpha
# Author: Ashlee Jones (@AshleeJones04)
# License: GPL-3.0

# References:
# https://github.com/elastic/curator

FROM cyb3rward0g/helk-base:0.0.3
LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
LABEL description="Dockerfile base for the HELK Curator."

ENV CURATOR_GID=934
ENV CURATOR_UID=934
ENV CURATOR_USER=curatoruser
ENV CURATOR_HOME=/usr/share/curator
ENV DEBIAN_FRONTEND noninteractive

# *********** Installing Prerequisites ***************
# -qq : No output except for errors
RUN apt-get update -qq && apt-get install -qqy --no-install-recommends \
libmagic-dev \
build-essential \
python3-setuptools \
git \
python3-pip \
python3-dev \
tzdata \
nano \
cron \
# ********* Clean ****************************
&& apt-get -qy clean \
autoremove \
&& rm -rf /var/lib/apt/lists/* \
# ********* Install Curator **************
&& bash -c 'mkdir -pv /usr/share/curator' \
&& cd ${CURATOR_HOME} \
&& wget https://raw.githubusercontent.com/elastic/curator/master/requirements.txt \
&& pip3 install wheel \
&& pip3 install -r requirements.txt \
&& pip3 install elasticsearch-curator

# ********* Copy Curator files and setup cron **************
COPY actions.yaml ${CURATOR_HOME}/
COPY curator.yml ${CURATOR_HOME}/
COPY helk-curator-cron /etc/cron.d/helk-curator-cron
RUN chmod 0644 /etc/cron.d/helk-curator-cron
RUN crontab /etc/cron.d/helk-curator-cron
RUN touch /var/log/helk-curator-cron.log


# *********** RUN Curator ***************
WORKDIR ${CURATOR_HOME}
#ENTRYPOINT ["./curator-entrypoint.sh"]
#CMD ["curator","--config","/usr/share/curator/curator.yml","/usr/share/curator/actions.yaml"]
CMD cron && tail -f /var/log/helk-curator-cron.log
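Review bot: the cron job is installed twice, and in the wrong format for one of the two places. `COPY helk-curator-cron /etc/cron.d/helk-curator-cron` drops the file where cron expects the system format with a user column (`0 0 * * * root /usr/local/bin/curator ...`), so cron will read `/usr/local/bin/curator` as the user name and reject that entry, while `RUN crontab /etc/cron.d/helk-curator-cron` loads the same five-field file as root's personal crontab. Keep one mechanism; if the file stays in /etc/cron.d, add the user column. Related: CURATOR_UID, CURATOR_GID and CURATOR_USER are declared but no user is created with them and nothing drops privileges, so cron and curator run as root; either create the user and run as it or remove the unused variables. The install step is also unpinned in two ways: requirements.txt is fetched from the master branch of elastic/curator and `pip3 install elasticsearch-curator` takes whatever version is current, so the image silently tracks upstream and is not reproducible; fetch requirements from a tagged release and pin the package version to match. `wget` is not among the packages this RUN installs, so confirm helk-base provides it or add it to the apt list. Finally, build-essential, git and nano stay in the runtime image after the pip install and the two commented-out ENTRYPOINT/CMD lines are dead; drop both.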
123 changes: 123 additions & 0 deletions docker/helk-curator/actions.yaml
@@ -0,0 +1,123 @@
---
# Remember, leave a key empty if there is no value. None will be a string,
# not a Python "NoneType"
#
# Also remember that all examples have 'disable_action' set to True. If you
# want to use this action as a template, be sure to set this to False after
# copying it.
actions:
1:
action: delete_indices
description: >-
Delete indices older than 7 days (based on index name), for winlogbeat-
prefixed indices. Ignore the error if the filter does not result in an
actionable list of indices (ignore_empty_list) and exit cleanly.
options:
ignore_empty_list: True
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: prefix
value: logs-endpoint-winevent-
exclude:
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: 7
exclude:
2:
action: delete_indices
description: >-
Delete indices older than 7 days (based on index name), for filebeat-
prefixed indices. Ignore the error if the filter does not result in an
actionable list of indices (ignore_empty_list) and exit cleanly.
options:
ignore_empty_list: True
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: prefix
value: winlogbeat-
exclude:
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: 7
exclude:
3:
action: delete_indices
description: >-
Delete indices older than 7 days (based on index name), for packetbeat-
prefixed indices. Ignore the error if the filter does not result in an
actionable list of indices (ignore_empty_list) and exit cleanly.
options:
ignore_empty_list: True
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: prefix
value: .monitoring-kibana-
exclude:
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: 7
exclude:
4:
action: delete_indices
description: >-
Delete indices older than 7 days (based on index name), for metricbeat-
prefixed indices. Ignore the error if the filter does not result in an
actionable list of indices (ignore_empty_list) and exit cleanly.
options:
ignore_empty_list: True
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: prefix
value: mitre-attack-
exclude:
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: 7
exclude:
5:
action: delete_indices
description: >-
Delete indices older than 7 days (based on index name), for metricbeat-
prefixed indices. Ignore the error if the filter does not result in an
actionable list of indices (ignore_empty_list) and exit cleanly.
options:
ignore_empty_list: True
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: prefix
value: .monitoring-logstash-
exclude:
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: 7
exclude:
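Review bot: every `description` names a different index family than the `value` it actually matches: action 1 says winlogbeat- but filters on `logs-endpoint-winevent-`, action 2 says filebeat- but filters on `winlogbeat-`, action 3 says packetbeat- but filters on `.monitoring-kibana-`, and actions 4 and 5 both say metricbeat- while filtering on `mitre-attack-` and `.monitoring-logstash-`. The description is what curator prints in its log, so an operator reading /var/log/helk-curator-cron.log will be told the wrong indices were deleted; rewrite each description to match its prefix. The header comment ("all examples have 'disable_action' set to True") is left over from the upstream template and contradicts every action here, which sets it to False; drop or reword it. Also check action 4 against what the mitre-attack- index actually looks like: the age filter uses `source: name` with `timestring: '%Y.%m.%d'`, so it only ever selects indices whose names carry that date pattern, and if that index is reference data without a date suffix the action is a no-op (and if it does carry one, deleting ATT&CK reference data after 7 days is probably not the intent). A 7-day retention on endpoint telemetry is also short for hunting; consider making unit_count configurable rather than hard-coding it five times.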
22 changes: 22 additions & 0 deletions docker/helk-curator/curator.yml
@@ -0,0 +1,22 @@

# Remember, leave a key empty if there is no value. None will be a string,
# not a Python "NoneType"
client:
hosts:
- localhost
port: 9200
url_prefix:
use_ssl: False
certificate:
client_cert:
client_key:
ssl_no_validate: False
http_auth:
timeout: 30
master_only: False

logging:
loglevel: INFO
logfile:
logformat: default
blacklist: ['elasticsearch', 'urllib3']
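Review bot: `hosts: - localhost` will not reach Elasticsearch from inside the helk-curator container: localhost there is the container's own loopback, not the helk-elasticsearch container and not the docker host, so every nightly run will fail to connect unless the service is given host networking. On the compose network the service name helk-elasticsearch is the right value (the elastalert config in this same PR moves away from that name and a reviewer already questioned it). `use_ssl: False` with an empty `http_auth` is only acceptable because this traffic stays on the internal docker network; note that in a comment, and if HELK's Elasticsearch is started with authentication the delete_indices jobs will need credentials here, at which point this file holds a secret and should come from an env var or mounted secret rather than a committed file. Empty `logfile:` means curator writes to stdout, which the cron line appends to /var/log/helk-curator-cron.log; nothing rotates that file.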
2 changes: 2 additions & 0 deletions docker/helk-curator/helk-curator-cron
@@ -0,0 +1,2 @@
0 0 * * * /usr/local/bin/curator --config /usr/share/curator/curator.yml /usr/share/curator/actions.yaml >> /var/log/helk-curator-cron.log 2>&1
# An empty line is required at the end of this file for a valid cron file.
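Review bot: this file is copied into /etc/cron.d by the Dockerfile, and entries there need six fields with the user between the schedule and the command (`0 0 * * * root /usr/local/bin/curator ...`); as a five-field line it is only valid for the `crontab` command, which the Dockerfile also runs, so decide which one this file is for. The closing comment is also misleading: what cron requires is that the last line be terminated by a newline character, not that there be an empty line, and since the comment is itself the last line the newline has to follow it; say "file must end with a newline" so nobody strips it as trailing whitespace. Absolute paths are used throughout, which is correct given cron's minimal PATH; the job runs at midnight in the container's timezone (tzdata is installed but TZ is not set), so it will be UTC unless the compose file sets it.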
2 changes: 2 additions & 0 deletions docker/helk-elastalert/Dockerfile
Expand Up @@ -28,6 +28,7 @@ RUN apt-get update -qq && apt-get install -qqy --no-install-recommends \
python3-dev \
python3-setuptools \
tzdata \
nano \
# ********* Clean ****************************
&& apt-get -qy clean \
autoremove \
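Review bot: `nano` has no role at runtime and only grows the image and its attack surface; if it is for debugging inside the container, edit files on the host side of a bind mount or use a throwaway debug image instead of baking an editor into the production one.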
Expand All @@ -47,6 +48,7 @@ RUN apt-get update -qq && apt-get install -qqy --no-install-recommends \
# ********* Copy Elastalert files **************
COPY scripts/* ${ESALERT_HOME}/
COPY config.yaml ${ESALERT_HOME}/
COPY smtp_auth_file.yaml ${ESALERT_HOME}/
COPY rules/* ${ESALERT_HOME}/rules/
COPY sigmac/sigmac-config.yml ${ESALERT_SIGMA_HOME}/sigmac-config.yml

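Review bot: `COPY smtp_auth_file.yaml ${ESALERT_HOME}/` bakes the SMTP username and password into an image layer, so anyone who can pull the image (or read the repository, if the file is committed alongside it) gets the mailbox credentials. Mount the file at run time instead (compose `secrets:` or a read-only bind mount), add it to .gitignore and .dockerignore, and ship only an example file. Also confirm ESALERT_HOME resolves to /etc/elastalert, because the rules in this PR hard-code `smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml"`.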
2 changes: 1 addition & 1 deletion docker/helk-elastalert/config.yaml
Expand Up @@ -13,7 +13,7 @@ run_every:
seconds: 30
buffer_time:
seconds: 45
es_host: helk-elasticsearch
es_host: HELKIP

shouldn't this remain helk-elasticsearch?

es_port: 9200
alert_time_limit:
days: 1
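Review bot: `HELKIP` is a literal string here, not a variable, and nothing in this diff substitutes it at build or start time, so ElastAlert will try to resolve a host literally named HELKIP and fail. The service name helk-elasticsearch resolves on the compose network and should stay, as the earlier comment on this line asks; if the goal is to reach Elasticsearch through the port this PR exposes on the host, template the value from an environment variable in the entrypoint rather than committing a placeholder.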
Original file line number Diff line number Diff line change
@@ -1,5 +1,13 @@
alert:
- debug
- email
email:
- "[email protected]"
smtp_host: "smtp.outlook.com" #for O365 email addresses
smtp_port: 587 #for O365 email addresses
smtp_ssl: true
from_addr: "[email protected]"
smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml"
description: Detects potential suspicious powershell parameters
filter:
- query:
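Review bot: `smtp_ssl: true` together with `smtp_port: 587` is a TLS-mode mismatch. With smtp_ssl set, ElastAlert opens the connection with smtplib.SMTP_SSL, i.e. implicit TLS on the 465-style port, while 587 is the submission port that expects a plaintext connection upgraded with STARTTLS, which ElastAlert only issues when smtp_ssl is false. Either drop smtp_ssl (ElastAlert will STARTTLS when the server advertises it) or switch to the implicit-TLS port; as written the alerter should fail to connect. Second, these same nine lines of mail settings are pasted into every rule in this PR; ElastAlert rule files accept `import: <base>.yaml`, so put alert, email, smtp_host, smtp_port, smtp_ssl, from_addr and smtp_auth_file in one base rule and import it, leaving each rule with only its filter and description. Third, `smtp_auth_file` points at /etc/elastalert/smtp_auth_file.yaml while the Dockerfile copies the file to ${ESALERT_HOME}/; check that these are the same directory. Keeping `- debug` alongside `- email` is fine for testing but doubles the log output once email works.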
Expand All @@ -10,4 +18,4 @@ name: Windows-Suspicious-Powershell-commands_0
priority: 2
realert:
minutes: 0
type: any
type: any
Original file line number Diff line number Diff line change
@@ -1,5 +1,13 @@
alert:
- debug
- email
email:
- "[email protected]"
smtp_host: "smtp.outlook.com" #for O365 email addresses
smtp_port: 587 #for O365 email addresses
smtp_ssl: true
from_addr: "[email protected]"
smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml"
description: Detects potential DCSync backdoor user
filter:
- query:
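Review bot: same TLS-mode mismatch as in the other rules in this PR: `smtp_ssl: true` makes ElastAlert connect with implicit TLS (SMTP_SSL), but 587 is the STARTTLS submission port and ElastAlert only issues STARTTLS when smtp_ssl is false; set smtp_ssl to false or use the implicit-TLS port. This block is identical across the rules, so it belongs in one base rule pulled in with `import:`.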
Expand All @@ -10,4 +18,4 @@ name: Windows-DCSync-backdoor-user_0
priority: 2
realert:
minutes: 0
type: any
type: any
10 changes: 9 additions & 1 deletion docker/helk-elastalert/rules/helk_security_dcsync_non_dc.yml
@@ -1,5 +1,13 @@
alert:
- debug
- email
email:
- "[email protected]"
smtp_host: "smtp.outlook.com" #for O365 email addresses
smtp_port: 587 #for O365 email addresses
smtp_ssl: true
from_addr: "[email protected]"
smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml"
description: Detects potential DCSync from non-dcs
filter:
- query:
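Review bot: `smtp_ssl: true` with port 587 will not negotiate correctly (implicit TLS against a STARTTLS port; ElastAlert only runs STARTTLS when smtp_ssl is false). Fix the mode here or, better, move this repeated mail block into a base rule and `import:` it so the fix is made once.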
Expand All @@ -10,4 +18,4 @@ name: Windows-dcsync-non-dc_0
priority: 2
realert:
minutes: 0
type: any
type: any
Original file line number Diff line number Diff line change
@@ -1,5 +1,13 @@
alert:
- debug
- email
email:
- "[email protected]"
smtp_host: "smtp.outlook.com" #for O365 email addresses
smtp_port: 587 #for O365 email addresses
smtp_ssl: true
from_addr: "[email protected]"
smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml"
description: Detects potential use of rubeus via the trusted logon process
filter:
- query:
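Review bot: same copy of the mail settings as the other rules, with the same `smtp_ssl: true` / port 587 mismatch (SMTP_SSL is implicit TLS; 587 expects STARTTLS, which ElastAlert only does when smtp_ssl is false). Consolidate via `import:` so the recipient, SMTP host and auth file are defined in one place.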
Expand All @@ -10,4 +18,4 @@ name: Windows-Rubeus-logon-process_0
priority: 2
realert:
minutes: 0
type: any
type: any
Original file line number Diff line number Diff line change
@@ -1,5 +1,13 @@
alert:
- debug
- email
email:
- "[email protected]"
smtp_host: "smtp.outlook.com" #for O365 email addresses
smtp_port: 587 #for O365 email addresses
smtp_ssl: true
from_addr: "[email protected]"
smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml"
description: Detects suspicious use the common chrome named pipe
filter:
- query:
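Review bot: repeated mail block with the `smtp_ssl: true` / port 587 mismatch; ElastAlert uses implicit TLS when smtp_ssl is set and only upgrades with STARTTLS when it is false, so one of the two settings has to change. Prefer a single base rule imported with `import:` over pasting these nine lines into each rule.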
8 changes: 8 additions & 0 deletions docker/helk-elastalert/rules/helk_sysmon_bits.yml
@@ -1,5 +1,13 @@
alert:
- debug
- email
email:
- "[email protected]"
smtp_host: "smtp.outlook.com" #for O365 email addresses
smtp_port: 587 #for O365 email addresses
smtp_ssl: true
from_addr: "[email protected]"
smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml"
description: Detects suspicious bits activity
filter:
- query:
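Review bot: same `smtp_ssl: true` with `smtp_port: 587` mismatch as the other rule changes (implicit TLS vs. STARTTLS submission port; ElastAlert only issues STARTTLS when smtp_ssl is false). Also verify the `smtp_auth_file` path matches where the Dockerfile actually copies the file (${ESALERT_HOME}/). A shared base rule via `import:` would remove the duplication.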
Original file line number Diff line number Diff line change
@@ -1,5 +1,13 @@
alert:
- debug
- email
email:
- "[email protected]"
smtp_host: "smtp.outlook.com" #for O365 email addresses
smtp_port: 587 #for O365 email addresses
smtp_ssl: true
from_addr: "[email protected]"
smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml"
description: Detects cmdline files being created on victim
filter:
- query:
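Review bot: repeated SMTP block; `smtp_ssl: true` on port 587 mixes implicit TLS with the STARTTLS port (ElastAlert only does STARTTLS when smtp_ssl is false), so the alert will not send as configured. Define the mail settings once in a base rule and `import:` it here.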
Original file line number Diff line number Diff line change
@@ -1,5 +1,13 @@
alert:
- debug
- email
email:
- "[email protected]"
smtp_host: "smtp.outlook.com" #for O365 email addresses
smtp_port: 587 #for O365 email addresses
smtp_ssl: true
from_addr: "[email protected]"
smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml"
description: Detects potential use of named pipes by Cobalt Strike agents
filter:
- query:
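Review bot: same mail block and same `smtp_ssl: true` / 587 mismatch as in the other rules (SMTP_SSL is implicit TLS; 587 wants STARTTLS, which ElastAlert only performs when smtp_ssl is false). Move the block into a base rule with `import:` so it is corrected in one place.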
Original file line number Diff line number Diff line change
@@ -1,5 +1,13 @@
alert:
- debug
- email
email:
- "[email protected]"
smtp_host: "smtp.outlook.com" #for O365 email addresses
smtp_port: 587 #for O365 email addresses
smtp_ssl: true
from_addr: "[email protected]"
smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml"
description: Detects potential use of CS with rundll32 calling out
filter:
- query:
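Review bot: last copy of the repeated mail block, with the same `smtp_ssl: true` on port 587 problem (implicit TLS against the STARTTLS submission port; ElastAlert only upgrades with STARTTLS when smtp_ssl is false). With nine rules carrying identical settings, a single imported base rule (`import:`) is the right shape for this change.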