
Comments (10)

Cyb3rWard0g avatar Cyb3rWard0g commented on August 15, 2024

Good morning @ssi0202. Yes, that's actually a very good idea. I had a conversation with Nate @neu5ron (one of our contributors) and he also recommended that setup when we were talking about scalability. Thank you for sharing. I will make sure I add that to one of the sections in the wiki that I am planning on creating ("Production"). I will close this issue once I create that section.

from helk.

ssi0202 avatar ssi0202 commented on August 15, 2024


ssi0202 avatar ssi0202 commented on August 15, 2024

One more thing: I'd like to test it in our environment. Is there a way to run the docker script so I can make multiple Elasticsearch nodes and/or install directly on Windows/Linux machine(s)? I'd be happy to provide you with any load data etc. from the deployment.


Cyb3rWard0g avatar Cyb3rWard0g commented on August 15, 2024

Niceee!!! I love that. One of the main goals for the HELK is to be able to scale. I was wondering if you had any recommendations or feedback about the configurations assigned to the ELK portion of the build. That would be very helpful, and I would appreciate it. The more use cases and suggestions, the better. 👍


Cyb3rWard0g avatar Cyb3rWard0g commented on August 15, 2024

That would be great, actually. Regarding the multiple Elasticsearch setups, I was thinking of doing something similar but for Kafka brokers via Docker Compose, but I have not tested that with multiple nodes.


ssi0202 avatar ssi0202 commented on August 15, 2024

Sorry, the format is screwy; I just c/p'ed from the winlogbeat config.

Here are the events that I collect from the Windows logs. They are based on the SANS 508 course that I took in Dec 2017, so the recommendations are new. Sorry for the fluff, but it's a quick c/p.

I have a sysmon config also, but I'll have to clean that up a bit before I can share it. Right now that sysmon config puts approx 1% extra on the CPU on client machines, and it collects what I need to hunt for PowerShell etc. We have not put this sysmon in prod yet because we are awaiting Trend Micro fixing a CPU load bug in conjunction with the sysmon driver on OfficeScan 11.6. If you use the XG version it works fine in our PoC environment.

winlogbeat config: these event IDs need to be "ported" to the Windows Event Collector server (it's really easy to do). You then tell Winlogbeat (installed on the WEC server) to send "Forwarded Events".

Let me know if you want the winlogbeat YML for that.

All logon/logoff events include a Logon Type code, the precise type of logon or logoff:

2  Interactive
3  Network (remote file shares / printers / IIS)
4  Batch (scheduled task)
5  Service (service account)
7  Unlock
8  NetworkCleartext (IIS)
9  NewCredentials (RunAs /netonly)
10 RemoteInteractive (Terminal Services, RDP)
11 CachedInteractive (cached credentials)

Security log event IDs from FOR508 book 3/4 and MS recommendations as of 31/05/2017:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise

Event IDs are Win10; on earlier platforms the event IDs below may not match or may not exist.

http://syspanda.com/index.php/2017/10/10/threat-hunting-sysmon-word-document-macro/

Be careful using tabs when editing; they may break the config.

winlogbeat config (choose Version 1 OR Version 2 for the Security channel and uncomment that event_id line):

winlogbeat.event_logs:
  - name: Security
    # Without an event_id line Winlogbeat collects the whole channel.
    # Version 1
    # event_id: 1102, 4608, 4609, 4610, 4611, 4618, 4624, 4625, 4649, 4672, 4673, 4688, 4692, 4698, 4699, 4700, 4701, 4702, 4719, 4720, 4724, 4728, 4732, 4735, 4764, 4766, 4768, 4769, 4771, 4776, 4778, 4779, 4897, 4960, 4964, 5038, 5124, 5140, 6279
    # Version 2
    # event_id: 1102, 4624, 4625, 4672, 4688, 4698, 4699, 4700, 4701, 4702, 4720, 4724, 4728, 4732, 4735, 4768, 4769, 4771, 4776, 4778, 4779, 5140
  - name: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
    event_id: 131
  - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
    event_id: 1149
  - name: Application
    event_id: 11707
  - name: System
    event_id: 6013, 7040, 7045, 7030, 7034, 7036

To list the PowerShell provider's event IDs and descriptions before picking which ones to collect:

(Get-WinEvent -ListProvider Microsoft-Windows-Powershell).Events | Format-Table ID, Description -AutoSize

  - name: Microsoft-Windows-Powershell/Operational
    event_id: 4103, 4104, 32849, 32856
  - name: Microsoft-Windows-Sysmon/Operational
    event_id: 1, 3, 7, 8, 10, 11, 13, 17, 18
  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
    # event_id: (left blank in the original comment)

You get this with the PowerShell logging.

Add the Windows Firewall log for port 5985/5986 (the remote PowerShell ports).

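The channel/event_id lists and the Logon Type codes from the comment above, applied to a batch of events as an added example (this is not code from the HELK project or from the issue author): it parses Winlogbeat-style event_id strings (comma-separated IDs and ranges, with a leading minus meaning exclude), drops the events such a configuration would not forward, and labels Security 4624/4625 events with their logon type name so an analyst can see the mix of RDP, network and interactive logons at a glance. The flat event layout (channel, event_id, event_data) and the sample batch are constructed for this example and are not a real Winlogbeat output schema.

```python
import json

# Channel -> Winlogbeat event_id string, taken from the comment above
# ("Version 2" for Security). The firewall channel is omitted because its
# event_id list was left blank there.
EVENT_LOGS = {
    "Security": "1102, 4624, 4625, 4672, 4688, 4698, 4699, 4700, 4701, 4702, 4720, "
                "4724, 4728, 4732, 4735, 4768, 4769, 4771, 4776, 4778, 4779, 5140",
    "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational": "131",
    "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational": "1149",
    "Application": "11707",
    "System": "6013, 7040, 7045, 7030, 7034, 7036",
    "Microsoft-Windows-Powershell/Operational": "4103, 4104, 32849, 32856",
    "Microsoft-Windows-Sysmon/Operational": "1, 3, 7, 8, 10, 11, 13, 17, 18",
}

# Logon Type codes as listed in the comment.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}


def parse_event_ids(spec):
    """Parse a Winlogbeat event_id string into (include, exclude) sets.

    Winlogbeat accepts a comma-separated list of IDs and ranges ("4700-4800");
    a leading minus excludes an ID or range. An empty include set means
    "everything that is not excluded".
    """
    include, exclude = set(), set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        target = include
        if token.startswith("-"):
            target = exclude
            token = token[1:].strip()
        if "-" in token:
            lo, hi = (int(part) for part in token.split("-", 1))
            target.update(range(lo, hi + 1))
        else:
            target.add(int(token))
    return include, exclude


def select_events(events, event_logs=EVENT_LOGS):
    """Keep only the events the event_logs configuration would forward and tag
    Security 4624/4625 with the logon type name. Events are dicts shaped like
    the constructed samples below (an assumption about the field layout)."""
    rules = {channel: parse_event_ids(spec) for channel, spec in event_logs.items()}
    kept = []
    for event in events:
        channel, event_id = event["channel"], int(event["event_id"])
        if channel not in rules:
            continue
        include, exclude = rules[channel]
        if event_id in exclude or (include and event_id not in include):
            continue
        event = dict(event)
        if channel == "Security" and event_id in (4624, 4625):
            code = int(event.get("event_data", {}).get("LogonType", -1))
            event["logon_type_name"] = LOGON_TYPES.get(code, "Unknown(%d)" % code)
        kept.append(event)
    return kept


def logon_summary(events):
    """Count forwarded logon events per (event_id, logon type name) for triage."""
    counts = {}
    for event in select_events(events):
        if "logon_type_name" in event:
            key = (int(event["event_id"]), event["logon_type_name"])
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample batch (not real telemetry) in the simplified layout above.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624, "event_data": {"LogonType": "10", "TargetUserName": "alice"}},
    {"channel": "Security", "event_id": 4624, "event_data": {"LogonType": "3", "TargetUserName": "svc-backup"}},
    {"channel": "Security", "event_id": 4625, "event_data": {"LogonType": "2", "TargetUserName": "bob"}},
    {"channel": "Security", "event_id": 4663, "event_data": {}},  # not in the list: dropped
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1, "event_data": {"Image": "C:\\Windows\\System32\\cmd.exe"}},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 2, "event_data": {}},  # not in the list: dropped
    {"channel": "Microsoft-Windows-Powershell/Operational", "event_id": "4104", "event_data": {}},
    {"channel": "Microsoft-Windows-DNS-Client/Operational", "event_id": 3008, "event_data": {}},  # channel not configured: dropped
]

if __name__ == "__main__":
    for event in select_events(SAMPLE_EVENTS):
        print(json.dumps(event))
    print(logon_summary(SAMPLE_EVENTS))
```

Running the block forwards five of the eight sample events and reports one RemoteInteractive and one Network 4624 plus one Interactive 4625; swapping the Security string for the "Version 1" list from the comment shows directly how much more of the Security log that variant would ship.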

Cyb3rWard0g avatar Cyb3rWard0g commented on August 15, 2024

Nice thank you for sharing @ssi0202 ! 👍


ssi0202 avatar ssi0202 commented on August 15, 2024


Cyb3rWard0g avatar Cyb3rWard0g commented on August 15, 2024

I added the recommendation of using WEF in the wiki. This is going to be explored soon. https://github.com/Cyb3rWard0g/HELK/wiki/Kafka .


Cyb3rWard0g avatar Cyb3rWard0g commented on August 15, 2024

Installation of WEF with Winlogbeat installed on the WEF server is explained in a talk @neu5ron and I gave at BSColumbus 2018. Slides

