Comments (10)
Good morning @ssi0202. Yes, that's actually a very good idea. I had a conversation with Nate @neu5ron (one of our contributors) and he also recommended that setup when we were talking about scalability. Thank you for sharing. I will make sure I add that to one of the sections in the wiki that I am planning on creating ("Production"). I will close this issue once I create that section.
One more thing: I'd like to test it in our environment. Is there a way to run the Docker script so I can make multiple Elasticsearch nodes, and/or install directly on Windows/Linux machine(s)? I'd be happy to provide you with any load data etc. from the deployment.
Niceee!!! I love that. One of the main goals for the HELK is to be able to scale. I was wondering if you had any recommendations or feedback about the configurations assigned to the ELK portion of the build. That would be very helpful and I would appreciate it. The more use cases and suggestions, the better. 👍
That would be great, actually. Regarding the multiple Elasticsearch setups, I was thinking of doing something similar but for Kafka brokers via Docker Compose, but I have not tested that with multiple nodes.
Sorry the format is screwy; I just copy/pasted from the winlogbeat config.

Here are the events that I collect from the Windows logs. They are based on the SANS 508 course that I took in Dec 2017, so the recommendations are new. Sorry for the fluff, but it's a quick copy/paste.

I have a Sysmon config also, but I'll have to clean that up a bit before I can share it. Right now that Sysmon config puts approx. 1% extra load on the CPU of client machines and it collects what I need to hunt for PowerShell etc. We have not put this Sysmon config in prod yet because we are awaiting a fix from Trend Micro for a CPU load bug in conjunction with the Sysmon driver on OfficeScan 11.6. If you use the XG version it works fine in our PoC environment.

Winlogbeat config: these event IDs need to be "ported" to the Windows Event Collector server; it's really easy to do. You then tell Winlogbeat (installed on the WEC server) to send "Forwarded Events".

Let me know if you want the winlogbeat yml for that.
All logon/logoff events include a Logon Type code, the precise type of logon or logoff:

- 2 Interactive
- 3 Network (remote file shares / printers / IIS)
- 4 Batch (scheduled task)
- 5 Service (service account)
- 7 Unlock
- 8 NetworkCleartext (IIS)
- 9 NewCredentials (RunAs /netonly)
- 10 RemoteInteractive (Terminal Services, RDP)
- 11 CachedInteractive (cached credentials)
Security log event IDs from FOR508 book 3/4 and MS recommendations as of 31/05/2017:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise

The event IDs are for Win10; on earlier platforms the event IDs below may not match or may not exist.

http://syspanda.com/index.php/2017/10/10/threat-hunting-sysmon-word-document-macro/

Be careful of using tabs when editing; it may break the config.
```yaml
winlogbeat.event_logs:
  - name: Security
    # choose version 1 OR 2 (uncomment one of the event_id lines):
    # Version 1
    #event_id: 1102, 4608, 4609, 4610, 4611, 4618, 4624, 4625, 4649, 4672, 4673, 4688, 4692, 4698, 4699, 4700, 4701, 4702, 4719, 4720, 4724, 4728, 4732, 4735, 4764, 4766, 4768, 4769, 4771, 4776, 4778, 4779, 4897, 4960, 4964, 5038, 5124, 5140, 6279
    # Version 2
    #event_id: 1102, 4624, 4625, 4672, 4688, 4698, 4699, 4700, 4701, 4702, 4720, 4724, 4728, 4732, 4735, 4768, 4769, 4771, 4776, 4778, 4779, 5140

  - name: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
    event_id: 131

  - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
    event_id: 1149

  - name: Application
    event_id: 11707

  - name: System
    event_id: 6013, 7040, 7045, 7030, 7034, 7036

  # To list the event IDs the PowerShell provider can emit, run:
  # (Get-WinEvent -ListProvider Microsoft-Windows-Powershell).Events | Format-Table ID, Description -AutoSize
  - name: Microsoft-Windows-Powershell/Operational
    event_id: 4103, 4104, 32849, 32856

  - name: Microsoft-Windows-Sysmon/Operational
    event_id: 1, 3, 7, 8, 10, 11, 13, 17, 18

  # no event_id filter: collect the whole channel
  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
    event_id:
```
You get this with the PowerShell logging. Add the Windows Firewall log for ports 5985/5986 (the remote PowerShell ports).
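As an added example (not HELK's code and not the commenter's), here is a small Python triage that applies the posted "Version 2" Security allowlist and the Logon Type table to Winlogbeat-style JSON events, the kind HELK would receive from the WEC server. The field layout (`winlog.channel`, `winlog.event_id`, `winlog.event_data`) is assumed from Winlogbeat 7.x JSON output, the sample events are constructed rather than real telemetry, and the function names are this example's own.

```python
"""Triage Winlogbeat-style Windows events against the collection allowlist.

Added example; not HELK's or the commenter's code. Assumes Winlogbeat 7.x JSON
field names (winlog.channel / winlog.event_id / winlog.event_data). The Security
event ID set is the thread's "Version 2" list; the Logon Type table is the one
posted above.
"""
import json
from collections import Counter

# "Version 2" Security channel allowlist from the posted winlogbeat config.
SECURITY_EVENT_IDS = {
    1102, 4624, 4625, 4672, 4688, 4698, 4699, 4700, 4701, 4702, 4720, 4724,
    4728, 4732, 4735, 4768, 4769, 4771, 4776, 4778, 4779, 5140,
}

# Logon Type codes carried in the LogonType field of 4624/4625 and friends.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed sample events (not real telemetry), in Winlogbeat's JSON shape.
# Note the second event carries event_id as a string, as Winlogbeat 7.x does.
SAMPLE_EVENTS = [
    {"winlog": {"channel": "Security", "event_id": 4624, "computer_name": "WS01",
                "event_data": {"TargetUserName": "alice", "LogonType": "10", "IpAddress": "10.0.0.5"}}},
    {"winlog": {"channel": "Security", "event_id": "4624", "computer_name": "SRV01",
                "event_data": {"TargetUserName": "svc_backup", "LogonType": "5", "IpAddress": "-"}}},
    {"winlog": {"channel": "Security", "event_id": 4625, "computer_name": "DC01",
                "event_data": {"TargetUserName": "admin", "LogonType": "3", "IpAddress": "10.0.0.9"}}},
    {"winlog": {"channel": "Security", "event_id": 4634, "computer_name": "WS01",
                "event_data": {"TargetUserName": "alice", "LogonType": "10"}}},
    {"winlog": {"channel": "Security", "event_id": 4688, "computer_name": "WS01",
                "event_data": {"NewProcessName": "C:\\Windows\\System32\\cmd.exe"}}},
    {"winlog": {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
                "computer_name": "WS01", "event_data": {"Image": "C:\\Windows\\System32\\cmd.exe"}}},
    {"winlog": {"channel": "Security", "event_id": 4624, "computer_name": "WS02",
                "event_data": {"TargetUserName": "bob", "LogonType": "2", "IpAddress": "-"}}},
]
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def event_id(event):
    """Normalise winlog.event_id to int (string in Winlogbeat 7.x, int earlier)."""
    return int(event["winlog"]["event_id"])


def wanted(event):
    """Apply the Security allowlist; every other channel passes through unfiltered."""
    if event["winlog"].get("channel") != "Security":
        return True
    return event_id(event) in SECURITY_EVENT_IDS


def describe_logon(event):
    """Return (user, logon type name, source IP) for events carrying LogonType, else None."""
    data = event["winlog"].get("event_data", {})
    if "LogonType" not in data:
        return None
    code = int(data["LogonType"])
    return (data.get("TargetUserName", "?"),
            LOGON_TYPES.get(code, f"Unknown({code})"),
            data.get("IpAddress", "-"))


def triage(ndjson):
    """Filter newline-delimited Winlogbeat JSON; count kept events, dropped IDs and logons by type."""
    kept, dropped, logons = 0, Counter(), Counter()
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not wanted(event):
            dropped[event_id(event)] += 1
            continue
        kept += 1
        logon = describe_logon(event)
        if logon is not None:
            _user, logon_type, _ip = logon
            logons[(event_id(event), logon_type)] += 1
    return {"kept": kept, "dropped": dict(dropped), "logons": dict(logons)}


if __name__ == "__main__":
    summary = triage(SAMPLE_NDJSON)
    print(f"kept {summary['kept']} events, dropped by event_id: {summary['dropped']}")
    for (eid, logon_type), count in sorted(summary["logons"].items()):
        print(f"  {eid} {logon_type:<18} x{count}")
```

Running the script over the constructed events keeps everything except the 4634 logoff (absent from the "Version 2" list) and summarises the 4624/4625 events by Logon Type, which is the view a hunter wants when looking for RDP (type 10) or network (type 3) logons from unexpected sources.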
Nice thank you for sharing @ssi0202 ! 👍
I added the recommendation of using WEF to the wiki. This is going to be explored soon: https://github.com/Cyb3rWard0g/HELK/wiki/Kafka
Installation of WEF with Winlogbeat installed on the WEF server is explained in a talk @neu5ron and I gave at BSColumbus 2018. Slides