# HELK

[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)
[![GitHub issues-closed](https://img.shields.io/github/issues-closed/Cyb3rward0g/HELK.svg)](https://GitHub.com/Cyb3rWard0g/HELK/issues?q=is%3Aissue+is%3Aclosed)
[![Twitter](https://img.shields.io/twitter/follow/THE_HELK.svg?style=social&label=Follow)](https://twitter.com/THE_HELK)
[![Open Source Love](https://badges.frapsoft.com/os/v1/open-source.png?v=103)](https://github.com/ellerbrock/open-source-badges/)
[![stability-alpha](https://img.shields.io/badge/stability-alpha-f4d03f.svg)](https://github.com/mkenney/software-guides/blob/master/STABILITY-BADGES.md#alpha)

The Hunting ELK or simply the HELK is one of the first open source hunt platforms with advanced analytics capabilities such as SQL declarative language, graphing, structured streaming, and even machine learning via Jupyter notebooks and Apache Spark over an ELK stack. This project was developed primarily for research, but due to its flexible design and core components, it can be deployed in larger environments with the right configurations and scalable infrastructure.

# Current Status

The project is currently in an alpha stage, which means that the code and the functionality are still changing. We haven't yet tested the system with large data sources and in many scenarios. We invite you to try it and welcome any feedback.

## Components

* **Apache Spark:** Provides high-level APIs in Java, Scala, Python and R, and an optimized engine that supports general execution graphs.
* **GraphFrames:** A package for Apache Spark which provides DataFrame-based Graphs.
* **Jupyter Notebook:** An open-source web application that allows you to create and share documents that contain live code, equations, visualizations and narrative text.
* **KSQL:** Confluent KSQL is the open source, streaming SQL engine that enables real-time data processing against Apache Kafka®.

## Docs

* [Introduction](https://github.com/Cyb3rWard0g/HELK/wiki)
* [Architecture Overview](https://github.com/Cyb3rWard0g/HELK/wiki/Architecture-Overview)
* [Elasticsearch](https://github.com/Cyb3rWard0g/HELK/wiki/Elasticsearch)
* [Logstash](https://github.com/Cyb3rWard0g/HELK/wiki/Logstash)
* [Kibana](https://github.com/Cyb3rWard0g/HELK/wiki/Kibana)
* [Kafka](https://github.com/Cyb3rWard0g/HELK/wiki/Kafka)
* [Spark](https://github.com/Cyb3rWard0g/HELK/wiki/Spark)
* [Installation](https://github.com/Cyb3rWard0g/HELK/wiki/Installation)

You can see all your docker containers by running the following command:

```
sudo docker ps

CONTAINER ID   IMAGE                                 COMMAND                  CREATED             STATUS             PORTS                 NAMES
a97bd895a2b3   cyb3rward0g/helk-spark-worker:2.3.0   "./spark-worker-entr…"   About an hour ago   Up About an hour   >8082/tcp             helk-spark-worker2
cbb31f688e0a   cyb3rward0g/helk-spark-worker:2.3.0   "./spark-worker-entr…"   About an hour ago   Up About an hour   >8081/tcp             helk-spark-worker
5d58068aa7e3   cyb3rward0g/helk-kafka-broker:1.1.0   "./kafka-entrypoint.…"   About an hour ago   Up About an hour   >9092/tcp             helk-kafka-broker
bdb303b09878   cyb3rward0g/helk-kafka-broker:1.1.0   "./kafka-entrypoint.…"   About an hour ago   Up About an hour   >9093/tcp             helk-kafka-broker2
7761d1e43d37   cyb3rward0g/helk-nginx:0.0.2          "./nginx-entrypoint.…"   About an hour ago   Up About an hour   >80/tcp               helk-nginx
ede2a2503030   cyb3rward0g/helk-jupyter:0.32.1       "./jupyter-entrypoin…"   About an hour ago   Up About an hour   >4040/tcp, >8880/tcp  helk-jupyter
ede19510e959   cyb3rward0g/helk-logstash:6.2.4
```

# Resources
* [Welcome to HELK! : Enabling Advanced Analytics Capabilities](https://cyberwardog.blogspot.com/2018/04/welcome-to-helk-enabling-advanced_9.html)


# HELK's Elasticsearch Heap Size

Elasticsearch uses heap, which can more specifically be referred to as memory/RAM, in order to perform various functions.
Some of the functions this heap/memory is used for are listed below (keep in mind this is not an exhaustive list):

* Keep track of indexes
* When aggregations are run, such as calculating sums, mathematical variations, sub-aggregations of aggregations, etc.
* When certain searches are
* Keep track of offsets of the tokens/terms of indexed values (aka events/logs/data)

As you can see, the amount of heap matters in a healthy setup. The HELK installation process uses various functions to try to set the "perfect" amount of heap; however, there are thousands of variables in all the different ways people use and install HELK.
Therefore we are unable to account for them all, our logic will never be perfect, and unfortunately it may not work best for you. However, you can set your own heap, and we describe the logic below if you choose to let HELK determine what to set.


Heap is set in one of four ways, as detailed below.


## 1) Allow HELK to calculate how much to assign

This is based on the available memory and the variables shown in the code block below.
It is very important to note that this means available memory, not the total amount of memory the host has.
Here is an example of why this is critical to understand: if you have a 100GB RAM server but the server is actively using 90GB of RAM, then you will NOT get the maximum 31GB heap for Elasticsearch. In this example you would actually end up with roughly 3GB of heap, because with only 10GB of available/free memory, locking up all of the remaining memory could cause drastic issues!

```
if available memory >= 1000 MBs and <= 5999 MBs:
  then set to 2000 MBs
else if available memory >= 6000 MBs and <= 8999 MBs:
  then set to 3200 MBs
else if available memory >= 9000 MBs and <= 12999 MBs:
  then set to 5000 MBs
else if available memory >= 13000 MBs and <= 16000 MBs:
  then set to 7100 MBs
else:
  if available memory >= 31 GBs:
    then set to 31 GBs
  else:
    set to available memory in GBs
```
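The tier logic above as a small POSIX shell function, added here as an example (it is not HELK's own entrypoint script): it maps the available memory in MB to the documented heap and formats the result as the ES_JAVA_OPTS value used by the docker config and run-time options further down. Reading the 31 GB cap as 31744 MB, rounding the last branch down to whole GB, and refusing hosts with under 1000 MB available are assumptions.

```shell
#!/bin/sh
# Added example, not HELK's own code: the documented heap tiers as a function.
# Input is *available* memory in MB (not the host total); output is heap in MB.
helk_es_heap_mb() {
    avail_mb="$1"
    if [ "$avail_mb" -lt 1000 ]; then
        # Assumption: below the first documented tier, refuse rather than guess.
        echo "available memory ${avail_mb} MB is below the 1000 MB minimum" >&2
        return 1
    elif [ "$avail_mb" -le 5999 ]; then
        echo 2000
    elif [ "$avail_mb" -le 8999 ]; then
        echo 3200
    elif [ "$avail_mb" -le 12999 ]; then
        echo 5000
    elif [ "$avail_mb" -le 16000 ]; then
        echo 7100
    elif [ "$avail_mb" -ge 31744 ]; then
        # 31 GB cap, taken here as 31*1024 MB (assumption about the unit).
        echo 31744
    else
        # Between 16000 MB and 31 GB: the available memory rounded down to
        # whole GB (assumption about how "in GBs" is rounded).
        echo $(( avail_mb / 1024 * 1024 ))
    fi
}

# Formats the heap as an ES_JAVA_OPTS value with min and max set to the same
# size, as the text recommends. Returns 1 when no tier applies.
helk_es_java_opts() {
    mb="$(helk_es_heap_mb "$1")" || return 1
    echo "-Xms${mb}m -Xmx${mb}m"
}

# Reads the "available" column of `free -m` on Linux and reports the
# ES_JAVA_OPTS the tiers would give this host; fails if free is unavailable.
helk_es_java_opts_for_host() {
    avail_mb="$(free -m 2>/dev/null | awk '/^Mem:/ { print $7 }')"
    [ -n "$avail_mb" ] || { echo "could not read available memory" >&2; return 1; }
    helk_es_java_opts "$avail_mb"
}
```

Run `helk_es_java_opts_for_host` on the HELK host to see what the calculation would pick before deciding whether to override it with one of the options below.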

## 2) Set your own heap

In order to define your own heap settings, edit the two lines that begin with `-Xms` and `-Xmx` (the minimum and maximum JVM heap size) in the file HELK/docker/helk-elasticsearch/config/jvm.options.




Then make sure to restart Elasticsearch.
Always set the min and max JVM heap size to the same value.
Also, because you will be restarting Elasticsearch, your cluster will temporarily be down while the Elasticsearch service/database comes back online.


Here is an example of how to perform the above:

```
# Edit the jvm.options file
sudo nano HELK/docker/helk-elasticsearch/config/jvm.options
# The two lines mentioned above should look like the following
# if you wanted to set the heap to 16GB:
#   -Xms16g
#   -Xmx16g
# Restart elasticsearch
docker restart helk-elasticsearch
```

## 3) Add ES_JAVA_OPTS to the docker config file

Which docker config file to use is shown later.
You will add this value under services.helk-elasticsearch.environment. For example, if I used the option for ELK + Kafka with no license and no alerting and wanted to set the heap to 16GB, then I would edit HELK/docker/helk-kibana-analysis-basic.yml and add the following line under the environment section:

```
- "ES_JAVA_OPTS=-Xms16g -Xmx16g"
```


Then make sure to rebuild the Elasticsearch docker container.
Always set the min and max JVM heap size to the same value.
Also, because you will be restarting Elasticsearch, your cluster will temporarily be down while the Elasticsearch service/database comes back online.

Note: if you are using an (elastic) license you will need to set your ELASTIC_PASSWORD and KIBANA_UI_PASSWORD variables (and the Logstash password if applicable).


Here is how to perform the above:

```
# Example config (only showing the beginning lines). These settings may not
# match your config exactly; the important thing is to have the value under
# the environment section.
version: '3.5'
services:
  helk-elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.3.1
    container_name: helk-elasticsearch
    secrets:
      - source: elasticsearch.yml
        target: /usr/share/elasticsearch/config/elasticsearch.yml
    volumes:
      - esdata:/usr/share/elasticsearch/data
      - ./helk-elasticsearch/scripts:/usr/share/elasticsearch/scripts
      - ./helk-elasticsearch/config/jvm.options:/usr/share/elasticsearch/config/jvm.options
    entrypoint: /usr/share/elasticsearch/scripts/elasticsearch-entrypoint.sh
    environment:
      - cluster.name=helk-cluster
      - node.name=helk-1
      - xpack.license.self_generated.type=basic
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms16g -Xmx16g"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nproc: 20480
      nofile:
        soft: 160000
        hard: 160000
    restart: always
    networks:
      helk:
```

Rebuild the Elasticsearch docker container:

```
docker-compose -f HELK/docker/helk-kibana-analysis-basic.yml up --build -d
```

## 4) Set at run time using a custom bash variable

Example bash variable such as:

```
export ES_JAVA_OPTS="-Xms16g -Xmx16g"
```

Then run the following using your own docker config file:

```
docker-compose -f $PlaceDockerConfigFileNameHere up --build -d
```

Only use this option if you explicitly need to. Please know what you're getting into ;)

# Kibana


## Visualize your logs


Make sure you have logs being sent to your HELK first (at least Windows Security and Sysmon events). Then go to https://<HELK's IP> in your preferred browser. If you don't see logs right away, update your time picker (in the top right) to include a window farther back. Additionally, if you just started sending logs, wait a minute and check again.


Currently, HELK automatically creates 7 index patterns for you and sets `logs-endpoint-winevent-sysmon-*` as your default one:

* `logs-*`
* `logs-endpoint-winevent-sysmon-*`
* `logs-endpoint-winevent-security-*`
* `logs-endpoint-winevent-application-*`
* `logs-endpoint-winevent-system-*`
* `logs-endpoint-winevent-powershell-*`
* `logs-endpoint-winevent-wmiactivity-*`



Currently, the HELK comes with 3 dashboards:








## Monitoring Views (X-Pack Basic Free License)

### Kibana Initial Overview


### Elasticsearch Overview


### Logstash Overview




Apart from running `docker ps` and `docker logs --follow --tail 25 helk-kibana`, you can also look at the logs located at /usr/share/kibana/config/kibana_logs.log.

Example: `docker exec helk-kibana tail -f /usr/share/kibana/config/kibana_logs.log`

Many times Kibana will not be "working" because Elasticsearch is still starting up or has run into an error.

