-
Notifications
You must be signed in to change notification settings - Fork 689
Home
HELK is an ELK (Elasticsearch, Logstash & Kibana) stack with advanced hunting analytic capabilities provided by the implementation of Spark & Graphframes technologies. The Hunting ELK or simply the HELK is one of the first public builds that enables data science features to an ELK stack for free. In addition, it comes with a Jupyter Notebook integration for prototyping in Big Data/Machine learning use cases. This stack provides a full-text search engine mixed with great visualizations, graph relational queries and advanced analytics.
Nowadays, enabling the right event logging and centralizing the collection of different data sources is finally becoming a basic security standard. This allows organizations to not just increase the level of visibility from an endpoint and network perspective, but to adopt new concepts within their security teams such as threat hunting. Even though it might seem that collecting a lot of data is all a hunt team needs to be successful, there are several challenges that hunters face when using large, unstructured and sometimes incomplete data. One of this challenges is to make sense of the disparate data sources in an easy and consistent way when trying to effectively detect adversarial techniques.
ELK stacks have already been adopted considerably by small and large organizations for data ingestion, storage and visualization. Therefore, using it as a main structure with Spark and GraphFrames on the top of it allow hunt teams to effectively take their hunt skills and program to the next level. This approach is affordable, scalable, and can be used during research or any other engagement where blue and red teams meet.
HELK was built primarily for research, but due to its flexible design, it can be deployed in larger environments with the right configurations and scalable infrastructure. You can go from simply searching a specific string to create advanced graph queries and apply algorithms to the data stored in an Elasticsearch database. Therefore, there are a variety of use cases that can be prototyped with the HELK. The main implementation of this project is Threat Hunting (Active Defense).
If you have used an ELK stack before or followed any of the "Chronicles of a Threat Hunter" series by @Cyb3rWard0g, you will find the HELK pretty easy to follow. The new data science features will be explained in more details in the HOW TO section of this wiki. Also, stay tuned for future blog posts on how to use the new HELK capabilities. Follow @THE_HELK & @Cyb3rWard0g for any updates.