Added Curator to HELK build, added email alerts to Elastalert, exposed ES port to host

docker/helk-curator/Dockerfile

@@ -0,0 +1,56 @@
+# HELK script: HELK Curator Dockerfile
+# HELK build Stage: Alpha
+# Author: Ashlee Jones (@AshleeJones04)
+# License: GPL-3.0
+
+# References: 
+# https://github.com/elastic/curator
+
+FROM cyb3rward0g/helk-base:0.0.3
+LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
+LABEL description="Dockerfile base for the HELK Curator."
+
+ENV CURATOR_GID=934
+ENV CURATOR_UID=934
+ENV CURATOR_USER=curatoruser
+ENV CURATOR_HOME=/usr/share/curator
+ENV DEBIAN_FRONTEND noninteractive
+
+# *********** Installing Prerequisites ***************
+# -qq : No output except for errors
+RUN apt-get update -qq && apt-get install -qqy --no-install-recommends \
+  libmagic-dev \
+  build-essential \
+  python3-setuptools \
+  git \
+  python3-pip \
+  python3-dev \
+  tzdata \
+  nano \
+  cron \
+  # ********* Clean ****************************
+  && apt-get -qy clean \
+  autoremove \
+  && rm -rf /var/lib/apt/lists/* \
+  # ********* Install Curator **************
+  && bash -c 'mkdir -pv /usr/share/curator' \
+  && cd ${CURATOR_HOME} \
+  && wget https://raw.githubusercontent.com/elastic/curator/master/requirements.txt \
+  && pip3 install wheel \
+  && pip3 install -r requirements.txt \
+  && pip3 install elasticsearch-curator
+
+# ********* Copy Curator files and setup cron **************
+COPY actions.yaml ${CURATOR_HOME}/
+COPY curator.yml ${CURATOR_HOME}/
+COPY helk-curator-cron /etc/cron.d/helk-curator-cron
+RUN chmod 0644 /etc/cron.d/helk-curator-cron
+RUN crontab /etc/cron.d/helk-curator-cron
+RUN touch /var/log/helk-curator-cron.log
+
+
+# *********** RUN Curator ***************
+WORKDIR ${CURATOR_HOME}
+#ENTRYPOINT ["./curator-entrypoint.sh"]
+#CMD ["curator","--config","/usr/share/curator/curator.yml","/usr/share/curator/actions.yaml"]
+CMD cron && tail -f /var/log/helk-curator-cron.log

docker/helk-curator/actions.yaml

@@ -0,0 +1,123 @@
+---
+# Remember, leave a key empty if there is no value.  None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True.  If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+  1:
+    action: delete_indices
+    description: >-
+      Delete indices older than 7 days (based on index name), for winlogbeat-
+      prefixed indices. Ignore the error if the filter does not result in an
+      actionable list of indices (ignore_empty_list) and exit cleanly.
+    options:
+      ignore_empty_list: True
+      timeout_override:
+      continue_if_exception: False
+      disable_action: False
+    filters:
+    - filtertype: pattern
+      kind: prefix
+      value: logs-endpoint-winevent-
+      exclude:
+    - filtertype: age
+      source: name
+      direction: older
+      timestring: '%Y.%m.%d'
+      unit: days
+      unit_count: 7
+      exclude:
+  2:
+    action: delete_indices
+    description: >-
+      Delete indices older than 7 days (based on index name), for filebeat-
+      prefixed indices. Ignore the error if the filter does not result in an
+      actionable list of indices (ignore_empty_list) and exit cleanly.
+    options:
+      ignore_empty_list: True
+      timeout_override:
+      continue_if_exception: False
+      disable_action: False
+    filters:
+    - filtertype: pattern
+      kind: prefix
+      value: winlogbeat-
+      exclude:
+    - filtertype: age
+      source: name
+      direction: older
+      timestring: '%Y.%m.%d'
+      unit: days
+      unit_count: 7
+      exclude:
+  3:
+    action: delete_indices
+    description: >-
+      Delete indices older than 7 days (based on index name), for packetbeat-
+      prefixed indices. Ignore the error if the filter does not result in an
+      actionable list of indices (ignore_empty_list) and exit cleanly.
+    options:
+      ignore_empty_list: True
+      timeout_override:
+      continue_if_exception: False
+      disable_action: False
+    filters:
+    - filtertype: pattern
+      kind: prefix
+      value: .monitoring-kibana-
+      exclude:
+    - filtertype: age
+      source: name
+      direction: older
+      timestring: '%Y.%m.%d'
+      unit: days
+      unit_count: 7
+      exclude:
+  4:
+    action: delete_indices
+    description: >-
+      Delete indices older than 7 days (based on index name), for metricbeat-
+      prefixed indices. Ignore the error if the filter does not result in an
+      actionable list of indices (ignore_empty_list) and exit cleanly.
+    options:
+      ignore_empty_list: True
+      timeout_override:
+      continue_if_exception: False
+      disable_action: False
+    filters:
+    - filtertype: pattern
+      kind: prefix
+      value: mitre-attack-
+      exclude:
+    - filtertype: age
+      source: name
+      direction: older
+      timestring: '%Y.%m.%d'
+      unit: days
+      unit_count: 7
+      exclude:
+  5:
+    action: delete_indices
+    description: >-
+      Delete indices older than 7 days (based on index name), for metricbeat-
+      prefixed indices. Ignore the error if the filter does not result in an
+      actionable list of indices (ignore_empty_list) and exit cleanly.
+    options:
+      ignore_empty_list: True
+      timeout_override:
+      continue_if_exception: False
+      disable_action: False
+    filters:
+    - filtertype: pattern
+      kind: prefix
+      value: .monitoring-logstash-
+      exclude:
+    - filtertype: age
+      source: name
+      direction: older
+      timestring: '%Y.%m.%d'
+      unit: days
+      unit_count: 7
+      exclude:

docker/helk-curator/curator.yml

@@ -0,0 +1,22 @@
+
+# Remember, leave a key empty if there is no value.  None will be a string,
+# not a Python "NoneType"
+client:
+  hosts:
+    - localhost
+  port: 9200
+  url_prefix:
+  use_ssl: False
+  certificate:
+  client_cert:
+  client_key:
+  ssl_no_validate: False
+  http_auth:
+  timeout: 30
+  master_only: False
+
+logging:
+  loglevel: INFO
+  logfile:
+  logformat: default
+  blacklist: ['elasticsearch', 'urllib3']

docker/helk-curator/helk-curator-cron

@@ -0,0 +1,2 @@
+0 0 * * * /usr/local/bin/curator --config /usr/share/curator/curator.yml /usr/share/curator/actions.yaml >> /var/log/helk-curator-cron.log 2>&1
+# An empty line is required at the end of this file for a valid cron file.

docker/helk-elastalert/Dockerfile

@@ -28,6 +28,7 @@ RUN apt-get update -qq && apt-get install -qqy --no-install-recommends \
   python3-dev \
   python3-setuptools \
   tzdata \
+  nano \
   # ********* Clean ****************************
   && apt-get -qy clean \
   autoremove \
@@ -47,6 +48,7 @@ RUN apt-get update -qq && apt-get install -qqy --no-install-recommends \
 # ********* Copy Elastalert files **************
 COPY scripts/* ${ESALERT_HOME}/
 COPY config.yaml ${ESALERT_HOME}/
+COPY smtp_auth_file.yaml ${ESALERT_HOME}/
 COPY rules/* ${ESALERT_HOME}/rules/
 COPY sigmac/sigmac-config.yml ${ESALERT_SIGMA_HOME}/sigmac-config.yml
 

docker/helk-elastalert/config.yaml

@@ -13,7 +13,7 @@ run_every:
     seconds: 30
 buffer_time:
     seconds: 45
-es_host: helk-elasticsearch
+es_host: HELKIP
 es_port: 9200
 alert_time_limit:
     days: 1

docker/helk-elastalert/rules/helk_powershell_susp_ps_commands.yml

@@ -1,5 +1,13 @@
 alert:
 - debug
+- email
+email: 
+      - "[email protected]"
+smtp_host: "smtp.outlook.com" #for O365 email addresses
+smtp_port: 587 #for O365 email addresses
+smtp_ssl: true
+from_addr: "[email protected]"
+smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml"
 description: Detects potential suspicious powershell parameters
 filter:
 - query:
@@ -10,4 +18,4 @@ name: Windows-Suspicious-Powershell-commands_0
 priority: 2
 realert:
   minutes: 0
-type: any
+type: any

docker/helk-elastalert/rules/helk_security_dcsync_backdoor_user.yml

@@ -1,5 +1,13 @@
 alert:
 - debug
+- email
+email: 
+      - "[email protected]"
+smtp_host: "smtp.outlook.com" #for O365 email addresses
+smtp_port: 587 #for O365 email addresses
+smtp_ssl: true
+from_addr: "[email protected]"
+smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml"
 description: Detects potential DCSync backdoor user
 filter:
 - query:
@@ -10,4 +18,4 @@ name: Windows-DCSync-backdoor-user_0
 priority: 2
 realert:
   minutes: 0
-type: any
+type: any

docker/helk-elastalert/rules/helk_security_dcsync_non_dc.yml

@@ -1,5 +1,13 @@
 alert:
 - debug
+- email
+email: 
+      - "[email protected]"
+smtp_host: "smtp.outlook.com" #for O365 email addresses
+smtp_port: 587 #for O365 email addresses
+smtp_ssl: true
+from_addr: "[email protected]"
+smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml"
 description: Detects potential DCSync from non-dcs
 filter:
 - query:
@@ -10,4 +18,4 @@ name: Windows-dcsync-non-dc_0
 priority: 2
 realert:
   minutes: 0
-type: any
+type: any

docker/helk-elastalert/rules/helk_security_rubes_logon_process.yml

@@ -1,5 +1,13 @@
 alert:
 - debug
+- email
+email: 
+      - "[email protected]"
+smtp_host: "smtp.outlook.com" #for O365 email addresses
+smtp_port: 587 #for O365 email addresses
+smtp_ssl: true
+from_addr: "[email protected]"
+smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml"
 description: Detects potential use of rubeus via the trusted logon process
 filter:
 - query:
@@ -10,4 +18,4 @@ name: Windows-Rubeus-logon-process_0
 priority: 2
 realert:
   minutes: 0
-type: any
+type: any

docker/helk-elastalert/rules/helk_security_share_chrome_pipe.yml

@@ -1,5 +1,13 @@
 alert:
 - debug
+- email
+email: 
+      - "[email protected]"
+smtp_host: "smtp.outlook.com" #for O365 email addresses
+smtp_port: 587 #for O365 email addresses
+smtp_ssl: true
+from_addr: "[email protected]"
+smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml"
 description: Detects suspicious use the common chrome named pipe
 filter:
 - query:

docker/helk-elastalert/rules/helk_sysmon_bits.yml

@@ -1,5 +1,13 @@
 alert:
 - debug
+- email
+email: 
+      - "[email protected]"
+smtp_host: "smtp.outlook.com" #for O365 email addresses
+smtp_port: 587 #for O365 email addresses
+smtp_ssl: true
+from_addr: "[email protected]"
+smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml"
 description: Detects suspicious bits activity
 filter:
 - query:

docker/helk-elastalert/rules/helk_sysmon_cmdline_file_creation.yml

@@ -1,5 +1,13 @@
 alert:
 - debug
+- email
+email: 
+      - "[email protected]"
+smtp_host: "smtp.outlook.com" #for O365 email addresses
+smtp_port: 587 #for O365 email addresses
+smtp_ssl: true
+from_addr: "[email protected]"
+smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml"
 description: Detects cmdline files being created on victim
 filter:
 - query:

docker/helk-elastalert/rules/helk_sysmon_cobalt_strike_msagent.yml

@@ -1,5 +1,13 @@
 alert:
 - debug
+- email
+email: 
+      - "[email protected]"
+smtp_host: "smtp.outlook.com" #for O365 email addresses
+smtp_port: 587 #for O365 email addresses
+smtp_ssl: true
+from_addr: "[email protected]"
+smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml"
 description: Detects potential use of named pipes by Cobalt Strike agents
 filter:
 - query:

docker/helk-elastalert/rules/helk_sysmon_cs_rundll32_network.yml

@@ -1,5 +1,13 @@
 alert:
 - debug
+- email
+email: 
+      - "[email protected]"
+smtp_host: "smtp.outlook.com" #for O365 email addresses
+smtp_port: 587 #for O365 email addresses
+smtp_ssl: true
+from_addr: "[email protected]"
+smtp_auth_file: "/etc/elastalert/smtp_auth_file.yaml"
 description: Detects potential use of CS with rundll32 calling out
 filter:
 - query: