
HELK [Sigma & Elastalert] Quality of Life improvements

Open webhead404 opened this issue 6 years ago • 2 comments

This issue is solely related to conversations I have had with @neu5ron on improving HELK. He asked me to track them here.

Improvements:

  1. Custom Sigma rules
     * Possible solution: a custom folder that references a host folder.

  2. Custom ElastAlert rules
     * Possible solution: a custom folder that references a host folder.

  3. Change the ElastAlert rule buffer from 45 seconds to 1800 seconds:
     https://github.com/Cyb3rWard0g/HELK/blob/fa329ccdb168e6735791649ea848be577f34373c/docker/helk-elastalert/config.yaml#L15
     (Issue was identified after creating a custom ElastAlert rule that, when triggered, would not create an entry in any elastalert indexes.)

  4. Sync the latest Sigma rules: https://github.com/Neo23x0/sigma/pull/554

  5. Improve / discuss the best way to keep the Sigma ruleset up to date.
     * Possible to give the user an option to manually pull the rules from the main Sigma repo.

webhead404, Jan 08 '20 15:01

Additionally, I have been thinking of an index just for logs for alerting, then have this index age out / delete after 1-2 days. Timestamps across logs, whether timezone, delays, laptop offline, etc., can make any database alerting inconsistent. The timestamp would be used at write, and a buffer time of an hour or so should be good... Just think: if the database is in UTC and logs are in EST, you're 4-5 hours.

neu5ron, Jan 11 '20 01:01

#397

neu5ron, Jan 11 '20 01:01
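The two problems raised in this thread (a custom ElastAlert rule that matched but never produced an entry with the 45 second buffer, and neu5ron's point that ingest delays and timezone skew make timestamp-based alerting inconsistent) both come down to how ElastAlert selects events: on each run it queries for documents whose `@timestamp` falls in a window of `buffer_time` ending at the current run. A document that is indexed later than `buffer_time` after its own `@timestamp`, or whose `@timestamp` is hours in the past because a local time was written as UTC, is never inside any window. The simulation below is an added example written for this thread; it is not HELK or ElastAlert code. The three events, the 30 second `run_every`, and the "offline laptop" and "EST written as UTC" scenarios are constructed for illustration, and `query_delay` is modelled as zero.

```python
"""Simulate ElastAlert's per-run query window to show which events a given
buffer_time can ever match.  Added example for this issue thread; the events,
run cadence and scenarios below are constructed, not taken from HELK."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Event:
    name: str
    event_ts: datetime   # value the log source wrote into @timestamp
    ingest_ts: datetime  # when the document became searchable in Elasticsearch


def query_window(run_at: datetime, buffer_time: timedelta):
    """ElastAlert queries @timestamp in [run_at - buffer_time, run_at] on each
    run (the per-rule query_delay option, which shifts this window back by a
    fixed lag, is assumed to be 0 here)."""
    return run_at - buffer_time, run_at


def events_seen(events, run_at: datetime, buffer_time: timedelta):
    """Events a single run at `run_at` can retrieve: the document must already
    be indexed AND its @timestamp must fall inside the query window."""
    start, end = query_window(run_at, buffer_time)
    return sorted(e.name for e in events
                  if e.ingest_ts <= run_at and start <= e.event_ts <= end)


def missed_forever(events, first_run: datetime, run_every: timedelta,
                   buffer_time: timedelta, runs: int):
    """Events that no run in the schedule ever sees.  These are the matches
    that trigger nothing and leave no entry in the elastalert indexes."""
    seen = set()
    for i in range(runs):
        seen.update(events_seen(events, first_run + i * run_every, buffer_time))
    return sorted(e.name for e in events if e.name not in seen)


# Constructed sample: three events, all "happening" at T0 (assumed).
T0 = datetime(2020, 1, 8, 15, 0, 0, tzinfo=UTC)
RUN_EVERY = timedelta(seconds=30)  # assumed scheduler cadence, not HELK's value
EVENTS = [
    # Indexed 5 s after it happened: the normal case.
    Event("prompt", T0, T0 + timedelta(seconds=5)),
    # Laptop was offline; the shipper delivered the log 2 minutes late.
    Event("late", T0, T0 + timedelta(seconds=120)),
    # Source stamped local EST (UTC-5) but the value was stored as UTC, so
    # the document appears to be five hours old the moment it arrives.
    Event("tz_skew", T0 - timedelta(hours=5), T0 + timedelta(seconds=5)),
]

BUFFER_45S = timedelta(seconds=45)     # HELK's original buffer_time
BUFFER_1800S = timedelta(seconds=1800)  # the value proposed in the issue


if __name__ == "__main__":
    for label, buf in (("45s", BUFFER_45S), ("1800s", BUFFER_1800S)):
        print(f"buffer_time={label}: never seen ->",
              missed_forever(EVENTS, T0, RUN_EVERY, buf, runs=120))
```

With the 45 second buffer the late event is lost: by the time it is searchable (T0+120s) every window has already moved past T0. Raising `buffer_time` to 1800 seconds recovers anything delivered within half an hour, which is the fix the issue proposes, but no reasonable buffer recovers the timezone-skewed event; that one has to be fixed at write time, which is the motivation behind an alerting index keyed on ingest time. Widening `buffer_time` also means each query scans a larger slice of the index and that a rule with `num_events` style aggregation counts over a longer span, so the value should be sized to the real delivery lag rather than set arbitrarily high.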