Comments (8)
@WasKa001 thank you for the details. Regarding the powershell-* index: did you set your endpoint to send PowerShell logs over to the HELK? For example, this is the Winlogbeat config that I use in my lab: https://github.com/Cyb3rWard0g/HELK/blob/master/winlogbeat/winlogbeat.yml . Let me know if you are doing that already. If you are already doing that, can you just refresh your Kibana interface in your browser by typing the IP of your HELK and refreshing the page? Sometimes there might be a delay for the logs to get to the HELK, but the browser caches Kibana results (i.e. the warning message). Also, regarding wmiprvse.exe, yes, that could be normal. The Sysmon config provided in my blog post (https://gist.github.com/Cyb3rWard0g/136481552d8845e52962534d1a4b8664) is just a basic one to allow others to customize it the way it is needed or wanted. Let me know if this is helpful and if I was able to help or answer your questions.
Hey @WasKa001, I hope you had a good weekend. Let me know if you were able to take a look at the suggestions I shared. Let me know if this could be closed or if you still need help. Thank you!
@Cyb3rWard0g hi, sorry, I didn't have a chance to check it yet. I am using the .yml config file from your blog. I guess it's the same as the one you've posted above. I'll check once again later on today in the evening and will get back to you soon, thanks!
@WasKa001 sounds good. No rush. The YML file is a good start but needs to be customized for your own needs and use cases. Let me know if you were able to install the HELK without any issues 👍 Whenever you have a chance. Thank you
@Cyb3rWard0g HELK installation is not the issue. I've installed it and everything is working properly apart from the powershell-* section: "No indices match pattern "powershell-*"".
Do I need to modify your YML to get this working? I used the YML from your blog post about the threat hunting lab. Thanks!
OK, so HELK installation is not the issue. Can you provide the link to the YML file? The one that I used for the threat hunting lab is not set up to pull PowerShell logs. The YML that you should use is this one: https://github.com/Cyb3rWard0g/HELK/blob/master/winlogbeat/winlogbeat.yml. Also, make sure you have enhanced PowerShell logging enabled: https://cyberwardog.blogspot.com/2017/06/enabling-enhanced-ps-logging-shipping.html . Let me know if this makes sense.
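A client-side check for the two conditions raised in the answer above (enhanced PowerShell logging enabled, and events present in the channel Winlogbeat reads). This is an added example, not code from the HELK project or from either participant; it assumes the policy settings live under the standard `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell` keys and that Winlogbeat is configured to read the `Microsoft-Windows-PowerShell/Operational` channel. Run it in an elevated PowerShell session on the endpoint that should be shipping logs; an empty powershell-* index usually traces back to one of these two checks failing.

```powershell
# Added example: verify enhanced PowerShell logging and the Operational channel on a Windows endpoint.
# Assumption: logging policy is applied via the HKLM Policies keys below (GPO or local policy).

$checks = @(
    @{ Name = 'ScriptBlockLogging'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'; Value = 'EnableScriptBlockLogging' },
    @{ Name = 'ModuleLogging';      Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging';      Value = 'EnableModuleLogging' },
    @{ Name = 'Transcription';      Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription';      Value = 'EnableTranscripting' }
)

# 1. Each policy value must exist and be set to 1; a missing key means the setting was never applied.
foreach ($c in $checks) {
    $enabled = $false
    if (Test-Path $c.Path) {
        $v = (Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue).($c.Value)
        $enabled = ($v -eq 1)
    }
    '{0,-20} {1}' -f $c.Name, $(if ($enabled) { 'enabled' } else { 'NOT enabled' })
}

# 2. The channel Winlogbeat reads for the powershell-* index must actually contain
#    4103 (module logging) / 4104 (script block logging) events. Get-WinEvent throws
#    when nothing matches, so suppress the error and treat $null as "no events".
$log = 'Microsoft-Windows-PowerShell/Operational'
$recent = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4103, 4104 } -MaxEvents 5 -ErrorAction SilentlyContinue
if ($recent) {
    "$log has recent 4103/4104 events; most recent at $($recent[0].TimeCreated)"
} else {
    "$log has no 4103/4104 events yet; enable the policies above, then run some PowerShell so events are produced"
}
```

If the three policies report enabled and the channel has events but the index still does not appear, the remaining places to look are the Winlogbeat `event_logs` section (the channel name must match exactly) and the Winlogbeat output connection to the HELK host.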
@Cyb3rWard0g OK, thank you. I will have a chance to test it out over the weekend. I will replace my config file with the above YML and will let you know. I also don't currently have Enhanced PowerShell logging enabled, so I guess this is why I am getting the error related to the powershell-* index pattern match.
Sounds good @WasKa001. I will close this issue since it is a configuration happening at the client side and not in HELK. Feel free to reopen it or create a new one if the HELK fails at install or if any index does not work at all after you have all the data you need being sent to it. Thank you