SIEM / Threat Hunting / DFIR / Live Response lab with HELK + Velociraptor [1, 2]
Data Science research with HELK server, Jupyter notebooks
Detection Engineering research with Mordor [3, 4]
Features and Information
New Feature: Combined Velociraptor + HELK System! Velociraptor [1] + Hunting ELK [2] System: Windows 10 Endpoints instrumented with agents to auto register Velociraptor and send Sysmon logs
New Feature: Three tools for Adversary Simulation: Script to automatically invoke Atomic Red Team unit tests using Ansible playbook.
New Feature: Support for AWS and Azure - Terraform provider support for AWS, Azure.
Deploys one Linux 18.04 HELK Server with data science capabiliies. Deploys HELK install option #4, including KAFKA + KSQL + ELK + NGNIX + SPARK + JUPYTER + ELASTALERT
Windows endpoint is automatically configured with Sysmon (SwiftOnSecurity) and Winlogbeat
Windows endpoint is automatically configured to use HELK configuration + Kafka Winlogbeat output to send logs to HELK
Automatically registers the Windows endpoint to the Velociraptor server with TLS self-signed certificate configuration
Windows endpoint includes Atomic Red Team (ART), Elastic Detection RTA, and APTSimulator
Uses Terraform templates to automatically deploy in Azure with VMs
Azure NSGs and AWS Security Groups can whitelist your source prefix (for added security)
The following ports are opened through Azure and AWS Security Groups for ingress TCP traffic: RDP (3389), WinRM HTTP (5985), WinRM HTTPS (5986), SSH (22), HTTPS (443), Spark (8080), KQL (8088), Zookeeper (2181), Velociraptor GUI (8889), Velociraptor Agent (8000)