Cyb3rWard0g / HELK

The Hunting ELK
GNU General Public License v3.0
3.75k stars 680 forks

User Role Management and Kibana Session Management with SearchGuard Community Edition #246

Closed Cyb3rSn0rlax closed 5 years ago

Cyb3rSn0rlax commented 5 years ago

Describe the problem

Suggesting the integration of Search Guard Community Edition with HELK for :

What steps did you take trying to fix the issue? Not an issue. It is a feature request

How could we replicate the issue? Not an issue. It is a feature request

If you are having issue during the installation stage, please provide the HELK installation logs located at /var/log/helk-install.log Not an issue. It is a feature request

What version of HELK are you using? Latest

What OS are you using to host the HELK? Ubuntu Server 16.04 LTS

Any additional context? Planning to use HELK to level up our visibility on endpoints and integrate it with QRadar as an EDR solution for detecting sophisticated, user-level attacks.

Thank you for the great work

neu5ron commented 5 years ago

Thanks for the suggestion @hamzaouadia, I will let @Cyb3rWard0g chime in a bit more and confirm if he agrees; we have played with this idea before.

A few things here:

1) We already include the X-Pack security trial feature that includes these features (granted, it is only a trial).

2) The speed of updates by Search Guard (or any outside plugin from the Elastic branch). Elastalert used to have this issue too, but they have done much better since. It appears Search Guard supports 7.X already, which is good, but how long do their release cycles take?

I think supporting these sorts of features is getting into various enterprise features that may be out of scope of the ideology of why Roberto built the HELK, which is to be a data science/analytic tool for the community. We leave people the opportunity/option to scale and integrate enterprise features as they see fit, with both X-Pack and everything else being open source.

However, with that said, if you are open to creating a pull request for the integration, I would be more than happy to review and discuss more. Lastly, I want to state that this concept could change, just like it did with Elastalert.

Again thanks for your suggestion and keep them coming!

Cyb3rSn0rlax commented 5 years ago

Thank you for your reply and explanations