Evaluation of the detection capabilities of the open source SIEM HELK

2020 
In this thesis we examine the use and the capabilities of the HELK SIEM as implemented by Roberto Rodriguez. The appliance is built on three recently introduced analytics tools, Elasticsearch, Logstash and Kibana (ELK), from which it takes its name, with the letter H prepended to denote its threat Hunting purpose. After going through the installation process and multiple configurations, HELK is tested to determine its efficiency by simulating several conditions that it is tasked with detecting: suspicious activity, an ongoing cyber attack, or a malware infection of a system.