Skip to content
The Hunting ELK
Jupyter Notebook CSS Shell Ruby Other
Branch: master
Clone or download

Latest commit

Latest commit e819bc8 Feb 15, 2020


Type Name Latest commit message Commit time
Failed to load latest commit information.
.github/ISSUE_TEMPLATE update issue template Jan 31, 2020
configs Created helk.xml Jan 20, 2020
docker Update Gemfile.lock Feb 15, 2020
docs Updating Gemfiles Feb 15, 2020
resources Initial Documentation Jan 21, 2020
scripts Sigma to Notebooks Integration Jan 11, 2020
.gitignore gitignore python and compiled code stuff Jan 31, 2020
.gitmodules Update .gitmodules Jan 14, 2020 [Alpha] v0.1.7-alpha02242019 Feb 24, 2019
LICENSE Updating License Jul 12, 2018 Update May 17, 2018 Updated README and Links Jan 21, 2020


License: GPL v3 GitHub issues-closed Twitter Open Source Love stability-alpha

The Hunting ELK or simply the HELK is one of the first open source hunt platforms with advanced analytics capabilities such as SQL declarative language, graphing, structured streaming, and even machine learning via Jupyter notebooks and Apache Spark over an ELK stack. This project was developed primarily for research, but due to its flexible design and core components, it can be deployed in larger environments with the right configurations and scalable infrastructure.

alt text


  • Provide an open source hunting platform to the community and share the basics of Threat Hunting.
  • Expedite the time it takes to deploy a hunt platform.
  • Improve the testing and development of hunting use cases in an easier and more affordable way.
  • Enable Data Science capabilities while analyzing data via Apache Spark, GraphFrames & Jupyter Notebooks.

Current Status: Alpha

The project is currently in an alpha stage, which means that the code and the functionality are still changing. We haven't yet tested the system with large data sources and in many scenarios. We invite you to try it and welcome any feedback.




Current Committers


There are a few things that I would like to accomplish with the HELK as shown in the To-Do list below. I would love to make the HELK a stable build for everyone in the community. If you are interested on making this build a more robust one and adding some cool features to it, PLEASE feel free to submit a pull request. #SharingIsCaring

License: GPL-3.0

HELK's GNU General Public License


  • Kubernetes Cluster Migration
  • OSQuery Data Ingestion
  • MITRE ATT&CK mapping to logs or dashboards
  • Cypher for Apache Spark Integration (Adding option for Zeppelin Notebook)
  • Test and integrate neo4j spark connectors with build
  • Add more network data sources (i.e Bro)
  • Research & integrate spark structured direct streaming
  • Packer Images
  • Terraform integration (AWS, Azure, GC)
  • Add more Jupyter Notebooks to teach the basics
  • Auditd beat intergation

More coming soon...

You can’t perform that action at this time.