RedELK is a specialized SIEM tool designed for Red Teams to centrally track, analyze, and alert on Blue Team activities and improve operational oversight during long-term engagements.
Red Team's SIEM - a tool for Red Teams used for tracking and alerting on Blue Team activities, as well as for better usability in long-term operations.
RedELK is primarily used by Red Team operators to collect and enrich operational logs from multiple teamservers and redirectors, enabling historic searching, real-time monitoring, and detection of Blue Team investigations. It is ideal for complex, multi-scenario, multi-member, and long-duration Red Team operations, providing a centralized, read-only overview for operators and White Teams alike.
RedELK requires a multi-component Elastic Stack environment and is best deployed using provided Ansible playbooks for ease of setup. It is designed for Red Team operations and assumes familiarity with Red Team infrastructure and concepts. Users should ensure proper operational security as RedELK collects sensitive operational data. The tool provides a read-only view for White Teams to monitor Red Team activities without interfering.
Refer to the official RedELK wiki for manual installation instructions
Use the RedELK Server Ansible playbook maintained by one of the developers: https://github.com/fastlorenzo/redelk-server
Use the RedELK Client Ansible playbook maintained by one of the developers: https://github.com/fastlorenzo/redelk-client
Alternatively, use the community-maintained ansible-redelk playbook: https://github.com/curi0usJack/ansible-redelk
Ensure Docker images for base, Elasticsearch, Jupyter, Kibana, and Logstash are built or pulled as part of deployment