

Centralized SIEM for Red Teams to monitor and detect Blue Team activity
RedELK aggregates operational and traffic logs from multiple Red Team assets, enriches data, and provides searchable dashboards and alerts to spot Blue Team investigations and streamline long‑term operations.
RedELK is built for Red Team operators, White Team overseers, and security consultants who need a single pane of glass for all operational logs across multi‑scenario, multi‑team engagements. It centralizes logs from teamservers and redirectors, enriches them, and stores the data in Elasticsearch for fast, historic searching and forensic analysis.
The platform visualizes enriched data through Kibana dashboards, offering read‑only views for White Teams and easy access to screenshots, IOCs, keystrokes, and other artifacts. Pre‑configured queries highlight Blue Team investigative activity, enabling rapid detection and response. Alerts can be customized via Logstash pipelines.
RedELK ships as Docker images for Elasticsearch, Logstash, Kibana, Jupyter, and supporting services, with Ansible playbooks for both server and client setup. It runs on‑premise or in cloud environments and is released under the BSD‑3‑Clause license.
Multi‑team Red Team campaign monitoring: aggregates logs from all teamservers, enabling coordinated analysis and real‑time alerts across the entire operation.
Detecting Blue Team reconnaissance: queries enriched redirector traffic to flag when defenders probe compromised assets, allowing immediate tactical response.
White Team compliance review: provides a read‑only Kibana view of all activity, screenshots, and IOCs for audit without exposing control capabilities.
Post‑engagement forensic hunting: allows investigators to search historic logs months later to uncover missed indicators or refine future tactics.
RedELK relies on Elasticsearch, Logstash, Kibana, and optional Jupyter; each component is available as a Docker image and can be orchestrated via the provided Ansible playbooks.
The project is designed for Red Team operations; while it can ingest defensive data, its alerts and dashboards focus on spotting Blue Team activity against offensive infrastructure.
It enriches traffic logs from redirectors and provides pre‑built queries that identify patterns typical of defender investigation, such as repeated scans or credential checks.
RedELK is released under the BSD‑3‑Clause license and can be used, modified, and redistributed freely.
Familiarity with Docker and basic Ansible usage is recommended; the documentation includes step‑by‑step guides for both manual and automated installations.
Project at a glance
Status: Active. Last synced 4 days ago.