Merged small improvements into search command

blo0dshe3d · Dec 19, 2019 · f742c02 · f742c02
2 parents f645dae + 1a085b3
commit f742c02
Show file tree

Hide file tree

Showing 14 changed files with 26 additions and 23 deletions.
diff --git a/ansible/roles/search_head/tasks/install_asx_app.yml b/ansible/roles/search_head/tasks/install_asx_app.yml
@@ -14,7 +14,7 @@
     url: "https://127.0.0.1:8089/services/apps/local"
     method: POST
     user: "admin"
-    password: "{{ splunk_pass }}"
+    password: "{{ splunk_admin_password }}"
     validate_certs: false
     body: "name=/tmp/asx_app.tgz&update=true&filename=true"
     headers:

diff --git a/ansible/roles/search_head/tasks/install_cim_app.yml b/ansible/roles/search_head/tasks/install_cim_app.yml
@@ -14,7 +14,7 @@
     url: "https://127.0.0.1:8089/services/apps/local"
     method: POST
     user: "admin"
-    password: "{{ splunk_pass }}"
+    password: "{{ splunk_admin_password }}"
     validate_certs: false
     body: "name=/tmp/cim_app.tgz&update=true&filename=true"
     headers:

diff --git a/ansible/roles/search_head/tasks/install_escu_app.yml b/ansible/roles/search_head/tasks/install_escu_app.yml
@@ -14,7 +14,7 @@
     url: "https://127.0.0.1:8089/services/apps/local"
     method: POST
     user: "admin"
-    password: "{{ splunk_pass }}"
+    password: "{{ splunk_admin_password }}"
     validate_certs: false
     body: "name=/tmp/escu_app.tgz&update=true&filename=true"
     headers:

diff --git a/ansible/roles/search_head/tasks/install_stream_app.yml b/ansible/roles/search_head/tasks/install_stream_app.yml
@@ -14,7 +14,7 @@
     url: "https://127.0.0.1:8089/services/apps/local"
     method: POST
     user: "admin"
-    password: "{{ splunk_pass }}"
+    password: "{{ splunk_admin_password }}"
     validate_certs: false
     body: "name=/tmp/stream_app.tgz&update=true&filename=true"
     headers:

diff --git a/ansible/roles/search_head/tasks/install_sysmon_ta.yml b/ansible/roles/search_head/tasks/install_sysmon_ta.yml
@@ -14,7 +14,7 @@
     url: "https://127.0.0.1:8089/services/apps/local"
     method: POST
     user: "admin"
-    password: "{{ splunk_pass }}"
+    password: "{{ splunk_admin_password }}"
     validate_certs: false
     body: "name=/tmp/sysmon_ta.tgz&update=true&filename=true"
     headers:

diff --git a/ansible/roles/search_head/tasks/install_windows_ta.yml b/ansible/roles/search_head/tasks/install_windows_ta.yml
@@ -14,7 +14,7 @@
     url: "https://127.0.0.1:8089/services/apps/local"
     method: POST
     user: "admin"
-    password: "{{ splunk_pass }}"
+    password: "{{ splunk_admin_password }}"
     validate_certs: false
     body: "name=/tmp/windows_ta.tgz&update=true&filename=true"
     headers:

diff --git a/ansible/roles/search_head/tasks/splunk.yml b/ansible/roles/search_head/tasks/splunk.yml
@@ -46,7 +46,7 @@
 - name: accept license and start splunk
   tags:
    - install
-  shell: /opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd {{splunk_pass}}
+  shell: /opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd {{splunk_admin_password}}
   become: yes
   become_user: splunk
   when: splunk_path.stat.exists == false

diff --git a/ansible/roles/universal_forwarder/tasks/install_splunk_uf.yml b/ansible/roles/universal_forwarder/tasks/install_splunk_uf.yml
@@ -7,7 +7,7 @@
 - name: Install Splunk_UF MSI
   win_package:
     path: C:\splunkuf.msi
-    arguments: 'WINEVENTLOG_SEC_ENABLE=0 WINEVENTLOG_SYS_ENABLE=0 WINEVENTLOG_APP_ENABLE=0 SPLUNKPASSWORD={{ splunk_pass }} RECEIVING_INDEXER="{{ splunk_indexer_ip }}:9997" AGREETOLICENSE=YES /quiet'
+    arguments: 'WINEVENTLOG_SEC_ENABLE=0 WINEVENTLOG_SYS_ENABLE=0 WINEVENTLOG_APP_ENABLE=0 SPLUNKPASSWORD={{ splunk_admin_password }} RECEIVING_INDEXER="{{ splunk_indexer_ip }}:9997" AGREETOLICENSE=YES /quiet'
 
 - name: Start Splunk
   win_service:

diff --git a/ansible/vars/vars.yml b/ansible/vars/vars.yml
@@ -1,7 +1,7 @@
 ## Variables for Splunk Search Head
 splunk_url: https://www.splunk.com/page/download_track?file=7.3.2/linux/splunk-7.3.2-c60db69f8e32-Linux-x86_64.tgz&ac=&wget=true&name=wget&platform=Linux&architecture=x86_64&version=7.3.2&product=splunk&typed=release
 splunk_binary: splunk-7.3.2-c60db69f8e32-Linux-x86_64.tgz
-splunk_pass: changeme
+splunk_admin_password: changeme
 
 # Apps
 sysmon: true
@@ -12,12 +12,12 @@ splunk_uf_win_url: https://www.splunk.com/page/download_track?file=7.3.2/windows
 
 # Apps and TAs
 s3_bucket_url: https://attack-range-appbinaries.s3-us-west-2.amazonaws.com
-splunk_windows_ta: splunk-add-on-for-microsoft-windows_600.tgz
-splunk_sysmon_ta: add-on-for-microsoft-sysmon_800.tgz
+splunk_windows_ta: splunk-add-on-for-microsoft-windows_700.tgz
+splunk_sysmon_ta: add-on-for-microsoft-sysmon_810.tgz
 splunk_stream_ta: Splunk_TA_stream.zip
 splunk_stream_app: splunk-stream_713.tgz
 splunk_cim_app: splunk-common-information-model-cim_4130.tgz
-splunk_escu_app: DA-ESS-ContentUpdate-v1.0.41.tar.gz
+splunk_escu_app: splunk-es-content-update_1046.tgz
 splunk_asx_app: Splunk_Analytic_Story_Execution-latest.tar.gz
 
 #Variables for Firedrill

diff --git a/ansible/vars/vars.yml.default b/ansible/vars/vars.yml.default
@@ -1,7 +1,7 @@
 ## Variables for Splunk Search Head
 splunk_url: https://www.splunk.com/page/download_track?file=7.3.2/linux/splunk-7.3.2-c60db69f8e32-Linux-x86_64.tgz&ac=&wget=true&name=wget&platform=Linux&architecture=x86_64&version=7.3.2&product=splunk&typed=release
 splunk_binary: splunk-7.3.2-c60db69f8e32-Linux-x86_64.tgz
-splunk_pass: changeme
+splunk_admin_password: changeme
 
 # Apps
 sysmon: true

diff --git a/attack_range.conf b/attack_range.conf
@@ -15,12 +15,12 @@ splunk_binary = splunk-7.3.2-c60db69f8e32-Linux-x86_64.tgz
 
 # s3 bucket where the Splunk TA's are located
 s3_bucket_url = https://attack-range-appbinaries.s3-us-west-2.amazonaws.com
-splunk_windows_ta = splunk-add-on-for-microsoft-windows_600.tgz
-splunk_sysmon_ta = add-on-for-microsoft-sysmon_800.tgz
+splunk_windows_ta = splunk-add-on-for-microsoft-windows_700.tgz
+splunk_sysmon_ta = add-on-for-microsoft-sysmon_810.tgz
 splunk_stream_ta = Splunk_TA_stream.zip
 splunk_stream_app = splunk-stream_713.tgz
 splunk_cim_app = splunk-common-information-model-cim_4130.tgz
-splunk_escu_app = DA-ESS-ContentUpdate-v1.0.41.tar.gz
+splunk_escu_app = splunk-es-content-update_1046.tgz
 splunk_asx_app = Splunk_Analytic_Story_Execution-latest.tar.gz
 
 

diff --git a/attack_range.py b/attack_range.py
@@ -88,7 +88,7 @@ def prep_ansible(settings):
     # Replace the ansible variables
     ansiblevars = re.sub(r'domain_admin_password: .+', 'domain_admin_password: ' + str(settings['win_password']),
                          ansiblevars, re.M)
-    ansiblevars = re.sub(r'splunk_pass: .+', 'splunk_pass: ' + str(settings['splunk_admin_password']),
+    ansiblevars = re.sub(r'splunk_admin_password: .+', 'splunk_admin_password: ' + str(settings['splunk_admin_password']),
                          ansiblevars, re.M)
     ansiblevars = re.sub(r's3_bucket_url: .+', 's3_bucket_url: ' + str(settings['s3_bucket_url']),
                          ansiblevars, re.M)

diff --git a/default/attack_range.conf.default b/default/attack_range.conf.default
@@ -11,19 +11,18 @@ win_password = myTempPassword123
 private_key_path = ~/.ssh/id_rsa
 
 [splunk_settings]
+splunk_admin_password = changeme
 splunk_url = https://www.splunk.com/page/download_track?file=7.3.2/linux/splunk-7.3.2-c60db69f8e32-Linux-x86_64.tgz&ac=&wget=true&name=wget&platform=Linux&architecture=x86_64&version=7.3.2&product=splunk&typed=release
 splunk_binary = splunk-7.3.2-c60db69f8e32-Linux-x86_64.tgz
-splunk_pass = changeme
 
 # s3 bucket where the Splunk TA's are located
 s3_bucket_url = https://attack-range-appbinaries.s3-us-west-2.amazonaws.com
-splunk_admin_password = changeme
-splunk_windows_ta = splunk-add-on-for-microsoft-windows_600.tgz
-splunk_sysmon_ta = add-on-for-microsoft-sysmon_800.tgz
+splunk_windows_ta = splunk-add-on-for-microsoft-windows_700.tgz
+splunk_sysmon_ta = add-on-for-microsoft-sysmon_810.tgz
 splunk_stream_ta = Splunk_TA_stream.zip
 splunk_stream_app = splunk-stream_713.tgz
 splunk_cim_app = splunk-common-information-model-cim_4130.tgz
-splunk_escu_app = DA-ESS-ContentUpdate-v1.0.41.tar.gz
+splunk_escu_app = splunk-es-content-update_1046.tgz
 splunk_asx_app = Splunk_Analytic_Story_Execution-latest.tar.gz
 
 

diff --git a/terraform/main.tf b/terraform/main.tf
@@ -86,10 +86,10 @@ resource "aws_eip" "splunk_ip" {
   instance = aws_instance.splunk-server.id
 }
 
+
 resource "aws_ebs_volume" "win2016_volume" {
   availability_zone = "us-west-2a"
   size              = 50
-
 }
 
 
@@ -132,6 +132,10 @@ EOF
 
 }
 
+resource "aws_eip" "windows_server_ip" {
+  instance = aws_instance.windows_2016_dc.id
+}
+
 
 output "splunk_server" {
   value = "http://${aws_eip.splunk_ip.public_ip}:8000"