Cisco Secure Endpoint integration
Patrick Bareiss committed Sep 25, 2024
1 parent 1c06c2b commit ad93745
Showing 17 changed files with 429 additions and 59 deletions.
4 changes: 4 additions & 0 deletions README.md
Expand Up @@ -68,6 +68,9 @@ The following log sources are collected from the machines:
- Attack Simulation Logs from Atomic Red Team and Caldera (```index = attack```)
- Zeek Logs (```index = zeek```)
- Snort Logs (```index = snort```)
- Cisco Secure Endpoint Logs (```index = cisco_secure_endpoint```)
- CrowdStrike Falcon Logs (```index = crowdstrike_falcon```)
- Carbon Black Logs (```index = carbon_black_cloud```)

## Running 🏃‍♀️
Attack Range supports different actions:
Expand Down Expand Up @@ -196,3 +199,4 @@ We welcome feedback and contributions from the community! Please see our [contri
* Eric McGinnis
* [Micheal Haag](https://twitter.com/M_haggis)
* Gowthamaraj Rajendran
* [Christopher Caldwell](https://github.com/cudgel)
19 changes: 17 additions & 2 deletions configs/attack_range_default.yml
Expand Up @@ -17,7 +17,7 @@ general:
# ip_whitelist = 0.0.0.0/0,35.153.82.195/32

crowdstrike_falcon: "0"
# Enable/Disable CrowdStrike Falcon by setting this to 1 or 0.
# Enable/Disable CrowdStrike Falcon log forwarding to Splunk by setting this to 1 or 0.

crowdstrike_customer_ID: ""
crowdstrike_logs_region: ""
Expand All @@ -28,13 +28,19 @@ general:
# See the chapter CrowdStrike Falcon in the docs page Attack Range Features.

carbon_black_cloud: "0"
# Enable/Disable VMWare Carbon Black Cloud by setting this to 1 or 0.
# Enable/Disable VMWare Carbon Black Cloud log forwarding to Splunkby setting this to 1 or 0.

carbon_black_cloud_company_code: ""
carbon_black_cloud_s3_bucket: ""
# All these fields are needed to automatically deploy a Carbon Black Agent and ingest Carbon Black logs into the Splunk Server.
# See the chapter Carbon Black in the docs page Attack Range Features.

cisco_secure_endpoint: "0"
# Enable/Disable Cisco Secure Endpoint log forwarding to Splunk by setting this to 1 or 0.
cisco_secure_endpoint_api_id: ""
cisco_secure_endpoint_api_secret: ""
# All these fields are needed to automatically ingest Cisco Secure Endpoint logs into the Splunk Server.

install_contentctl: "0"
# Install splunk/contentctl on linux servers

Expand Down Expand Up @@ -114,10 +120,13 @@ splunk_server:
- TA-aurora-0.2.0.tar.gz
- TA-osquery.tar.gz
- app-for-circleci_011.tgz
- cisco-secure-endpoint-formerly-amp-for-endpoints-cim-add-on_212.tgz
- cisco-secure-endpoint-formerly-amp-for-endpoints_300.tgz
- palo-alto-networks-add-on-for-splunk_813.tgz
- punchcard---custom-visualization_150.tgz
- python-for-scientific-computing-(for-linux-64-bit)_421.tgz
- snort-alert-for-splunk_111.tgz
- snort-3-json-alerts_105.tgz
- splunk-add-on-for-amazon-web-services-(aws)_770.tgz
- splunk-add-on-for-crowdstrike-fdr_200.tgz
- splunk-add-on-for-github_300.tgz
Expand Down Expand Up @@ -209,6 +218,12 @@ windows_servers_default:
carbon_black_windows_agent: "installer_vista_win7_win8-64-4.0.1.1428.msi"
# Name of the Carbon Black Windows Agent stored in apps/ folder.

install_cisco_secure_endpoint: "0"
# Install Cisco Secure Endpoint by setting this to 1.

cisco_secure_endpoint_windows_agent: "amp_Server.exe"
# Name of the Cisco Secure Endpoint Windows Agent stored in apps/ folder.

aurora_agent: "0"
# Install Aurora Agent

100 changes: 69 additions & 31 deletions docs/source/Attack_Range_Config.md
Expand Up @@ -25,9 +25,8 @@ general:
# ip_whitelist = 0.0.0.0/0,35.153.82.195/32

crowdstrike_falcon: "0"
# Enable/Disable CrowdStrike Falcon by setting this to 1 or 0.
# Enable/Disable CrowdStrike Falcon log forwarding to Splunk by setting this to 1 or 0.

crowdstrike_agent_name: "WindowsSensor.exe"
crowdstrike_customer_ID: ""
crowdstrike_logs_region: ""
crowdstrike_logs_access_key_id: ""
Expand All @@ -37,14 +36,19 @@ general:
# See the chapter CrowdStrike Falcon in the docs page Attack Range Features.

carbon_black_cloud: "0"
# Enable/Disable VMWare Carbon Black Cloud by setting this to 1 or 0.
# Enable/Disable VMWare Carbon Black Cloud log forwarding to Splunkby setting this to 1 or 0.

carbon_black_cloud_agent_name: "installer_vista_win7_win8-64-3.8.0.627.msi"
carbon_black_cloud_company_code: ""
carbon_black_cloud_s3_bucket: ""
# All these fields are needed to automatically deploy a Carbon Black Agent and ingest Carbon Black logs into the Splunk Server.
# See the chapter Carbon Black in the docs page Attack Range Features.

cisco_secure_endpoint: "0"
# Enable/Disable Cisco Secure Endpoint log forwarding to Splunk by setting this to 1 or 0.
cisco_secure_endpoint_api_id: ""
cisco_secure_endpoint_api_secret: ""
# All these fields are needed to automatically ingest Cisco Secure Endpoint logs into the Splunk Server.

install_contentctl: "0"
# Install splunk/contentctl on linux servers

Expand Down Expand Up @@ -121,33 +125,39 @@ splunk_server:
# Url to download Splunk Universal Forwarder Windows.

splunk_apps:
- splunk-add-on-for-microsoft-windows_880.tgz
- splunk-timeline-custom-visualization_162.tgz
- status-indicator-custom-visualization_150.tgz
- splunk-sankey-diagram-custom-visualization_160.tgz
- punchcard-custom-visualization_150.tgz
- splunk_attack_range_reporting-1.0.9.tar.gz
- splunk-common-information-model-cim_532.tgz
- DA-ESS-ContentUpdate-latest.tar.gz
- python-for-scientific-computing-for-linux-64-bit_420.tgz
- splunk-machine-learning-toolkit_541.tgz
- splunk-security-essentials_380.tgz
- splunk-add-on-for-sysmon_400.tgz
- splunk-add-on-for-sysmon-for-linux_100.tgz
- splunk-add-on-for-amazon-web-services-aws_760.tgz
- splunk-add-on-for-microsoft-office-365_451.tgz
- splunk-add-on-for-amazon-kinesis-firehose_131r7d1d093.tgz
- splunk-add-on-for-unix-and-linux_910.tgz
- ta-for-zeek_108.tgz
- splunk-add-on-for-nginx_322.tgz
- phantom-app-for-splunk_4035.tgz
- TA-osquery.tar.gz
- splunk-add-on-for-microsoft-cloud-services_530.tgz
- splunk-add-on-for-crowdstrike-fdr_150.tgz
- vmware-carbon-black-cloud_115.tgz
- splunk-add-on-for-carbon-black_210.tgz
- TA-aurora-0.2.0.tar.gz
- TA-osquery.tar.gz
- app-for-circleci_011.tgz
- cisco-secure-endpoint-formerly-amp-for-endpoints-cim-add-on_212.tgz
- cisco-secure-endpoint-formerly-amp-for-endpoints_300.tgz
- palo-alto-networks-add-on-for-splunk_813.tgz
- punchcard---custom-visualization_150.tgz
- python-for-scientific-computing-(for-linux-64-bit)_421.tgz
- snort-alert-for-splunk_111.tgz
- snort-3-json-alerts_105.tgz
- splunk-add-on-for-amazon-web-services-(aws)_770.tgz
- splunk-add-on-for-crowdstrike-fdr_200.tgz
- splunk-add-on-for-github_300.tgz
- splunk-add-on-for-google-workspace_281.tgz
- splunk-add-on-for-microsoft-cloud-services_532.tgz
- splunk-add-on-for-microsoft-office-365_451.tgz
- splunk-add-on-for-microsoft-windows_890.tgz
- splunk-add-on-for-nginx_322.tgz
- splunk-add-on-for-okta-identity-cloud_221.tgz
- splunk-add-on-for-sysmon-for-linux_100.tgz
- splunk-add-on-for-sysmon_401.tgz
- splunk-add-on-for-unix-and-linux_920.tgz
- splunk-app-for-stream_813.tgz
- splunk-common-information-model-(cim)_532.tgz
- splunk-es-content-update_4391.tgz
- splunk-machine-learning-toolkit_542.tgz
- splunk-sankey-diagram---custom-visualization_160.tgz
- splunk-security-essentials_380.tgz
- splunk-timeline---custom-visualization_162.tgz
- splunk_attack_range_reporting-1.0.9.tar.gz
- status-indicator---custom-visualization_150.tgz
- ta-for-zeek_108.tgz
- vmware-carbon-black-cloud_210.tgz
# List of Splunk Apps to install on the Splunk Server

byo_splunk: "0"
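Review bot: this hunk replaces the entire `splunk_apps` list rather than only adding the two Cisco packages, and the commit is titled "Cisco Secure Endpoint integration". Apps such as `splunk-add-on-for-carbon-black_210.tgz`, `phantom-app-for-splunk_4035.tgz`, `DA-ESS-ContentUpdate-latest.tar.gz` and `splunk-add-on-for-amazon-kinesis-firehose_131r7d1d093.tgz` are dropped while `splunk-add-on-for-github_300.tgz`, `splunk-add-on-for-okta-identity-cloud_221.tgz`, `palo-alto-networks-add-on-for-splunk_813.tgz` and several others appear, with none of this mentioned in the commit message. Please split the app refresh into its own commit or at least document it in the message, so that the removal of the Carbon Black add-on is a visible, intentional decision rather than a side effect.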
Expand All @@ -166,8 +176,10 @@ phantom_server:
phantom_server: "0"
# Enable/Disable Phantom Server

phantom_app: "splunk_soar-unpriv-6.2.1.305-7c40b403-el7-x86_64.tgz"
# name of the Splunk SOAR package located in apps folder
phantom_app: "splunk_soar-unpriv-6.2.2.134-8f694086-el8-x86_64.tgz"
# name of the Splunk SOAR package located in apps folder.
# aws: Make sure you use the RHEL 8 version which contains ....el8... in the file name
# azure, local: Make sure you use the RHEL 7 version which contains ....el7... in the file name

phantom_byo: "0"
# Enable/Disable Bring your own Phantom
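Review bot: the new default `phantom_app` value is the `el8` package, but the added comments state that `azure` and `local` require the RHEL 7 (`el7`) build. A user who only changes `cloud_provider` to `azure` or `local` will therefore get a failing SOAR deployment with the shipped default. Either state explicitly that this default is only valid for `aws` and must be changed for the other providers, or select the package based on `cloud_provider` instead of a single default.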
Expand All @@ -184,6 +196,7 @@ windows_servers_default:

windows_image: "windows-server-2019"
# Name of the image of the Windows Server.
# allowd values: windows-server-2016, windows-server-2019, windows-server-2022

create_domain: "0"
# Create Domain will turn this Windows Server into a Domain Controller. Enable by setting this to 1.
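Review bot: typo in the added comment "allowd values" (should be "allowed values"). It would also help to state that `windows_image` takes these logical names while the older `image: windows-2016-v3-0-0` form in the Features examples is a different key, so users do not mix the two.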
Expand All @@ -201,6 +214,24 @@ windows_servers_default:
# Install Bad Blood by setting this to 1 or 0.
# More information in chapter Bad Blood under Attack Range Features.

install_crowdstrike: "0"
# Install CrowdStrike Falcon by setting this to 1.

crowdstrike_windows_agent: "WindowsSensor.exe"
# Name of the CrowdStrike Windows Agent stored in apps/ folder.

install_carbon_black: "0"
# Install Carbon Black Cloud by setting this to 1.

carbon_black_windows_agent: "installer_vista_win7_win8-64-4.0.1.1428.msi"
# Name of the Carbon Black Windows Agent stored in apps/ folder.

install_cisco_secure_endpoint: "0"
# Install Cisco Secure Endpoint by setting this to 1.

cisco_secure_endpoint_windows_agent: "amp_Server.exe"
# Name of the Cisco Secure Endpoint Windows Agent stored in apps/ folder.

aurora_agent: "0"
# Install Aurora Agent

Expand All @@ -214,6 +245,13 @@ linux_servers_default:
sysmon_config: "SysMonLinux-CatchAll.xml"
# Specify a Sysmon config located under configs/ .

install_crowdstrike: "0"
# Install CrowdStrike Falcon by setting this to 1.

crowdstrike_linux_agent: "falcon-sensor_7.18.0-17106_amd64.deb"
# Name of the CrowdStrike Windows Agent stored in apps/ folder.


kali_server:
kali_server: "0"
# Enable Kali Server by setting this to 1.
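Review bot: the comment under `crowdstrike_linux_agent` in `linux_servers_default` reads "Name of the CrowdStrike Windows Agent stored in apps/ folder." but this key holds the Linux sensor (`falcon-sensor_7.18.0-17106_amd64.deb`), so it should say "Linux Agent". The hunk also introduces two consecutive blank lines before `kali_server:`; the rest of the file uses one.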
30 changes: 24 additions & 6 deletions docs/source/Attack_Range_Features.md
@@ -1,22 +1,40 @@
# Attack Range Features

## Cisco Secure Endpoint
A Cisco Secure Endpoint agent can be automatically installed on the Windows server in Attack Range. It is required that the agent is downloaded into the apps folder before running the build command. The logs can ingested automatically to the Splunk server when you enable the Cisco Secure Endpoint log forwarding. You can use the following attack_range.yml configuration:
````yml
general:
attack_range_password: "ChangeMe123!"
cloud_provider: "aws"
key_name: "ar"
cisco_secure_endpoint: "1" # forward cisco secure endpoint logs to splunk
cisco_secure_endpoint_api_id: ""
cisco_secure_endpoint_api_secret: ""
windows_servers:
- hostname: ar-win
install_cisco_secure_endpoint: "1"
cisco_secure_endpoint_windows_agent: "amp_Server.exe"
````
You need to update all the fields with your values.


## CrowdStrike Falcon
A CrowdStrike Falcon agent can be automatically installed on the Windows Servers in Attack Range. It is required that the agent is downloaded into the apps folder before running the build command. The logs can ingested automatically to the Splunk server when you have the CrowdStrike Falcon Data Replicator (FDR) entitlement. You can use the following `attack_range.yml` configuration:
````yml
general:
attack_range_password: "ChangeMe123!"
cloud_provider: "aws"
key_name: "ar"
crowdstrike_falcon: "1"
crowdstrike_agent_name: "WindowsSensor.exe"
crowdstrike_falcon: "1" # forward crowdstrike logs to splunk
crowdstrike_customer_ID: ""
crowdstrike_logs_region: ""
crowdstrike_logs_access_key_id: ""
crowdstrike_logs_secret_access_key: ""
crowdstrike_logs_sqs_url: ""
windows_servers:
- hostname: ar-win
image: windows-2016-v3-0-0
install_crowdstrike: "1"
crowdstrike_linux_agent: "falcon-sensor_7.18.0-17106_amd64.deb"
````
You need to update all the fields with your values.

Expand All @@ -29,13 +47,13 @@ general:
attack_range_password: "ChangeMe123!"
cloud_provider: "aws"
key_name: "ar"
carbon_black_cloud: "1"
carbon_black_cloud_agent_name: "installer_vista_win7_win8-64-3.8.0.627.msi"
carbon_black_cloud: "1" # forward carbon black logs to splunk
carbon_black_cloud_company_code: ""
carbon_black_cloud_s3_bucket: ""
windows_servers:
- hostname: ar-win
image: windows-2016-v3-0-0
install_carbon_black: "1"
carbon_black_windows_agent: "installer_vista_win7_win8-64-4.0.1.1428.msi"
````
You need to update all the fields with your values.

12 changes: 10 additions & 2 deletions scripts/helpers/attack_range_apps.py
Expand Up @@ -48,8 +48,16 @@
"url": "https://splunkbase.splunk.com/app/5488",
},
{
"name": "VMware Carbon Black Cloud",
"url": "https://splunkbase.splunk.com/app/5332",
"name": "Cisco Secure Endpoint App",
"url": "https://splunkbase.splunk.com/app/3670",
},
{
"name": "Cisco Secure Endpoint CIM Add-On",
"url": "https://splunkbase.splunk.com/app/3686",
},
{
"name": "Snort 3 JSON Alerts",
"url": "https://splunkbase.splunk.com/app/4633",
},
]
