Implement detectionlab

[zwinnerman-fleetdm]

Goal

Writing queries, we need to test the queries on different versions of windows. Detectionlab allows us to quickly spin up windows versions.

TODO

Implement detectionlab https://www.detectionlab.network/deployment/aws/

Figma

TODO

API wireframes

TODO

How?

Frontend

TODO

• [ ]

Backend

TODO

• [ ]

[zwinnerman-fleetdm]

Created these issues to address upstream issues: clong/DetectionLab#838 clong/DetectionLab#840

[zwinnerman-fleetdm]

Working on a forked version because of upstream issues zwinnerman-fleetdm/detectionlab

[zwinnerman-fleetdm]

clong/DetectionLab#841 also created

[zwinnerman-fleetdm]

its deployed, awaiting QA since I have no idea how to tell if this is working or not.

[chiiph]

Assigning to @GuillaumeRoss for review on what we have live.

[GuillaumeRoss]

Osquery and Fleet worked - Active Directory worked. Splunk worked.

I think the main issue is:

• What happens when Windows license expiration is hit? Do we have a way to easily kill and rebuild?
• We should add a VPN profile for this instead of having to allow list home IPs (absolutely no actual Internet exposure makes sense since it is vulnerable by design)

[rfairburn]

The subnets and VPC are actually already allowed over VPN, but I am not sure what anything looks like to integrate the private IPs into detectionlab itself (or if it "just works" if you have the private addresses).

[zwinnerman-fleetdm]

What happens when Windows license expiration is hit? Do we have a way to easily kill and rebuild?

I (or anyone with terraform) can taint the instances to refresh them, that should refresh the license expiration

@rfairburn answered the VPN question I think, but I agree with the overall statement.

[chiiph]

This is ready for anybody to use, closing since it's an internal thing.