Before opening this PR I've talked to @d1vious about whether there is any interest in our approach of integrating the Attack Range with an existing Splunk development environment.
This enables us, in the first step, to use an environment known and loved to create searches based on all events of the attacks coming from the Attack Range. In the second step, we use the Deployment Server to ship a production-grade UF config to the Attack Range clients, attack again and then validate our searches.
This PR contains the mechanics to use an existing Splunk server and some general modifications on the repo (cosmetics, consistency).
I would love some feedback and hope other people could profit from this feature as well.
Changes
Added option to bring your own Splunk instance
added splunk_server switch
If splunk_server is set to 0, clients will be pointed to your own Splunk instance - provided via splunk_server_private_ip and no splunk_server VM will be installed
to guarantee the functionality of caldera, a dedicated caldera_server will be installed
dependent on splunk_server, caldera clients will be pointed towards the splunk_server VM or the caldera_server
Consistency
added kali_machine_memory and kali_machine_cpu variables for Vagrant
switched hardcoded IP in the caldera config to splunk_server_private_ip
Cosmetics
fixed link to issue tracker of this repository to README.md
fixed link to attack_range_local.conf in README.md
added vagrant/Vagrantfile to .gitignore
removed vagrant/Vagrantfile
added spaces in ansible/roles/windows_universal_forwarder/files/win_event_log_inputs.conf
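As an added illustration of the splunk_server switch described above (not code from this PR or the Attack Range project), the following resolves which VMs get built and where forwarders and caldera clients point. It assumes attack_range.conf is INI-style with a [global] section and uses the key names from the PR; the sample configs are constructed.

```python
import configparser
import ipaddress

# Constructed sample configs: bring-your-own Splunk vs. the default splunk_server VM.
BYO_SPLUNK_CONF = """
[global]
splunk_server = 0
splunk_server_private_ip = 10.0.1.50
"""

DEFAULT_CONF = """
[global]
splunk_server = 1
splunk_server_private_ip = 10.0.1.12
"""


def resolve_targets(conf_text: str) -> dict:
    """Return which VMs are installed and where clients are pointed.

    Mirrors the switch semantics from the PR: splunk_server = 0 means no
    splunk_server VM, forwarders target splunk_server_private_ip, and a
    dedicated caldera_server is installed for the caldera clients.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    g = cfg["global"]  # assumed section name

    build_splunk_vm = g.getint("splunk_server", fallback=1) == 1
    splunk_ip = g.get("splunk_server_private_ip", fallback=None)

    # With splunk_server = 0 the forwarders ship to an existing instance,
    # so the private IP is mandatory and must parse as a real address.
    if not build_splunk_vm:
        if not splunk_ip:
            raise ValueError("splunk_server = 0 requires splunk_server_private_ip")
        ipaddress.ip_address(splunk_ip)  # raises ValueError on malformed input

    return {
        "build_splunk_vm": build_splunk_vm,
        "build_caldera_vm": not build_splunk_vm,
        "forwarder_target": splunk_ip,
        "caldera_clients_target": "splunk_server" if build_splunk_vm else "caldera_server",
    }
```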