Merge pull request splunk#935 from splunk/edr_agent_improvements

EDR Agent Improvements

configs/attack_range_default.yml

@@ -19,7 +19,6 @@ general:
   crowdstrike_falcon: "0"
   # Enable/Disable CrowdStrike Falcon by setting this to 1 or 0.
 
-  crowdstrike_agent_name: "WindowsSensor.exe"
   crowdstrike_customer_ID: ""
   crowdstrike_logs_region: ""
   crowdstrike_logs_access_key_id: ""
@@ -31,7 +30,6 @@ general:
   carbon_black_cloud: "0"
   # Enable/Disable VMWare Carbon Black Cloud by setting this to 1 or 0.
 
-  carbon_black_cloud_agent_name: "installer_vista_win7_win8-64-3.8.0.627.msi"
   carbon_black_cloud_company_code: ""
   carbon_black_cloud_s3_bucket: ""
   # All these fields are needed to automatically deploy a Carbon Black Agent and ingest Carbon Black logs into the Splunk Server.
@@ -142,6 +140,7 @@ splunk_server:
     - splunk_attack_range_reporting-1.0.9.tar.gz
     - status-indicator---custom-visualization_150.tgz
     - ta-for-zeek_108.tgz
+    - vmware-carbon-black-cloud_210.tgz
   # List of Splunk Apps to install on the Splunk Server
 
   byo_splunk: "0"
@@ -198,6 +197,18 @@ windows_servers_default:
   # Install Bad Blood by setting this to 1 or 0.
   # More information in chapter Bad Blood under Attack Range Features.
 
+  install_crowdstrike: "0"
+  # Install CrowdStrike Falcon by setting this to 1.
+
+  crowdstrike_windows_agent: "WindowsSensor.exe"
+  # Name of the CrowdStrike Windows Agent stored in apps/ folder.
+
+  install_carbon_black: "0"
+  # Install Carbon Black Cloud by setting this to 1.
+
+  carbon_black_windows_agent: "installer_vista_win7_win8-64-4.0.1.1428.msi"
+  # Name of the Carbon Black Windows Agent stored in apps/ folder.
+
   aurora_agent: "0"
   # Install Aurora Agent
 
@@ -211,6 +222,13 @@ linux_servers_default:
   sysmon_config: "SysMonLinux-CatchAll.xml"
 # Specify a Sysmon config located under configs/ .
 
+  install_crowdstrike: "0"
+  # Install CrowdStrike Falcon by setting this to 1.
+
+  crowdstrike_linux_agent: "falcon-sensor_7.18.0-17106_amd64.deb"
+  # Name of the CrowdStrike Windows Agent stored in apps/ folder.
+
+
 kali_server:
   kali_server: "0"
 # Enable Kali Server by setting this to 1.

scripts/helpers/attack_range_apps.py

@@ -47,6 +47,10 @@
         "name": "Snort Alert for Splunk",
         "url": "https://splunkbase.splunk.com/app/5488",
     },
+    {
+        "name": "VMware Carbon Black Cloud",
+        "url": "https://splunkbase.splunk.com/app/5332",
+    },
 ]
 
 ATTACK_RANGE_LOCAL_APPS = [

terraform/ansible/linux_server.yml

@@ -12,4 +12,5 @@
     - linux_server_post
     - update_sysmon_config_linux
     - splunk_byo_linux
-    - contentctl
+    - contentctl
+    - crowdstrike_falcon_agent_linux

terraform/ansible/roles/carbon_black_cloud_agent/tasks/install.yml → terraform/ansible/roles/carbon_black_cloud_agent_win/tasks/install.yml

@@ -2,7 +2,7 @@
 
 - name: Copy carbon black cloud agent 
   win_copy:
-    src: "../../apps/{{ general.carbon_black_cloud_agent_name }}"
+    src: "../../apps/{{ windows_servers.carbon_black_windows_agent }}"
     dest: C:\Temp\WindowsSensor.msi
 
 - name: install carbon black cloud agent

terraform/ansible/roles/carbon_black_cloud_agent_win/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+
+- include_tasks: install.yml
+  when: windows_servers.install_carbon_black == "1"

terraform/ansible/roles/carbon_black_cloud_logs/templates/inputs.conf.j2

@@ -1,5 +1,5 @@
 [aws_s3://cb_events]
-aws_account = splunk_role_{{ general.attack_range_name }}_{{ general.key_name }}
+aws_account = splunk_role_{{ general.key_name }}_{{ general.attack_range_name }}
 bucket_name = {{ general.carbon_black_cloud_s3_bucket }}
 character_set = auto
 ct_blacklist = ^$

terraform/ansible/roles/crowdstrike_falcon_agent_linux/tasks/crowdstrike_install.yml

@@ -0,0 +1,21 @@
+---
+
+- name: Copy CrowdStrike Falcon agent
+  copy:
+    src: "../../apps/{{ linux_servers.crowdstrike_linux_agent }}"
+    dest: /tmp/crowdstrike_linux_agent.deb
+
+- name: Install CrowdStrike Falcon agent
+  apt:
+    deb: "/tmp/crowdstrike_linux_agent.deb"
+    state: present
+  become: yes
+
+- name: Set your CID on the sensor
+  shell: /opt/CrowdStrike/falconctl -s --cid={{ general.crowdstrike_customer_ID }}
+  become: yes
+
+- name: restart crowdstrike falcon agent
+  service:
+    name: falcon-sensor
+    state: restarted

terraform/ansible/roles/crowdstrike_falcon_agent_linux/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+
+- include_tasks: crowdstrike_install.yml
+  when: linux_servers.install_crowdstrike == "1"

terraform/ansible/roles/crowdstrike_falcon_agent/tasks/crowdstrike_install.yml → terraform/ansible/roles/crowdstrike_falcon_agent_win/tasks/crowdstrike_install.yml

@@ -2,7 +2,7 @@
 
 - name: Copy crowdstrike falcon agent 
   win_copy:
-    src: "../../apps/{{ general.crowdstrike_agent_name }}"
+    src: "../../apps/{{ windows_servers.crowdstrike_windows_agent }}"
     dest: c:\temp\WindowsSensor.exe
 
 - name: install crowdstrike falcon agent 

terraform/ansible/roles/crowdstrike_falcon_agent_win/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+
+- include_tasks: crowdstrike_install.yml
+  when: windows_servers.install_crowdstrike == "1"

terraform/ansible/windows.yml

@@ -20,5 +20,5 @@
     - splunk_byo_windows
     - windows_aurora_agent
     - windows_install_attack_simulation
-    - crowdstrike_falcon_agent
-    - carbon_black_cloud_agent
+    - crowdstrike_falcon_agent_win
+    - carbon_black_cloud_agent_win