From 0c9a096c173d39609f3d7968c33883f16e1990bb Mon Sep 17 00:00:00 2001
From: Sean Ryan <seanryan23@gmail.com>
Date: Sun, 18 Oct 2020 19:08:57 -0700
Subject: [PATCH] added missing commands from bootstrap file for threathunting
 app to work

---
 ESXi/ansible/roles/logger/tasks/main.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/ESXi/ansible/roles/logger/tasks/main.yml b/ESXi/ansible/roles/logger/tasks/main.yml
index 89b72e2..295e052 100644
--- a/ESXi/ansible/roles/logger/tasks/main.yml
+++ b/ESXi/ansible/roles/logger/tasks/main.yml
@@ -231,8 +231,17 @@
         sed -i "s/license_key =/license_key = $MAXMIND_LICENSE/g" /opt/splunk/etc/apps/TA-asngen/local/asngen.conf
       fi
 
+      # Replace the props.conf for Sysmon TA and Windows TA
+      # Removed all the 'rename = xmlwineventlog' directives
+      # I know youre not supposed to modify files in "default",
+      # but for some reason adding them to "local" wasnt working
+      cp /vagrant/resources/splunk_server/windows_ta_props.conf /opt/splunk/etc/apps/Splunk_TA_windows/default/props.conf
+      cp /vagrant/resources/splunk_server/sysmon_ta_props.conf /opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf
+
       # Add custom Macro definitions for ThreatHunting App
       cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf
+      # Fix props.conf in ThreatHunting App
+      sed -i 's/EVAL-host_fqdn = Computer/EVAL-host_fqdn = ComputerName/g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf
       # Fix Windows TA macros
       mkdir /opt/splunk/etc/apps/Splunk_TA_windows/local
       cp /opt/splunk/etc/apps/Splunk_TA_windows/default/macros.conf /opt/splunk/etc/apps/Splunk_TA_windows/local