Merge pull request #397 from MHaggis/master

Update - Add BOTSv3 and update Apps
2020-03-19 11:31:40 -07:00
parent d252a41fae e52f8eee5a
commit 16c58561e9
32 changed files with 56 additions and 9 deletions
--- a/Vagrant/bootstrap.sh
+++ b/Vagrant/bootstrap.sh
@@ -131,8 +131,8 @@ install_splunk() {
    /opt/splunk/bin/splunk add index zeek -auth 'admin:changeme'
    /opt/splunk/bin/splunk add index suricata -auth 'admin:changeme'
    /opt/splunk/bin/splunk add index threathunting -auth 'admin:changeme'
-    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_500.tgz -auth 'admin:changeme'
-    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_800.tgz -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_700.tgz -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_1062.tgz -auth 'admin:changeme'
    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_101.tgz -auth 'admin:changeme'
    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/lookup-file-editor_331.tgz -auth 'admin:changeme'
    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-zeek-aka-bro_400.tgz -auth 'admin:changeme'
@@ -151,22 +151,22 @@ install_splunk() {
    ### BOTSv2 COMMENT BLOCK BEGINS ###
    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/base64_11.tgz  -auth 'admin:changeme'
    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/jellyfisher_010.tgz  -auth 'admin:changeme'
-    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/palo-alto-networks-add-on-for-splunk_611.tgz  -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/palo-alto-networks-add-on-for-splunk_620.tgz  -auth 'admin:changeme'
    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/SA-ctf_scoreboard_admin-master.zip  -auth 'admin:changeme'
    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/SA-ctf_scoreboard-master.zip  -auth 'admin:changeme'
    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sa-investigator-for-enterprise-security_200.tgz  -auth 'admin:changeme'
    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-apache-web-server_100.tgz  -auth 'admin:changeme'
    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-microsoft-cloud-services_310.tgz  -auth 'admin:changeme'
    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-microsoft-iis_101.tgz  -auth 'admin:changeme'
-    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-microsoft-windows_600.tgz  -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-microsoft-windows_700.tgz  -auth 'admin:changeme'
    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-symantec-endpoint-protection_230.tgz  -auth 'admin:changeme'
-    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-unix-and-linux_602.tgz  -auth 'admin:changeme'
-    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-app-for-osquery_10.tgz  -auth 'admin:changeme'
-    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-common-information-model-cim_4130.tgz  -auth 'admin:changeme'
-    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-security-essentials_241.tgz  -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-unix-and-linux_701.tgz  -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/osquery-app-for-splunk_060.tgz  -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-common-information-model-cim_4150.tgz  -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-security-essentials_306.tgz  -auth 'admin:changeme'
    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-ta-for-suricata_233.tgz  -auth 'admin:changeme'
    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/ssl-certificate-checker_32.tgz  -auth 'admin:changeme'
-    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/url-toolbox_16.tgz  -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/url-toolbox_18.tgz  -auth 'admin:changeme'
    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/website-monitoring_274.tgz  -auth 'admin:changeme'

    ### UNCOMMENT THIS BLOCK FOR THE ATTACK-ONLY DATASET (Recommended) ###
@@ -187,6 +187,53 @@ install_splunk() {

    ### BOTSv2 COMMENT BLOCK ENDS ###

+    # Uncomment the following block to install BOTSv3
+    # Thanks to @MHaggis for this addition!
+    # More information on BOTSv3 can be found at https://github.com/splunk/botsv3
+
+    ### BOTSv3 COMMENT BLOCK BEGINS ###
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/base64_11.tgz  -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/jellyfisher_010.tgz  -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/palo-alto-networks-add-on-for-splunk_620.tgz  -auth 'admin:changeme'    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/SA-ctf_scoreboard_admin-master.zip  -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/SA-ctf_scoreboard-master.zip  -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sa-investigator-for-enterprise-security_200.tgz  -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-apache-web-server_100.tgz  -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-microsoft-iis_101.tgz  -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-ta-for-suricata_233.tgz  -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/ssl-certificate-checker_32.tgz  -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/website-monitoring_274.tgz  -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/amazon-guardduty-add-on-for-splunk_104.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/cisco-anyconnect-network-visibility-module-nvm-app-for-splunk_20187.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/code42-for-splunk_3012.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/decrypt_20.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/microsoft-365-app-for-splunk_301.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/microsoft-azure-add-on-for-splunk_202.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/osquery-app-for-splunk_060.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-amazon-web-services_500.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-cisco-asa_340.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-microsoft-cloud-services_401.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-microsoft-office-365_201.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-microsoft-sysmon_1062.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-microsoft-windows_700.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-symantec-endpoint-protection_301.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-tenable_514.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-unix-and-linux_701.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-common-information-model-cim_4150.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-es-content-update_1052.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-security-essentials_306.tgz -auth 'admin:changeme'
+    ## /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-stream_720.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/ta-for-code42-app-for-splunk_3012.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/url-toolbox_18.tgz -auth 'admin:changeme'
+    # /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/virustotal-workflow-actions-for-splunk_020.tgz -auth 'admin:changeme'
+
+    ### UNCOMMENT THIS BLOCK FOR BOTSv3 DATASET ###
+    # echo "[$(date +%H:%M:%S)]: Downloading Splunk BOTSv3 Attack Only Dataset..."
+    # wget --progress=bar:force -P /opt/ https://botsdataset.s3.amazonaws.com/botsv3/botsv3_data_set.tgz
+    # echo "[$(date +%H:%M:%S)]: Download Complete."
+    # echo "[$(date +%H:%M:%S)]: Extracting to Splunk Apps directory"
+    # tar zxvf /opt/botsv3_data_set.tgz -C /opt/splunk/etc/apps/
+    ### BOTSv3 COMMENT BLOCK ENDS ###    
+
    # Add custom Macro definitions for ThreatHunting App
    cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf
    # Fix Windows TA macros
--- a/Vagrant/resources/splunk_server/amazon-guardduty-add-on-for-splunk_104.tgz
+++ b/Vagrant/resources/splunk_server/amazon-guardduty-add-on-for-splunk_104.tgz
--- a/Vagrant/resources/splunk_server/cisco-anyconnect-network-visibility-module-nvm-app-for-splunk_20187.tgz
+++ b/Vagrant/resources/splunk_server/cisco-anyconnect-network-visibility-module-nvm-app-for-splunk_20187.tgz
--- a/Vagrant/resources/splunk_server/code42-for-splunk_3012.tgz
+++ b/Vagrant/resources/splunk_server/code42-for-splunk_3012.tgz
--- a/Vagrant/resources/splunk_server/decrypt_20.tgz
+++ b/Vagrant/resources/splunk_server/decrypt_20.tgz
--- a/Vagrant/resources/splunk_server/microsoft-365-app-for-splunk_301.tgz
+++ b/Vagrant/resources/splunk_server/microsoft-365-app-for-splunk_301.tgz
--- a/Vagrant/resources/splunk_server/microsoft-azure-add-on-for-splunk_202.tgz
+++ b/Vagrant/resources/splunk_server/microsoft-azure-add-on-for-splunk_202.tgz
--- a/Vagrant/resources/splunk_server/osquery-app-for-splunk_060.tgz
+++ b/Vagrant/resources/splunk_server/osquery-app-for-splunk_060.tgz
--- a/Vagrant/resources/splunk_server/palo-alto-networks-add-on-for-splunk_611.tgz
+++ b/Vagrant/resources/splunk_server/palo-alto-networks-add-on-for-splunk_611.tgz
--- a/Vagrant/resources/splunk_server/palo-alto-networks-add-on-for-splunk_620.tgz
+++ b/Vagrant/resources/splunk_server/palo-alto-networks-add-on-for-splunk_620.tgz
--- a/Vagrant/resources/splunk_server/splunk-add-on-for-amazon-web-services_500.tgz
+++ b/Vagrant/resources/splunk_server/splunk-add-on-for-amazon-web-services_500.tgz
--- a/Vagrant/resources/splunk_server/splunk-add-on-for-cisco-asa_340.tgz
+++ b/Vagrant/resources/splunk_server/splunk-add-on-for-cisco-asa_340.tgz
--- a/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-cloud-services_310.tgz
+++ b/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-cloud-services_310.tgz
--- a/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-cloud-services_401.tgz
+++ b/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-cloud-services_401.tgz
--- a/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-office-365_201.tgz
+++ b/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-office-365_201.tgz
--- a/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-sysmon_1062.tgz
+++ b/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-sysmon_1062.tgz
--- a/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-windows_600.tgz
+++ b/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-windows_600.tgz
--- a/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-windows_700.tgz
+++ b/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-windows_700.tgz
--- a/Vagrant/resources/splunk_server/splunk-add-on-for-symantec-endpoint-protection_230.tgz
+++ b/Vagrant/resources/splunk_server/splunk-add-on-for-symantec-endpoint-protection_230.tgz
--- a/Vagrant/resources/splunk_server/splunk-add-on-for-symantec-endpoint-protection_301.tgz
+++ b/Vagrant/resources/splunk_server/splunk-add-on-for-symantec-endpoint-protection_301.tgz
--- a/Vagrant/resources/splunk_server/splunk-add-on-for-tenable_514.tgz
+++ b/Vagrant/resources/splunk_server/splunk-add-on-for-tenable_514.tgz
--- a/Vagrant/resources/splunk_server/splunk-add-on-for-unix-and-linux_602.tgz
+++ b/Vagrant/resources/splunk_server/splunk-add-on-for-unix-and-linux_602.tgz
--- a/Vagrant/resources/splunk_server/splunk-add-on-for-unix-and-linux_701.tgz
+++ b/Vagrant/resources/splunk_server/splunk-add-on-for-unix-and-linux_701.tgz
--- a/Vagrant/resources/splunk_server/splunk-app-for-osquery_10.tgz
+++ b/Vagrant/resources/splunk_server/splunk-app-for-osquery_10.tgz
--- a/Vagrant/resources/splunk_server/splunk-common-information-model-cim_4130.tgz
+++ b/Vagrant/resources/splunk_server/splunk-common-information-model-cim_4130.tgz
--- a/Vagrant/resources/splunk_server/splunk-common-information-model-cim_4150.tgz
+++ b/Vagrant/resources/splunk_server/splunk-common-information-model-cim_4150.tgz
--- a/Vagrant/resources/splunk_server/splunk-es-content-update_1052.tgz
+++ b/Vagrant/resources/splunk_server/splunk-es-content-update_1052.tgz
--- a/Vagrant/resources/splunk_server/splunk-security-essentials_306.tgz
+++ b/Vagrant/resources/splunk_server/splunk-security-essentials_306.tgz
--- a/Vagrant/resources/splunk_server/ta-for-code42-app-for-splunk_3012.tgz
+++ b/Vagrant/resources/splunk_server/ta-for-code42-app-for-splunk_3012.tgz
--- a/Vagrant/resources/splunk_server/url-toolbox_16.tgz
+++ b/Vagrant/resources/splunk_server/url-toolbox_16.tgz
--- a/Vagrant/resources/splunk_server/url-toolbox_18.tgz
+++ b/Vagrant/resources/splunk_server/url-toolbox_18.tgz
--- a/Vagrant/resources/splunk_server/virustotal-workflow-actions-for-splunk_020.tgz
+++ b/Vagrant/resources/splunk_server/virustotal-workflow-actions-for-splunk_020.tgz