Add BOTS to Logger

This will add the BOTSv2 dataset to DetectionLab. One app required for BOTS: Splunk Stream - https://splunkbase.splunk.com/app/1809/ Recommended: Boss of the SOC (BOTS) Advanced APT Hunting Companion App for Splunk - https://splunkbase.splunk.com/app/4430/
2019-09-05 10:02:05 -06:00
parent d8389399df
commit 2d5d6f508e
20 changed files with 38 additions and 0 deletions
--- a/Vagrant/bootstrap.sh
+++ b/Vagrant/bootstrap.sh
@@ -115,6 +115,44 @@ install_splunk() {
    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz  -auth 'admin:changeme'
    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz  -auth 'admin:changeme'
    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_134.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/base64_11.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/jellyfisher_010.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/palo-alto-networks-add-on-for-splunk_611.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/SA-ctf_scoreboard_admin-master.zip  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/SA-ctf_scoreboard-master.zip  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sa-investigator-for-enterprise-security_200.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-apache-web-server_100.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-microsoft-cloud-services_310.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-microsoft-iis_101.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-microsoft-windows_600.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-symantec-endpoint-protection_230.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-unix-and-linux_602.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-app-for-osquery_10.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-common-information-model-cim_4130.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-security-essentials_241.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-ta-for-suricata_233.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/ssl-certificate-checker_32.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/url-toolbox_16.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/website-monitoring_274.tgz  -auth 'admin:changeme'
+
+    # Install Splunk BOTsv2 FULL dataset
+    # More information https://github.com/splunk/botsv2
+
+    #echo "[$(date +%H:%M:%S)]: Downloading Splunk BOTSv2..."
+    #wget --progress=bar:force https://s3.amazonaws.com/botsdataset/botsv2/botsv2_data_set.tgz /opt/
+    #echo "[$(date +%H:%M:%S)]: Download Complete."
+    #echo "[$(date +%H:%M:%S)]: Extracting to Splunk Apps directory"
+    #tar zxvf botsv2_data_set.tgz /opt/splunk/etc/apps
+
+    # Install Splunk BOTsv2 Attack Only dataset
+    # More information https://github.com/splunk/botsv2
+
+    echo "[$(date +%H:%M:%S)]: Downloading Splunk BOTSv2 Attack Only Dataset..."
+    wget --progress=bar:force -P /opt/ https://s3.amazonaws.com/botsdataset/botsv2/botsv2_data_set_attack_only.tgz
+    echo "[$(date +%H:%M:%S)]: Download Complete."
+    echo "[$(date +%H:%M:%S)]: Extracting to Splunk Apps directory"
+    tar zxvf /opt/botsv2_data_set_attack_only.tgz -C /opt/splunk/etc/apps/
+
    # Add custom Macro definitions for ThreatHunting App
    cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf
    # Fix Windows TA macros
--- a/Vagrant/resources/splunk_server/SA-ctf_scoreboard-master.zip
+++ b/Vagrant/resources/splunk_server/SA-ctf_scoreboard-master.zip
--- a/Vagrant/resources/splunk_server/SA-ctf_scoreboard_admin-master.zip
+++ b/Vagrant/resources/splunk_server/SA-ctf_scoreboard_admin-master.zip
--- a/Vagrant/resources/splunk_server/base64_11.tgz
+++ b/Vagrant/resources/splunk_server/base64_11.tgz
--- a/Vagrant/resources/splunk_server/jellyfisher_010.tgz
+++ b/Vagrant/resources/splunk_server/jellyfisher_010.tgz
--- a/Vagrant/resources/splunk_server/palo-alto-networks-add-on-for-splunk_611.tgz
+++ b/Vagrant/resources/splunk_server/palo-alto-networks-add-on-for-splunk_611.tgz
--- a/Vagrant/resources/splunk_server/sa-investigator-for-enterprise-security_200.tgz
+++ b/Vagrant/resources/splunk_server/sa-investigator-for-enterprise-security_200.tgz
--- a/Vagrant/resources/splunk_server/splunk-add-on-for-apache-web-server_100.tgz
+++ b/Vagrant/resources/splunk_server/splunk-add-on-for-apache-web-server_100.tgz
--- a/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-cloud-services_310.tgz
+++ b/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-cloud-services_310.tgz
--- a/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-iis_101.tgz
+++ b/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-iis_101.tgz
--- a/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-windows_600.tgz
+++ b/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-windows_600.tgz
--- a/Vagrant/resources/splunk_server/splunk-add-on-for-symantec-endpoint-protection_230.tgz
+++ b/Vagrant/resources/splunk_server/splunk-add-on-for-symantec-endpoint-protection_230.tgz
--- a/Vagrant/resources/splunk_server/splunk-add-on-for-unix-and-linux_602.tgz
+++ b/Vagrant/resources/splunk_server/splunk-add-on-for-unix-and-linux_602.tgz
--- a/Vagrant/resources/splunk_server/splunk-app-for-osquery_10.tgz
+++ b/Vagrant/resources/splunk_server/splunk-app-for-osquery_10.tgz
--- a/Vagrant/resources/splunk_server/splunk-common-information-model-cim_4130.tgz
+++ b/Vagrant/resources/splunk_server/splunk-common-information-model-cim_4130.tgz
--- a/Vagrant/resources/splunk_server/splunk-security-essentials_241.tgz
+++ b/Vagrant/resources/splunk_server/splunk-security-essentials_241.tgz
--- a/Vagrant/resources/splunk_server/splunk-ta-for-suricata_233.tgz
+++ b/Vagrant/resources/splunk_server/splunk-ta-for-suricata_233.tgz
--- a/Vagrant/resources/splunk_server/ssl-certificate-checker_32.tgz
+++ b/Vagrant/resources/splunk_server/ssl-certificate-checker_32.tgz
--- a/Vagrant/resources/splunk_server/url-toolbox_16.tgz
+++ b/Vagrant/resources/splunk_server/url-toolbox_16.tgz
--- a/Vagrant/resources/splunk_server/website-monitoring_274.tgz
+++ b/Vagrant/resources/splunk_server/website-monitoring_274.tgz