Add velociraptor

ESXi/ansible/roles/common/tasks/main.yml

@@ -27,6 +27,15 @@
 
 - debug: msg="{{ sysinternals.stdout_lines }}"
 
+- name: Installing Velociraptor
+  win_shell: ".\\install-velociraptor.ps1"
+  args:
+    chdir: 'c:\vagrant\scripts'
+  register: velociraptor
+  failed_when: "'Exception' in velociraptor.stdout"
+
+- debug: msg="{{ velociraptor.stdout_lines }}"
+
 - name: Installing AutorunsToWineventlog
   win_shell: ".\\install-autorunstowineventlog.ps1"
   args:

ESXi/ansible/roles/logger/tasks/main.yml

@@ -387,6 +387,14 @@
     suricata-update enable-source et/open
     suricata-update enable-source ptresearch/attackdetection
 
+    # Configure the Splunk inputs
+    mkdir -p /opt/splunk/etc/apps/SplunkLightForwarder/local && touch /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf
+    crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata index suricata
+    crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata sourcetype suricata:json
+    crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata whitelist 'eve.json'
+    crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata disabled 0
+    crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/props.conf json_suricata TRUNCATE 0
+
     # Update suricata and restart
     suricata-update
     service suricata stop
@@ -425,10 +433,6 @@
   shell: |
     # Environment variables
     NODECFG=/opt/zeek/etc/node.cfg
-    SPLUNK_ZEEK_JSON=/opt/splunk/etc/apps/Splunk_TA_bro
-    SPLUNK_ZEEK_MONITOR='monitor:///opt/zeek/spool/manager'
-    SPLUNK_SURICATA_MONITOR='monitor:///var/log/suricata'
-    SPLUNK_SURICATA_SOURCETYPE='json_suricata'
     export PATH=$PATH:/opt/zeek/bin
     pip install zkg==2.1.1
     zkg refresh
@@ -474,22 +478,16 @@
     systemctl enable zeek
     systemctl start zeek
 
-    mkdir -p $SPLUNK_ZEEK_JSON/local
-    cp $SPLUNK_ZEEK_JSON/default/inputs.conf $SPLUNK_ZEEK_JSON/local/inputs.conf
-
-    crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR index zeek
-    crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR sourcetype bro:json
-    crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR whitelist '.*\.log$'
-    crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR blacklist '.*(communication|stderr)\.log$'
-    crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR disabled 0
-    crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR index suricata
-    crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype suricata:json
-    crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist 'eve.json'
-    crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled 0
-    crudini --set $SPLUNK_ZEEK_JSON/local/props.conf $SPLUNK_SURICATA_SOURCETYPE TRUNCATE 0
+    # Configure the Splunk inputs 
+    mkdir -p /opt/splunk/etc/apps/Splunk_TA_bro/local && touch /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf
+    crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager index zeek
+    crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager sourcetype bro:json
+    crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager whitelist '.*\.log$'
+    crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager blacklist '.*(communication|stderr)\.log$'
+    crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager disabled 0
 
     # Ensure permissions are correct and restart splunk
-    chown -R splunk $SPLUNK_ZEEK_JSON
+    chown -R splunk:splunk /opt/splunk/etc/apps/Splunk_TA_bro
     /opt/splunk/bin/splunk restart
 
     # Verify that Zeek is running