trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fix threathunting and DNS issues

Browse Source
This commit is contained in:
Chris Long
2021-07-29 21:05:01 -07:00
parent 76978b7b03
commit a36cf9a904
4 changed files with 25 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
Vagrant/logger_bootstrap.sh
View File

@@ -210,8 +210,13 @@ install_splunk() {
# Add custom Macro definitions for ThreatHunting App
cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf
# Fix props.conf in ThreatHunting App
sed -i 's/EVAL-host_fqdn = Computer/EVAL-host_fqdn = ComputerName/g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf
# Fix some misc stuff
sed -i 's/index=windows/`windows`/g' /opt/splunk/etc/apps/ThreatHunting/default/data/ui/views/computer_investigator.xml
sed -i 's/$host$)/$host$*)/g' /opt/splunk/etc/apps/ThreatHunting/default/data/ui/views/computer_investigator.xml
# This is probably horrible and may break some stuff, but I'm hoping it fixes more than it breaks
find /opt/splunk/etc/apps/ThreatHunting -type f ! -path "/opt/splunk/etc/apps/ThreatHunting/default/props.conf" -exec sed -i -e 's/host_fqdn/ComputerName/g' {} \;
find /opt/splunk/etc/apps/ThreatHunting -type f ! -path "/opt/splunk/etc/apps/ThreatHunting/default/props.conf" -exec sed -i -e 's/event_id/EventCode/g' {} \;
# Fix Windows TA macros
mkdir /opt/splunk/etc/apps/Splunk_TA_windows/local
cp /opt/splunk/etc/apps/Splunk_TA_windows/default/macros.conf /opt/splunk/etc/apps/Splunk_TA_windows/local