Fix threathunting and DNS issues

AWS/Terraform/main.tf

@@ -36,8 +36,8 @@ resource "aws_subnet" "default" {
 # Adjust VPC DNS settings to not conflict with lab
 resource "aws_vpc_dhcp_options" "default" {
   domain_name          = "windomain.local"
-  domain_name_servers  = concat([aws_instance.dc.private_ip], var.external_dns_servers)
+  domain_name_servers  = concat(["192.168.38.102"], var.external_dns_servers)
-  netbios_name_servers = [aws_instance.dc.private_ip]
+  netbios_name_servers = ["192.168.38.102"]
   tags = var.custom-tags
 }
 
@@ -159,7 +159,6 @@ resource "aws_security_group" "windows" {
     from_port   = 0
     to_port     = 0
     protocol    = "-1"
-    protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
   }
 }
@@ -211,6 +210,10 @@ resource "aws_instance" "logger" {
 
 resource "aws_instance" "dc" {
   instance_type = "t3.medium"
+  depends_on = [
+    aws_vpc_dhcp_options.default,
+    aws_vpc_dhcp_options_association.default
+  ]
 
   provisioner "file" {
     source      = "scripts/bootstrap.ps1"
@@ -253,6 +256,10 @@ resource "aws_instance" "dc" {
 
 resource "aws_instance" "wef" {
   instance_type = "t3.medium"
+    depends_on = [
+    aws_vpc_dhcp_options.default,
+    aws_vpc_dhcp_options_association.default
+  ]
 
   provisioner "file" {
     source      = "scripts/bootstrap.ps1"
@@ -295,6 +302,10 @@ resource "aws_instance" "wef" {
 
 resource "aws_instance" "win10" {
   instance_type = "t2.large"
+    depends_on = [
+    aws_vpc_dhcp_options.default,
+    aws_vpc_dhcp_options_association.default
+  ]
 
   provisioner "file" {
     source      = "scripts/bootstrap.ps1"

AWS/Terraform/scripts/bootstrap.ps1

@@ -1,8 +1,5 @@
 # Purpose: Prepare the AWS AMIs for use
 
-# Install npcap so Wireshark recognizes the AWS network adapters
-Start-Job -ScriptBlock { choco install -y --force npcap --version 0.86 }
-
 # Hardcode IP addresses in the HOSTS file
 If ($env:COMPUTERNAME -eq "DC") {
   Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' '        192.168.38.103    wef.windomain.local'
@@ -16,10 +13,13 @@ Else {
 # Keep renewing the IP address until the domain controller is set as a DNS server
 while (!(Get-DNSClientServerAddress | Where-Object { $_.ServerAddresses -eq "192.168.38.102" })) { 
   write-host "Waiting to receive the correct DNS settings from DHCP..."; 
-  start-sleep 1; 
+  start-sleep 5; 
   ipconfig /renew
 }
 
+# Install npcap so Wireshark recognizes the AWS network adapters
+Start-Job -ScriptBlock { choco install -y --force npcap --version 0.86 }
+
 # Check if gpupdate works
 if ($env:COMPUTERNAME -ne "DC") { 
   Write-Host "Attempting a Group Policy Update..."

Vagrant/logger_bootstrap.sh

@@ -210,8 +210,13 @@ install_splunk() {
 
     # Add custom Macro definitions for ThreatHunting App
     cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf
-    # Fix props.conf in ThreatHunting App
+    # Fix some misc stuff
-    sed -i 's/EVAL-host_fqdn = Computer/EVAL-host_fqdn = ComputerName/g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf
+    sed -i 's/index=windows/`windows`/g' /opt/splunk/etc/apps/ThreatHunting/default/data/ui/views/computer_investigator.xml
+    sed -i 's/$host$)/$host$*)/g' /opt/splunk/etc/apps/ThreatHunting/default/data/ui/views/computer_investigator.xml
+    # This is probably horrible and may break some stuff, but I'm hoping it fixes more than it breaks
+    find /opt/splunk/etc/apps/ThreatHunting -type f ! -path "/opt/splunk/etc/apps/ThreatHunting/default/props.conf" -exec sed -i -e 's/host_fqdn/ComputerName/g' {} \;
+    find /opt/splunk/etc/apps/ThreatHunting -type f ! -path "/opt/splunk/etc/apps/ThreatHunting/default/props.conf" -exec sed -i -e 's/event_id/EventCode/g' {} \;
+
     # Fix Windows TA macros
     mkdir /opt/splunk/etc/apps/Splunk_TA_windows/local
     cp /opt/splunk/etc/apps/Splunk_TA_windows/default/macros.conf /opt/splunk/etc/apps/Splunk_TA_windows/local