Actually add files

Vagrant/Vagrantfile

@@ -26,7 +26,7 @@ Vagrant.configure("2") do |config|
   end
 
   config.vm.define "dc" do |cfg|
-    cfg.vm.box = "detectionlab/win2016"
+    cfg.vm.box = "../Boxes/windows_2016_vmware.box"
     cfg.vm.hostname = "dc"
     cfg.vm.boot_timeout = 600
     cfg.winrm.transport = :plaintext
@@ -79,7 +79,7 @@ Vagrant.configure("2") do |config|
   end
 
   config.vm.define "wef" do |cfg|
-    cfg.vm.box = "detectionlab/win2016"
+    cfg.vm.box = "../Boxes/windows_2016_vmware.box"
     cfg.vm.hostname = "wef"
     cfg.vm.boot_timeout = 600
     cfg.vm.communicator = "winrm"

Vagrant/bootstrap.sh

@@ -13,7 +13,7 @@ apt_install_prerequisites() {
   apt-get -qq update
   apt-get -qq install -y apt-fast
   echo "[$(date +%H:%M:%S)]: Running apt-fast install..."
-  apt-fast -qq install -y jq whois build-essential git docker docker-compose unzip
+  apt-fast -qq install -y jq whois build-essential git docker docker-compose unzip htop
 }
 
 test_prerequisites() {
@@ -110,12 +110,17 @@ install_splunk() {
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_500.tgz -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_800.tgz -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_100.tgz -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/lookup-file-editor_331.tgz
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz  -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz  -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz  -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_13.tar.gz  -auth 'admin:changeme'
     # Add custom Macro definitions for ThreatHunting App
     cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf
+    # Fix Windows TA macros
+    mkdir /opt/splunk/etc/apps/Splunk_TA_windows/local
+    cp /opt/splunk/etc/apps/Splunk_TA_windows/default/macros.conf /opt/splunk/etc/apps/Splunk_TA_windows/local
+    sed -i 's/wineventlog_windows/wineventlog/g' /opt/splunk/etc/apps/Splunk_TA_windows/local/macros.conf
     # Fix Force Directed App until 2.0.1 is released (https://answers.splunk.com/answers/668959/invalid-key-in-stanza-default-value-light.html#answer-669418)
     rm /opt/splunk/etc/apps/force_directed_viz/default/savedsearches.conf
 
@@ -140,7 +145,7 @@ install_splunk() {
  dismissedInstrumentationOptInVersion = 2
  [general_default]
  hideInstrumentationOptInModal = 1
- showWhatsNew = 0' > /opt/splunk/etc/apps/user-prefs/local/user-prefs.conf
+ showWhatsNew = 0' > /opt/splunk/etc/system/local/user-prefs.conf
 
     # Enable SSL Login for Splunk
     echo -e "[settings]\nenableSplunkWebSSL = true" > /opt/splunk/etc/system/local/web.conf

Vagrant/resources/splunk_forwarder/inputs.conf

@@ -3,27 +3,27 @@ index = sysmon
 disabled = false
 renderXml = true
 
-[monitor://c:\programdata\osquery\log\osqueryd.results.log]
+[monitor://c:\Program Files\osquery\log\osqueryd.results.log]
 index = osquery
 disabled = false
 sourcetype = osquery:json
 
-[monitor://c:\programdata\osquery\log\osqueryd.snapshots.log]
+[monitor://c:\Program Files\osquery\log\osqueryd.snapshots.log]
 index = osquery
 disabled = false
 sourcetype = osquery:json
 
-[monitor://c:\programdata\osquery\log\osqueryd.INFO.*]
+[monitor://c:\Program Files\osquery\log\osqueryd.INFO.*]
 index = osquery-status
 disabled = false
 sourcetype = osquery-info:syslog
 
-[monitor://c:\programdata\osquery\log\osqueryd.WARNING.*]
+[monitor://c:\Program Files\osquery\log\osqueryd.WARNING.*]
 index = osquery-status
 disabled = false
 sourcetype = osquery-warn:syslog
 
-[monitor://c:\programdata\osquery\log\osqueryd.ERROR.*]
+[monitor://c:\Program Files\osquery\log\osqueryd.ERROR.*]
 index = osquery-status
 disabled = false
 sourcetype = osquery-error:syslog

Vagrant/resources/splunk_server/macros.conf

@@ -69,3 +69,7 @@ iseval = 0
 [remote_thread_whitelist]
 definition = search NOT [| inputlookup threathunting_remote_thread_whitelist.csv | fields mitre_technique_id host_fqdn process_name target_process_path target_process_address]
 iseval = 0
+
+[indextime]
+definition = _index_earliest=-15m@m AND _index_latest=now
+iseval = 0