improve cisco secure endpoint

splunk · Oct 7, 2024 · 798b57d · 798b57d
1 parent 59d1211
commit 798b57d
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 9 deletions.
diff --git a/configs/attack_range_default.yml b/configs/attack_range_default.yml
@@ -39,6 +39,7 @@ general:
   # Enable/Disable Cisco Secure Endpoint log forwarding to Splunk by setting this to 1 or 0.
   cisco_secure_endpoint_api_id: ""
   cisco_secure_endpoint_api_secret: ""
+  cisco_secure_endpoint_api_host: "api.amp.cisco.com"
   # All these fields are needed to automatically ingest Cisco Secure Endpoint logs into the Splunk Server.
 
   install_contentctl: "0"
@@ -243,6 +244,11 @@ linux_servers_default:
   crowdstrike_linux_agent: "falcon-sensor_7.18.0-17106_amd64.deb"
   # Name of the CrowdStrike Windows Agent stored in apps/ folder.
 
+  install_cisco_secure_endpoint: "0"
+  # Install Cisco Secure Endpoint by setting this to 1.
+
+  cisco_secure_endpoint_linux_agent: "amp_Server_ubuntu-20-04-amd64.deb"
+  # Name of the Cisco Secure Endpoint Linux Agent stored in apps/ folder.
 
 kali_server:
   kali_server: "0"

diff --git a/terraform/ansible/linux_server.yml b/terraform/ansible/linux_server.yml
@@ -13,4 +13,5 @@
     - update_sysmon_config_linux
     - splunk_byo_linux
     - contentctl
-    - crowdstrike_falcon_agent_linux
+    - crowdstrike_falcon_agent_linux
+    - cisco_secure_endpoint_linux
diff --git a/terraform/ansible/roles/cisco_secure_endpoint_linux/tasks/config.yml b/terraform/ansible/roles/cisco_secure_endpoint_linux/tasks/config.yml
@@ -0,0 +1,12 @@
+---
+
+- name: Copy Cisco Secure Endpoint Linux agent
+  copy:
+    src: "../../apps/{{ linux_servers.cisco_secure_endpoint_linux_agent }}"
+    dest: /tmp/cisco_secure_endpoint_linux_agent.deb
+
+- name: Install Cisco Secure Endpoint Linux agent
+  apt:
+    deb: "/tmp/cisco_secure_endpoint_linux_agent.deb"
+    state: present
+  become: yes
diff --git a/terraform/ansible/roles/cisco_secure_endpoint_linux/tasks/main.yml b/terraform/ansible/roles/cisco_secure_endpoint_linux/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+
+- include_tasks: config.yml
+  when: linux_servers.install_cisco_secure_endpoint == "1"
diff --git a/terraform/ansible/roles/cisco_secure_endpoint_logs/tasks/config.yml b/terraform/ansible/roles/cisco_secure_endpoint_logs/tasks/config.yml
@@ -2,7 +2,7 @@
 
 - name: Get cval from Splunk login page
   uri:
-    url: http://localhost:8000/en-US/account/login
+    url: "{% if splunk_server.install_es == '1' %}https{% else %}http{% endif %}://localhost:8000/en-US/account/login"
     method: GET
     return_content: yes
     validate_certs: no
@@ -14,7 +14,7 @@
 
 - name: Login to Splunk using cval
   uri:
-    url: http://localhost:8000/en-US/account/login
+    url: "{% if splunk_server.install_es == '1' %}https{% else %}http{% endif %}://localhost:8000/en-US/account/login"
     method: POST
     headers:
       Cookie: "cval={{ cval }}"
@@ -51,7 +51,7 @@
 
 - name: Save API key
   uri:
-    url: http://localhost:8000/en-GB/custom/amp4e_events_input/amp_streams_api_controller/save_api_key
+    url: "{% if splunk_server.install_es == '1' %}https{% else %}http{% endif %}://localhost:8000/en-GB/custom/amp4e_events_input/amp_streams_api_controller/save_api_key"
     method: POST
     headers:
       Authorization: "Splunk {{ splunk_session_key }}"
@@ -69,7 +69,7 @@
 
 - name: Save Inputs Configuration
   uri:
-    url: http://localhost:8000/en-US/splunkd/__raw/servicesNS/nobody/amp4e_events_input/configs/conf-inputs/amp4e_events_input
+    url: "{% if splunk_server.install_es == '1' %}https{% else %}http{% endif %}://localhost:8000/en-US/splunkd/__raw/servicesNS/nobody/amp4e_events_input/configs/conf-inputs/amp4e_events_input"
     method: POST
     headers:
       Authorization: "Splunk {{ splunk_session_key }}"
@@ -91,7 +91,7 @@
       python_version: "python3"
       start_by_shell: 0
       api_id: "{{ general.cisco_secure_endpoint_api_id }}"
-      api_host: "api.amp.cisco.com"
+      api_host: "{{ general.cisco_secure_endpoint_api_host }}"
       api_key: ""
     validate_certs: no
     status_code: [200, 201, 202, 204]
@@ -103,7 +103,7 @@
 
 - name: Save Streams Configuration
   uri:
-    url: http://localhost:8000/en-US/custom/amp4e_events_input/amp_streams_api_controller/save_stream
+    url: "{% if splunk_server.install_es == '1' %}https{% else %}http{% endif %}://localhost:8000/en-US/custom/amp4e_events_input/amp_streams_api_controller/save_stream"
     method: POST
     headers:
       Authorization: "Splunk {{ splunk_session_key }}"

diff --git a/terraform/ansible/roles/cisco_secure_endpoint_logs/templates/inputs.conf.j2 b/terraform/ansible/roles/cisco_secure_endpoint_logs/templates/inputs.conf.j2
@@ -1,5 +1,5 @@
 [amp4e_events_input]
-api_host = api.amp.cisco.com
+api_host = {{ general.cisco_secure_endpoint_api_host }}
 api_id = {{ general.cisco_secure_endpoint_api_id }}
 disabled = false
 eai_app_name = search
@@ -9,7 +9,7 @@ rcvbuf = 1572864
 start_by_shell = 0
 
 [amp4e_events_input://{{ stream_name }}]
-api_host = api.amp.cisco.com
+api_host = {{ general.cisco_secure_endpoint_api_host }}
 api_id = {{ general.cisco_secure_endpoint_api_id }}
 index = cisco_secure_endpoint
 stream_name = {{ stream_name }}