From 798b57d4184b869397892782efac7dc9b140899b Mon Sep 17 00:00:00 2001
From: Patrick Bareiss
Date: Mon, 7 Oct 2024 15:25:33 +0200
Subject: [PATCH] improve cisco secure endpoint

---
 configs/attack_range_default.yml | 6 ++++++
 terraform/ansible/linux_server.yml | 3 ++-
 .../cisco_secure_endpoint_linux/tasks/config.yml | 12 ++++++++++++
 .../roles/cisco_secure_endpoint_linux/tasks/main.yml | 4 ++++
 .../cisco_secure_endpoint_logs/tasks/config.yml | 12 ++++++------
 .../templates/inputs.conf.j2 | 4 ++--
 6 files changed, 32 insertions(+), 9 deletions(-)
 create mode 100644 terraform/ansible/roles/cisco_secure_endpoint_linux/tasks/config.yml
 create mode 100644 terraform/ansible/roles/cisco_secure_endpoint_linux/tasks/main.yml

diff --git a/configs/attack_range_default.yml b/configs/attack_range_default.yml
index 72e36214..df047631 100644
--- a/configs/attack_range_default.yml
+++ b/configs/attack_range_default.yml
@@ -39,6 +39,7 @@ general:
 # Enable/Disable Cisco Secure Endpoint log forwarding to Splunk by setting this to 1 or 0.
 cisco_secure_endpoint_api_id: ""
 cisco_secure_endpoint_api_secret: ""
+ cisco_secure_endpoint_api_host: "api.amp.cisco.com"
 # All these fields are needed to automatically ingest Cisco Secure Endpoint logs into the Splunk Server.
 install_contentctl: "0"
@@ -243,6 +244,11 @@ linux_servers_default:
 crowdstrike_linux_agent: "falcon-sensor_7.18.0-17106_amd64.deb"
 # Name of the CrowdStrike Windows Agent stored in apps/ folder.
+ install_cisco_secure_endpoint: "0"
+ # Install Cisco Secure Endpoint by setting this to 1.
+
+ cisco_secure_endpoint_linux_agent: "amp_Server_ubuntu-20-04-amd64.deb"
+ # Name of the Cisco Secure Endpoint Linux Agent stored in apps/ folder.
 kali_server:
 kali_server: "0"
diff --git a/terraform/ansible/linux_server.yml b/terraform/ansible/linux_server.yml
index b516b520..ce0d7477 100644
--- a/terraform/ansible/linux_server.yml
+++ b/terraform/ansible/linux_server.yml
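Review bot: The new `cisco_secure_endpoint_api_host` key is the only entry in this stanza without a comment of its own, and the comment that follows it ("All these fields are needed …") now silently covers it as well. Because the logs role later passes this value to the Splunk add-on as the host it sends the configured API ID and secret to, a one-line note would help operators keep it correct: `# Cisco Secure Endpoint API host; change only if your tenant uses a different (e.g. regional) API endpoint.` Whether alternative endpoints apply is inferred from the fact that the host was made configurable, so adjust the wording to what the deployment actually supports.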
@@ -13,4 +13,5 @@
 - update_sysmon_config_linux
 - splunk_byo_linux
 - contentctl
- - crowdstrike_falcon_agent_linux
\ No newline at end of file
+ - crowdstrike_falcon_agent_linux
+ - cisco_secure_endpoint_linux
\ No newline at end of file
diff --git a/terraform/ansible/roles/cisco_secure_endpoint_linux/tasks/config.yml b/terraform/ansible/roles/cisco_secure_endpoint_linux/tasks/config.yml
new file mode 100644
index 00000000..7e9d0f01
--- /dev/null
+++ b/terraform/ansible/roles/cisco_secure_endpoint_linux/tasks/config.yml
@@ -0,0 +1,12 @@
+---
+
+- name: Copy Cisco Secure Endpoint Linux agent
+ copy:
+ src: "../../apps/{{ linux_servers.cisco_secure_endpoint_linux_agent }}"
+ dest: /tmp/cisco_secure_endpoint_linux_agent.deb
+
+- name: Install Cisco Secure Endpoint Linux agent
+ apt:
+ deb: "/tmp/cisco_secure_endpoint_linux_agent.deb"
+ state: present
+ become: yes
\ No newline at end of file
diff --git a/terraform/ansible/roles/cisco_secure_endpoint_linux/tasks/main.yml b/terraform/ansible/roles/cisco_secure_endpoint_linux/tasks/main.yml
new file mode 100644
index 00000000..9b1d3d75
--- /dev/null
+++ b/terraform/ansible/roles/cisco_secure_endpoint_linux/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+
+- include_tasks: config.yml
+ when: linux_servers.install_cisco_secure_endpoint == "1"
\ No newline at end of file
diff --git a/terraform/ansible/roles/cisco_secure_endpoint_logs/tasks/config.yml b/terraform/ansible/roles/cisco_secure_endpoint_logs/tasks/config.yml
index 135af0b1..1694c4b6 100644
--- a/terraform/ansible/roles/cisco_secure_endpoint_logs/tasks/config.yml
+++ b/terraform/ansible/roles/cisco_secure_endpoint_logs/tasks/config.yml
@@ -2,7 +2,7 @@
 - name: Get cval from Splunk login page
 uri:
- url: http://localhost:8000/en-US/account/login
+ url: "{% if splunk_server.install_es == '1' %}https{% else %}http{% endif %}://localhost:8000/en-US/account/login"
 method: GET
 return_content: yes
 validate_certs: no
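Review bot: In the new `cisco_secure_endpoint_linux/tasks/config.yml` the agent `.deb` is written to a fixed, predictable path in the world-writable `/tmp` by a copy that does not use `become`, and is then installed as root by `apt`; any local user who wins the race between the two tasks can swap in their own package and have it installed with root privileges, and the staged file is never removed afterwards. Stage it under a root-owned directory with explicit owner and mode, keep `become` on the copy as well, pin the package you vetted by checking its SHA-256 (`stat` with `checksum_algorithm: sha256` plus an `assert`) before `apt` sees it, and delete it once installed; `become: yes` should also be `become: true` per the truthy convention. A post-install check that the connector service actually started would be worth adding too, but the service name is not visible in this patch so I have not proposed one.
```yaml
- name: Stage Cisco Secure Endpoint Linux agent in a root-owned location
  copy:
    src: "../../apps/{{ linux_servers.cisco_secure_endpoint_linux_agent }}"
    dest: /root/cisco_secure_endpoint_linux_agent.deb
    owner: root
    group: root
    mode: "0644"
  become: true

# … optional: stat the staged file with checksum_algorithm: sha256 and assert it
#   equals the digest of the vetted package, so a tampered apps/ copy is refused …

- name: Install Cisco Secure Endpoint Linux agent
  apt:
    deb: /root/cisco_secure_endpoint_linux_agent.deb
    state: present
  become: true

- name: Remove staged installer
  file:
    path: /root/cisco_secure_endpoint_linux_agent.deb
    state: absent
  become: true
```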
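Review bot: In the `cisco_secure_endpoint_logs/tasks/config.yml` hunk the scheme selection `{% if splunk_server.install_es == '1' %}https{% else %}http{% endif %}` is pasted verbatim into the `url:` of this task and, per the rest of this patch, four more, so the next scheme-affecting change must be made five times and one miss silently sends the admin credentials or the session key over plain HTTP. Compute it once at the top of the task list, e.g. `- set_fact: { splunk_web_scheme: "{{ 'https' if splunk_server.install_es == '1' else 'http' }}" }`, and write each URL as `url: "{{ splunk_web_scheme }}://localhost:8000/en-US/account/login"`. The request also keeps `validate_certs: no`; that is tolerable for a loopback call to Splunk Web's self-signed certificate, but a comment saying so (`# loopback call; Splunk Web presents a self-signed cert when ES is installed`) would stop someone copying the pattern to a remote host. The task list continues outside the hunk.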
@@ -14,7 +14,7 @@
 - name: Login to Splunk using cval
 uri:
- url: http://localhost:8000/en-US/account/login
+ url: "{% if splunk_server.install_es == '1' %}https{% else %}http{% endif %}://localhost:8000/en-US/account/login"
 method: POST
 headers:
 Cookie: "cval={{ cval }}"
@@ -51,7 +51,7 @@
 - name: Save API key
 uri:
- url: http://localhost:8000/en-GB/custom/amp4e_events_input/amp_streams_api_controller/save_api_key
+ url: "{% if splunk_server.install_es == '1' %}https{% else %}http{% endif %}://localhost:8000/en-GB/custom/amp4e_events_input/amp_streams_api_controller/save_api_key"
 method: POST
 headers:
 Authorization: "Splunk {{ splunk_session_key }}"
@@ -69,7 +69,7 @@
 - name: Save Inputs Configuration
 uri:
- url: http://localhost:8000/en-US/splunkd/__raw/servicesNS/nobody/amp4e_events_input/configs/conf-inputs/amp4e_events_input
+ url: "{% if splunk_server.install_es == '1' %}https{% else %}http{% endif %}://localhost:8000/en-US/splunkd/__raw/servicesNS/nobody/amp4e_events_input/configs/conf-inputs/amp4e_events_input"
 method: POST
 headers:
 Authorization: "Splunk {{ splunk_session_key }}"
@@ -91,7 +91,7 @@
 python_version: "python3"
 start_by_shell: 0
 api_id: "{{ general.cisco_secure_endpoint_api_id }}"
- api_host: "api.amp.cisco.com"
+ api_host: "{{ general.cisco_secure_endpoint_api_host }}"
 api_key: ""
 validate_certs: no
 status_code: [200, 201, 202, 204]
@@ -103,7 +103,7 @@
 - name: Save Streams Configuration
 uri:
- url: http://localhost:8000/en-US/custom/amp4e_events_input/amp_streams_api_controller/save_stream
+ url: "{% if splunk_server.install_es == '1' %}https{% else %}http{% endif %}://localhost:8000/en-US/custom/amp4e_events_input/amp_streams_api_controller/save_stream"
 method: POST
 headers:
 Authorization: "Splunk {{ splunk_session_key }}"
diff --git a/terraform/ansible/roles/cisco_secure_endpoint_logs/templates/inputs.conf.j2 b/terraform/ansible/roles/cisco_secure_endpoint_logs/templates/inputs.conf.j2
index eb43a315..ec2472d9 100644
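Review bot: In the `@@ -91,7` hunk `api_host` in the inputs body is now whatever `general.cisco_secure_endpoint_api_host` holds, and nothing in this role checks it before the add-on is told to send the configured API ID (and, per the config file in this patch, the API secret) to that host, so an empty value or a typo such as a look-alike domain silently points the credentials at the wrong endpoint. Add a guard task before the first request, e.g. `- assert:` with `that: general.cisco_secure_endpoint_api_host is match('^[A-Za-z0-9.-]+$')` and a `fail_msg` naming the config key, and consider restricting the value to the Cisco API hosts your deployment actually uses. The enclosing `uri` task starts above this hunk.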
--- a/terraform/ansible/roles/cisco_secure_endpoint_logs/templates/inputs.conf.j2
+++ b/terraform/ansible/roles/cisco_secure_endpoint_logs/templates/inputs.conf.j2
@@ -1,5 +1,5 @@
 [amp4e_events_input]
-api_host = api.amp.cisco.com
+api_host = {{ general.cisco_secure_endpoint_api_host }}
 api_id = {{ general.cisco_secure_endpoint_api_id }}
 disabled = false
 eai_app_name = search
@@ -9,7 +9,7 @@ rcvbuf = 1572864
 start_by_shell = 0
 [amp4e_events_input://{{ stream_name }}]
-api_host = api.amp.cisco.com
+api_host = {{ general.cisco_secure_endpoint_api_host }}
 api_id = {{ general.cisco_secure_endpoint_api_id }}
 index = cisco_secure_endpoint
 stream_name = {{ stream_name }}
\ No newline at end of file