Attack Range Improvements

.gitignore

@@ -1,6 +1,7 @@
 # ignore attack_range.yml that might include local custom changes
 attack_range.yml
 poetry.lock
+terraform/ansible/*vars.json
 
 #keys
 *.key

.vscode/settings.json

@@ -0,0 +1,4 @@
+{
+ "editor.defaultFormatter": "ms-python.black-formatter",
+ "editor.formatOnSave": true
+}

README.md

@@ -1,7 +1,3 @@
-<a href="https://gitpod.io/#https://github.com/splunk/attack_range/tree/attack_range_3">
-<img align="right"src="https://gitpod.io/button/open-in-gitpod.svg" />
-</a>
-
 <p align="center">
  <a href="https://github.com/splunk/attack_range/releases">
   <img src="https://img.shields.io/github/v/release/splunk/attack_range" /></a>
@@ -14,8 +10,10 @@
 </p>
 
 # Splunk Attack Range ⚔️
+> [!WARNING]
+> Packer was removed to simplify the deployment process.
 ![Attack Range Log](docs/attack_range.png)
-The Splunk Attack Range is an open-source project maintained by the Splunk Threat Research Team. It builds instrumented cloud and local environments, simulates attacks, and forwards the data into a Splunk instance. This environment can then be used to develop and test the effectiveness of detections.
+The Splunk Attack Range is an open-source project maintained by the Splunk Threat Research Team. It builds instrumented cloud (AWS, Azure) and local environments (Virtualbox), simulates attacks, and forwards the data into a Splunk instance. This environment can then be used to develop and test the effectiveness of detections.
 
 ## Purpose 🛡
 The Attack Range is a detection development platform, which solves three main challenges in detection engineering:
@@ -55,6 +53,7 @@ The deployment of Attack Range consists of:
 - Nginx Server
 - Linux Server
 - Zeek Server
+- Snort Server
 
 Which can be added/removed/configured using [attack_range.yml](https://github.com/splunk/attack_range/blob/develop/attack_range.yml). 
 
@@ -69,6 +68,8 @@ The following log sources are collected from the machines:
 - Nginx logs (```index = proxy```)
 - Network Logs with Splunk Stream (```index = main```)
 - Attack Simulation Logs from Atomic Red Team and Caldera (```index = attack```)
+- Zeek Logs (```index = zeek```)
+- Snort Logs (```index = snort```)
 
 ## Running 🏃‍♀️
 Attack Range supports different actions:
@@ -83,11 +84,6 @@ python attack_range.py configure
 python attack_range.py build
 ```
 
-### Packer Attack Range
-```
-python attack_range.py packer --image_name windows-2016
-```
-
 ### Show Attack Range Infrastructure
 ```
 python attack_range.py show

attack_range.yml

@@ -4,5 +4,4 @@ general:
  cloud_provider: "aws"
  key_name: "ar"
 windows_servers:
- - hostname: ar-win 
- image: windows-2016-v3-0-0
+ - hostname: ar-win 

configs/attack_range_default.yml

@@ -16,12 +16,6 @@ general:
  # This allow comma-separated blocks
  # ip_whitelist = 0.0.0.0/0,35.153.82.195/32
 
- version: "3.0.0"
- # The current released version of Attack Range.
-
- use_prebuilt_images_with_packer: "0"
- # Enable/Disable usage of packer to create pre-built images by setting this to 1 or 0.
-
  crowdstrike_falcon: "0"
  # Enable/Disable CrowdStrike Falcon by setting this to 1 or 0.
 
@@ -46,9 +40,6 @@ general:
  install_contentctl: "0"
  # Install splunk/contentctl on linux servers
 
- advanced_logging: "0"
- # Enable verbose windows security logs by setting this to 1.
-
 aws:
  region: "us-west-2"
  # Region used in AWS. This should be the same as the region configured in AWS CLI.
@@ -102,8 +93,6 @@ local:
 # Attack Range Local used Virtualbox and Vagrant to build the Attack Range.
 
 splunk_server:
- splunk_image: "splunk-v3-0-0"
- # Name of the image of the Splunk Server. Packer is used to build this image.
 
  install_es: "0"
  # Enable/Disable Enterprise Security by setting this to 1 or 0.
@@ -114,15 +103,45 @@ splunk_server:
  s3_bucket_url: "https://attack-range-appbinaries.s3-us-west-2.amazonaws.com"
  # S3 bucket containing the Splunk Apps which will be installed in Attack Range.
 
- splunk_url: "https://download.splunk.com/products/splunk/releases/9.0.2/linux/splunk-9.0.2-17e00c557dc1-Linux-x86_64.tgz"
+ splunk_url: "https://download.splunk.com/products/splunk/releases/9.3.0/linux/splunk-9.3.0-51ccf43db5bd-Linux-x86_64.tgz"
  # Url to download Splunk Enterprise.
 
- splunk_uf_url: "https://download.splunk.com/products/universalforwarder/releases/9.0.2/linux/splunkforwarder-9.0.2-17e00c557dc1-linux-2.6-amd64.deb"
+ splunk_uf_url: "https://download.splunk.com/products/universalforwarder/releases/9.3.0/linux/splunkforwarder-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb"
  # Url to download Splunk Universal Forwarder Linux.
 
- splunk_uf_win_url: "https://download.splunk.com/products/universalforwarder/releases/9.0.2/windows/splunkforwarder-9.0.2-17e00c557dc1-x64-release.msi"
+ splunk_uf_win_url: "https://download.splunk.com/products/universalforwarder/releases/9.3.0/windows/splunkforwarder-9.3.0-51ccf43db5bd-x64-release.msi"
  # Url to download Splunk Universal Forwarder Windows.
 
+ splunk_apps:
+ - splunk-add-on-for-microsoft-windows_880.tgz
+ - splunk-timeline-custom-visualization_162.tgz
+ - status-indicator-custom-visualization_150.tgz
+ - splunk-sankey-diagram-custom-visualization_160.tgz
+ - punchcard-custom-visualization_150.tgz
+ - splunk_attack_range_reporting-1.0.9.tar.gz
+ - splunk-common-information-model-cim_532.tgz
+ - DA-ESS-ContentUpdate-latest.tar.gz
+ - python-for-scientific-computing-for-linux-64-bit_420.tgz
+ - splunk-machine-learning-toolkit_541.tgz
+ - splunk-security-essentials_380.tgz
+ - splunk-add-on-for-sysmon_400.tgz
+ - splunk-add-on-for-sysmon-for-linux_100.tgz
+ - splunk-add-on-for-amazon-web-services-aws_760.tgz
+ - splunk-add-on-for-microsoft-office-365_451.tgz
+ - splunk-add-on-for-amazon-kinesis-firehose_131r7d1d093.tgz
+ - splunk-add-on-for-unix-and-linux_910.tgz
+ - ta-for-zeek_108.tgz
+ - splunk-add-on-for-nginx_322.tgz
+ - phantom-app-for-splunk_4035.tgz
+ - TA-osquery.tar.gz
+ - splunk-add-on-for-microsoft-cloud-services_530.tgz
+ - splunk-add-on-for-crowdstrike-fdr_150.tgz
+ - vmware-carbon-black-cloud_115.tgz
+ - splunk-add-on-for-carbon-black_210.tgz
+ - TA-aurora-0.2.0.tar.gz
+ - snort-alert-for-splunk_111.tgz
+ # List of Splunk Apps to install on the Splunk Server
+
  byo_splunk: "0"
  # Enable/Disable Bring your own Splunk by setting this to 1 or 0.
 
@@ -139,9 +158,6 @@ phantom_server:
  phantom_server: "0"
  # Enable/Disable Phantom Server
 
- phantom_image: "phantom-v3-0-0"
- # name of the image of the Phantom Server. Packer is used to build this images.
-
  phantom_app: "splunk_soar-unpriv-6.2.1.305-7c40b403-el7-x86_64.tgz"
  # name of the Splunk SOAR package located in apps folder
 
@@ -158,8 +174,8 @@ windows_servers_default:
  hostname: ar-win
  # Define the hostname for the Windows Server.
 
- windows_image: windows-2016-v3-0-0
- # Name of the image of the Windows Server. Packer is used to build this images.
+ windows_image: "windows-server-2019"
+ # Name of the image of the Windows Server. 
 
  create_domain: "0"
  # Create Domain will turn this Windows Server into a Domain Controller. Enable by setting this to 1.
@@ -180,13 +196,13 @@ windows_servers_default:
  aurora_agent: "0"
  # Install Aurora Agent
 
+ advanced_logging: "0"
+ # Enable verbose windows security logs by setting this to 1.
+
 linux_servers_default:
  hostname: ar-linux
  # Define the hostname for the Linux Server.
 
- linux_image: linux-v3-0-0
- # Name of the image of the Linux Server. Packer is used to build this image.
-
  sysmon_config: "SysMonLinux-CatchAll.xml"
 # Specify a Sysmon config located under configs/ .
 
@@ -201,9 +217,6 @@ nginx_server:
  hostname: "nginx"
  # Specify the image used for Nginx Server.
 
- nginx_image: nginx-web-proxy-v3-0-0
- # Name of the image of the Web proxy. Packer is used to build this images.
-
  proxy_server_ip: "10.0.1.12"
  # Specify what ip to proxy.
 
@@ -214,22 +227,13 @@ zeek_server:
  zeek_server: "0"
  # Enable Zeek Server by setting this to 1.
 
- zeek_image: "zeek-v3-0-0"
-# Specify the image used for Zeek Server.
+snort_server:
+ snort_server: "0"
+ # Enable Snort Server by setting this to 1.
 
 simulation:
  atomic_red_team_repo: redcanaryco
  # Specify the repository owner for Atomic Red Team.
 
  atomic_red_team_branch: master
- # Specify the branch for Atomic Red Team.
-
- prelude: "0"
- # Install Prelude by setting this to 1.
-
- prelude_operator_url: "https://download.prelude.org/latest?arch=x64&platform=linux&variant=zip&edition=headless"
- # Specify where to download Prelude Operator from.
-
- prelude_account_email: "[email protected]"
-# Email account login into a Prelude Operator UI.
-# Required for connecting to redirector, can be found on the GUI under connect -> deploy manual redirector -> accountEmail.
+ # Specify the branch for Atomic Red Team.

configs/github_actions_config_aws.yml

@@ -8,6 +8,5 @@ aws:
  private_key_path: "~/.ssh/ar-github-actions"
 windows_servers: 
  - hostname: ar-win
- windows_image: windows-2016-v3-0-0
 linux_servers: 
  - hostname: ar-linux

configs/github_actions_config_azure.yml

@@ -9,6 +9,5 @@ azure:
  subscription_id: "xxx"
 windows_servers: 
  - hostname: ar-win
- windows_image: windows-2016-v3-0-0
 linux_servers: 
  - hostname: ar-linux

docs/source/Attack_Range_AWS.md

@@ -67,13 +67,6 @@ unzip terraform.zip && \
 mv terraform /usr/local/bin/
 ````
 
-Install Packer:
-````bash
-curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
-sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
-sudo apt-get update && sudo apt-get install packer
-````
-
 Install the AWS CLI:
 ````bash
 apt-get install -y awscli

docs/source/Attack_Range_Azure.md

@@ -55,13 +55,6 @@ unzip terraform.zip && \
 mv terraform /usr/local/bin/
 ````
 
-Install Packer:
-````bash
-curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
-sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
-sudo apt-get update && sudo apt-get install packer
-````
-
 Install the Azure CLI:
 ````bash
 apt-get install -y azure-cli