From 15049f44b993239f29fb8fa0f79b5d2c935c475d Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 14 Oct 2021 15:15:23 +0000
Subject: [PATCH 1/3] Add EG pivot

---
 salt/soc/files/soc/menu.actions.json | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/salt/soc/files/soc/menu.actions.json b/salt/soc/files/soc/menu.actions.json
index 665ca4c39..0c144c3cb 100644
--- a/salt/soc/files/soc/menu.actions.json
+++ b/salt/soc/files/soc/menu.actions.json
@@ -1,3 +1,4 @@
+{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 [
 { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "",
 "links": [
@@ -29,5 +30,12 @@
 { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "target": "_blank",
 "links": [
 "https://www.virustotal.com/gui/search/{value}"
- ]}
+ ]}
+ {%- if HIGHLANDER %}
+ {%- set EGHOST = salt['pillar.get']('soc:endgamehost', 'EGHOSTNOTPOPULATED') %}
+ ,{ "name": "Endgame", "description": "Endgame Endpoint Investigation and Response", "icon": "fa-external-link-alt", "target": "_blank",
+ "links": [
+ "https://{{ EGHOST }}/endpoints/{:agent.id}"
+ ]}
+ {% endif %}
 ]

From 6cdc214582feca6ed6d7632526253a8a44865a41 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 14 Oct 2021 15:33:37 +0000
Subject: [PATCH 2/3] Add pillar in setup and change name of EG variable

---
 setup/so-functions | 7 +++++++
 setup/so-setup     | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/setup/so-functions b/setup/so-functions
index 4398cfbcc..3a1d05757 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1640,6 +1640,13 @@ manager_pillar() {
 printf '%s\n'\
 " kratoskey: '$KRATOSKEY'"\
 "" >> "$pillar_file"
+
+ if [[ -n $ENDGAMEHOST ]]; then
+ printf '%s\n'\
+ "soc:"\
+ " endgamehost: '$ENDGAMEHOST'"\
+ "" >> "$pillar_file"
+ fi
 }

 manager_global() {
diff --git a/setup/so-setup b/setup/so-setup
index 71401602e..95cf84b27 100755
--- a/setup/so-setup
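Review bot: The pillar value is interpolated raw into a JSON string literal on the `"https://{{ EGHOST }}/endpoints/{:agent.id}"` line, so an `endgamehost` value containing a `"` or `\` breaks the rendered menu.actions.json, or closes the string and appends a link of its own. Rendering the whole link through the JSON filter, `{{ ('https://' ~ EGHOST ~ '/endpoints/{:agent.id}') | tojson }}`, escapes whatever the value holds (assuming the renderer's Jinja exposes `tojson`, which Jinja2 2.9+ does). The `'EGHOSTNOTPOPULATED'` fallback also means a highlander install without the pillar still ships a pivot to `https://EGHOSTNOTPOPULATED/...`; dropping the fallback and guarding the entry with `{%- if HIGHLANDER and EGHOST %}` would omit it instead of rendering a dead link. Whether `{:agent.id}` is the placeholder form SOC expects for an event field (the other entries use `{value}`) cannot be confirmed from this hunk.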
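Review bot: `$ENDGAMEHOST` is written into the pillar YAML inside single quotes on the `" endgamehost: '$ENDGAMEHOST'"` line with no validation, so a stray `'` in the entered value yields unparseable pillar, and anything else flows on unchecked into a rendered SOC link and a firewall rule. A hostname/IP check before the write, `[[ $ENDGAMEHOST =~ ^[A-Za-z0-9.:-]+$ ]] || { echo "invalid ENDGAMEHOST: $ENDGAMEHOST" >> "$setup_log"; return 1; }`, keeps all three consumers agreeing on what the value may contain. The block also appends a new top-level `soc:` key; if manager_pillar (which starts outside this hunk) already emits a `soc:` section earlier, the duplicate key is either rejected or silently last-wins depending on the YAML loader, so the entry would need to be merged into that section instead. A one-line comment such as `# optional: only written when setup collected an Endgame SMP host` would explain why this printf is guarded while the `kratoskey` one above is not.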
+++ b/setup/so-setup
@@ -967,9 +967,9 @@ else
 so-learn enable logscan --apply >> $setup_log 2>&1
 fi

- if [[ -n $ENDGAME_SMP_IP ]]; then
+ if [[ -n $ENDGAMEHOST ]]; then
 set_progress_str 99 'Configuring firewall for Endgame SMP'
- so-firewall --apply includehost endgame $ENDGAME_SMP_IP >> $setup_log 2>&1
+ so-firewall --apply includehost endgame $ENDGAMEHOST >> $setup_log 2>&1
 fi

 } | whiptail_gauge_post_setup "Running post-installation steps..."

From f1fafa015edc8c0b52897546256ba3846a2b628d Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 14 Oct 2021 16:27:28 +0000
Subject: [PATCH 3/3] Add EG to list of groups to include 127.0.0.1

---
 setup/so-functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/so-functions b/setup/so-functions
index 3a1d05757..27c4daf95 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1421,7 +1421,7 @@ firewall_generate_templates() {
 cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/ >> "$setup_log" 2>&1
- for i in analyst beats_endpoint sensor manager minion osquery_endpoint search_node wazuh_endpoint; do
+ for i in analyst beats_endpoint endgame sensor manager minion osquery_endpoint search_node wazuh_endpoint; do
 $default_salt_dir/salt/common/tools/sbin/so-firewall includehost "$i" 127.0.0.1
 done
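Review bot: The rename drops the `_IP` from the variable but still passes it to `so-firewall --apply includehost endgame $ENDGAMEHOST`, where the old name implied an address; if the prompt that fills it (not in this diff) now accepts a hostname so the same value can be rendered into a URL, the firewall side may be handed something it does not resolve. Either constrain the input to an IP/CIDR at the prompt or resolve it before this call, and quote the expansion, `so-firewall --apply includehost endgame "$ENDGAMEHOST" >> $setup_log 2>&1`, so a value with embedded whitespace cannot shift arguments (the `-n` guard above does not reject whitespace-only input). so-firewall's exit status is discarded into the log like the neighbouring calls; a failed include leaves the SOC pivot pointing at an SMP the manager cannot reach, so consider checking it. The enclosing block continues outside the hunk.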