Configurations
By default, Attack Range uses AWS t2.2xlarge instance types with 30GB of general purpose (gp2) storage. If you plan on using Attack Range to test/demonstrate a lot of use cases/detections, consider using c5d.18xlarge with 300GB of storage for at least the Splunk instance to meet basic hardware/IOPS recommendations.
This is configured in attack_range/attack_range.conf for the instance type globally:
[aws]
instance_type_ec2 = t2.2xlarge
[azure]
azure_subscription_id = xxxXXX
instance_type_vms = Standard_D4_v4
If you want to change the type used for all resources, simply replace t2.2xlarge with the desired EC2 instance type here.
Configuration can be overridden on a per-instance basis (Splunk Server, etc.) in attack_range/terraform/aws/modules/<instance type>/resources.tf:
resource "aws_instance" "splunk-server" {
  ami           = data.aws_ami.latest-ubuntu[count.index].id
  instance_type = var.config.instance_type_ec2
  <... snipped for brevity ...>
  root_block_device {
    volume_type           = "gp2"
    volume_size           = "60"
    delete_on_termination = "true"
  }
  <... snipped for brevity ...>
(here, simply replace instance_type = var.config.instance_type_ec2 with instance_type = "<desired instance type>", change volume_size from 60 to 300 as relevant, etc.)
Configure according to your needs globally and/or on a per instance basis.
❕ Note: The same recipe applies on Azure, with resource configurations living under attack_range/terraform/azure/modules/<instance type>/resources.tf and using the instance_type_vms variable instead of instance_type_ec2.
A cost estimate of running a typical Attack Range environment on AWS can be found here.
Splunk Enterprise Security is a premium security solution requiring a paid license.
- Purchase a license as applicable, download Enterprise Security and store it in the Attack Range apps folder to use it.
- Enable Splunk Enterprise Security in attack_range.conf:
[enterprise_security]
install_es = 1
splunk_es_app = splunk-enterprise-security_641.spl
❕ Note: Make sure to properly match the package filename you've moved to the apps folder.
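
The filename match described in the note above can be checked before building the range. The following is an added example, not part of Attack Range itself: check_es_package and demo are hypothetical helper names, the location of the apps folder is passed in as an assumption, and the sample config and package files are constructed.

```python
import configparser
import tempfile
from pathlib import Path

# Constructed sample of the [enterprise_security] section shown above.
SAMPLE_CONF = """\
[enterprise_security]
install_es = 1
splunk_es_app = splunk-enterprise-security_641.spl
"""


def check_es_package(conf_text, apps_dir):
    """Return a list of problems; an empty list means the settings are consistent."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section("enterprise_security"):
        return ["no [enterprise_security] section"]
    section = parser["enterprise_security"]
    if section.get("install_es", "0").strip() != "1":
        return []  # ES install disabled, nothing to match
    name = section.get("splunk_es_app", "").strip()
    if not name:
        return ["install_es = 1 but splunk_es_app is not set"]
    if Path(name).name != name:
        return [f"splunk_es_app must be a bare filename, got {name!r}"]
    apps = Path(apps_dir)  # assumption: caller points this at the apps folder
    if (apps / name).is_file():
        return []
    # List the packages that are present so a version mismatch is obvious.
    present = sorted(p.name for p in apps.glob("*.spl"))
    hint = f"found instead: {', '.join(present)}" if present else "no .spl files found"
    return [f"{name} not found in {apps}; {hint}"]


def demo():
    """Run the check on a constructed apps folder, before and after adding the right file."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed package file whose version differs from the config value.
        (Path(tmp) / "splunk-enterprise-security_701.spl").write_bytes(b"")
        mismatch = check_es_package(SAMPLE_CONF, tmp)
        (Path(tmp) / "splunk-enterprise-security_641.spl").write_bytes(b"")
        match = check_es_package(SAMPLE_CONF, tmp)
    return mismatch, match


if __name__ == "__main__":
    for result in demo():
        print(result or "OK")
```
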