Configurations

Christian Cloutier edited this page Apr 12, 2022 · 1 revision

Configuration options

Setting up default instance size (AWS/Azure)

By default, Attack Range uses AWS t2.2xlarge instance types with 30GB of general purpose (gp2) storage. If you plan on using Attack Range to test/demonstrate a lot of use cases/detections, consider using c5d.18xlarge with 300GB of storage for at least the Splunk instance to meet basic hardware/IOPS recommendations.

This is configured in attack_range/attack_range.conf for the instance type globally:

[aws]
instance_type_ec2 = t2.2xlarge

[azure]
azure_subscription_id = xxxXXX
instance_type_vms = Standard_D4_v4

If you want to change the type used for all resources, replace t2.2xlarge here with the desired EC2 instance type.

Configuration can be overridden on a per-instance basis (Splunk Server, etc.) and can be found in attack_range/terraform/aws/modules/<instance type>/resources.tf:

resource "aws_instance" "splunk-server" {
  ami                    = data.aws_ami.latest-ubuntu[count.index].id
  instance_type          = var.config.instance_type_ec2   # global default from attack_range.conf
  <... snipped for brevity ...>
  root_block_device {
    volume_type           = "gp2"
    volume_size           = "60"   # GB; raise for the Splunk instance if you run many detections
    delete_on_termination = "true"
  }
  <... snipped for brevity ...>
}

(Here, replace instance_type = var.config.instance_type_ec2 with instance_type = "<desired instance type>", raise volume_size from 60 to 300 where relevant, and so on. A value set in resources.tf takes effect only for that module; the attack_range.conf value still applies to every other instance.)

Configure according to your needs globally and/or on a per instance basis.

Note: The same recipe applies on Azure with resource configurations living under: attack_range/terraform/azure/modules/<instance type>/resources.tf and using the instance_type_vms variable instead of instance_type_ec2.

A cost estimate of running a typical Attack Range environment on AWS can be found here.

Enabling Splunk Enterprise Security (Optional)

Splunk Enterprise Security is a premium security solution requiring a paid license.

  1. Purchase a license as applicable, download Enterprise Security and store it in the Attack Range apps folder to use it:

(Screenshot: ES in Apps)

  2. Enable Splunk Enterprise Security in attack_range.conf:

[enterprise_security]
install_es = 1
splunk_es_app = splunk-enterprise-security_641.spl

Note: Make sure splunk_es_app matches exactly the package filename you've moved to the apps folder; otherwise the deployment cannot find the package.
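Both the instance-type settings above and the Enterprise Security settings are plain INI sections in attack_range.conf, so the mistakes this page warns about (a leftover placeholder subscription id, an install_es = 1 whose splunk_es_app does not exist in the apps folder) can be caught before a deploy. The following pre-flight checker is an added example, not Attack Range's own code; it assumes attack_range.conf parses with Python's configparser, embeds a constructed copy of the sections shown on this page as SAMPLE_CONF, and builds a throwaway apps folder in a temporary directory for the demonstration.

```python
"""Pre-flight check for attack_range.conf (added example, not Attack Range's own code)."""
import configparser
import tempfile
from pathlib import Path
from typing import List

# Constructed sample mirroring the attack_range.conf sections shown on this page.
SAMPLE_CONF = """\
[aws]
instance_type_ec2 = t2.2xlarge

[azure]
azure_subscription_id = xxxXXX
instance_type_vms = Standard_D4_v4

[enterprise_security]
install_es = 1
splunk_es_app = splunk-enterprise-security_641.spl
"""

# Key that names the default instance type for each provider (from the page).
INSTANCE_KEY = {"aws": "instance_type_ec2", "azure": "instance_type_vms"}


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse attack_range.conf text (INI syntax, as read by configparser)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def check_conf(cp: configparser.ConfigParser, apps_dir: Path, provider: str) -> List[str]:
    """Return human-readable problems; an empty list means the config is consistent."""
    problems: List[str] = []

    key = INSTANCE_KEY.get(provider)
    if key is None:
        return [f"unknown provider '{provider}' (expected aws or azure)"]
    if not cp.has_option(provider, key):
        problems.append(f"[{provider}] is missing {key}")
    elif not cp.get(provider, key).strip():
        problems.append(f"[{provider}] {key} is empty")

    # The subscription id placeholder shown on the page must be replaced before an Azure deploy.
    if provider == "azure":
        sub = cp.get("azure", "azure_subscription_id", fallback="").strip()
        if not sub or sub.lower().startswith("xxx"):
            problems.append("[azure] azure_subscription_id still holds the placeholder value")

    # Enterprise Security: the referenced package must actually sit in the apps folder.
    if cp.get("enterprise_security", "install_es", fallback="0").strip() == "1":
        pkg = cp.get("enterprise_security", "splunk_es_app", fallback="").strip()
        if not pkg:
            problems.append("[enterprise_security] install_es = 1 but splunk_es_app is not set")
        else:
            if not pkg.endswith(".spl"):
                problems.append(f"[enterprise_security] splunk_es_app '{pkg}' is not a .spl package")
            if not (apps_dir / pkg).is_file():
                problems.append(f"[enterprise_security] '{pkg}' not found in apps folder {apps_dir}")
    return problems


def demo(package_present: bool, provider: str = "aws") -> List[str]:
    """Run the check against SAMPLE_CONF with a temporary apps folder; return the problem list."""
    with tempfile.TemporaryDirectory() as tmp:
        apps = Path(tmp) / "apps"
        apps.mkdir()
        if package_present:
            # Empty stand-in for the real ES package, created only for the demonstration.
            (apps / "splunk-enterprise-security_641.spl").write_bytes(b"")
        return check_conf(load_conf(SAMPLE_CONF), apps, provider)


if __name__ == "__main__":
    for present in (True, False):
        print(f"package present={present}:", demo(present) or "OK")
```

In practice you would call check_conf with the parsed real attack_range.conf and the path to the Attack Range apps folder before running a build; the Azure check fires on the literal xxxXXX placeholder from this page, so adjust it if your template uses a different marker.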