cf-elk-splunk-cribil.yml

AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFormation template to create an EC2 instance for ELK stack with Docker, Sysmon, Splunk, Cribl, and MISP.

Resources:
  ELKInstance:
    Type: "AWS::EC2::Instance"
    Properties:
      InstanceType: "t2.xlarge"
      ImageId: "ami-0e86e20dae9224db8"
      KeyName: "nvtlab"
      IamInstanceProfile: "test"
      SecurityGroupIds:
        - "sg-01319f53d935d35fd"
      SubnetId: "subnet-0d59355bcac099acb"
      BlockDeviceMappings:
        - DeviceName: "/dev/sda1"
          Ebs:
            VolumeSize: 300
            VolumeType: gp2
      Tags:
        - Key: Name
          Value: "ELK-Splunk-Misp-Cribil" # Instance  name
      UserData:
        Fn::Base64: |
          #!/bin/bash
          # Log the output to a file for troubleshooting
          exec > /var/log/user-data.log 2>&1
          set -x

          # Update package list and install necessary packages
          sudo apt-get update
          sudo apt-get install -y ca-certificates curl unzip apt-transport-https git

          # Add Docker's official GPG key
          sudo install -m 0755 -d /etc/apt/keyrings
          sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
          sudo chmod a+r /etc/apt/keyrings/docker.asc

          # Add the Docker repository to Apt sources
          echo \
            "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
            $(. /etc/os-release && echo \"$VERSION_CODENAME\") stable" | \
            sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

          # Update package list again and install Docker
          sudo apt-get update
          sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

          # Start Docker service
          sudo systemctl start docker
          sudo systemctl enable docker

          # Install AWS CLI
          curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
          unzip awscliv2.zip
          sudo ./aws/install
          rm -rf awscliv2.zip aws/

          # Register Microsoft key and feed for Sysmon for Linux
          wget -qO- https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.asc.gpg
          sudo mv microsoft.asc.gpg /etc/apt/trusted.gpg.d/
          wget -q https://packages.microsoft.com/config/debian/11/prod.list
          sudo mv prod.list /etc/apt/sources.list.d/microsoft-prod.list
          sudo chown root:root /etc/apt/trusted.gpg.d/microsoft.asc.gpg
          sudo chown root:root /etc/apt/sources.list.d/microsoft-prod.list

          # Install Sysmon for Linux
          sudo apt-get update
          sudo apt-get install -y sysmonforlinux

          # Clone the Cloud Threat Detection Lab repository
          cd /home/ubuntu
          git clone https://github.com/saidhfm/Cloud-Threat-Detection-Lab-AWS.git

          # Navigate to the ELK directory and run the start script
          cd Cloud-Threat-Detection-Lab-AWS/ELK
          bash elastic-container.sh start

          # Go back to the parent directory and run Docker Compose for Splunk
          cd /home/ubuntu/Cloud-Threat-Detection-Lab-AWS
          # Run docker splunk
          docker compose -f splunk.yml up -d

          # Run Docker Compose for Cribl
          docker compose -f cribil.yml up -d

          # Run Docker Compose for MISP
          docker compose -f misp.yml up -d
Outputs:
  InstanceId:
    Description: "The InstanceId of the created EC2 instance"
    Value: !Ref ELKInstance