Whether you are a fan of containers or virtual machines (or both) LimaCharlie has got you covered. The LimaCharlie sensor can now be installed in template-based environments.
The installation methodology is the same as a regular install, but you need to be careful to stage the sensor properly in your templates.
The most common mistake is to install the sensor directly in the template, and then instantiate the rest of the infrastructure from this template. This results in "cloned sensors": sensors running with the same Sensor ID (SID) on different hosts/VMs/containers.
If these occur, a sensor_clone event will be generated as well as an error in your dashboard. If this happens you have two choices:
- Fix the installation process and re-deploy.
- Run a de-duplication process with a Detection & Response rule like this.
Preparing sensors to run properly from templates can be done in one of two ways:
1. Run the installer on the template, shut down the service and delete the "identity files".
2. Script the sensor installation process in the templating process.
For solution 1, the identity files you will want to remove are:
- Linux: depending on the install location of the sensor, the hcp* files, for example /usr/local/hcp*.
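
One way to script solution 1 on a Linux template, as an added example that is not LimaCharlie's own tooling: it stops the service, deletes the hcp* identity files and fails if any survive, so a template cannot be published with a baked-in SID. The function names, the use of systemctl and the SERVICE_NAME placeholder are assumptions; the page only gives the /usr/local/hcp* pattern.

```shell
#!/bin/sh
# Added example: seal a Linux template image after the sensor was installed in it.
# Assumptions (not from the page): systemd manages the sensor service, and the
# caller passes the install directory and service name explicitly.

# count_identity_files DIR
# Prints how many regular files matching hcp* sit directly in DIR.
count_identity_files() {
    n=0
    for f in "$1"/hcp*; do
        if [ -f "$f" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# seal_template DIR [SERVICE]
# Follows the order given for solution 1: shut the service down, then delete
# the identity files. Returns 0 only when no hcp* file is left in DIR, so the
# image build can be failed before a template carrying an identity is cloned.
seal_template() {
    dir=$1
    service=${2:-}
    if [ -n "$service" ]; then
        # SERVICE is whatever name the sensor service has on this image.
        systemctl stop "$service" || return 1
    fi
    for f in "$dir"/hcp*; do
        if [ -f "$f" ]; then
            rm -f -- "$f"
        fi
    done
    # Verify rather than trust rm: a leftover file means cloned sensors later.
    [ "$(count_identity_files "$dir")" -eq 0 ]
}

# Typical use as the last step of a template build (SERVICE_NAME is a placeholder):
#   seal_template /usr/local SERVICE_NAME || { echo "template still has a sensor identity" >&2; exit 1; }
```

Run it as the final build step, after which the service must not be started again before the template is captured.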
For solution 2, you can start a simple shell script like this to fetch the installer and run it on first boot: