Skip to content

Instantly share code, notes, and snippets.

View animetauren's full-sized avatar

Henry Robalino animetauren

View GitHub Profile
@animetauren
animetauren / ACMESharpAzureDNS.ps1
Last active April 30, 2017 05:50
ACMESharp DNS Challenge with Azure DNS
$compACMEChall = Complete-ACMEChallenge $domain -ChallengeType dns-01 -Handler manual
$dnsRRName = ($compACMEChall.Challenges | Where-Object {$_.Type -eq "dns-01"}).Challenge.RecordName
$dnsRRValue = ($compACMEChall.Challenges | Where-Object {$_.Type -eq "dns-01"}).Challenge.RecordValue
$rs = New-AzureRmDnsRecordSet -Name $dnsRRName -RecordType TXT -Ttl 60 -ZoneName $url -ResourceGroupName $RGName
Add-AzureRmDnsRecordConfig -RecordSet $rs -Value $dnsRRValue
Set-AzureRmDnsRecordSet -RecordSet $rs
@animetauren
animetauren / props.conf
Last active May 4, 2023 17:57 — forked from automine/props.conf
Windows Event Clean Up in Splunk
[source::WinEventLog:System]
SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This event is generated[\S\s\r\n]+$//g
[source::WinEventLog:Security]
SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/
SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
SEDCMD-remove_ffff = s/::ffff://g
SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
@animetauren
animetauren / inputs.conf
Last active April 19, 2023 19:50
Windows Event Blacklisting for Splunk
blacklist1 = EventCode="(4662|566)" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="(4656|4670|4663|4703|4658|4688)" Message="Account Name:\s*([^\s\$]+[^\s\$])"
blacklist3 = EventCode="4624" Message="An account was successfully logged on(\n|\r)*"
blacklist4 = EventCode="(4688|4689)" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
blacklist5 = EventCode="6278" Message="Network Policy Server granted full access to a user because the host met the defined health policy."
@animetauren
animetauren / drop_events.txt
Created December 14, 2023 16:03
Regex to Drop Windows Events using Splunk Ingest Actions
blacklist1 = \bEventCode=(4662|566)\b[\s\S]*?\bObject Type:\s+(?!groupPolicyContainer)\b
blacklist2 = \bEventCode=(4656|4670|4663|4703|4658|4688)\b[\s\S]*?\bAccount Name:\s*([^\s\$]+[^\s\$])\b
blacklist3 = \bEventCode=4624\b[\s\S]*?\bAn account was successfully logged on(\n|\r)*\b
blacklist4 = \bEventCode=(4688|4689)\b[\s\S]*?\bProcess Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)\b
blacklist5 = \bEventCode=6278\b[\s\S]*?\bNetwork Policy Server granted full access to a user because the host met the defined health policy.\b