- A list of all current eventName fields https://gist.github.com/jfrantz1-r7/207225e8811588a50c1e230222469053
responseElements
will only appear in a CloudTrail log if something actually changes. When a role is assumed in one account from another, there is a
sharedEventID
key that gets added to the logs. By searching multiple log streams, you can combine the view across several accounts and match the logs that share that sharedEventID value to verify suspicious activity. There are a few different userIdentity types:
- Root
- IAMUser
- AssumedRole
- FederatedUser
$DateTime = Get-Date -f "yyyy-MM" | |
$CSVFile = "C:\AD_Groups"+$DateTime+".csv" | |
$CSVOutput = @() | |
$ADGroups = Get-ADGroup -Filter * | |
$i=0 | |
$tot = $ADGroups.count | |
foreach ($ADGroup in $ADGroups) { |
------------------------------------------------------------------------------------------------------------------------------------------------------------ | |
-- Asset Purge v3 | |
------------------------------------------------------------------------------------------------------------------------------------------------------------ | |
SET search_path TO nxsilo_default, nxadmin, nxglobal; | |
ANALYZE VERBOSE; | |
\echo `date` 'Disable constraints' | |
SET session_replication_role = replica; | |
------------------------------------------------------------------------------------------------------------------------------------------------------------ |
# Remove every empty directory below $directory.
# $directory is expected to be set by the caller before this runs.
# -Force is used both when enumerating candidates and when testing emptiness,
# so hidden and system entries count as content and keep a directory alive.
# Sorting FullName descending puts child paths ahead of their parents; because
# Where-Object evaluates each item as it streams out of Sort-Object, a parent
# that becomes empty after its children are removed is caught in the same pass.
# NOTE(review): what Get-ChildItem does when $directory is unset or empty is
# not established here — confirm before running unattended.
Get-ChildItem -Path $directory -Directory -Recurse -Force |
    Sort-Object -Property FullName -Descending |
    Where-Object { @($_ | Get-ChildItem -Force | Select-Object -First 1).Count -eq 0 } |
    Remove-Item
#!/bin/bash | |
############################################################################################################# | |
## Information ## | |
############################################################################################################# | |
## Created by Clay Nelson on 2/15/19 ## | |
## Sources: ## | |
## Shannon Johnson - https://www.jamf.com/jamf-nation/discussions/29555/script-to-install-update-java ## | |
## Lewis Lebentz - https://lew.im/2017/03/auto-update-chrome/ ## | |
## Joe Farage - https://www.jamf.com/jamf-nation/third-party-products/files/764/firefox-install-update ## |
class sethostname { | |
file { "/etc/hostname": | |
ensure => present, | |
owner => root, | |
group => root, | |
mode => '0644', | |
content => "$::fqdn\n", | |
notify => Exec["set-hostname"], | |
} | |
exec { "set-hostname": |
SELECT to_char(fav.date, 'Mon-YY') AS date, COUNT(*) AS count, | |
CASE | |
WHEN age(dv.date_published) < '30 days' THEN '<30 days' | |
WHEN age(dv.date_published) <= '60 days' THEN '30-60 days' | |
ELSE '60+ days' | |
END AS vuln_age | |
-- The fav table has the asset test date... | |
FROM fact_asset_vulnerability_instance AS fav | |
-- and the dv table has the vulnerability release date | |
INNER JOIN dim_vulnerability AS dv |
AbortDocumentVersionUpload | |
AbortEnvironmentUpdate | |
AbortMultipartUpload | |
AbortVaultLock | |
AcceptAccountMapping | |
AcceptCertificateTransfer | |
AcceptDelegate | |
AcceptDirectConnectGatewayAssociationProposal | |
AcceptFxPaymentCurrencyTermsAndConditions | |
AcceptHandshake |
-- Installed-software inventory: how many asset rows are linked to each
-- distinct software record, most widespread first.
-- asset_count is the number of joined dim_asset rows with a non-null asset_id
-- (every row, given the inner joins).
-- Note: ds.cpe is part of GROUP BY but is not selected, so two output rows can
-- look identical when they differ only by cpe — confirm that is intended.
SELECT
    COUNT(asset.asset_id) AS asset_count,
    sw.vendor,
    sw.name               AS software_name,
    sw.family,
    sw.version
FROM dim_asset_software AS asset_sw
    INNER JOIN dim_software AS sw
        ON sw.software_id = asset_sw.software_id
    INNER JOIN dim_asset AS asset
        ON asset.asset_id = asset_sw.asset_id
GROUP BY sw.vendor, sw.name, sw.family, sw.version, sw.cpe
ORDER BY asset_count DESC;
WITH max_certainty AS ( | |
SELECT asset_id, max(certainty) AS certainty | |
FROM dim_asset_operating_system | |
GROUP BY asset_id | |
), | |
asset_cred_status AS ( | |
SELECT DISTINCT fa.asset_id, | |
CASE WHEN dacs.aggregated_credential_status_id IN ('1','2') THEN 'FAIL' | |
WHEN dacs.aggregated_credential_status_id IN ('3', '4') THEN 'SUCCESS' | |
ELSE 'N/A' END AS auth_status |