
Jorrit Folmer jorritfolmer

jorritfolmer / com.example.tmpwatch.plist
Created September 24, 2023 08:56
Launchd plist for tmpwatch via Brew on macOS
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.example.tmpwatch</string>
<key>ProgramArguments</key>
<array>
<string>/opt/homebrew/sbin/tmpwatch</string>
<string>--mtime</string>
jorritfolmer / rsyslog-server.md
Created December 5, 2022 13:12
Syslog server for Splunk

Generic syslog building block

The rsyslog config below realises a reusable building block to onboard syslog data, for example into Splunk. It assumes an on-prem enterprise environment and uses the file system as a buffer/queue to decouple syslog senders from a receiver like Splunk Universal Forwarder (UF). This way you can restart Splunk UF without any data loss.

The following four configuration files ensure:

  • Reception of syslog into one log file for every source IP address.
  • Fitness for a high-volume syslog setup by having rsyslog NOT throttle
  • Least privilege for Splunk UF by having rsyslog create files with appropriate umask and group
  • Retention of all log files for 1 day to prevent availability issues from "disk full" scenarios
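The four files themselves are not reproduced above. The following is an added example, not one of the gist's own files: a single rsyslog (RainerScript) configuration that realises the first three properties in the list, so the UF can be restarted while rsyslog keeps spooling to disk. It assumes rsyslog 8.x, a Splunk UF running as user splunk in group splunk, and /var/log/syslog-in as the output tree; all three are placeholders.

```rsyslog
# Added example, not the gist's configuration.
# Assumptions: rsyslog 8.x, Splunk UF runs as user 'splunk' in group 'splunk',
# output tree is /var/log/syslog-in (placeholder names).

# 1. Do not throttle: no per-input rate limiting, a large main queue,
#    and headroom for long messages.
global(maxMessageSize="64k")
main_queue(queue.type="LinkedList" queue.size="500000")

module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514" ruleset="splunk" ratelimit.interval="0")
input(type="imtcp" port="514" ruleset="splunk" ratelimit.interval="0")

# 2. Least privilege: the process umask plus explicit create modes keep
#    every file readable by root and group splunk only. The omfile default
#    (fileCreateMode 0644) would leave all received logs world-readable.
$umask 0027

# 3. One file per source IP address, rotated by date inside that directory.
template(name="PerSourceFile" type="string"
         string="/var/log/syslog-in/%fromhost-ip%/%$year%-%$month%-%$day%.log")
# Write the message exactly as received; parsing is left to Splunk.
template(name="RawLine" type="string" string="%rawmsg%\n")

ruleset(name="splunk") {
    action(type="omfile"
           dynaFile="PerSourceFile"
           template="RawLine"
           createDirs="on"
           dirOwner="root" dirGroup="splunk" dirCreateMode="0750"
           fileOwner="root" fileGroup="splunk" fileCreateMode="0640"
           asyncWriting="on" flushOnTXEnd="off" ioBufferSize="64k"
           dynaFileCacheSize="200")
}
```

The fourth property (one-day retention) is not an rsyslog concern: a scheduled job such as tmpwatch or a cron entry running find over /var/log/syslog-in with -mtime +1 -delete handles it. With umask 0027 in place, any file created through a different action also ends up at most 0640, so a forgotten fileCreateMode does not reopen the world-readable default.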
jorritfolmer / securonix-rin-installation.md
Last active December 21, 2021 15:53
Securonix RIN installation

Securonix RIN installation

Prerequisites

You need at least 8 GB of RAM for the installation to succeed. With less, the installer fails with misleading errors. See below for the difference in output between a successful and an unsuccessful installation.

Replace `a1redacted-abcd` with your own tenant name and code.

Preparation

jorritfolmer / mounting-azure-blob-storage-defender-telemetry-blobfuse.md
Last active October 5, 2021 13:26
Mounting Defender for Endpoint Telemetry Azure Blob Storage in Linux using blobfuse

Mounting Defender for Endpoint Telemetry data on Linux

Defender Telemetry data can be persisted in Azure Blob Storage. This results in date- and time-stamped directories containing JSON files.

Why?

So you can easily Splunk, gzip or jq some of your telemetry data

How?

jorritfolmer / offline_windows_lab_from_scratch.md
Last active December 30, 2021 09:18
Installing an offline lab with Windows Server 2019 AD, Windows 10 Pro and Office from scratch
jorritfolmer / mitre-edr-evals-carbanak-fin7-to-splunk.md
Last active January 23, 2022 11:31
Onboarding MITRE EDR evaluations round 3 (Carbanak+FIN7) into Splunk

MITRE EDR evaluations round 3

For easier Splunking use the steps and Python script below.

Download MITRE EDR json files

wget https://attackevals.mitre-engenuity.org/downloadable_JSON/AhnLab_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Bitdefender_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/CheckPoint_Results.json
jorritfolmer / pelican-tailwind-css.md
Last active November 29, 2023 06:59
Pelican with Tailwind CSS

How to use Tailwind CSS with Pelican

These steps show how to install Tailwind CSS in a Pelican project, purge and minify it so you don't have to reference a 3+ MB CSS file but only several kB.

  1. virtualenv venv
  2. . venv/bin/activate
  3. pip install nodeenv
  4. nodeenv env
  5. . env/bin/activate
  6. npm install postcss postcss-cli autoprefixer tailwindcss purgecss cssnano
jorritfolmer / gist:c421749cd1520b8e2425bd80dc7f25de
Created February 16, 2021 09:09
Regex to parse AWS Route53 DNS logging in Splunk via CloudWatch logs

AWS Route53 DNS logging via CloudWatch Logs

Route 53 writes the query timestamp with fractional seconds (for example 2017-12-13T08:16:02.130Z), so the seconds field has to allow an optional fraction; a plain \d+Z only matches whole seconds and silently drops every real line.

^\S+ \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z \S+ (?<query>\S+) (?<record_type>\S+) (?<reply_code>\S+) (?<transport>\w+) (?<dest>\S+) (?<src>\S+) (?<vendor_edns_client_subnet>\S+)
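Before trusting an extraction in Splunk it pays to run it over known-good lines offline. The following is an added Python check, not part of the gist: it runs the same named groups over two constructed lines modelled on the Route 53 public DNS query log format (log format version, timestamp, hosted zone ID, query name, type, response code, protocol, edge location, resolver IP, EDNS client subnet) and compares a seconds field written as \d+Z, which rejects fractional seconds, with \d{2}(?:\.\d+)?Z, which accepts them. Splunk's rex takes PCRE-style (?<name>...) groups; Python's re needs (?P<name>...), which is the only change to the field part.

```python
import re

# Constructed sample lines modelled on the Route 53 query log layout; the
# zone ID, hostnames and addresses are illustrative, not real captures.
SAMPLE_LINES = [
    "1.0 2017-12-13T08:15:50.235Z Z123412341234 example.com AAAA NOERROR TCP IAD12 192.168.1.1 -",
    "1.0 2017-12-13T08:16:02.130Z Z123412341234 example.com A NOERROR UDP IAD12 192.168.3.1 192.168.222.0/24",
]

# Field part shared by both patterns: hosted zone ID, then the named groups.
FIELDS = (
    r"\S+ (?P<query>\S+) (?P<record_type>\S+) (?P<reply_code>\S+) "
    r"(?P<transport>\w+) (?P<dest>\S+) (?P<src>\S+) (?P<vendor_edns_client_subnet>\S+)"
)

# Seconds as \d+Z: only whole seconds such as ...:50Z match.
STRICT_PATTERN = re.compile(r"^\S+ \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d+Z " + FIELDS)
# Optional fraction: both ...:50Z and ...:50.235Z match.
PATTERN = re.compile(r"^\S+ \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z " + FIELDS)


def parse(line, pattern=PATTERN):
    """Return the named fields as a dict, or None when the line does not match."""
    match = pattern.match(line)
    return match.groupdict() if match else None


def parse_all(lines, pattern=PATTERN):
    """Parse every line and return (parsed, unmatched).

    Unmatched lines are returned rather than discarded so that a regex
    that silently drops events is visible in the numbers.
    """
    parsed, unmatched = [], []
    for line in lines:
        fields = parse(line, pattern)
        if fields is None:
            unmatched.append(line)
        else:
            parsed.append(fields)
    return parsed, unmatched


if __name__ == "__main__":
    for name, pattern in (("strict", STRICT_PATTERN), ("fractional", PATTERN)):
        ok, bad = parse_all(SAMPLE_LINES, pattern)
        print(f"{name}: {len(ok)} parsed, {len(bad)} unmatched")
        for fields in ok:
            print("  ", fields)
```

The unmatched count is the number to watch: a regex that rejects fractional seconds reports zero parsed events on real lines without raising any error, which in Splunk shows up only as empty fields.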

jorritfolmer / gist:d6713c344e173765b06352b858b186ba
Created October 17, 2020 08:05
Installing MITRE Caldera on RHEL7

Installing MITRE Caldera on RHEL7

Doesn't seem to want to run in a virtualenv, not sure why.

Steps

  1. yum install rh-python36
  2. yum install gcc
  3. scl enable rh-python36 bash
  4. git clone https://github.com/mitre/caldera.git --recursive --branch 2.7.0
jorritfolmer / transpose_mitre_eval_apt29.md
Created April 27, 2020 13:19
Transpose MITRE EDR APT29 results for better Splunking

Onboarding MITRE EDR evaluations round 2 (APT29) into Splunk

MITRE have just published the JSON results of their EDR evaluations simulating APT29. As in the previous round, the nested structure makes the files difficult to Splunk. Use this Python script for easier Splunking.

Usage

$ python transpose_mitre_eval_apt29.py file.json > file_for_splunk.json
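Neither the round 3 notes above nor this round 2 note reproduce the transposing script, and the real MITRE JSON schema is not shown on this page. The following is an added example, not the gist's script: a generic flattener that turns nested lists of records into one event per leaf, with every ancestor's fields copied onto it, which is the shape Splunk extracts most easily. The embedded sample document is constructed; its nesting (vendor, techniques, steps, detections) follows the general shape of the result files, but the field names are assumptions for illustration, not the real schema. It is called the same way as the usage line above: python transpose.py file.json > file_for_splunk.json.

```python
"""Flatten nested evaluation JSON into one newline-delimited event per leaf record."""
import json
import sys

# Constructed sample. The nesting mirrors the general shape of the result
# files (vendor -> techniques -> steps -> detections); the field names are
# assumptions for illustration, not the real MITRE schema.
SAMPLE = {
    "Vendor": "ExampleVendor",
    "Adversary": "APT29",
    "Techniques": [
        {
            "Technique_Id": "T1059.001",
            "Technique_Name": "PowerShell",
            "Steps": [
                {
                    "Substep": "1.A.1",
                    "Detections": [
                        {"Detection_Type": "Technique", "Modifiers": ["Delayed"]},
                        {"Detection_Type": "Telemetry", "Modifiers": []},
                    ],
                },
                {"Substep": "1.A.2", "Detections": []},
            ],
        }
    ],
}


def flatten(node, inherited=None):
    """Yield one flat dict per leaf record.

    Scalar fields (and lists of scalars) of every ancestor are copied onto
    each leaf, so a single event carries vendor, technique, step and
    detection fields together. Lists of dicts are descended into. An empty
    list stays on its parent, so a step with no detections still produces
    one event instead of disappearing from the output.
    """
    inherited = dict(inherited or {})
    children = {}
    for key, value in node.items():
        if isinstance(value, list) and value and all(isinstance(v, dict) for v in value):
            children[key] = value
        else:
            inherited[key] = value
    if not children:
        yield inherited
        return
    for items in children.values():
        for item in items:
            yield from flatten(item, inherited)


def to_ndjson(doc):
    """Serialise the flattened events as newline-delimited JSON, one event per line."""
    return "\n".join(json.dumps(event, sort_keys=True) for event in flatten(doc))


def main(argv):
    # With a file argument behave like the gist's usage line; without one,
    # flatten the embedded sample so the script runs stand-alone.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE
    print(to_ndjson(doc))


if __name__ == "__main__":
    main(sys.argv)
```

If a nested record reuses an ancestor's field name, the inner value wins in the flattened event; rename one of them before flattening when both are needed. Newline-delimited output also means Splunk's line breaking needs no configuration beyond a JSON sourcetype.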