Jorrit Folmer jorritfolmer

jorritfolmer / com.example.tmpwatch.plist
Created September 24, 2023 08:56
Launchd plist for tmpwatch via Brew on macOS
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
jorritfolmer /
Created December 5, 2022 13:12
Syslog server for Splunk

Generic syslog building block

The rsyslog config below realises a reusable building block to onboard syslog data, for example into Splunk. It assumes an on-prem enterprise environment and uses the file system as a buffer/queue to decouple syslog senders from a receiver like Splunk Universal Forwarder (UF). This way you can restart Splunk UF without any data loss.

The following four configuration files ensure:

  • Reception of syslog into one log file for every source IP address.
  • Fitness for a high volume syslog setup by having rsyslog NOT throttle
  • Least privilege for Splunk UF by having rsyslog create files with appropriate umask and group
  • Retention of all log files for 1 day to prevent availability issues from "disk full" scenarios
jorritfolmer /
Last active December 21, 2021 15:53
Securonix RIN installation

Securonix RIN installation


You need at least 8 GB of RAM for the installation to succeed. If not, the installer will give you weird errors. See below for the difference in output between a successful and unsuccessful installation.

Replace `a1redacted-abcd` with your own tenant name and code.


jorritfolmer /
Last active October 5, 2021 13:26
Mounting Defender for Endpoint Telemetry Azure Blob Storage in Linux using blobfuse

Mounting Defender for Endpoint Telemetry data on Linux

Defender Telemetry data can be persisted in Azure Blob Storage. This results in datetimestamped directories containing JSON files.


So you can easily Splunk, gzip or jq some of your telemetry data


jorritfolmer /
Last active December 30, 2021 09:18
Installing an offline lab with Windows Server 2019 AD, Windows 10 Pro and Office from scratch
jorritfolmer /
Last active January 23, 2022 11:31
Onboarding MITRE EDR evaluations round 3 (Carbanak+FIN7) into Splunk

MITRE EDR evaluations round 3

For easier Splunking use the steps and Python script below.

Download MITRE EDR json files

jorritfolmer /
Last active November 29, 2023 06:59
Pelican with Tailwind CSS

How to use Tailwind CSS with Pelican

These steps show how to install Tailwind CSS in a Pelican project, purge and minify it so you don't have to reference a 3+ MB CSS file but only several kB.

  1. virtualenv venv
  2. . venv/bin/activate
  3. pip install nodeenv
  4. nodeenv env
  5. . env/bin/activate
  6. npm install postcss postcss-cli autoprefixer tailwindcss purgecss cssnano
jorritfolmer / gist:c421749cd1520b8e2425bd80dc7f25de
Created February 16, 2021 09:09
Regex to parse AWS Route53 DNS logging in Splunk via CloudWatch logs

AWS Route53 DNS logging via CloudWatch Logs

^\S+ \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d+Z \S+ (?<query>\S+) (?<record_type>\S+) (?<reply_code>\S+) (?<transport>\w+) (?<dest>\S+) (?<src>\S+) (?<vendor_edns_client_subnet>\S+)

jorritfolmer / gist:d6713c344e173765b06352b858b186ba
Created October 17, 2020 08:05
Installing MITRE Caldera on RHEL7

Installing MITRE Caldera on RHEL7

Doesn't seem to want to run in a virtualenv, not sure why.


  1. yum install rh-python36
  2. yum install gcc
  3. scl enable rh-python36 bash
  4. git clone --recursive --branch 2.7.0
jorritfolmer /
Created April 27, 2020 13:19
Transpose MITRE EDR APT29 results for better Splunking

Onboarding MITRE EDR evaluations round 2 (APT29) into Splunk

MITRE have just published the JSON results of their EDR evaluations simulating APT29. However, as with the previous round, their structure makes it difficult to Splunk. Use this Python script for easier Splunking.


$ python file.json > file_for_splunk.json