Manas Bellani manasmbellani

## !splunkappsdoco.md

      
              5 files
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                manasmbellani
                / !splunkappsdoco.md
            
            
              Last active
              June 10, 2023 09:34
            
              
                splunkawssecuritymon - Alerts built in AWS Security Monitoring App for Splunk
              
          
    README

This gist contains information about various splunk apps pertaining to detection engineering that have been released on Splunkbase.
Usage

Review the files on gist.github.com OR consider cloning this and opening it in a Markdown editor such as Typora to obtain a navigational outline

  
## splunk-app-deployment-steps.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                manasmbellani
                / splunk-app-deployment-steps.md
            
            
              Created
              November 26, 2022 01:44
            
              
                Practical tips/steps to consider prior to deploying and updating apps in Splunk
              
          
    Steps to build new alerts in Splunk

To build new alerts, perform the following steps:

Ensure that the correct app is selected via the Apps menu option in Splunk UI
Leverage an existing search macro that has been recently built and update it to meet the search query for detection
Test if the alert works
Use MITRE Attack Framework to add relevant fields from the Matrix here if applicable
Create a new search macro with updated permissions. Search macro should be prefixed with appropriate keyword e.g. gcp_detect_ or sysmon_detect
Update the search macro permissions to be publicly readable, and admin writable


## inputs.conf
#   Version 9.0.1
# these here just override and disable stuff that in system/default.

################################
# Data thru parsingQueue always
################################

[splunktcp]
route=has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue

## flatten_dict_to_csv.py
#!/usr/bin/env python3
import json

dictionary = {
    'duration': 720,
    'language': 'sv',
    'link': 'https://vimeo.com/neweuropefilmsale/incidentbyabank',
    'name': 'INCIDENT BY A BANK',
    'test': {
        'test2': {

## .aws-lambda-layers
Please review the `README.md` file.

## get_domain_from_ssl_info_on_host.sh
#!/bin/bash
USAGE="[-] $0 <hostname>"
if [ $# -lt 1 ]; then
    echo "$USAGE"
    exit 1
fi
hostname="$1"
echo | openssl s_client -connect $hostname:443 2>&1 | grep -iE "0 s:.*CN = "  | grep -ioE "CN = .*" | cut -d "=" -f2

## get_hibp_breach_details.sh
#!/bin/bash
DELIM="|"
OUT_FILE="out-hibp-breach-details.txt"
USER_AGENT="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
HIBP_ENDPOINT="https://haveibeenpwned.com/api/v3"
SLEEP_INTERVAL=3
CURL_TIMEOUT=6
USAGE="[-]
Syntax:
    $0 <breaches_list/breaches_file>  [hibp_api_key=$HIBP_KEY] [sleep_interval=$SLEEP_INTERVAL] [out_file=$OUT_FILE]

## .cent.yaml
# Directories to exclude
exclude-dirs:
  - SOMETHING

# Files to exclude
exclude-files:
  - README.md
  - .gitignore
  - .pre-commit-config.yaml
  - LICENSE

## scan_url_in_urlscan_io.sh
VISIBILITY="public"
SLEEP_TIMEOUT=10
USAGE="[-]
Usage:
    $0 <url> <apikey> [visibility=]

Summary:
    Scan URL in urlscan.io and open it with default browser

Args:

## detect_azure_omi_servers.sh
#!/bin/bash
OMI_PORT=5986
SERVICE_REGEX=".*http.*Microsoft HTTPAPI"
IP_REGEX="^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$"
USAGE="
[-] $0 <host>

Summary:
  Detect possible OMI service which runs on Azure instances
	# Version 9.0.1
	# these here just override and disable stuff that in system/default.

	################################
	# Data thru parsingQueue always
	################################

	[splunktcp]
	route=has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue
	#!/usr/bin/env python3
	import json

	dictionary = {
	'duration': 720,
	'language': 'sv',
	'link': 'https://vimeo.com/neweuropefilmsale/incidentbyabank',
	'name': 'INCIDENT BY A BANK',
	'test': {
	'test2': {
	#!/bin/bash
	USAGE="[-] $0 <hostname>"
	if [ $# -lt 1 ]; then
	echo "$USAGE"
	exit 1
	fi
	hostname="$1"
	echo \| openssl s_client -connect $hostname:443 2>&1 \| grep -iE "0 s:.CN = " \| grep -ioE "CN = ." \| cut -d "=" -f2
	#!/bin/bash
	DELIM="\|"
	OUT_FILE="out-hibp-breach-details.txt"
	USER_AGENT="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
	HIBP_ENDPOINT="https://haveibeenpwned.com/api/v3"
	SLEEP_INTERVAL=3
	CURL_TIMEOUT=6
	USAGE="[-]
	Syntax:
	$0 <breaches_list/breaches_file> [hibp_api_key=$HIBP_KEY] [sleep_interval=$SLEEP_INTERVAL] [out_file=$OUT_FILE]
	# Directories to exclude
	exclude-dirs:
	- SOMETHING

	# Files to exclude
	exclude-files:
	- README.md
	- .gitignore
	- .pre-commit-config.yaml
	- LICENSE
	VISIBILITY="public"
	SLEEP_TIMEOUT=10
	USAGE="[-]
	Usage:
	$0 <url> <apikey> [visibility=]

	Summary:
	Scan URL in urlscan.io and open it with default browser

	Args:
	#!/bin/bash
	OMI_PORT=5986
	SERVICE_REGEX=".http.Microsoft HTTPAPI"
	IP_REGEX="^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$"
	USAGE="
	[-] $0 <host>

	Summary:
	Detect possible OMI service which runs on Azure instances