| # Download and dot source Get-WinEventData | |
| # https://gallery.technet.microsoft.com/scriptcenter/Get-WinEventData-Extract-344ad840 | |
| . "\\path\to\Get-WinEventData.ps1" | |
| # Download and Set up Sysmon as desired | |
| # http://technet.microsoft.com/en-us/sysinternals/dn798348 | |
| # http://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon | |
| #Use Get-WinEvent and Get-WinEventData to obtain events and extract XML data from them - let's see all the properties behind one! | |
| Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational";id=3} | |
This KQL query grabs defined RMM domains within the RMML project and matches them against MDE telemetry.
See also the original blog post here.
// Define the regex constructor function which transforms an array of patterns into regex.
let regexConstructor = (arr:dynamic) { replace_string( replace_string(replace_string( replace_string(strcat('((?i)', strcat_array( arr,'|') ,')'), '.','[.]'), @'\',@'\\'), @'/',@'\/'), @'*', @'.*') };
// ----------------------------------------------------------------
// Download the JSON string and convert to a usable object.
let RMMs = externaldata(RMMs:string)[h@'https://github.com/LivingInSyn/RMML/releases/download/v1.4.0/rmms.json'] with(format='raw');
This KQL query grabs defined RMM domains within the Splunk Security Content project and matches them against MDE telemetry.
See also the original blog post here.
// Define the regex constructor function which transforms an array of patterns into regex.
let regexConstructor = (arr:dynamic) { replace_string( replace_string(replace_string( replace_string(strcat('((?i)', strcat_array( arr,'|') ,')'), '.','[.]'), @'\',@'\\'), @'/',@'\/'), @'*', @'.*') };
// ----------------------------------------------------------------
// Download the CSV.
az account get-access-token --resource https://management.azure.com --tenant $TENANT_ID
az account get-access-token --resource https://graph.azure.com --tenant $TENANT_IDGet-AzAccessToken -ResourceUrl "https://management.azure.com" -TenantId $TENANT_ID
Get-AzAccessToken -ResourceUrl "https://graph.azure.com" -TenantId $TENANT_ID
| #!/bin/bash | |
| # SPDX-License-Identifier: MIT | |
| ## Copyright (C) 2009 Przemyslaw Pawelczyk <[email protected]> | |
| ## | |
| ## This script is licensed under the terms of the MIT license. | |
| ## https://opensource.org/licenses/MIT | |
| # | |
| # Lockable script boilerplate | |
| # 20161122 https://github.com/ConradIrwin/rxxr2/blob/master/data/input/regexlib-raw.txt http://www.cs.bham.ac.uk/~hxt/research/rxxr2/ | |
| # This will find URLs in plain text. With or without protocol. It matches against all toplevel domains to find the URL in the text. | |
| # ID: 1016 | |
| ([\d\w-.]+?\.(a[cdefgilmnoqrstuwz]|b[abdefghijmnorstvwyz]|c[acdfghiklmnoruvxyz]|d[ejkmnoz]|e[ceghrst]|f[ijkmnor]|g[abdefghilmnpqrstuwy]|h[kmnrtu]|i[delmnoqrst]|j[emop]|k[eghimnprwyz]|l[abcikrstuvy]|m[acdghklmnopqrstuvwxyz]|n[acefgilopruz]|om|p[aefghklmnrstwy]|qa|r[eouw]|s[abcdeghijklmnortuvyz]|t[cdfghjkmnoprtvwz]|u[augkmsyz]|v[aceginu]|w[fs]|y[etu]|z[amw]|aero|arpa|biz|com|coop|edu|info|int|gov|mil|museum|name|net|org|pro)(\b|\W(?<!&|=)(?!\.\s|\.{3}).*?))(\s|$) | |
| # Retrieves all anchor links in a html document, useful for spidering. You will need to do a replace of " and ' after the regular expression, as the expression gets all links. As far as I know there is no way, even with \1 groupings, of getting a condition on whether the link |