TheCloudScout’s gists

TheCloudScout / Parse demo - unparsed data

Last active January 12, 2022 14:58

	"Country: United States City: Chicago Local dish: Deep dish pizza",
	"City: New York City Attraction: Statue of Liberty Local dish: Cheesecake",
	"Country: United States State: NV Population: 641903 Attraction: Fremont Street",
	"State: CA City:San Francisco Population: 873965 Attraction: Golden Gate Bridge Local dish: Clam Chowder"

TheCloudScout / azure-firewall-log4j-kql

Last active December 13, 2021 14:15

Azure Firewall | Check log4j IoCs

	let timeWindow = datetime("2021-12-09");
	let intel = ((externaldata (URL:string,values: dynamic) [@"https://gist.githubusercontent.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8/raw/f1751cc072bd33256c0005021f33348c22aa76fc/Callback%2520Domains%2520log4j"]));
	let IPList = externaldata(IPAddress:string)[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv"] with (format="csv", ignoreFirstRecord=True);
	let domains = intel \| extend domains=extract(@"([0-9a-z]+\.[0-9a-z]+\.[a-z]+)",0,URL)\| distinct domains\| where domains != "" \| project domains;
	let ips = intel \| extend ips=extract(@"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})",0,URL) \| distinct ips \| where ips != "" \| project ips;
	let ports = intel \| extend ports=extract(@":([0-9]{2,5})\/",1,URL) \| distinct ports \| where ports != "" \| project ports;
	// to parse Azure Firewall logs with "AzureFirewallApplicationRule" category, we need several different parsing methods based on the type of entries
	let appl

TheCloudScout / correlate-with-outer-join-and-calculate-timestamp-difference

Created March 11, 2021 13:04

	let AlertLogs = _GetWatchlist("AlertLogs")
	\| extend AlertDateTime = todatetime(strcat(AlertDate, AlertTime))
	\| project AlertDateTime, AlertName, UID;
	let JunosLogs = _GetWatchlist("JunosLogs")
	\| extend JunosDateTime = todatetime(strcat(Date, Time))
	\| project JunosDateTime, Action, UID=UID_;
	// JunosLogs
	AlertLogs
	\| join kind=leftouter JunosLogs on UID
	\| sort by AlertDateTime

TheCloudScout / correlate-travel-alerts-with-vpn-logs

Created March 11, 2021 12:57

	let Unfamiliarsigninproperties = ExportSecurityAlerts_CL
	\| where AlertName_s == "Unfamiliar sign-in properties"
	\| extend IPAddress = tostring(parse_json(ExtendedProperties_s).["Client IP Address"])
	\| extend Location = tostring(parse_json(ExtendedProperties_s).["Client Location"])
	\| extend UID = split(tostring(parse_json(ExtendedProperties_s).["User Account"]),"@")[0]
	\| extend AlertDate = split(TimeGenerated_Local_Time__s, ",")[0]
	\| extend AlertTime = split(TimeGenerated_Local_Time__s, ",")[1]
	\| extend AlertDateTime = todatetime(strcat(AlertDate, AlertTime))
	\| project AlertDateTime, AlertName = AlertName_s, IPAddress, Location, UID;
	let AtypicalTravel = ExportSecurityAlerts_CL

TheCloudScout / show-service-connection-key.yml

Last active January 24, 2021 13:15

	trigger: none

	pool:
	vmImage: 'ubuntu-latest'

	steps:
	- task: AzureCLI@2
	displayName: Retrieve Service Connection credentials
	inputs:
	azureSubscription: '<Service Connection name>'

TheCloudScout / Set-AzureDevOpsKeyRotation.ps1

Created January 22, 2021 16:20

	<#
	.DESCRIPTION
	Azure DevOps Pipeline details:
	- AzureCLI@2
	- scriptType: 'pscore'
	- addSpnToEnvironment: true
	Permission requirements:
	- Azure DevOps: <Project> Build Service needs to be member of the Endpoint Administrators group
	- Azure AD: Application needs to be owner of it's own application
	- Azure AD: Application requires the application permission Application.ReadWrite.OwnedBy

TheCloudScout / Set-addApplicationOwner.ps1

Last active July 22, 2021 15:09

	<#
	.DESCRIPTION
	This script will add the Service Principal of the Application as Owner of the Application.
	It performs the following steps:
	- Login to the graph.microsoft.com
	- Validate the Application Id
	- Retrieve the current owner(s)
	- Add if applicable the application delegation for graph.microsoft.com/Application.ReadWrite.OwnedBy
	- Perform if applicable the admin consent for the application delegation graph.microsoft.com/Application.ReadWrite.OwnedBy
	- Add if applicable the service principal to the application as owner

TheCloudScout / postgres-to-sentinel.conf

Last active April 19, 2020 19:35

	# file: postgres-to-sentinel.conf
	input {
	jdbc {
	# Postgres jdbc connection string to our database, mydb
	jdbc_connection_string => "jdbc:postgresql://localhost:5432/security"
	# The user we wish to execute our statement as
	jdbc_user => "lutsdbuser"
	# The user we wish to execute our statement as
	jdbc_password => "<YOUR PASSWORD>"
	# The path to our downloaded jdbc driver

TheCloudScout / logstash-postgresToSentinel.dockerfile

Created April 19, 2020 16:51

	# escape=`

	# LogStash base image from Elastic version 7.6.2
	FROM docker.elastic.co/logstash/logstash:7.6.2

	# Delete logstash.conf in custom image, so that we won't retain the example config from the base image.
	RUN rm -f /usr/share/logstash/pipeline/logstash.conf

	# Copy JDBC drivers for PostgreSQL connection
	ADD postgresql-42.2.12.jar /usr/share/logstash/modules/postgres/postgresql-42.2.12.jar

TheCloudScout / Store Azure Container Registry credentials in Key Vault

Created November 4, 2019 21:33

	# Retrieve all Azure Container Registry credentials
	$RegistryCredentials = Get-AzContainerRegistry \| Get-AzContainerRegistryCredential

	# Convert first password to secure string and store it inside Key Vault as a secret
	$RegistryPw1 = ConvertTo-SecureString -string $RegistryCredentials.Password -AsPlainText -Force
	Set-AzKeyVaultSecret -VaultName $(KeyVaultName) -Name "RegistryPassword1" -SecretValue $RegistryPw1

	# Convert second password to secure string and store it inside Key Vault as a secret
	$RegistryPw2 = ConvertTo-SecureString -string $RegistryCredentials.Password2 -AsPlainText -Force
	Set-AzKeyVaultSecret -VaultName $(KeyVaultName) -Name "RegistryPassword2" -SecretValue $RegistryPw2

Koos Goossens TheCloudScout