Michael ag-michael
@ag-michael
ag-michael / ADenrichment.html
Created April 16, 2019 17:05
ADEnrichment report template
<style>
#reportrow {
    position:relative;
    overflow-wrap:anywhere;
    border-bottom:solid 1px;
}
</style>
<div class="panel panel-info" ng-if="success">
    <div class="panel-heading">
@ag-michael
ag-michael / FalconHuntqueries.md
Last active November 14, 2024 09:29
Falcon hunt queries

Timestamp conversion (Falcon stores timestamps in milliseconds, so divide by 1000 before ctime):

    convert ctime(timestamp/1000)

.top, .club, .xyz and .ru domain lookups where the number of lookups for the domain is more than 1 and less than 4 per computer:

    aid=* event_simpleName=DnsRequest | regex DomainName=".*\.top$|.*\.club$|.*\.xyz$|.*\.ru$|[0-9]+.*\.\w$" | stats values(ComputerName) count by DomainName | where count <4 | sort - count
@ag-michael
ag-michael / thehivefileobservable.py
Last active March 26, 2019 20:14
Add a file as an observable
import json
import base64
import requests

def thehive_alert(alert):
    global CONFIG
    # TheHive API key is passed as a bearer token; the alert body is JSON
    authheader={'Content-Type': 'application/json', 'Authorization': 'Bearer '+CONFIG['thehiveapikey']}
    # verify=False has no effect on plain HTTP to localhost; keep TLS verification on if this ever points at an https endpoint
    print(requests.post("http://127.0.0.1:9000/api/alert",headers=authheader,data=json.dumps(alert),verify=False))

myfile=''
try:
    # TheHive file observables are encoded as "filename;mimetype;base64data"
    with open(fname,"rb") as f:
        myfile=fname+";text/plain;"+base64.b64encode(f.read()).decode('ascii')
except Exception:
@ag-michael
ag-michael / thehivedump.py
Created March 19, 2019 20:17
Dump case information from thehive to CSV
import sys
import datetime
from thehive4py.api import TheHiveApi
from thehive4py.query import String

def mkstmp(ts,tfmt='%m/%d/%Y %H:%M CDT'):
    # TheHive timestamps are epoch milliseconds; accept int or numeric string
    if not isinstance(ts, int):
        ts=int(ts)
    return datetime.datetime.fromtimestamp(ts/1000).strftime(tfmt)