jfrantz1-r7

class sethostname {
  file { "/etc/hostname":
    ensure  => present,
    owner   => root,
    group   => root,
    mode    => '0644',
    content => "$::fqdn\n",
    notify  => Exec["set-hostname"],
  }
  exec { "set-hostname":

jfrantz1-r7

SELECT to_char(fav.date, 'Mon-YY') AS date, COUNT(*) AS count,
	CASE
		WHEN age(dv.date_published) < '30 days' THEN '<30 days'
		WHEN age(dv.date_published) <= '60 days' THEN '30-60 days'
		ELSE '60+ days'
	END AS vuln_age
-- The fav table has the asset test date...
FROM fact_asset_vulnerability_instance AS fav
-- and the dv table has the vulnerability release date
	INNER JOIN dim_vulnerability AS dv

jfrantz1-r7

#!/bin/zsh

# This script is meant to be used with Jamf Pro and makes use of Jamf Helper.
# The idea behind this script is that it alerts the user that there are required OS
# updates that need to be installed. Rather than forcing updates to take place through the
# command line using "softwareupdate", the user is encouraged to use the GUI to update.
# In recent OS versions, Apple has done a poor job of testing command line-based workflows
# of updates and failed to account for scenarios where users may or may not be logged in.
# The update process through the GUI has not suffered from these kind of issues. The
# script will allow end users to postpone/defer updates X amount of times and then will

jfrantz1-r7

Threat detection in AWS using InsightIDR

Just some notes

• A list of all current eventName fields https://gist.github.com/jfrantz1-r7/207225e8811588a50c1e230222469053
• responseElements will only apper in a cloudtrail log if something actually changes
• When a role is assume in one account from another, there is a sharedEventID key in the logs that gets added. By searching multiple log streams, you can combine the view for multiple accounts to find matching logs to verify suspicious activity
• There are a few different userIdentity types:
  • Root
  • IAMUser
  • AssumedRole
  • FederatedUser

jfrantz1-r7

AbortDocumentVersionUpload
AbortEnvironmentUpdate
AbortMultipartUpload
AbortVaultLock
AcceptAccountMapping
AcceptCertificateTransfer
AcceptDelegate
AcceptDirectConnectGatewayAssociationProposal
AcceptFxPaymentCurrencyTermsAndConditions
AcceptHandshake

jfrantz1-r7

SELECT count(da.asset_id) as asset_count, ds.vendor, ds.name as software_name,  ds.family, ds.version
FROM dim_asset_software das
  JOIN dim_software ds using (software_id)
  JOIN dim_asset da on da.asset_id = das.asset_id
GROUP BY ds.vendor, ds.name, ds.family, ds.version, ds.cpe
ORDER BY asset_count DESC

jfrantz1-r7

WITH max_certainty AS (
    SELECT asset_id, max(certainty) AS certainty
    FROM dim_asset_operating_system
    GROUP BY asset_id
),
asset_cred_status AS (
    SELECT DISTINCT fa.asset_id,
           CASE WHEN dacs.aggregated_credential_status_id IN ('1','2') THEN 'FAIL'
              WHEN dacs.aggregated_credential_status_id IN ('3', '4') THEN 'SUCCESS'
              ELSE 'N/A' END AS auth_status

jfrantz1-r7

//cd /opt/rapid7/panasonic_avionics_log_processor/venv
//. bin/activate
//cd /opt/rapid7/panasonic_avionics_log_processor/latest/bin/
//python3.6 main.py

jfrantz1-r7

#!/usr/bin/env bash
# check a list of gsuite emails

if [[ $# -eq 0 ]]; then
	echo 'Give me a list of emails!'
	exit 1
fi

email_list="$1"

jfrantz1-r7

SELECT DISTINCT Md5(title) AS "Unique ID",
                title AS "Vulnerability Title",
                Proofastext(description) AS "Description"
FROM   dim_vulnerability
WHERE  description NOT LIKE '%Deprecated%'
ORDER  BY title ASC