Joe Lopes lopes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # will match everything but lines wit `substring` | |
| /^(?!substring).*$/ |
lopes
/ git-all-commits-author.sh
Last active
August 7, 2024 15:00
Shell snippets using common Unix tools. #shell #shellscript #unix #linux #bsd
lopes
/ chronicle-dstip-stats.yaral
Created
August 7, 2024 14:44
Chronicle searches in YARA-L. #siem #log #yara-l #chronicle #google
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| metadata.event_type = "NETWORK_CONNECTION" | |
| $srcip = principal.ip | |
| target.ip = "34.231.161.67" | |
| match: | |
| $srcip over 1h | |
| outcome: | |
| $event_count = count_distinct(metadata.id) | |
| $sum_bytes_sent = sum(network.sent_bytes) | |
| $sum_bytes_received = sum(network.received_bytes) | |
| $dst_ports = array_distinct(target.port) |
lopes
/ ip-expand.py
Last active
August 7, 2024 13:22
Expand IP ranges into individual addresses. #python #ip #regex
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| #ip-expand.py | |
| # | |
| # Expand IP ranges into individual addresses. | |
| # | |
| # REQUIREMENTS | |
| # The `cidr-ranges-list.txt` file must be in the same directory as this script. | |
| # This file must follow the format: | |
| # <CIDR>, "<COMMENT>" | |
| # |
lopes
/ chronicle-list-cleaner.py
Last active
August 7, 2024 13:58
Cleans up lines in the reference lists in Chronicle SIEM with expired dates. #chronicle #gcp #functions #python #siem #list #management
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| Cleans up lines in the reference lists in Chronicle SIEM with expired dates. | |
| This script can be used to clean up some or all Reference Lists in Chronicle SIEM. | |
| It scans each list and removes expired lines with the same pattern it is set to | |
| monitor. Lines outside this pattern are just ignored. The pattern is: | |
| <value> // expires:YYYY-MM-DD | |
lopes
/ torpids.py
Last active
August 7, 2024 13:58
Connects to the Tor Project's exit-addresses page and parses the exit node data into JSON format. #python #tor #exitnodes #web #scrapper #parser
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| #torpids.py | |
| ''' | |
| Connects to the Tor Project's exit-addresses page and parses the | |
| exit node data into JSON format. | |
| Data is fetched from: https://check.torproject.org/exit-addresses | |
| Data is "Node ID-centric" in Tor Project's page, but here it is |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| #moth.py | |
| ''' | |
| Convert Kindle or O'Reilly annotations to JSON or Markdown format. | |
| Usage: | |
| moth.py -i <input> -o <output> [-s <source>] [-f <format>] | |
| Example: |
lopes
/ misp-parser.rb
Last active
August 7, 2024 13:57
MISP parser for Chronicle SIEM using Logstash format. #misp #chronicle #parser #logstash
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Product: MISP Threat Intelligence | |
| # Category: Information Security | |
| # Supported Format: JSON | |
| # Reference: https://medium.com/@thatsiemguy/how-to-integrate-misp-and-chronicle-siem-9e5fe5fde97c | |
| # Last Updated: 2024-06-01 | |
| filter { | |
| ## | |
| # BASIC VARIABLES ASSERTION AND FIELDS EXTRACTION | |
| # |
lopes
/ lobotomy.py
Last active
August 7, 2024 13:56
Simple script to test the Cortex API with Advanced and Standard keys #python #paloalto #cortex #edr #xdr #alert #api
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from sys import argv | |
| from datetime import datetime, timezone | |
| from secrets import choice | |
| from string import ascii_letters, digits | |
| from hashlib import sha256 | |
| from json import dumps | |
| from http.client import HTTPSConnection | |
| ''' |
lopes
/ cortex-get-alerts.sh
Last active
August 7, 2024 13:56
Retrieves alerts from Cortex XDR. #shell #shellscript #paloalto #cortex #edr #xdr #alert #api
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # Retrieves alerts from Cortex XDR. | |
| # PARAMETERS: | |
| # - $1: First item (start) | |
| # - $2: Number of items at each round (must be <= 100) | |
| # - $3: Number of pages desired (number of rounds) | |
| # REQUIRES: | |
| # - API key and its ID from Cortex XDR | |
| # - Standard Authentication for the API key |
NewerOlder