Brian Carroll n3tsurge
n3tsurge
/ fetch-ms-ips.py
Created
October 26, 2022 13:15
Downloads Microsoft IPs for specific URLs to a file
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from datetime import datetime | |
| from requests import Session | |
| def fetch_microsoft_ips(url: str) -> dict: | |
| ''' | |
| Pulls down the Microsoft IP JSON list | |
| ''' | |
| s = Session() | |
| result = s.get(url) | |
| if result.status_code == 200: |
n3tsurge
/ Get nested fields in a dictionary based on dotted names
Last active
November 7, 2021 03:59
get_nested.py
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def get_nested_field(message: dict, field: str): | |
| ''' | |
| Iterates over nested fields to get the final desired value | |
| e.g signal.rule.name should return the value of name | |
| Paramters: | |
| message (dict): A dictionary of values you want to iterate over | |
| field (str): The field you want to extract from the message in dotted format | |
| Return: |
n3tsurge
/ close-indices.py
Last active
August 18, 2021 04:25
Close Elasticsearch indices older than X days
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import requests | |
| import json | |
| import datetime | |
| from requests.auth import HTTPBasicAuth | |
| auth = HTTPBasicAuth('elastic', '') | |
| index_pattern = "winlogbeat-*" | |
| days = 90 | |
| response = requests.get(f'https://mtllppsecelk01:9200/{index_pattern}/_settings/index.creation_date_string?flat_settings=true&human&expand_wildcards=open', verify=False, auth=auth) |
n3tsurge
/ winlogbeat-sysmon-22-parsing
Last active
August 22, 2019 04:54
Adds the parsing of DNS query responses to the winlogbeat-sysmon.js file
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Add this above extractIP4 | |
| var splitIps = function(evt) { | |
| extractIP4(evt, "winlog.event_data.QueryResults") | |
| } | |
| // Add this above event22 | |
| var extractIP4 = function(evt, queryResultField) { | |
| var addresses = []; | |
| var ips = evt.Get(queryResultField) |