Jesse secabstraction
secabstraction
/ InvokePowerStash.ps1
Last active
February 16, 2016 19:42
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Pass your collection script and parameters, it will do the rest | |
| Invoke-PowerStash -Scriptblock ${function:Get-CimEvents} ` | |
| -Parameters @{CimSession=$Sessions;LogName='Security';EventId=4624} |
secabstraction
/ PowerStashIndexTemplate.ps1
Last active
February 16, 2016 19:33
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $JSON = @' | |
| { | |
| "template": "powerstash-*", | |
| "mappings": { | |
| "eventlogentry": { | |
| "properties" : { | |
| "Id": { "type": "string" }, | |
| "TimeCreated" : { "type" : "date" }, | |
| "DateCreated" : { "type" : "date" }, | |
| "EventId" : { "type" : "integer" }, |
secabstraction
/ StashableObjects.ps1
Created
February 16, 2016 19:10
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Parameters = @{ | |
| CimSession = $CimSession | |
| ClassName = 'Win32_NTLogEvent' | |
| Filter = $Filter | |
| ErrorAction = 'Continue' | |
| ErrorVariable = 'Errors' | |
| } | |
| Get-CimInstance @Parameters | foreach { | |
secabstraction
/ ExportElastic.ps1
Created
February 16, 2016 18:54
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # First lets collect some objects | |
| $Logons = Get-CimInstance -ClassName Win32_NtLogEvent -Filter "LogFile='Security' AND EventCode='4624'" | |
| # Now for the export | |
| $Logons | Export-Elastic -Node http://myelastic:9200 |
secabstraction
/ BulkIndexRequest.ps1
Last active
February 16, 2016 18:42
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| begin { $JsonStrings = [Collections.Generic.List[String]]::new() } | |
| process { | |
| foreach ($Object in $InputObject) { | |
| $IndexProperties = @{ | |
| index = @{ | |
| _index = $Index | |
| _type = $Type | |
| _id = $Id |
secabstraction
/ ComplexElasticClient.ps1
Last active
February 16, 2016 17:27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Create a connection pool | |
| $Pool = New-ConnectionPool -Nodes @('http://test1:9200','http://test2:9200') -Sniffing | |
| # Create a connection configuration from the pool | |
| $Config = New-ConnectionConfiguration -Pool $Pool | |
| # Tweak the configuration | |
| $Config.SetBasicAuthentication('username','password') | |
| $Config.SetProxy('http://myproxy:8080','username','password') |
secabstraction
/ SimpleElasticClient.ps1
Last active
February 16, 2016 17:16
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Create a simple client via Elastic's Uri | |
| $Client = New-ElasticClient -Node http://myelastic:9200 | |
| # Test connection | |
| $Client.CatHealth() | |
| # Stash | |
| $Client.BulkAsync($AllTheThings) |
secabstraction
/ Get-CimEvents.ps1
Last active
February 16, 2016 10:07
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-CimEvents { | |
| [CmdLetBinding(DefaultParameterSetName = 'Filter')] | |
| param ( | |
| [Parameter(Mandatory = $true)] | |
| [Alias('Session')] | |
| [Microsoft.Management.Infrastructure.CimSession[]] | |
| $CimSession, | |
| [Parameter(ParameterSetName = 'Filter')] | |
| [ValidateNotNullOrEmpty()] |
secabstraction
/ logstash-template.json
Created
February 8, 2016 19:47
— forked from reyjrar/logstash-template.json
Template for logstash indexes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "template": "logstash-*", | |
| "settings" : { | |
| "index.number_of_shards" : 3, | |
| "index.number_of_replicas" : 1, | |
| "index.query.default_field" : "@message", | |
| "index.routing.allocation.total_shards_per_node" : 2, | |
| "index.auto_expand_replicas": false | |
| }, | |
| "mappings": { |
secabstraction
/ elasticsearch.yml
Created
February 8, 2016 19:46
— forked from reyjrar/elasticsearch.yml
ElasticSearch config for a write-heavy cluster
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ################################################################## | |
| # /etc/elasticsearch/elasticsearch.yml | |
| # | |
| # Base configuration for a write heavy cluster | |
| # | |
| # Cluster / Node Basics | |
| cluster.name: logng | |
| # Node can have abritrary attributes we can use for routing |
NewerOlder