Henry Robalino animetauren
animetauren
/ drop_events.txt
Created
December 14, 2023 16:03
Regex to Drop Windows Events using Splunk Ingest Actions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| blacklist1 = \bEventCode=(4662|566)\b[\s\S]*?\bObject Type:\s+(?!groupPolicyContainer)\b | |
| blacklist2 = \bEventCode=(4656|4670|4663|4703|4658|4688)\b[\s\S]*?\bAccount Name:\s*([^\s\$]+[^\s\$])\b | |
| blacklist3 = \bEventCode=4624\b[\s\S]*?\bAn account was successfully logged on(\n|\r)*\b | |
| blacklist4 = \bEventCode=(4688|4689)\b[\s\S]*?\bProcess Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)\b | |
| blacklist5 = \bEventCode=6278\b[\s\S]*?\bNetwork Policy Server granted full access to a user because the host met the defined health policy.\b |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| blacklist1 = EventCode="(4662|566)" Message="Object Type:\s+(?!groupPolicyContainer)" | |
| blacklist2 = EventCode="(4656|4670|4663|4703|4658|4688)" Message="Account Name:\s*([^\s\$]+[^\s\$])" | |
| blacklist3 = EventCode="4624" Message="An account was successfully logged on(\n|\r)*" | |
| blacklist4 = EventCode="(4688|4689)" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)" | |
| blacklist5 = EventCode="6278" Message="Network Policy Server granted full access to a user because the host met the defined health policy." |
animetauren
/ props.conf
Last active
May 4, 2023 17:57
— forked from automine/props.conf
Windows Event Clean Up in Splunk
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [source::WinEventLog:System] | |
| SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This event is generated[\S\s\r\n]+$//g | |
| [source::WinEventLog:Security] | |
| SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g | |
| SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g | |
| SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/ | |
| SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/ | |
| SEDCMD-remove_ffff = s/::ffff://g | |
| SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g |
animetauren
/ ACMESharpAzureDNS.ps1
Last active
April 30, 2017 05:50
ACMESharp DNS Challenge with Azure DNS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $compACMEChall = Complete-ACMEChallenge $domain -ChallengeType dns-01 -Handler manual | |
| $dnsRRName = ($compACMEChall.Challenges | Where-Object {$_.Type -eq "dns-01"}).Challenge.RecordName | |
| $dnsRRValue = ($compACMEChall.Challenges | Where-Object {$_.Type -eq "dns-01"}).Challenge.RecordValue | |
| $rs = New-AzureRmDnsRecordSet -Name $dnsRRName -RecordType TXT -Ttl 60 -ZoneName $url -ResourceGroupName $RGName | |
| Add-AzureRmDnsRecordConfig -RecordSet $rs -Value $dnsRRValue | |
| Set-AzureRmDnsRecordSet -RecordSet $rs |