Nick Pieper nickpieper

  • Hampton Roads, Virginia
@ag-michael
ag-michael / FalconHuntqueries.md
Last active June 5, 2025 12:36
Falcon hunt queries

timestamp convert (Falcon timestamps are epoch milliseconds; `convert` takes a field, not an expression, so divide first):

```spl
eval timestamp=timestamp/1000 | convert ctime(timestamp)
```

.top, .club, .xyz, .ru domain lookups where the number of lookups for the domain is more than 1 and less than 4 per computer:

```spl
aid=* event_simpleName=DnsRequest
| regex DomainName=".*\.top$|.*\.club$|.*\.xyz$|.*\.ru$|[0-9]+.*\.\w+$"
| stats count by ComputerName, DomainName
| where count>1 AND count<4
| sort - count
```
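The same hunt expressed as plain Python over constructed DnsRequest events, as an added example that is not part of ag-michael's gist: it normalizes the domain (case, trailing dot), applies the gist's regex, counts per computer and domain, keeps only the 2-3 range, and renders the millisecond timestamp the way `convert ctime` does. Field names (`aid`, `event_simpleName`, `ComputerName`, `DomainName`, `timestamp`) follow the query above; the event list and host names are constructed sample data, and `hunt_rare_lookups`/`ctime_ms` are names chosen for this example.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events in the shape the query above consumes; not real telemetry.
_T0 = 1700000000000  # epoch milliseconds
EVENTS = [
    {"aid": "a1", "event_simpleName": "DnsRequest", "ComputerName": "WS01",
     "DomainName": "login.evil-cdn.top", "timestamp": _T0},
    {"aid": "a1", "event_simpleName": "DnsRequest", "ComputerName": "WS01",
     "DomainName": "login.evil-cdn.top.", "timestamp": _T0 + 60000},   # trailing dot, same name
    *[{"aid": "a1", "event_simpleName": "DnsRequest", "ComputerName": "WS01",
       "DomainName": "pool.miner.xyz", "timestamp": _T0 + i * 1000} for i in range(5)],  # too many
    *[{"aid": "a2", "event_simpleName": "DnsRequest", "ComputerName": "WS02",
       "DomainName": "update.example.com", "timestamp": _T0 + i * 1000} for i in range(3)],  # not suspicious
    {"aid": "a2", "event_simpleName": "DnsRequest", "ComputerName": "WS02",
     "DomainName": "login.evil-cdn.top", "timestamp": _T0},               # only once on WS02
    *[{"aid": "a3", "event_simpleName": "DnsRequest", "ComputerName": "WS03",
       "DomainName": "a1b2c3.example.club", "timestamp": _T0 + i * 1000} for i in range(3)],
    {"aid": "a3", "event_simpleName": "NetworkConnectIP4", "ComputerName": "WS03",
     "DomainName": "c2.example.ru", "timestamp": _T0},                    # wrong event type
    {"event_simpleName": "DnsRequest", "ComputerName": "WS04",
     "DomainName": "x.example.ru", "timestamp": _T0},                     # no aid, like aid=* excludes
]

# The gist's alternation: the four TLDs, or a name containing a digit (noisy by design).
SUSPICIOUS = re.compile(r"\.(top|club|xyz|ru)$|[0-9]+.*\.\w+$")


def ctime_ms(ts_ms):
    """Render an epoch-millisecond timestamp as UTC, the equivalent of eval /1000 | convert ctime."""
    return datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def hunt_rare_lookups(events, low=1, high=4):
    """Return (ComputerName, DomainName, count) for suspicious domains looked up
    more than `low` and fewer than `high` times by a single host, highest count first."""
    counts = Counter()
    for e in events:
        # aid=* event_simpleName=DnsRequest
        if e.get("event_simpleName") != "DnsRequest" or not e.get("aid"):
            continue
        domain = e["DomainName"].lower().rstrip(".")   # normalize before matching
        if SUSPICIOUS.search(domain):
            counts[(e["ComputerName"], domain)] += 1
    hits = [(host, domain, n) for (host, domain), n in counts.items() if low < n < high]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


if __name__ == "__main__":
    for host, domain, n in hunt_rare_lookups(EVENTS):
        print(f"{host:6} {domain:25} {n}")
    print(ctime_ms(_T0))
```

Counting by host and domain is what makes the 2-3 window meaningful: a domain resolved twice on each of fifty hosts is a different finding from one resolved twice on one host, and the original `stats ... by DomainName` conflates the two.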
@halr9000
halr9000 / Export-SplunkSearch.ps1
Created September 18, 2013 04:27
Splunk export search job using PowerShell
# Conversion of http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearch#search.2Fjobs.2Fexport
# example using curl, to PowerShell with Invoke-RestMethod cmdlet
#
# $ curl -k -u admin:changeme https://localhost:8089/services/search/jobs/export
# --data-urlencode search="search index=_internal | stats count by sourcetype"
# -d output_mode=json -d earliest="rt-5m" -d latest="rt"
$cred = Get-Credential
# This will allow for self-signed SSL certs to work (it disables certificate validation
# for the session, so keep it to lab use and prefer a trusted cert in production)
@urschrei
urschrei / parseml.py
Last active June 12, 2025 08:54
Extract attachments from EML files in the current dir, and write them to the output subdir. Now with recursion and robust filename handling
#!/usr/bin/env python3
"""
2025 update:
- Recursive extraction from nested EML files
- Robust filename handling with sanitization and deduplication
- Proper logging instead of print statements
- Enhanced error handling and validation
- Binary file reading for better encoding support
- Cross-platform filename compatibility
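An added example of the approach the docstring describes (recursive extraction with sanitized, deduplicated filenames), written here and not taken from urschrei's parseml.py: it walks a parsed EML, writes each attachment under a sanitized name so a Content-Disposition filename such as `../../etc/cron.d/report.pdf` cannot escape the output directory, renames collisions instead of overwriting, and re-parses attached `.eml` / `message/rfc822` parts up to a fixed depth. The message it processes is constructed inline; `MAX_DEPTH`, `safe_name`, `dedupe`, `extract_attachments` and `demo` are names chosen for this example.

```python
import email
import os
import re
import tempfile
from email import policy
from email.message import EmailMessage

MAX_DEPTH = 5  # stop recursing into forwarded-of-forwarded mail at some point


def safe_name(name, fallback="attachment.bin"):
    """Drop any directory part (defeats ../ and ..\\ traversal), keep a conservative
    character set, strip leading dots so nothing lands as a hidden file."""
    base = os.path.basename((name or "").replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._")[:200]
    return base or fallback


def dedupe(name, seen):
    """report.pdf, report_1.pdf, report_2.pdf ... so a later attachment never
    overwrites an earlier one with the same name."""
    stem, ext = os.path.splitext(name)
    candidate, n = name, 1
    while candidate in seen:
        candidate, n = f"{stem}_{n}{ext}", n + 1
    seen.add(candidate)
    return candidate


def extract_attachments(raw, outdir, depth=0, seen=None):
    """Write every attachment in `raw` (an EML as bytes) into outdir and return the
    file names written. Attached .eml / message/rfc822 parts are parsed and
    extracted recursively instead of being written as opaque blobs."""
    seen = set() if seen is None else seen
    written = []
    if depth > MAX_DEPTH:
        return written
    msg = email.message_from_bytes(raw, policy=policy.default)
    outdir_real = os.path.realpath(outdir)
    for part in msg.walk():
        if part.is_multipart():  # containers (and parsed rfc822 parts) are walked, not written
            continue
        filename = part.get_filename()
        if not filename and not part.is_attachment():
            continue  # message body text
        data = part.get_payload(decode=True)  # decodes base64 / quoted-printable to bytes
        if data is None:
            continue
        if (filename or "").lower().endswith(".eml") or part.get_content_type() == "message/rfc822":
            written.extend(extract_attachments(data, outdir, depth + 1, seen))
            continue
        name = dedupe(safe_name(filename), seen)
        path = os.path.join(outdir_real, name)
        if os.path.dirname(os.path.realpath(path)) != outdir_real:  # defense in depth
            continue
        with open(path, "wb") as fh:
            fh.write(data)
        written.append(name)
    return written


def build_sample_eml():
    """Constructed test message: a traversal filename, a duplicate name, and a
    forwarded message attached as an opaque .eml (not a real mail)."""
    inner = EmailMessage()
    inner["Subject"] = "Fwd: invoice"
    inner.set_content("please see attached")
    inner.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename="invoice.exe")
    outer = EmailMessage()
    outer["Subject"] = "report"
    outer.set_content("outer body")
    outer.add_attachment(b"%PDF-1.4 one", maintype="application", subtype="pdf",
                         filename="../../etc/cron.d/report.pdf")
    outer.add_attachment(b"%PDF-1.4 two", maintype="application", subtype="pdf",
                         filename="report.pdf")
    outer.add_attachment(inner.as_bytes(), maintype="application",
                         subtype="octet-stream", filename="forwarded.eml")
    return outer.as_bytes()


def demo():
    """Extract the constructed message into a throwaway directory and return the names written."""
    with tempfile.TemporaryDirectory() as outdir:
        return extract_attachments(build_sample_eml(), outdir)


if __name__ == "__main__":
    print(demo())
```

The sanitizer deliberately discards the directory component rather than trying to validate it: the sender controls the filename header, so the only safe interpretation is "a name inside the output directory". The `realpath` comparison before the write is redundant with that but cheap, and catches a future refactor that starts trusting the name again.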