CrowdStrike SIEM Connector Grok Rules

I couldn’t find a good set of Grok rules for the CrowdStrike SIEM connector so I wrote my own. You need two rule sets. Set1: %{IPV4:source_collector_ip} CEF: 0\|CrowdStrike\|FalconHost\|1.0\|%{WORD:event_type}\|%{GREEDYDATA:event_subtype}\|%{INT:event_tactic}\|externalId=%{HOSTNAME:externalID} cn2Label=%{WORD:cn2Label} cn2=%{WORD:cn2} cn1Label=%{WORD:cn1Label} cn1=%{WORD:cn1} dhost=%{HOSTNAME:dhost} duser=%{DATA:duser} msg=%{GREEDYDATA:msg} fname=%{DATA:fname} filePath=%{GREEDYDATA:filepath} cs5Label=%{DATA:cs5Label} cs5=%{GREEDYDATA:cs5} fileHash=%{DATA:fileHash} dntdom=%{DATA:dntdom} cs6Label=%{DATA: cs6Label} cs6=%{GREEDYDATA:cs6} cn3Label=%{DATA: cs3Label} cn3=%{DATA:cn3} rt=%{DATA:rt} src=%{IP:src} smac=%{MAC:smac} cat=%{GREEDYDATA:cat} act=%{GREEDYDATA:act} reason=%{GREEDYDATA:reason} outcome=%{DATA:outcome} CSMTRPatternDisposition=%{GREEDYDATA:CSMTRPatternDisposition}... » read more

MISP Diagnostics internal error has occurred

Problem You are using the MISP cloud base image and receive error “Error: an internal error has occurred” when trying to access diagnostics from “administration -> server settings -> diagnostics” Solution As root run the following commands pear install /var/www/MISP/INSTALL/dependencies/Console_CommandLine/package.xml pear install /var/www/MISP/INSTALL/dependencies/Crypt_GPG/package.xml

TheHive Project Cortex IBM Xforce Analyzer is not Working

I kept receiving an “API error” when attempting to run TheHive Project Cortex Analyzer for IBM Xforce. There is currently a bug that is adding an extra / with every request. To fix this issue you need to modify this file: /opt/Cortex-Analyzers/analyzers/IBMXForce Command to fix the problem: perl -pi -e 's|%s/|%s|g' /opt/Cortex-Analyzers/analyzers/IBMXForce/

Querying McAfee ePo on End User Machines

Code loop through a range of IPs and query McAfee epo on client machines # Loop through IP address - and print out # the computer name and the agent version echo "" > output; for ((i=10;i<=20;i++)) do # -s Silent Curl # -m 1 Wait no longer than 1 second per host... » read more

Add icons to your exported Chrome/Firefox Bookmarks

When you export your bookmarks from Chrome and Firefox the resulting HTML looks pretty plain. Exported Bookmarks with Icons To enhance the exported bookmarks file by added icons try the following perl -i'bak' -ple 's/ ICON="([^"]+")>/><img src="$1"> /' bookmarks.html Enhance with CSS You can further enhance the file using this js fiddle:

Convert JSON to CSV

To convert a json file to CSV you will need a linux program called jq. INPUTFILE="inputfile-with-json" OUTPUTFILE="outputfile-formatted.csv" jq -r '(.[0] | keys_unsorted) as $keys | $keys, map([.[ $keys[] ]])[] | @csv' ${INPUTFILE} > ${OUTPUTFILE}

Extracting IP Addresses in Bash

One very handy function to have in your .bash_profile is a function to extract IP addresses. ipextract function I frequently use this function during investigations and though I should share it with everyone. ipextract () { # example ipextract < filename egrep --only-matching -E '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' } Example I’ll demonstrate how to use the function Source... » read more

Combine Multiple PCAP Files into a Single File

Problem You have many smaller pcap files that you would like to combine in to a single file Solution mergecap -a* -w output_file.pcap Source: