Eric

@vector_sec

Husband. Father. IR & SecOps Manager for a QSR. Tinkerer of things. Perpetual student.

Joined: July 2015.

Tweets


  1. Jan 15

    Alright systems manager (ssm) users.. anyone know a way in your SSM document to dynamically reference the EC2 instance ID that your document is running on? For example, if I'm using AWS-RunPowershellScript how could I dynamically inject the instance ID into my script?

  2. Jan 14

    Fun fact: The Cb Response live response "reg query" command will truncate registry key values without telling you. Wanna guess how I know?😠

  3. Dec 24, 2019

    If you're using Splunk and you aren't on the Splunk Usergroup Slack () I highly recommend you reconsider. I've lurked in there for quite a while but just had several roadblocks on something I'm working on totally solved by some very smart people 😀

  4. Dec 23, 2019

    Got tired of losing the TV remote so we got a tile tracker for it. Tracker adhesive isn't strong enough and the tracker keeps falling off.. So.. I just gutted the remote and embedded the tracker inside it 😅

  5. Dec 15, 2019

    IMO this community would not be about profits or products but about just sharing with each other what we want to share publicly today but chose not to anymore because it is too risky. The vendors running the community should view it as a public service and not a selling point 5/5

  6. Dec 15, 2019

    I kinda wish that the vendors in the Infosec industry would come together and build an invite-only community for verified defenders that are vetted by way of being a customer of one of the companies and/or by membership in an industry ISAC. 4/n

  7. Dec 15, 2019

    I think defenders capable (both in skill and resources) to leverage OST to improve their defenses are coming out better off because of OST, but the teams that can't are literally seeing their risk profile increase because the barrier to entry to attack them has been lowered 3/n

  8. Dec 15, 2019

    But I can totally see how a defender or heck just a regular Sysadmin could look at OST and think of what a mess it will create for them when they get rolled by some random crew with some OST someone released publicly. 2/n

  9. Dec 15, 2019

    My take on OST: as a defender in an organization that has budget and people that care enough about security that I can use OST to demonstrate why we need XYZ, I appreciate that OST being publicly released frees me from having to develop tooling myself to test my defense with. 1/n

  10. Dec 15, 2019

    I know I can fix this with the same sourcetype modification on the indexers. Our env has some shared infra so it's a lot easier for me to modify a sourcetype on my UFs than the indexers themselves. Just whining about the amount of sourcetype options that work from UF.

  11. Dec 15, 2019

    Splunk, UF, and Timezones. Me: I know this data is coming into the system in EST, I'll just add the TZ to the sourcetype on this Splunk UF and it'll handle it nicely. Indexer: Looks like UTC to me. Search Head: There's no data in this index in the last 60 minutes. Me: 😠

  12. Dec 6, 2019

    Nothing says Friday night fun like your toddler falling down and standing up screaming with a mouthful of blood.

  13. Nov 17, 2019

    Has anyone dealt with deploying security monitoring agents to 100+ cloud accounts (AWS, Azure, GCP, etc) and kept effective tabs on which agents belong to which account for things like agent config and upgrade rollouts? What worked well? What didn't? Replies or DMs welcome! 🙂

  14. Nov 14, 2019

    Information security for the business, demystified: Secure Fast Cheap Choose two.

  15. Nov 11, 2019

    Happy Monday! My ETW modular input for Splunk, TA_ETW, is now available on Splunkbase

  16. Oct 28, 2019

    Hey , did the structure of API responses from change recently? Seems like the gsb key under meta:processors has stopped showing up. A 3rd party tool I'm using is a little brittle and doesn't like that gsb key to be missing 😬

  17. Retweeted
    Oct 26, 2019

    We need a memorial to the unknown blue teamer. Hey you, yes you; the person changing firewall rules, patching the 22nd system out of 100, dealing with layer8 shenanigans... You're loved & appreciated. You don't need to be popping shells for glory. The work you do matters.

  18. Oct 22, 2019

    Dear IT Vendors of the World, If you cannot spell my organization's name correctly, your sales email immediately gets deleted. Just saying.

  19. Oct 14, 2019
  20. Oct 14, 2019

    Right now it says it is for internal use only. I tried to give it an email address to see what would happen and it did nothing 🙁
