Skip to content

Instantly share code, notes, and snippets.

View dstreefkerk's full-sized avatar

Daniel dstreefkerk

41 followers · 9 following
View GitHub Profile
@dstreefkerk
dstreefkerk / KQL_best_practices.md
Created December 11, 2025 04:56

KQL Best Practices for LLM Query Development

Core Performance Principle

"Query performance depends directly on the amount of data processed" - Always minimize data processing through strategic filtering and early reduction.

1. Data Reduction First

Time Filtering (Critical)

// ✅ GOOD: Time filter first (leverages indexing)
@dstreefkerk
dstreefkerk / 40-fortianalyzer-cef-syslog-ng.conf
Last active September 12, 2025 00:10
#####################################################################
# FortiAnalyzer CEF Integration - Syslog-ng Configuration
#####################################################################
# Equivalent to the rsyslog configuration for FortiAnalyzer CEF forwarding
# to Microsoft Sentinel via Azure Monitor Agent
#
# PROBLEM:
# --------
# FortiAnalyzer sends CEF messages in partial syslog format:
# SENDS: "MMM dd HH:mm:ss hostname CEF:0|..."
@dstreefkerk
dstreefkerk / 40-fortianalyzer-filtered-cef.conf
Last active October 1, 2025 02:06
rsyslog conf.d file to handle FortiAnalyzer's malformed CEF format and ingest to Sentinel via AMA
#####################################################################
# FortiAnalyzer CEF Integration - Production Configuration
#####################################################################
#
# PURPOSE:
# --------
# This configuration solves the critical protocol compliance issue with
# FortiAnalyzer CEF log forwarding to Microsoft Sentinel via Azure Monitor Agent.
#
# PROBLEM:
@dstreefkerk
dstreefkerk / wp_to_jekyll.py
Last active May 20, 2025 10:15
Quick and dirty script to migrate wordpress.com XML exported posts to Jekyll markdown, and update/check them using Claude Code.
#!/usr/bin/env python3
"""
WordPress to Jekyll Migration Script using Claude Code CLI
This script:
1. Takes a WordPress export XML file path as input
2. Lists all matching posts based on runtime parameters
3. Allows the user to select which posts to migrate
4. Extracts posts from the WordPress export
5. Uses Claude CLI to convert each post to Jekyll format (or simulates conversion with --dry-run)
@dstreefkerk
dstreefkerk / ai_user_expertise_summary.md
Created April 29, 2025 23:00
Summarise an AI conversation to infer and summarise the user's apparent expertise, professional background, and relevant technical knowledge.

Task

Based on this conversation, infer and summarise the user's apparent expertise, professional background, and relevant technical knowledge.

Support your inferences by citing specific examples from the conversation, such as:

  • technical terminology used accurately,
  • problem-solving approaches demonstrated, or
  • domain-specific insights provided.

Ensure your summary is objective, evidence-based, and concise.

@dstreefkerk
dstreefkerk / sigma_converter.py
Created April 16, 2025 10:30
POC code only. Do not use.
"""
Sigma to Microsoft Sentinel KQL Converter
-----------------------------------------
This script converts Sigma detection rules to Microsoft Sentinel KQL (Kusto Query Language) format
using the SOC Prime translation service.
SOC Prime, Inc (https://socprime.com) provides the translation API (uncoder.io) that powers this converter.
This script is a client for that service and is not affiliated with or endorsed by SOC Prime, Inc.
@dstreefkerk
dstreefkerk / azure-mgmt-securityinsight-api-reference.md
Last active April 14, 2025 23:22
LLM-generated documentation for the Azure Management SecurityInsight SDK for Python
@dstreefkerk
dstreefkerk / gas_stove_vulnerability.md
Created April 12, 2025 02:02

MCP Safety Audit: Gas Stoves with Manual Cooking Protocol Allow Major Burn Vulnerabilities

Executive Summary
Gas stoves, which operate under the legacy Manual Cooking Protocol (MCP), have been found to allow users to willingly place their hands on active burners, resulting in severe thermal compromise. Despite long-standing warnings, manufacturers continue to ship these devices with unrestricted flame access and no built-in user safety interlocks.

Key Findings

  • No Authentication for Ignition: Any user, regardless of clearance or training, can initiate flame generation with a simple knob twist.
  • Direct Contact Vulnerability: Users can directly touch the burner while it's active. No safeguards prevent this. Zero.
  • Lack of User Behaviour Sandboxing: The system permits reckless multi-tasking, such as reaching over multiple lit burners to grab a spice jar.
  • No Real-Time Alerting: Burn events are not logged, monitored, or alerted. Incident response relies on screaming.
@dstreefkerk
dstreefkerk / opinsights-all.kql
Last active February 12, 2025 04:44
Azure Resource Graph Query - Retrieve details of all accessible Sentinel-enabled Operational Insights Workspaces
// This query retrieves all Microsoft Sentinel-enabled Log Analytics workspaces the user has access to.
// It checks for Sentinel by looking for the 'SecurityInsights' solution in 'Microsoft.OperationsManagement/solutions'.
// The join is done using the full resource ID of the workspace.
resources
| where type == "microsoft.operationalinsights/workspaces"
| extend workspaceId = tostring(properties.customerId), workspaceName = name, workspaceResourceId = tolower(id)
| join kind=leftouter (
resources
| where type == "microsoft.operationsmanagement/solutions"
@dstreefkerk
dstreefkerk / oob_update.json
Last active January 9, 2025 23:29 — forked from bisskar/oob_update.json
This ARM template deploys an Azure Logic App workflow designed to notify users about updates to Microsoft Sentinel analytic rules.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"NamePrefix": {
"defaultValue": "",
"type": "String",
"metadata": {
"description": "Optional prefix to prepend to all resource names for easy identification."
}