
dfir / jq

misc

# NOTE(review): the next two lines are jq filter fragments, not runnable commands;
# the leading `|` shows they were cut from a longer pipeline (e.g. `.[] | select(...)`).
| select(.age > 25)
| length
# sum of .sendbytes over every record; expects netflow.json to be one top-level JSON
# array (map iterates its input). `add` on an empty array yields null, not 0.
jq 'map(.sendbytes) | add' netflow.json
# same sum, restricted to records whose .type is "local"
jq 'map(select(.type == "local").sendbytes) | add' netflow.json

falcon

o365

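# display Exchange operations on items that carry attachments; the parent folder path
# (e.g. Calendar, Inbox, Drafts) is emitted as the last column.
# `.Item.Attachments` is passed through tostring: a plain string is unchanged, while an
# array/object value is serialised to JSON text — @csv rejects non-scalar cells otherwise.
# Assumes one JSON object per line; for a single top-level array use `.[]` in place of `.`.
jq -r '. | select(.Item.Attachments != null) | [.CreationTime,.Workload,.UserId,(.Item.Attachments | tostring),.Item.ParentFolder.Path] | @csv' o365.json

# display resource access from sign-in logs for the source IP 1.2.3.4
jq -r '.[] | select(.ipAddress=="1.2.3.4") | [.createdDateTime,.userPrincipalName,.appDisplayName,.ipAddress,.clientAppUsed,.userAgent,.resourceDisplayName,.resourceTenantId,.authenticationRequirement] | @csv' NonInteractiveSignIns_2023-10-02.json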

okta

# okta global activity — one CSV row per event.
# Assumes one event object per line; for an array export prefix the filter with `.[] |`.
jq -r '[.published,.displayMessage,.outcome.result,.outcome.reason,.debugContext.debugData.result,.debugContext.debugData.smsProvider,.debugContext.debugData.phoneNumber,.actor.alternateId,.client.userAgent.os,.client.userAgent.browser,.request.ipChain[0].ip,.client.ipAddress,.client.geographicalContext.city,.client.geographicalContext.country] | @csv' data_export.json

# actions on failure — same columns as above, minus the browser, for events whose outcome is FAILURE
jq -r 'select(.outcome.result == "FAILURE") | [.published,.displayMessage,.outcome.result,.outcome.reason,.debugContext.debugData.result,.debugContext.debugData.smsProvider,.debugContext.debugData.phoneNumber,.actor.alternateId,.client.userAgent.os,.request.ipChain[0].ip,.client.ipAddress,.client.geographicalContext.city,.client.geographicalContext.country] | @csv' data_export.json

# user password updated
# NOTE(review): `.target[].displayName` fans out — an event with N targets produces N rows
# with the other columns repeated, and a null `.target` aborts the run ("Cannot iterate over null").
jq -r 'select(.displayMessage == "User update password for Okta") | [.published,.displayMessage,.target[].displayName,.outcome.result,.actor.alternateId,.client.userAgent.os,.request.ipChain[0].ip,.client.ipAddress,.client.geographicalContext.city,.client.geographicalContext.country] | @csv' data_export.json

proofpoint

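# proofpoint tap forensics
#
# get all urls (one per line) from the "url" evidence entries
jq -r '.[] | select(.type=="url") | .what.url' forensics_reports_2023-MM-DD.json

# get all drive by download + hashes: sha256 and path of each "file" evidence entry.
# The stray trailing quote of the original one-liner left the shell waiting for input; removed.
# `tr -d \"` strips the quoting @csv adds, so a path containing a comma or a quote will
# spill into extra columns — drop the tr stage if the CSV must stay parseable.
jq -r '.[] | select(.type=="file") | [.what.sha256,.what.path] | @csv' forensics_reports_2023-MM-DD.json | tr -d \" > drive-by-dl.csv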

ywh

# yeswehack — company, title, scope and ips of every report, as CSV.
# NOTE(review): @csv accepts only scalar cells; if `.ips` is an array in the export,
# wrap it as `(.ips | tostring)` (a plain string passes through unchanged).
jq -r '.[] | [.company,.title,.scope,.ips] | @csv' ywh_export_report.json > ywh_impacted_assets.csv