Alex Asplund AlexAsplund

View GitHub Profile
$Publishers = wevtutil ep
# Lots of errors, probably because the event isn't documented properly by the provider
$ErrorActionPreference = "SilentlyContinue" # Shh sh sh
$AllEventData = Foreach($Publisher in $Publishers){
[XML]$Events = wevtutil gp $Publisher /ge /gm:true /f:xml
$Events.provider.events.event | Foreach {
[PSCustomObject]@{
event_id = $_.value
event_id  potential_criticality  event_summary
4618      High                   A monitored security event pattern has occurred.
4649      High                   A replay attack was detected. May be a harmless false positive due to misconfiguration error.
4719      High                   System audit policy was changed.
4765      High                   SID History was added to an account.
4766      High                   An attempt to add SID History to an account failed.
4794      High                   An attempt was made to set the Directory Services Restore Mode.
4897      High                   Role separation enabled:
4964      High                   Special groups have been assigned to a new logon.
5124      High                   A security setting was updated on the OCSP Responder Service
Function Add-OpsGenieUser {
[cmdletbinding()]
param(
[parameter(mandatory)]
[string]$UserName,
[parameter(mandatory)]
[string]$FullName,
[parameter(mandatory)]
param(
# User = ClientId Pass = Secret
[parameter(Mandatory)]
[PSCredential]$Credential,
[parameter(Mandatory)]
$TenantName,
[parameter(Mandatory)]
$GelfServer
$PRTGUrl = "http://prtg.contoso.com:5050/"
#################################
# Functions
#################################
function New-PRTGResult {
param(
[string]$Channel,
[string]$Value,
[string]$Float,
<#
Author: Alex Asplund
Description:
Will perform a series of health checks on AD.
Designed to be run on a Domain Controller as a Domain Admin.
Uses WSMAN, LDAP, RPC etc. to speak to other Domain Controllers.
#>
Function New-AdhcResult {
[cmdletbinding()]
param(
# Source of the result. The computer that was tested
[parameter(ValueFromPipelineByPropertyName)]
[string]$Source = $env:COMPUTERNAME,
# Name of the test
[parameter(Mandatory,ValueFromPipelineByPropertyName)]
[string]$TestName,
Class AdhcResult {
[string]$Source
[string]$TestName
[bool]$Pass
$Was
$ShouldBe
[string]$Category
[string]$Message
$Data
[string[]]$Tags
<#
.Synopsis
Copies a user
.DESCRIPTION
Copies a user using a hashtable for mapping attributes.
The hashtable should be in the format @{<SourceUserAttribute> = <New-ADUser parameter name>}
Example:
$Hashtable = @{
mail = 'EmailAddress'
<#
.SYNOPSIS
Pulls Azure Identity Risk logs and sends them to a gelf-server through TCP.
.DESCRIPTION
Pulls Azure Identity Risk logs and sends them to a gelf-server.
Requires the PSGelf module (Install-Module -Name PSGELF).
AppCredentials should be supplied as Credential object with AppID as username and AppKey as password.
.EXAMPLE
PS C:\> .\Script.ps1 -AppCredential $Credential -TenantName mytenant.onmicrosoft.com -GelfServer gelf.domain.com -GelfPort <portnumber>
Explanation of what the example does