// The below query attempts to get the avg Size in MB per client that is sent from Microsoft Defender for Endpoint to Azure Sentinel when using the M365 Defender connector | |
// The calculation is done as following: | |
// 1. Collect the Usage data for the specified table from the Usage table, for example 'DeviceFileEvents' | |
// 2. Collect the total # of devices that submitted information into the specified table, for example 'DeviceFileEvents' | |
// 3. Divide the total BillableDataGB per DataType by the total number of devices that sent data to get the avg MB sent per client | |
// 4. Finally 'union' all tables | |
// Lookback bounds shared by the per-table usage queries that follow (the query continues past
// this excerpt). NOTE(review): how each bound is applied — e.g. ago(xagotime) vs. a
// startofday()-aligned window — is not visible here; confirm against the full query.
let xagotime = 32d; | |
let xstarttime = 31d; | |
// File Events |
// Windows 10 versions https://docs.microsoft.com/en-us/windows/release-information/ | |
DeviceInfo | |
| where isnotempty( OSPlatform) and OSPlatform == "Windows10" | |
| summarize arg_max(Timestamp,*) by DeviceId | |
| extend Version = case( | |
OSBuild == "19041","2004", | |
OSBuild == "19042","20H2", | |
OSBuild == "18363","1909", | |
OSBuild == "18362","1903", | |
OSBuild == "17763","1809", |
# run the modified MFA info-gathering script stored here | |
# https://gist.github.com/alexverboon/f8fd3300dcf999e1a5f5554cad05030d | |
# Invoke the analysis script from the current directory; <TENANT ID> is a placeholder to
# replace with the real tenant id before running. Because the path is relative, the file
# executed is whichever MfaAuthMethodsAnalysis.ps1 sits in the working directory — worth
# pinning to a known location (or checking its hash) before use.
$mfa = .\MfaAuthMethodsAnalysis.ps1 -TenantId <TENANT ID> | |
# $MFA and $mfa are the same variable (PowerShell variable names are case-insensitive).
# Each bucket is wrapped in @() so that zero or one match is still an array and .Count works.
# NOTE(review): assumes every output object carries MfaAuthMethodCount and IsLicensed —
# confirm against the script's output.
# Users with no registered MFA method vs. users with at least one.
$MFA_Inactive = @($MFA | Where-Object {$_.MfaAuthMethodCount -eq 0}) | |
$MFA_Active = @( $MFA | Where-Object {$_.MfaAuthMethodCount -gt 0}) | |
# Same split, restricted to unlicensed users.
$MFA_Inactive_NoLicense = @($MFA | Where-Object {$_.MfaAuthMethodCount -eq 0 -and $_.IsLicensed -eq $False}) | |
$MFA_Active_NoLicense = @($MFA | Where-Object {$_.MfaAuthMethodCount -gt 0 -and $_.IsLicensed -eq $False}) | |
# Same split, restricted to licensed users ($true/$False spelling differences are cosmetic).
$MFA_InActive_HasLicense = @($MFA | Where-Object {$_.MfaAuthMethodCount -eq 0 -and $_.IsLicensed -eq $true}) | |
$MFA_Active_HasLicense = @($MFA | Where-Object {$_.MfaAuthMethodCount -gt 0 -and $_.IsLicensed -eq $true}) |
########################################################################################################## | |
########################################################################################################## | |
<# | |
.SYNOPSIS | |
Analyses Azure AD users to make recommendations on how to improve their MFA stance. | |
.DESCRIPTION |
<# | |
.Synopsis | |
CI_AsrPersistenceThroughWmi_Remediation | |
.DESCRIPTION | |
Script for Configuration Manager - Configuration Item | |
CI_AsrPersistenceThroughWmi_Remediation configures the ASR rule "Block persistence through WMI event subscription" in Block mode | |
.NOTES | |
v1.0, 28.10.2020, alex verboon |
<# | |
.Synopsis | |
CI_AsrPersistenceThroughWmi_Discovery | |
.DESCRIPTION | |
Script for Configuration Manager - Configuration Item | |
CI_AsrPersistenceThroughWmi_Discovery checks whether the Defender ASR rule "Block persistence through WMI event subscription" is configured to Block or Warn | |
.NOTES |
// Query for Microsoft Defender 365 - exploring the DeviceNetworkInfo table. Identify Wi-Fi hotspots, DHCP servers, DNS servers etc. | |
DeviceNetworkInfo | |
| where Timestamp > ago (30d) | |
// | where DeviceName contains "ADD YOUR COMPUTERNAME HERE" | |
| where NetworkAdapterStatus contains "Up" | |
| extend NetworkName = tostring(parse_json(ConnectedNetworks)[0].Name) | |
| extend Description = tostring(parse_json(ConnectedNetworks)[0].Description) | |
| extend IsConnectedToInternet = tostring(parse_json(ConnectedNetworks)[0].IsConnectedToInternet) | |
| extend Category = tostring(parse_json(ConnectedNetworks)[0].Category) | |
| extend Dns1 = tostring(parse_json(DnsAddresses)[0]) |
function Set-JumpHostDefenderConfiguration | |
{ | |
<# | |
.Synopsis | |
Set-JumpHostDefenderConfiguration | |
.DESCRIPTION | |
Set-JumpHostDefenderConfiguration configures the following Defender Security settings for JumpHosts that are not | |
managed by Intune |
# convert service types | |
$sku_lookup1 = @{ | |
1 ="KernelDriver" | |
2 = "FileSystemDriver" | |
4 ="Adapter" | |
8 = "RecognizerDriver" | |
16= "Win32OwnProcess" | |
32 ="Win32ShareProcess" | |
48 = "Win32" |
# video hub: https://techcommunity.microsoft.com/t5/video-hub/bd-p/VideoHub | |
# Ignite API: - https://api.myignite.microsoft.com/api/session/all | |
# Fetch the full session catalogue over HTTPS; the call passes no credentials, so it is a
# plain public read and the raw response object is kept in $ALLSESSIONS.
$ALLSESSIONS = Invoke-WebRequest -Uri "https://api.myignite.microsoft.com/api/session/all" | |
# Piping the response object into ConvertFrom-Json relies on its string form being the body
# text; Invoke-RestMethod would hand back parsed objects directly, but the raw response is
# kept here in case later parts of the script use it.
$sessions = $ALLSESSIONS | ConvertFrom-Json; | |
# Solution Areas | |
# List the distinct SolutionArea values by name; Group-Object is used only to de-duplicate,
# the per-group counts are dropped by the following Select-Object Name.
$sessions | Select-Object -ExpandProperty SolutionArea | Group-Object | Select-Object Name | Sort-Object -Property Name | |
# Search Samples |