Skip to content

Instantly share code, notes, and snippets.

Avatar

Alex Verboon alexverboon

52 followers · 115 following · 306
View GitHub Profile
@alexverboon
alexverboon / MDE Safe Links.md
Created Mar 31, 2021
View MDE Safe Links.md
@alexverboon
alexverboon / huntsecurityupdates.kql
Created Mar 19, 2021
Hunt for missing patches
View huntsecurityupdates.kql
let all_windows10_devices = DeviceInfo
| where isnotempty( OSArchitecture)
| extend WinVersion = case(
OSBuild == "19041","2004",
OSBuild == "19042","20H2",
OSBuild == "18363","1909",
OSBuild == "18362","1903",
OSBuild == "17763","1809",
OSBuild == "17134","1803",
OSBuild == "16299","1709",
@alexverboon
alexverboon / mde2sentinel.kql
Created Feb 22, 2021
MDE Data Ingestion to Sentinel
View mde2sentinel.kql
// The below query attempts to get the avg Size in MB per client that is send from Microosoft Defender for Endpoint to Azure Sentinel when using the M365 Defender connector
// The calculation is done as following:
// 1. Collect the Usage data for the specified table from the Usage table, for example 'DeviceFileEvents'
// 2. Collect the total # of devices that submitted information into the specified table, for example 'DeviceFileEvents"
// 3 Divide the total BillableDataGB per DataType by the total number of devices that send data to get the avg MB send by client
// 4 finally 'uniion' all tables
let xagotime = 32d;
let xstarttime = 31d;
// File Events
@alexverboon
alexverboon / win10versiondistribution.kql
Created Jan 26, 2021
KQL_Windows10versiondistribution
View win10versiondistribution.kql
// Windows 10 versions https://docs.microsoft.com/en-us/windows/release-information/
DeviceInfo
| where isnotempty( OSPlatform) and OSPlatform == "Windows10"
| summarize arg_max(Timestamp,*) by DeviceId
| extend Version = case(
OSBuild == "19041","2004",
OSBuild == "19042","20H2",
OSBuild == "18363","1909",
OSBuild == "18362","1903",
OSBuild == "17763","1809",
@alexverboon
alexverboon / get-mfastats.ps1
Last active Apr 29, 2021
Get MFA Stats
View get-mfastats.ps1
# run the modified mfa info gathering script stored here
# https://gist.github.com/alexverboon/f8fd3300dcf999e1a5f5554cad05030d
$mfa = .\MfaAuthMethodsAnalysis.ps1 -TenantId <TENANT ID>
$MFA_Inactive = @($MFA | Where-Object {$_.MfaAuthMethodCount -eq 0})
$MFA_Active = @( $MFA | Where-Object {$_.MfaAuthMethodCount -gt 0})
$MFA_Inactive_NoLicense = @($MFA | Where-Object {$_.MfaAuthMethodCount -eq 0 -and $_.IsLicensed -eq $False})
$MFA_Active_NoLicense = @($MFA | Where-Object {$_.MfaAuthMethodCount -gt 0 -and $_.IsLicensed -eq $False})
$MFA_InActive_HasLicense = @($MFA | Where-Object {$_.MfaAuthMethodCount -eq 0 -and $_.IsLicensed -eq $true})
$MFA_Active_HasLicense = @($MFA | Where-Object {$_.MfaAuthMethodCount -gt 0 -and $_.IsLicensed -eq $true})
@alexverboon
alexverboon / MfaAuthMethodsAnalysis.ps1
Created Dec 10, 2020
MfaAuthMethodsAnalysis.ps1
View MfaAuthMethodsAnalysis.ps1
##########################################################################################################
##########################################################################################################
<#
.SYNOPSIS
Analyses Azure AD users to make recommendations on how to improve their MFA stance.
.DESCRIPTION
@alexverboon
alexverboon / CI_AsrPersistenceThroughWmi_Remediation.ps1
Created Oct 29, 2020
CI_AsrPersistenceThroughWmi_Remediation.ps1
View CI_AsrPersistenceThroughWmi_Remediation.ps1
<#
.Synopsis
CI_AsrPersistenceThroughWmi_Remediation
.DESCRIPTION
Script for Configuration Manager - Configuration Item
CI_AsrPersistenceThroughWmi_Remediation configures the Rule Block persistence through WMI event subscription in Block mode
.NOTES
v1.0, 28.10.2020, alex verboon
@alexverboon
alexverboon / CI_AsrPersistenceThroughWmi_Discovery.ps1
Created Oct 29, 2020
CI_AsrPersistenceThroughWmi_Discovery
View CI_AsrPersistenceThroughWmi_Discovery.ps1
<#
.Synopsis
CI_AsrPersistenceThroughWmi_Discovery
.DESCRIPTION
Script for Configuration Manager - Configuration Item
CI_AsrPersistenceThroughWmi_Discovery checks if the Defender ASR Rule Block persistence through WMI event subscription is configured to Block or Warn
.NOTES
@alexverboon
alexverboon / DeviceNetworkInfo.kql
Created Oct 25, 2020
DeviceNetworkInfo
View DeviceNetworkInfo.kql
// Query for Microsoft Defender 365 - exploring devicenetwork info. Identify Wi-Fi hotspots, DHCP servers, DNS servers etc.
DeviceNetworkInfo
| where Timestamp > ago (30d)
// | where DeviceName contains "ADD YOUR COMPUTERNAME HERE"
| where NetworkAdapterStatus contains "Up"
| extend NetworkName = tostring(parse_json(ConnectedNetworks)[0].Name)
| extend Description = tostring(parse_json(ConnectedNetworks)[0].Description)
| extend IsConnectedToInternet = tostring(parse_json(ConnectedNetworks)[0].IsConnectedToInternet)
| extend Category = tostring(parse_json(ConnectedNetworks)[0].Category)
| extend Dns1 = tostring(parse_json(DnsAddresses)[0])
@alexverboon
alexverboon / Set-JumpHostDefenderConfiguration.ps1
Created Oct 10, 2020
Set-JumpHostDefenderConfiguration
View Set-JumpHostDefenderConfiguration.ps1
function Set-JumpHostDefenderConfiguration
{
<#
.Synopsis
Set-JumpHostDefenderConfiguration
.DESCRIPTION
Set-JumpHostDefenderConfiguration configures the following Defender Security settings for JumpHosts that are not
managed by Intune