View mde2sentinel.kql
| // The below query attempts to get the avg Size in MB per client that is send from Microosoft Defender for Endpoint to Azure Sentinel when using the M365 Defender connector | |
| // The calculation is done as following: | |
| // 1. Collect the Usage data for the specified table from the Usage table, for example 'DeviceFileEvents' | |
| // 2. Collect the total # of devices that submitted information into the specified table, for example 'DeviceFileEvents" | |
| // 3 Divide the total BillableDataGB per DataType by the total number of devices that send data to get the avg MB send by client | |
| // 4 finally 'uniion' all tables | |
| let xagotime = 32d; | |
| let xstarttime = 31d; | |
| // File Events |
View win10versiondistribution.kql
| // Windows 10 versions https://docs.microsoft.com/en-us/windows/release-information/ | |
| DeviceInfo | |
| | where isnotempty( OSPlatform) and OSPlatform == "Windows10" | |
| | summarize arg_max(Timestamp,*) by DeviceId | |
| | extend Version = case( | |
| OSBuild == "19041","2004", | |
| OSBuild == "19042","20H2", | |
| OSBuild == "18363","1909", | |
| OSBuild == "18362","1903", | |
| OSBuild == "17763","1809", |
View get-mfastats.ps1
| # run the modified mfa info gathering script stored here | |
| # https://gist.github.com/alexverboon/f8fd3300dcf999e1a5f5554cad05030d | |
| $mfa = .\MfaAuthMethodsAnalysis.ps1 -TenantId <TENANT ID> | |
| $MFA_Inactive = @($MFA | Where-Object {$_.MfaAuthMethodCount -eq 0}) | |
| $MFA_Active = @( $MFA | Where-Object {$_.MfaAuthMethodCount -gt 0}) | |
| $MFA_Inactive_NoLicense = @($MFA | Where-Object {$_.MfaAuthMethodCount -eq 0 -and $_.IsLicensed -eq $False}) | |
| $MFA_Active_NoLicense = @($MFA | Where-Object {$_.MfaAuthMethodCount -gt 0 -and $_.IsLicensed -eq $False}) | |
| $MFA_InActive_HasLicense = @($MFA | Where-Object {$_.MfaAuthMethodCount -eq 0 -and $_.IsLicensed -eq $true}) | |
| $MFA_Active_HasLicense = @($MFA | Where-Object {$_.MfaAuthMethodCount -gt 0 -and $_.IsLicensed -eq $true}) |
View MfaAuthMethodsAnalysis.ps1
| ########################################################################################################## | |
| ########################################################################################################## | |
| <# | |
| .SYNOPSIS | |
| Analyses Azure AD users to make recommendations on how to improve their MFA stance. | |
| .DESCRIPTION |
alexverboon
/ CI_AsrPersistenceThroughWmi_Remediation.ps1
Created Oct 29, 2020
CI_AsrPersistenceThroughWmi_Remediation.ps1
View CI_AsrPersistenceThroughWmi_Remediation.ps1
| <# | |
| .Synopsis | |
| CI_AsrPersistenceThroughWmi_Remediation | |
| .DESCRIPTION | |
| Script for Configuration Manager - Configuration Item | |
| CI_AsrPersistenceThroughWmi_Remediation configures the Rule Block persistence through WMI event subscription in Block mode | |
| .NOTES | |
| v1.0, 28.10.2020, alex verboon |
alexverboon
/ CI_AsrPersistenceThroughWmi_Discovery.ps1
Created Oct 29, 2020
CI_AsrPersistenceThroughWmi_Discovery
View CI_AsrPersistenceThroughWmi_Discovery.ps1
| <# | |
| .Synopsis | |
| CI_AsrPersistenceThroughWmi_Discovery | |
| .DESCRIPTION | |
| Script for Configuration Manager - Configuration Item | |
| CI_AsrPersistenceThroughWmi_Discovery checks if the Defender ASR Rule Block persistence through WMI event subscription is configured to Block or Warn | |
| .NOTES |
View DeviceNetworkInfo.kql
| // Query for Microsoft Defender 365 - exploring devicenetwork info. Identify Wi-Fi hotspots, DHCP servers, DNS servers etc. | |
| DeviceNetworkInfo | |
| | where Timestamp > ago (30d) | |
| // | where DeviceName contains "ADD YOUR COMPUTERNAME HERE" | |
| | where NetworkAdapterStatus contains "Up" | |
| | extend NetworkName = tostring(parse_json(ConnectedNetworks)[0].Name) | |
| | extend Description = tostring(parse_json(ConnectedNetworks)[0].Description) | |
| | extend IsConnectedToInternet = tostring(parse_json(ConnectedNetworks)[0].IsConnectedToInternet) | |
| | extend Category = tostring(parse_json(ConnectedNetworks)[0].Category) | |
| | extend Dns1 = tostring(parse_json(DnsAddresses)[0]) |
alexverboon
/ Set-JumpHostDefenderConfiguration.ps1
Created Oct 10, 2020
Set-JumpHostDefenderConfiguration
View Set-JumpHostDefenderConfiguration.ps1
| function Set-JumpHostDefenderConfiguration | |
| { | |
| <# | |
| .Synopsis | |
| Set-JumpHostDefenderConfiguration | |
| .DESCRIPTION | |
| Set-JumpHostDefenderConfiguration configures the following Defender Security settings for JumpHosts that are not | |
| managed by Intune |
View servicetypes.ps1
| # convert service types | |
| $sku_lookup1 = @{ | |
| 1 ="KernelDriver" | |
| 2 = "FileSystemDriver" | |
| 4 ="Adapter" | |
| 8 = "RecognizerDriver" | |
| 16= "Win32OwnProcess" | |
| 32 ="Win32ShareProcess" | |
| 48 = "Win32" |
alexverboon
/ ignitesessionfinder.ps1
Last active Nov 1, 2020
PowerShell session finder for Ignite and video hub
View ignitesessionfinder.ps1
| # video hub: https://techcommunity.microsoft.com/t5/video-hub/bd-p/VideoHub | |
| # Ignite API: - https://api.myignite.microsoft.com/api/session/all | |
| $ALLSESSIONS = Invoke-WebRequest -Uri "https://api.myignite.microsoft.com/api/session/all" | |
| $sessions = $ALLSESSIONS | ConvertFrom-Json; | |
| # Solution Areas | |
| $sessions | Select-Object -ExpandProperty SolutionArea | Group-Object | Select-Object Name | Sort-Object -Property Name | |
| # Search Samples |
NewerOlder