Alex Verboon (alexverboon)

alexverboon / mde2sentinel.kql
Created Feb 22, 2021
MDE Data Ingestion to Sentinel
// The query below estimates the average size in MB per device that Microsoft Defender for Endpoint sends to Azure Sentinel
// through the Microsoft 365 Defender connector. The calculation is done as follows:
// 1. Collect the usage data for the specified table from the Usage table, for example 'DeviceFileEvents'
// 2. Collect the total number of devices that submitted data into that table, for example 'DeviceFileEvents'
// 3. Divide the total BillableDataGB per DataType by the number of devices that sent data to get the average MB sent per device
// 4. Finally 'union' the results for all tables
let xagotime = 32d;
let xstarttime = 31d;
// File Events
alexverboon / win10versiondistribution.kql
Created Jan 26, 2021
KQL_Windows10versiondistribution
// Windows 10 versions https://docs.microsoft.com/en-us/windows/release-information/
// Maps the OSBuild reported by each device to its Windows 10 release name (latest DeviceInfo record per device)
DeviceInfo
| where OSPlatform == "Windows10"
| summarize arg_max(Timestamp, *) by DeviceId
| extend Version = case(
    OSBuild == "19041", "2004",
    OSBuild == "19042", "20H2",
    OSBuild == "18363", "1909",
    OSBuild == "18362", "1903",
    OSBuild == "17763", "1809",
    strcat("Other (", OSBuild, ")"))
alexverboon / get-mfastats.ps1
# run the modified MFA info gathering script stored here
# https://gist.github.com/alexverboon/f8fd3300dcf999e1a5f5554cad05030d
$MFA = .\MfaAuthMethodsAnalysis.ps1 -TenantId <TENANT ID>
# split users by whether they have registered at least one MFA method, then by licence state
$MFA_Inactive = @($MFA | Where-Object { $_.MfaAuthMethodCount -eq 0 })
$MFA_Active = @($MFA | Where-Object { $_.MfaAuthMethodCount -gt 0 })
$MFA_Inactive_NoLicense = @($MFA | Where-Object { $_.MfaAuthMethodCount -eq 0 -and $_.IsLicensed -eq $false })
$MFA_Active_NoLicense = @($MFA | Where-Object { $_.MfaAuthMethodCount -gt 0 -and $_.IsLicensed -eq $false })
$MFA_Inactive_HasLicense = @($MFA | Where-Object { $_.MfaAuthMethodCount -eq 0 -and $_.IsLicensed -eq $true })
$MFA_Active_HasLicense = @($MFA | Where-Object { $_.MfaAuthMethodCount -gt 0 -and $_.IsLicensed -eq $true })
alexverboon / MfaAuthMethodsAnalysis.ps1
##########################################################################################################
##########################################################################################################
<#
.SYNOPSIS
Analyses Azure AD users to make recommendations on how to improve their MFA stance.
.DESCRIPTION
alexverboon / CI_AsrPersistenceThroughWmi_Remediation.ps1
Created Oct 29, 2020
CI_AsrPersistenceThroughWmi_Remediation.ps1
<#
.Synopsis
CI_AsrPersistenceThroughWmi_Remediation
.DESCRIPTION
Script for Configuration Manager - Configuration Item (remediation script)
CI_AsrPersistenceThroughWmi_Remediation configures the Defender ASR rule "Block persistence through WMI event subscription" in Block mode
.NOTES
v1.0, 28.10.2020, alex verboon
alexverboon / CI_AsrPersistenceThroughWmi_Discovery.ps1
Created Oct 29, 2020
CI_AsrPersistenceThroughWmi_Discovery
<#
.Synopsis
CI_AsrPersistenceThroughWmi_Discovery
.DESCRIPTION
Script for Configuration Manager - Configuration Item (discovery script)
CI_AsrPersistenceThroughWmi_Discovery checks whether the Defender ASR rule "Block persistence through WMI event subscription" is configured in Block or Warn mode
.NOTES
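Added example, not one of the gists above and not Microsoft's code: the discovery and remediation logic a Configuration Manager Configuration Item needs for the ASR rule "Block persistence through WMI event subscription", in one place. It assumes the Defender PowerShell module (Get-MpPreference / Add-MpPreference) and an elevated shell; the rule GUID is the one Microsoft documents for this rule, the action-code mapping is Defender's (0 Disabled, 1 Block, 2 Audit, 6 Warn), and the function names are my own.

```powershell
# Added example (not from the gists): discovery + remediation for the ASR rule
# "Block persistence through WMI event subscription", as a ConfigMgr CI would run them.
# Assumes the Defender module (Get-MpPreference / Add-MpPreference) and an elevated shell.

# Rule GUID from Microsoft's ASR rule reference. Get-MpPreference exposes the configured
# rules as two parallel arrays: AttackSurfaceReductionRules_Ids and _Actions.
$WmiPersistenceRuleId = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleAction {
    # Returns Disabled / Block / Audit / Warn, or NotConfigured if the rule is absent on this device.
    param([Parameter(Mandatory)][string]$RuleId)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {          # GUID compare is case-insensitive
            $code = [int]$actions[$i]
            if ($AsrActionNames.ContainsKey($code)) { return $AsrActionNames[$code] }
            return "Unknown($code)"
        }
    }
    return 'NotConfigured'
}

function Test-AsrWmiPersistenceRule {
    # Discovery script body: compliant only when the rule actually blocks or warns.
    # Audit mode merely logs WMI persistence attempts, so it is treated as non-compliant.
    $action = Get-AsrRuleAction -RuleId $WmiPersistenceRuleId
    if ($action -in @('Block', 'Warn')) { 'Compliant' } else { "NonCompliant ($action)" }
}

function Set-AsrWmiPersistenceRuleBlock {
    # Remediation script body: set the rule to Block. Add-MpPreference replaces the action of an
    # already-configured rule, so this is safe whether the rule is absent, Audit or Warn.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $WmiPersistenceRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled   # Enabled = Block mode
    Get-AsrRuleAction -RuleId $WmiPersistenceRuleId                  # re-read to confirm the change took
}

# Discovery first; remediate only when the CI reports non-compliance.
$state = Test-AsrWmiPersistenceRule
Write-Output "Discovery: $state"
if ($state -ne 'Compliant') {
    Write-Output ("Remediation result: " + (Set-AsrWmiPersistenceRuleBlock))
}
```

Defender settings delivered by Intune or Group Policy take precedence over Add-MpPreference, so on policy-managed devices the remediation is overwritten at the next policy refresh; a CI like this only makes sense for devices that are not managed that way, which is the same scope as the jump-host script further down. In the ConfigMgr CI, the compliance rule compares the discovery script's output with the string Compliant.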
alexverboon / DeviceNetworkInfo.kql
// Query for Microsoft 365 Defender advanced hunting - exploring DeviceNetworkInfo. Identify Wi-Fi networks, DHCP servers, DNS servers etc.
// ConnectedNetworks and DnsAddresses are JSON arrays; only the first entry of each is expanded here.
DeviceNetworkInfo
| where Timestamp > ago(30d)
// | where DeviceName contains "ADD YOUR COMPUTERNAME HERE"
| where NetworkAdapterStatus == "Up"
| extend Net = parse_json(ConnectedNetworks)[0]
| extend NetworkName = tostring(Net.Name)
| extend Description = tostring(Net.Description)
| extend IsConnectedToInternet = tostring(Net.IsConnectedToInternet)
| extend Category = tostring(Net.Category)
| extend Dns1 = tostring(parse_json(DnsAddresses)[0])
alexverboon / Set-JumpHostDefenderConfiguration.ps1
function Set-JumpHostDefenderConfiguration
{
<#
.Synopsis
Set-JumpHostDefenderConfiguration
.DESCRIPTION
Set-JumpHostDefenderConfiguration configures the following Defender Security settings for JumpHosts that are not
managed by Intune
alexverboon / servicetypes.ps1
# convert service Type values (Win32 SERVICE_* constants) to names
$sku_lookup1 = @{
    1  = "KernelDriver"
    2  = "FileSystemDriver"
    4  = "Adapter"
    8  = "RecognizerDriver"
    16 = "Win32OwnProcess"
    32 = "Win32ShareProcess"
    48 = "Win32"   # Win32OwnProcess + Win32ShareProcess combined
}
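Added example, not part of the servicetypes.ps1 gist: the Type value is a bitmask, so decoding its flags (the winnt.h SERVICE_* constants, including the user-service bits 0x40/0x80 and the 0x100 interactive-process bit that the lookup table above does not cover) handles combined values such as 0x110 or 0xD0 that an exact-value lookup misses. The function names are my own; the registry sweep assumes an elevated shell so that all service keys are readable.

```powershell
# Added example (not from the gist): decode the Win32 service Type bitmask instead of
# matching exact numbers. Flag values are the SERVICE_* constants from winnt.h.
$ServiceTypeFlags = [ordered]@{
    0x001 = 'KernelDriver'
    0x002 = 'FileSystemDriver'
    0x004 = 'Adapter'
    0x008 = 'RecognizerDriver'
    0x010 = 'Win32OwnProcess'
    0x020 = 'Win32ShareProcess'
    0x040 = 'UserService'           # template for per-user services
    0x080 = 'UserServiceInstance'   # instantiated per-user service (Type 0xD0 / 0xE0)
    0x100 = 'InteractiveProcess'    # service may interact with the desktop
}

function ConvertFrom-ServiceType {
    # Returns the names of all flags set in a service Type value, joined with '+'.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][int]$Type)
    process {
        $names = foreach ($flag in $ServiceTypeFlags.Keys) {
            if ($Type -band $flag) { $ServiceTypeFlags[$flag] }
        }
        if (-not $names) { $names = @('Unknown(0x{0:X})' -f $Type) }
        $names -join '+'
    }
}

function Get-InteractiveService {
    # Lists services whose Type has the InteractiveProcess bit set. Reads the registry rather
    # than Get-Service so that driver entries are included; needs an elevated shell for all keys.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $type = $_.GetValue('Type')
            if ($null -ne $type -and ($type -band 0x100)) {
                [pscustomobject]@{
                    Name      = $_.PSChildName
                    Type      = '0x{0:X}' -f $type
                    Decoded   = ConvertFrom-ServiceType -Type $type
                    ImagePath = $_.GetValue('ImagePath')
                }
            }
        }
}

# Usage: decode a few values, then list interactive services on this host.
0x10, 0x110, 0xE0 | ConvertFrom-ServiceType
Get-InteractiveService | Format-Table -AutoSize
```

0x110 decodes to Win32OwnProcess+InteractiveProcess, which is the combination worth reviewing: since Session 0 isolation, a service that still requests desktop interaction is either legacy or misconfigured.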
alexverboon / ignitesessionfinder.ps1
Last active Nov 1, 2020
PowerShell session finder for Ignite and video hub
# video hub: https://techcommunity.microsoft.com/t5/video-hub/bd-p/VideoHub
# Ignite API: - https://api.myignite.microsoft.com/api/session/all
$ALLSESSIONS = Invoke-WebRequest -Uri "https://api.myignite.microsoft.com/api/session/all"
$sessions = $ALLSESSIONS | ConvertFrom-Json;
# Solution Areas
$sessions | Select-Object -ExpandProperty SolutionArea | Group-Object | Select-Object Name | Sort-Object -Property Name
# Search Samples