Skip to content

Instantly share code, notes, and snippets.

View alexverboon's full-sized avatar

Alex Verboon alexverboon

189 followers · 118 following
View GitHub Profile
@alexverboon
alexverboon / mde2sentinel.kql
Created February 22, 2021 18:28
MDE Data Ingestion to Sentinel
// The below query attempts to get the avg Size in MB per client that is send from Microosoft Defender for Endpoint to Azure Sentinel when using the M365 Defender connector
// The calculation is done as following:
// 1. Collect the Usage data for the specified table from the Usage table, for example 'DeviceFileEvents'
// 2. Collect the total # of devices that submitted information into the specified table, for example 'DeviceFileEvents"
// 3 Divide the total BillableDataGB per DataType by the total number of devices that send data to get the avg MB send by client
// 4 finally 'uniion' all tables
let xagotime = 32d;
let xstarttime = 31d;
// File Events
@alexverboon
alexverboon / DeviceNetworkEvents_Iana.kql
Created May 27, 2021 06:55
Enrich DeviceNetworkEvents with the port number Service name information
// Enrich DeviceNetworkEvents with the port number Servicename information
let iana_port_assignments = (externaldata(entry: string ) [@"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.csv"]
with (format="txt",ignoreFirstRecord=true))
//iana_port_assignments
// Service Name,Port Number,Transport Protocol,Description,Assignee,Contact,Registration Date,Modification Date,Reference,Service Code,Unauthorized Use Reported,Assignment Notes
| extend data = parse_csv(entry)
| extend ServiceName = tostring(data[0])
| extend PortNumber = toint(data[1])
| project ServiceName, PortNumber
| summarize any(ServiceName) by PortNumber
@alexverboon
alexverboon / macos mde channel.md
Created August 21, 2022 12:56
MacOS MDE channel

You can check the update channel using the following command: mdatp --health releaseRing

If your device is not already in the InsiderSlow update channel, execute the following command from the Terminal. The channel update takes effect next time the product starts (when the next product update is installed or when the device is rebooted).

defaults write com.microsoft.autoupdate2 ChannelName InsiderSlow

@alexverboon
alexverboon / DeviceNetworkInfo.kql
Created October 25, 2020 11:02
DeviceNetworkInfo
// Query for Microsoft Defender 365 - exploring devicenetwork info. Identify Wi-Fi hotspots, DHCP servers, DNS servers etc.
DeviceNetworkInfo
| where Timestamp > ago (30d)
// | where DeviceName contains "ADD YOUR COMPUTERNAME HERE"
| where NetworkAdapterStatus contains "Up"
| extend NetworkName = tostring(parse_json(ConnectedNetworks)[0].Name)
| extend Description = tostring(parse_json(ConnectedNetworks)[0].Description)
| extend IsConnectedToInternet = tostring(parse_json(ConnectedNetworks)[0].IsConnectedToInternet)
| extend Category = tostring(parse_json(ConnectedNetworks)[0].Category)
| extend Dns1 = tostring(parse_json(DnsAddresses)[0])
@alexverboon
alexverboon / Get-log4files.ps1
Created December 14, 2021 21:14
PowerShell script to find log4j-core.jar files
Function Get-log4files(){
$Drives = Get-PSDrive | Select-Object -ExpandProperty 'Name' | Select-String -Pattern '^[a-e]$'
$FileInfo = [System.Collections.ArrayList]::new()
$Filetypes = @("*.jar")
ForEach($DriveLetter in $Drives)
{
$Drive = "$DriveLetter" + ":\"
$Log4Files = Get-ChildItem -Path $Drive -Filter "*log4j-core*" -Include $Filetypes -Recurse -File -ErrorAction SilentlyContinue | Select-Object FullName
Foreach($file in $Log4Files)
{
@alexverboon
alexverboon / MDE Safe Links.md
Created March 31, 2021 15:47
@alexverboon
alexverboon / log4jvariable.ps1
Created January 13, 2022 15:22
log4j variable
[Environment]::SetEnvironmentVariable("LOG4J_FORMAT_MSG_NO_LOOKUPS", $null, [EnvironmentVariableTarget]::Machine)
@alexverboon
alexverboon / FlowDefenderATPAlertemail.html
Created March 17, 2019 20:13
Flow - Defender ATP alert email template
<!-- Windows Defender ATP e-mail alert template -->
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><style>
.alertTable {
width:750px;
background-color:white;
border-spacing:5px;
font-size:16px;
@alexverboon
alexverboon / mde_cmpivot.kql
Created December 20, 2021 11:07
CM Pivot for Defender Troubleshooting
// CM Pivot for Defender Troubleshooting
// Defender Event logs
WinEvent('Microsoft-Windows-Windows Defender/Operational', 1d)
// MDE Eent logs
WinEvent('Microsoft-Windows-SENSE/Operational', 1d)
// MDE Service Status
Service
| where Name == 'Sense'
@alexverboon
alexverboon / compare-log4j-core hashes
Created December 14, 2021 21:17
Code snippets How To Detect the Log4Shell Vulnerability (CVE-2021-44228) with Microsoft Endpoint Configuration Manager
$log4 = Get-log4files
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$vulnerablesums = -split $(Invoke-WebRequest https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes/raw/main/sha256sums.txt -UseBasicParsing).content | ? {$_.length -eq 64}
($log4 | Select-Object).FH | Compare-Object -ReferenceObject $vulnerablesums -IncludeEqual
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$chck = ((invoke-webrequest https://gist.githubusercontent.com/spasam/7b2b2e03c6dd7bd6f1029e88c7cc82ad/raw/ed104b9bed088c04069b3139ae9adbdc9b99b2ac/log4j-core.csv -UseBasicParsing).content | ConvertFrom-Csv -Delimiter "," | Select-Object).sha256
($log4 | Select-Object).FH | Compare-Object -ReferenceObject $chck -IncludeEqual