Jon Bryan jkbryan
@jkbryan
jkbryan / Get-AzureRoleAssignments.ps1
Created Apr 12, 2019
Script to report on all role assignments to a subscription, or optionally to look for a named user's role assignments.
Connect-AzureRmAccount
$Logfile = "C:\Temp\RoleAssignmentsLog.csv"
If (Test-Path $Logfile) {
Clear-Content -Path $Logfile
}
$Subscription1 = "<SubscriptionGUID>"
$Subscription2 = "<SubscriptionGUID>"
Add-Content $Logfile "RG/Subscription,RoleDefinitionName,DisplayName,SignInName,ObjectType"
#Do first subscription top level
Set-AzureRmContext -Subscription $Subscription1
@jkbryan
jkbryan / BACKUP_AND_CLEAR_EVENTLOGS.ps1
Last active Mar 11, 2019
Script to first back up to file, copy to archive(s) and then clear Windows security event logs.
Param(
$computer,
[switch]$clear
)
Function DeleteOldEventLogs {
# Clear old local log files - 7 days kept
$LogdateFormat = "dd-MM-yyyy"
$Logdate = Get-Date -Format $LogdateFormat
$CleanupExec = "C:\BackupScript\DELETEOLD.PS1 -folderpath C:\Event_Logs -fileage 7 -logfile C:\Event_Logs\leanupLog_$Logdate.txt -verboselog"
Invoke-Expression $CleanupExec
@jkbryan
jkbryan / LogParser-Files-User.sql
Created Mar 9, 2019
Find strings like 'jon' or 'dave' in the exported security event log(s) held in C:\TEMP\logs
SELECT * INTO C:\TEMP\Output\output.csv
FROM C:\TEMP\Logs\*
WHERE TimeWritten > TIMESTAMP ( '2009-01-01 01:00:00', 'yyyy-MM-dd hh:mm:ss' ) AND SourceName = 'Microsoft-Windows-Security-Auditing' AND
( Strings LIKE '%jon%' OR strings LIKE '%dave%')
@jkbryan
jkbryan / LogParser-Servers-User.sql
Created Mar 8, 2019
Find strings like 'jon' or 'dave' in the security event log of the servers named DC01.OHOLICS.NET, DC02.OHOLICS.NET and DC03.OHOLICS.NET
SELECT * INTO C:\TEMP\Output\output.csv
FROM \\DC01.OHOLICS.NET\security;\\DC02.OHOLICS.NET\security;\\DC03.OHOLICS.NET\security
WHERE TimeWritten > TIMESTAMP ( '2009-01-01 01:00:00', 'yyyy-MM-dd hh:mm:ss' ) AND SourceName = 'Microsoft-Windows-Security-Auditing' AND
( Strings LIKE '%jon%' OR strings LIKE '%dave%')
@jkbryan
jkbryan / LogParser-Server-User.sql
Created Mar 8, 2019
Find strings like 'jon' or 'dave' in the security event log of a server named DC01.OHOLICS.NET
SELECT * INTO C:\TEMP\Output\output.csv
FROM \\DC01.OHOLICS.NET\security
WHERE TimeWritten > TIMESTAMP ( '2009-01-01 01:00:00', 'yyyy-MM-dd hh:mm:ss' ) AND SourceName = 'Microsoft-Windows-Security-Auditing' AND
( Strings LIKE '%jon%' OR strings LIKE '%dave%')
@jkbryan
jkbryan / LogParserRedaction.sql
Last active Mar 7, 2019
LogParserRedactionSQL
SELECT
EventLog,
RecordNumber,
TimeGenerated,
TimeWritten,
EventID,
EventType,
EventTypeName,
EventCategory,
EventCategoryName,
@jkbryan
jkbryan / Get-AzureNSGs.ps1
Last active Feb 8, 2019
A script to export Azure NSGs to a CSV file
Connect-AzureRmAccount
$Subscription = "<Subscription-GUID>"
$LogFile = "C:\<PATH>\NSGs.csv"
If (Test-Path $Logfile) {
Clear-Content -Path $Logfile
}
Add-Content $LogFile "nsg,rule,protocol,SourcePortRange,DestinationPortRange,SourceAddressPrefix,DestinationAddressPrefix,SourceApplicationSecurityGroups,DestinationApplicationSecurityGroups,Access,Priority,Direction"
Set-AzureRmContext -Subscription $Subscription
$NSGs = Get-AzureRmNetworkSecurityGroup
foreach ($nsg in $NSGs) {
@jkbryan
jkbryan / Get-AzureRoutes.ps1
Created Feb 8, 2019
A script to export Azure Route Tables to a CSV file
Connect-AzureRmAccount
$Subscription = "<Subscription-GUID>"
$LogFile = "C:\<PATH>\RouteTables.csv"
If (Test-Path $Logfile) {
Clear-Content -Path $Logfile
}
Add-Content $Logfile "Name,ResourceGroupName,Location,RouteName,Id,Etag,ProvisioningState,AddressPrefix,NextHopType,NextHopIpAddress"
Set-AzureRmContext -Subscription $Subscription
$RTs = Get-AzureRmRouteTable
ForEach ($RT in $RTs) {
@jkbryan
jkbryan / ConnectToAzureADOrAzureRM.ps1
Created Jan 30, 2019
Use the Service Principal created previously to connect to services - Azure AD and AzureRM as examples
$TenantId = "<AzureADTenantID>"
$ApplicationId = "<AppID>"
$Cert=Get-ChildItem cert:\CurrentUser\My\"<CertificateThumbprint>"
# Connect to Azure AD:
Connect-AzureAD -TenantId $TenantId -ApplicationId $ApplicationId -CertificateThumbprint $Cert.Thumbprint
# e.g. Get-AzureADUser
# Connect to AzureRM:
Connect-AzureRmAccount -CertificateThumbprint $Cert.Thumbprint -ApplicationId $ApplicationId -Tenant $TenantId -ServicePrincipal
# e.g. Get-AzureRMResourceGroup
@jkbryan
jkbryan / GrantServicePrincipleAzureSubscriptionReadAccess.ps1
Created Jan 30, 2019
Grants an Azure Service Principal READ access to the Subscription
$Subscription = "<Subscription-GUID>"
$ApplicationName = "<AppName>"
$ServicePrincipal = Get-AzureRMADServicePrincipal -DisplayName $ApplicationName
Set-AzureRmContext -Subscription $Subscription
$NewRole = $null
$Retries = 0;
While ($NewRole -eq $null -and $Retries -le 6) {
Sleep 15
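# Assign Reader at subscription scope; a bare -ResourceGroupName with no value is a parameter error
New-AzureRMRoleAssignment -Scope "/subscriptions/$Subscription" -RoleDefinitionName Reader -ServicePrincipalName $ServicePrincipal.ApplicationId | Write-Verbose -ErrorAction SilentlyContinue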
$NewRole = Get-AzureRMRoleAssignment -ObjectId $ServicePrincipal.Id -ErrorAction SilentlyContinue