Jon Bryan jkbryan

## LogParser-Files-User.sql
SELECT * INTO C:\TEMP\Output\output.csv
FROM C:\TEMP\Logs\*
WHERE  TimeWritten > TIMESTAMP ( '2009-01-01 01:00:00', 'yyyy-MM-dd hh:mm:ss' ) AND SourceName = 'Microsoft-Windows-Security-Auditing' AND
       ( Strings LIKE '%jon%' OR strings LIKE '%dave%')

## LogParser-Servers-User.sql
SELECT * INTO C:\TEMP\Output\output.csv
FROM \\DC01.OHOLICS.NET\security;\\DC02.OHOLICS.NET\security;\\DC03.OHOLICS.NET\security
WHERE  TimeWritten > TIMESTAMP ( '2009-01-01 01:00:00', 'yyyy-MM-dd hh:mm:ss' ) AND SourceName = 'Microsoft-Windows-Security-Auditing' AND
       ( Strings LIKE '%jon%' OR strings LIKE '%dave%')

## LogParser-Server-User.sql
SELECT * INTO C:\TEMP\Output\output.csv
FROM \\DC01.OHOLICS.NET\security
WHERE  TimeWritten > TIMESTAMP ( '2009-01-01 01:00:00', 'yyyy-MM-dd hh:mm:ss' ) AND SourceName = 'Microsoft-Windows-Security-Auditing' AND
       ( Strings LIKE '%jon%' OR strings LIKE '%dave%')

## LogParserRedaction.sql
SELECT
	EventLog,
	RecordNumber,
	TimeGenerated,
	TimeWritten,
	EventID,
	EventType,
	EventTypeName,
	EventCategory,
	EventCategoryName,

## Get-AzureNSGs.ps1
Connect-AzureRmAccount
$Subscription = "<Subscription-GUID>"
$LogFile = "C:\<PATH>\NSGs.csv"
If (Test-Path $Logfile) {
    Clear-Content -Path $Logfile
}
Add-Content $LogFile "nsg,rule,protocol,SourcePortRange,DestinationPortRange,SourceAddressPrefix,DestinationAddressPrefix,SourceApplicationSecurityGroups,DestinationApplicationSecurityGroups,Access,Priority,Direction"
Set-AzureRmContext -Subscription $Subscription
$NSGs = Get-AzureRmNetworkSecurityGroup
foreach ($nsg in $NSGs) {

## Get-AzureRoutes.ps1
Connect-AzureRmAccount
$Subscription = "<Subscription-GUID>"
$LogFile = "C:\<PATH>\RouteTables.csv"
If (Test-Path $Logfile) {
    Clear-Content -Path $Logfile
}
Add-Content $Logfile "Name,ResourceGroupName,Location,RouteName,Id,Etag,ProvisioningState,AddressPrefix,NextHopType,NextHopIpAddress"
Set-AzureRmContext -Subscription $Subscription
$RTs = Get-AzureRmRouteTable
ForEach ($RT in $RTs) {

## ConnectToAzureADOrAzureRM.ps1
$TenantId = "<AzureADTenantID>"
$ApplicationId = "<AppID>"
$Cert=Get-ChildItem cert:\CurrentUser\My\"<CertificateThumbprint>"
# Connect to Azure AD:
Connect-AzureAD -TenantId $TenantId -ApplicationId $ApplicationId -CertificateThumbprint $Cert.Thumbprint
# e.g. Get-AzureADUsers
# Connect to AzureRM:
Connect-AzureRmAccount -CertificateThumbprint $Cert.Thumbprint -ApplicationId $ApplicationId -Tenant $TenantId -ServicePrincipal
# e.g. Get-AzureRMResourceGroup

## GrantServicePrincipleAzureSubscriptionReadAccess.ps1
$Subscription = "<Subscription-GUID>"
$ApplicationName = "<AppName>"
$ServicePrincipal = Get-AzureRMADServicePrincipal -DisplayName $ApplicationName
Set-AzureRmContext -Subscription $Subscription
$NewRole = $null
$Retries = 0;
While ($NewRole -eq $null -and $Retries -le 6) {
    Sleep 15
    New-AzureRMRoleAssignment -ResourceGroupName -RoleDefinitionName Reader -ServicePrincipalName $ServicePrincipal.ApplicationId | Write-Verbose -ErrorAction SilentlyContinue
    $NewRole = Get-AzureRMRoleAssignment -ObjectId $ServicePrincipal.Id -ErrorAction SilentlyContinue

## CreateAzureServicePrinciple.ps1
$Subscription = "<Subscription-GUID>"
$PathToPFXCertificate = "C:\<PATH>\<CertName>.pfx"
$PFXPassword = "<Password>"
$CertPassword = ConvertTo-SecureString $PFXPassword -AsPlainText -Force
$ApplicationName = "<AppName>"
Import-Module AzureRM.Resources
Connect-AzureRmAccount
Set-AzureRmContext -Subscription $Subscription
$PFXCert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($PathToPFXCertificate, $CertPassword)
$KeyValue = [System.Convert]::ToBase64String($PFXCert.GetRawCertData())

## openssl.cfg
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME			= .
RANDFILE		= $ENV::HOME/.rnd
	SELECT * INTO C:\TEMP\Output\output.csv
	FROM C:\TEMP\Logs\*
	WHERE TimeWritten > TIMESTAMP ( '2009-01-01 01:00:00', 'yyyy-MM-dd hh:mm:ss' ) AND SourceName = 'Microsoft-Windows-Security-Auditing' AND
	( Strings LIKE '%jon%' OR strings LIKE '%dave%')
	SELECT * INTO C:\TEMP\Output\output.csv
	FROM \\DC01.OHOLICS.NET\security;\\DC02.OHOLICS.NET\security;\\DC03.OHOLICS.NET\security
	WHERE TimeWritten > TIMESTAMP ( '2009-01-01 01:00:00', 'yyyy-MM-dd hh:mm:ss' ) AND SourceName = 'Microsoft-Windows-Security-Auditing' AND
	( Strings LIKE '%jon%' OR strings LIKE '%dave%')
	SELECT * INTO C:\TEMP\Output\output.csv
	FROM \\DC01.OHOLICS.NET\security
	WHERE TimeWritten > TIMESTAMP ( '2009-01-01 01:00:00', 'yyyy-MM-dd hh:mm:ss' ) AND SourceName = 'Microsoft-Windows-Security-Auditing' AND
	( Strings LIKE '%jon%' OR strings LIKE '%dave%')
	SELECT
	EventLog,
	RecordNumber,
	TimeGenerated,
	TimeWritten,
	EventID,
	EventType,
	EventTypeName,
	EventCategory,
	EventCategoryName,
	Connect-AzureRmAccount
	$Subscription = "<Subscription-GUID>"
	$LogFile = "C:\<PATH>\NSGs.csv"
	If (Test-Path $Logfile) {
	Clear-Content -Path $Logfile
	}
	Add-Content $LogFile "nsg,rule,protocol,SourcePortRange,DestinationPortRange,SourceAddressPrefix,DestinationAddressPrefix,SourceApplicationSecurityGroups,DestinationApplicationSecurityGroups,Access,Priority,Direction"
	Set-AzureRmContext -Subscription $Subscription
	$NSGs = Get-AzureRmNetworkSecurityGroup
	foreach ($nsg in $NSGs) {
	Connect-AzureRmAccount
	$Subscription = "<Subscription-GUID>"
	$LogFile = "C:\<PATH>\RouteTables.csv"
	If (Test-Path $Logfile) {
	Clear-Content -Path $Logfile
	}
	Add-Content $Logfile "Name,ResourceGroupName,Location,RouteName,Id,Etag,ProvisioningState,AddressPrefix,NextHopType,NextHopIpAddress"
	Set-AzureRmContext -Subscription $Subscription
	$RTs = Get-AzureRmRouteTable
	ForEach ($RT in $RTs) {
	$TenantId = "<AzureADTenantID>"
	$ApplicationId = "<AppID>"
	$Cert=Get-ChildItem cert:\CurrentUser\My\"<CertificateThumbprint>"
	# Connect to Azure AD:
	Connect-AzureAD -TenantId $TenantId -ApplicationId $ApplicationId -CertificateThumbprint $Cert.Thumbprint
	# e.g. Get-AzureADUsers
	# Connect to AzureRM:
	Connect-AzureRmAccount -CertificateThumbprint $Cert.Thumbprint -ApplicationId $ApplicationId -Tenant $TenantId -ServicePrincipal
	# e.g. Get-AzureRMResourceGroup
	$Subscription = "<Subscription-GUID>"
	$ApplicationName = "<AppName>"
	$ServicePrincipal = Get-AzureRMADServicePrincipal -DisplayName $ApplicationName
	Set-AzureRmContext -Subscription $Subscription
	$NewRole = $null
	$Retries = 0;
	While ($NewRole -eq $null -and $Retries -le 6) {
	Sleep 15
	New-AzureRMRoleAssignment -ResourceGroupName -RoleDefinitionName Reader -ServicePrincipalName $ServicePrincipal.ApplicationId \| Write-Verbose -ErrorAction SilentlyContinue
	$NewRole = Get-AzureRMRoleAssignment -ObjectId $ServicePrincipal.Id -ErrorAction SilentlyContinue
	$Subscription = "<Subscription-GUID>"
	$PathToPFXCertificate = "C:\<PATH>\<CertName>.pfx"
	$PFXPassword = "<Password>"
	$CertPassword = ConvertTo-SecureString $PFXPassword -AsPlainText -Force
	$ApplicationName = "<AppName>"
	Import-Module AzureRM.Resources
	Connect-AzureRmAccount
	Set-AzureRmContext -Subscription $Subscription
	$PFXCert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($PathToPFXCertificate, $CertPassword)
	$KeyValue = [System.Convert]::ToBase64String($PFXCert.GetRawCertData())
	#
	# OpenSSL example configuration file.
	# This is mostly being used for generation of certificate requests.
	#

	# This definition stops the following lines choking if HOME isn't
	# defined.
	HOME = .
	RANDFILE = $ENV::HOME/.rnd