// Blocked Phish and Malware in mailflow let _startTime = datetime(2024-03-21T11:22:15Z); let _endTime = datetime(2024-04-04T11:22:15Z); EmailEvents | where Timestamp between (_startTime .. _endTime) | extend MDO_detection = parse_json(DetectionMethods) | extend FirstDetection = iif(isempty(MDO_detection), "Clean", tostring(bag_keys(MDO_detection)[0])) | extend FirstSubcategory = iif(FirstDetection != "Clean" and array_length(MDO_detection[FirstDetection]) > 0, strcat(FirstDetection, ": ", tostring(MDO_detection[FirstDetection][0])), "No Detection (clean)") | where FirstSubcategory contains "Malware" or FirstSubcategory contains "Phish" | summarize count(NetworkMessageId)
Jonathan Devere-Ellery jonade
jonade
/ FindDeviceMDOSafeLinksClick.kql
Created
August 18, 2025 07:49
Find Device which made MDO SafeLinks click
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Find Device which made MDO SafeLinks click | |
| let Hosts = AlertEvidence | |
| | where Title in ("A potentially malicious URL click was detected","A user clicked through to a potentially malicious URL") | where EntityType == "Url" | |
| | extend RemoteHost = parse_url(RemoteUrl).Host | |
| | distinct tostring(RemoteHost); | |
| DeviceEvents | |
| | where ActionType == "BrowserLaunchedToOpenUrl" | |
| | extend RemoteHost = tostring(parse_url(RemoteUrl).Host) | |
| | where RemoteHost in (Hosts) | |
| | project Timestamp, ActionType, DeviceId, DeviceName, InitiatingProcessId, InitiatingProcessCommandLine, ReportId, RemoteUrl, RemoteHost |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Thumbprint = (Get-ChildItem -Path cert:\LocalMachine\My | Where-Object {$_.Issuer -Match "Let's Encrypt"} | Sort NotBefore -Descending | Select-Object -First 1).Thumbprint | |
| $WMIpath = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path | |
| Set-WmiInstance -Path $WMIpath -Arguments @{SSLCertificateSHA1Hash=$Thumbprint} |
jonade
/ MDO-AdvancedHunting-FalseNegativePositive.kusto
Created
April 19, 2024 11:24
MDO Advanced Hunting queries - Tracking FN and FP metrics
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Blocked Phish and Malware in mailflow | |
| let _startTime = datetime(2024-03-22T00:00:00Z); | |
| let _endTime = datetime(2024-04-04T23:59:59Z); | |
| EmailEvents | |
| | where Timestamp between (_startTime .. _endTime) | |
| | extend MDO_detection = parse_json(DetectionMethods) | |
| | extend FirstDetection = iif(isempty(MDO_detection), "Clean", tostring(bag_keys(MDO_detection)[0])) | |
| | extend FirstSubcategory = iif(FirstDetection != "Clean" and array_length(MDO_detection[FirstDetection]) > 0, strcat(FirstDetection, ": ", tostring(MDO_detection[FirstDetection][0])), "No Detection (clean)") | |
| | where FirstSubcategory contains "Malware" or FirstSubcategory contains "Phish" | |
| | summarize count(NetworkMessageId) |
jonade
/ MDO-AdvancedHunting-FalseNegativePositive.md
Last active
April 4, 2024 12:52
MDO Advanced Hunting queries - False-Negative and False-Positive rates
jonade
/ MDI-AccessToken-APIRequest.md
Last active
March 4, 2024 13:34
Defender for Identity - Request MDI Access Token and make API requests
$ExoModule = Get-Module -Name "ExchangeOnlineManagement" -ListAvailable | Sort-Object Version -Descending | Select-Object -First 1
$MSAL = Join-Path $ExoModule.ModuleBase "NetFramework\Microsoft.Identity.Client.dll"
Try {Add-Type -LiteralPath $MSAL | Out-Null} Catch {}
jonade
/ BulkCloseFileHandles.ps1
Created
September 6, 2023 11:06
Use handles.exe to bulk close file handles on folder
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $handles = handle.exe "C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.4.0" -nobanner -v | ConvertFrom-Csv | |
| ForEach ($handle in $handles) { | |
| handle.exe -nobanner -c $handle.handle -p $handle.PID -y | |
| } |
jonade
/ PowerShell-ConfigureMMA.ps1
Created
May 15, 2023 13:03
Use PowerShell to configure Microsoft Monitoring Agent
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $WorkspaceID = "<WorkspaceID>" | |
| $WorkspaceKey = "<WorkspaceKey>" | |
| $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg' | |
| $mma.AddCloudWorkspace($WorkspaceID, $WorkspaceKey, 1) | |
| $mma.ReloadConfiguration() |
$STSRecord = "v=STSv1; id=$(Get-Date -UFormat +%Y%m%d%H%M%SZ)"
Add-DnsServerResourceRecord -Name "_mta-sts" -Txt -DescriptiveText $STSRecord -ZoneName "contoso.com" -TimeToLive 0:1:0:0
jonade
/ UpdateXS4ALLIPTVStaticRoute.md
Created
January 3, 2022 07:32
Updating XS4ALL IPTV static routes on Unifi USG router
sudo vbash -c 'cat > /config/scripts/tvroute.sh' << EOF
#!/bin/vbash
# configured static route target
CUR_IP=$(cat /config/config.boot | grep 213.75.112.0/21 -A1 | grep next-hop | awk '{ print $2}');
jonade
/ EXO-ODA-LogAnalyticsQueries.md
Last active
February 21, 2022 09:42
Exchange Online On-Demand Assessment - Log Analytics queries
ExchangeOnlineAssessmentRecommendation | where RecommendationResult == "Failed"
ExchangeOnlineAssessmentRecommendation | where RecommendationResult == "Failed" | sort by TimeGenerated descLook for issues with collection, likely due to MFA
NewerOlder