#region Install Modules
# The AzureRM.OperationalInsights module supplies the *-AzureRmOperationalInsights* cmdlets
# used by the queries below. Choose ONE of the two installs:
#   - the first is the all-users install and, per the author's note, needs a
#     "Run as Administrator" session;
#   - the second installs for the current user only and needs no elevation.
Find-Module -Name AzureRM.OperationalInsights | Install-Module
# Or run as the current user
Install-Module -Name AzureRM.OperationalInsights -Scope CurrentUser
#endregion
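#region Auto Logon to Azure & choose Azure subscription
### Log into Azure with an Organisational Account
# Prompt for the credential instead of embedding the password in the script:
# a plaintext password in a saved .ps1 (or a public gist) is a credential leak,
# and ConvertTo-SecureString -AsPlainText only wraps it after the fact.
# For unattended runs use a service principal (Login-AzureRmAccount -ServicePrincipal)
# rather than a stored user password.
$Cred = Get-Credential -Message "Azure organisational account (e.g. account@TenantName.onmicrosoft.com)"
Login-AzureRmAccount -Credential $Cred
# Pick the subscription to work in. Out-GridView returns $null when the dialog is
# cancelled, so stop here rather than continuing with no subscription selected.
$Subscription = Get-AzureRmSubscription |
    Out-GridView -Title "Choose a Source & Target Subscription ..." -PassThru
if (-not $Subscription) {
    throw "No subscription selected."
}
Get-AzureRmSubscription -SubscriptionName $Subscription.SubscriptionName -WarningAction SilentlyContinue |
    Select-AzureRmSubscription
#endregion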
# Target workspace; every query below is scoped to these two values.
$ResourceGroupName = 'mms-eus'
# NOTE(review): this value looks like a GUID rather than a friendly name, yet the
# cmdlets below pass it as -WorkspaceName - confirm in the portal that it is the
# workspace's name and not its workspace/customer ID.
$WorkSpaceName = 'c6d60c3c-3f1d-412d-a736-0338f372d709'
##########################################################################################
################################# Saved Searches ##################################
##########################################################################################
# Workspace parameters shared by the saved-search cmdlets, splatted below.
$savedSearchScope = @{
    ResourceGroupName = $ResourceGroupName
    WorkspaceName     = $WorkSpaceName
}

# List every saved search in the workspace: its ID plus the Category and
# DisplayName taken from the properties bag.
$query = Get-AzureRmOperationalInsightsSavedSearch @savedSearchScope
$savedSearchColumns = @(
    'ID'
    @{ Name = 'Category';    Expression = { $_.properties.Category } }
    @{ Name = 'DisplayName'; Expression = { $_.properties.DisplayName } }
)
$query.value | Format-List -Property $savedSearchColumns

# Run a saved search - Saved Search name 01
# The -SavedSearchId appears to follow "<category>|<display name>", matching the
# listing above; each returned value is a JSON document, hence ConvertFrom-Json.
$result = Get-AzureRmOperationalInsightsSavedSearchResults @savedSearchScope `
    -SavedSearchId "system update assessment|Saved Search name 01"
$result.value | ConvertFrom-Json

# Run a saved search - Saved Search name 02
$result = Get-AzureRmOperationalInsightsSavedSearchResults @savedSearchScope `
    -SavedSearchId "alert management|Saved Search name 02"
$result.value | ConvertFrom-Json
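##########################################################################################
############################### Identity & Access #################################
##########################################################################################
# Parameters shared by every search in this section. -Top 20 caps each result
# set at 20 rows, so on a busy workspace the output is silently truncated;
# raise it or narrow the Start/End window when the complete set is needed.
$identityScope = @{
    ResourceGroupName = $ResourceGroupName
    WorkspaceName     = $WorkSpaceName
    Top               = 20
}

# Identity & Access - Number of security events per user name
$dynamicQuery = "Type=SecurityEvent | Measure count() by TargetUserName"
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-17T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults @identityScope `
    -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime
$result.Value | ConvertFrom-Json

# Identity & Access - Failed logons (EventID 4625) for one user name.
# (The heading previously duplicated the one above; the query is per-user, not a count.)
# 'UserName' is a placeholder - substitute the account under review.
$dynamicQuery = "Type=SecurityEvent TargetUserName=UserName EventID=4625"
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-17T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults @identityScope `
    -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime
$result.Value | ConvertFrom-Json

# Identity & Access - Grouped Accounts Failed Logons
# Failed-logon count per TargetAccount; a spike on one account is the usual
# brute-force / password-guessing indicator. Note this window ends a day later
# (10-18) than the two queries above (10-17).
$dynamicQuery = 'Type=SecurityEvent EventID=4625 | measure count() by TargetAccount'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults @identityScope `
    -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime
$result.Value | ConvertFrom-Json

# Identity & Access - Failed Logons by a specific account
# "ADMINISTRATOR" is an example target account; change it to the account of interest.
$dynamicQuery = 'Type=SecurityEvent EventID=4625 TargetAccount="ADMINISTRATOR"'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults @identityScope `
    -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime
$result.Value | ConvertFrom-Json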
##########################################################################################
############################## Threat Intelligence ################################
##########################################################################################
# Shared workspace parameters for this section; both searches use the same
# 2016-10-10 .. 2016-10-18 window and a 20-row cap.
$threatScope = @{
    ResourceGroupName = $ResourceGroupName
    WorkspaceName     = $WorkSpaceName
    Top               = 20
}

# Threat Intelligence - Threats
# Records carrying a MaliciousIP match (with a country on either side), taken from
# outbound and inbound WireData / CommonSecurityLog plus W3CIISLog, counted per
# IndicatorThreatType.
$dynamicQuery = 'MaliciousIP=* AND (RemoteIPCountry=* OR MaliciousIPCountry=*) AND (((Type=WireData AND Direction=Outbound) OR (Type=CommonSecurityLog AND CommunicationDirection=Outbound)) OR (Type=W3CIISLog OR (Type = WireData AND Direction= Inbound) OR (Type = CommonSecurityLog AND CommunicationDirection= Inbound))) | measure count() by IndicatorThreatType'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults @threatScope `
    -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime
$result.Value | ConvertFrom-Json

# Threat Intelligence - Look at all Botnets
# Same record selection as above, but filtered to IndicatorThreatType=Botnet and
# returned as raw records rather than a count.
$dynamicQuery = 'MaliciousIP=* AND (RemoteIPCountry=* OR MaliciousIPCountry=*) AND (((Type=WireData AND Direction=Outbound) OR (Type=CommonSecurityLog AND CommunicationDirection=Outbound)) OR (Type=W3CIISLog OR (Type = WireData AND Direction= Inbound) OR (Type = CommonSecurityLog AND CommunicationDirection= Inbound))) IndicatorThreatType=Botnet'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults @threatScope `
    -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime
$result.Value | ConvertFrom-Json
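##########################################################################################
######################### Security Baseline Assessment ############################
##########################################################################################
# Shared workspace parameters for this section (same 10-10 .. 10-18 window, 20-row cap).
$baselineScope = @{
    ResourceGroupName = $ResourceGroupName
    WorkspaceName     = $WorkSpaceName
    Top               = 20
}

# Security Baseline Assessment - Accounts with fewer than 5 successful logons.
# (The heading previously said "Failed Logons by a specific account", which does not
# match the query: EventID 4624 is a *successful* logon, and the Where clause keeps
# low-count accounts - i.e. rarely used accounts, which are worth a review.)
$dynamicQuery = 'Type=SecurityEvent EventID=4624 | Measure count() as LogonCount by Account | Where LogonCount<5'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults @baselineScope `
    -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime
$result.Value | ConvertFrom-Json

# Security Baseline Assessment - Critical baseline rules that failed assessment.
# (Heading corrected; the query selects SecurityBaseline records with
# AnalyzeResult=Failed and RuleSeverity=Critical.)
$dynamicQuery = 'Type=SecurityBaseline AnalyzeResult=Failed RuleSeverity=Critical'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults @baselineScope `
    -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime
# Kept in its own variable, presumably for later use; note it is still capped at 20 rows.
$SecurityBaselineAssessment = $result.Value | ConvertFrom-Json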