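#region Install Modules
# Run as Administrator (machine-wide install)
Find-Module AzureRM.OperationalInsights | Install-Module
# Or run as the current user (no elevation required)
Install-Module AzureRM.OperationalInsights -Scope CurrentUser
#endregion

#region Log on to Azure & choose Azure subscription
### Log into Azure with an Organisational Account.
# The credential is collected at run time instead of being embedded in the script:
# a plaintext password stored in a gist/repository is readable by anyone with access
# to the file and its history, and an interactive session does not need it on disk.
$Cred = Get-Credential -Message "Azure organisational account (e.g. account@TenantName.onmicrosoft.com)"
Login-AzureRmAccount -Credential $Cred

# Pick the subscription to work in; cancelling the grid view yields no selection.
$Subscription = Get-AzureRmSubscription | Out-GridView -Title "Choose a Source & Target Subscription ..." -PassThru
if (-not $Subscription) { throw "No subscription selected - aborting." }
Get-AzureRmSubscription -SubscriptionName $Subscription.SubscriptionName -WarningAction SilentlyContinue | Select-AzureRmSubscription
#endregion

#region Workspace settings
$ResourceGroupName = "mms-eus"
# NOTE(review): this value looks like a workspace ID (GUID) rather than a workspace
# name, while the cmdlets below take -WorkspaceName - confirm against the portal.
$WorkSpaceName = "c6d60c3c-3f1d-412d-a736-0338f372d709"
#endregion

#region Helper
# Runs one ad-hoc Log Analytics search against the workspace configured above and
# returns the cmdlet's raw response; callers unpack .Value themselves so that the
# interactive $result variable keeps the same shape as a direct cmdlet call.
#   -Query  : search expression (legacy OMS search syntax, as used in this script)
#   -Start  : inclusive start of the time window (ISO 8601 string)
#   -End    : end of the time window (ISO 8601 string)
#   -Top    : maximum number of rows to return (default 20)
function Invoke-WorkspaceSearch {
    param(
        [Parameter(Mandatory = $true)] $Query,
        [Parameter(Mandatory = $true)] $Start,
        [Parameter(Mandatory = $true)] $End,
        [int] $Top = 20
    )
    $searchArgs = @{
        ResourceGroupName = $ResourceGroupName
        WorkspaceName     = $WorkSpaceName
        Query             = $Query
        Start             = $Start
        End               = $End
        Top               = $Top
    }
    Get-AzureRmOperationalInsightsSearchResults @searchArgs
}
#endregion

##########################################################################################
################################# Saved Searches ##################################
##########################################################################################
# See all saved searches (ID, category and display name)
$query = Get-AzureRmOperationalInsightsSavedSearch `
    -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkSpaceName
$query.value | Format-List ID, @{Name='Category';Expression={$_.properties.Category}}, @{Name='DisplayName';Expression={$_.properties.DisplayName}}

# Run a saved search - Saved Search name 01
$result = Get-AzureRmOperationalInsightsSavedSearchResults `
    -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkSpaceName `
    -SavedSearchId "system update assessment|Saved Search name 01"
$result.value | ConvertFrom-Json

# Run a saved search - Saved Search name 02
$result = Get-AzureRmOperationalInsightsSavedSearchResults `
    -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkSpaceName `
    -SavedSearchId "alert management|Saved Search name 02"
$result.value | ConvertFrom-Json

##########################################################################################
############################### Identity & Access #################################
##########################################################################################
# Identity & Access - Number of security events per user name
$dynamicQuery = "Type=SecurityEvent | Measure count() by TargetUserName"
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-17T18:30:58.8Z"
$result = Invoke-WorkspaceSearch -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime -Top 20
$result.Value | ConvertFrom-Json

# Identity & Access - Failed logons (EventID 4625) for one user name
# (replace "UserName" with the account under investigation)
$dynamicQuery = "Type=SecurityEvent TargetUserName=UserName EventID=4625"
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-17T18:30:58.8Z"
$result = Invoke-WorkspaceSearch -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime -Top 20
$result.Value | ConvertFrom-Json

# Identity & Access - Grouped Accounts Failed Logons
$dynamicQuery = 'Type=SecurityEvent EventID=4625 | measure count() by TargetAccount'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Invoke-WorkspaceSearch -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime -Top 20
$result.Value | ConvertFrom-Json

# Identity & Access - Failed Logons by a specific account
$dynamicQuery = 'Type=SecurityEvent EventID=4625 TargetAccount="ADMINISTRATOR"'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Invoke-WorkspaceSearch -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime -Top 20
$result.Value | ConvertFrom-Json

##########################################################################################
############################## Threat Intelligence ################################
##########################################################################################
# Threat Intelligence - Threats (count of matched malicious IP traffic by indicator type)
$dynamicQuery = 'MaliciousIP=* AND (RemoteIPCountry=* OR MaliciousIPCountry=*) AND (((Type=WireData AND Direction=Outbound) OR (Type=CommonSecurityLog AND CommunicationDirection=Outbound)) OR (Type=W3CIISLog OR (Type = WireData AND Direction= Inbound) OR (Type = CommonSecurityLog AND CommunicationDirection= Inbound))) | measure count() by IndicatorThreatType'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Invoke-WorkspaceSearch -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime -Top 20
$result.Value | ConvertFrom-Json

# Threat Intelligence - Look at all Botnets (same traffic filter, restricted to the Botnet indicator type)
$dynamicQuery = 'MaliciousIP=* AND (RemoteIPCountry=* OR MaliciousIPCountry=*) AND (((Type=WireData AND Direction=Outbound) OR (Type=CommonSecurityLog AND CommunicationDirection=Outbound)) OR (Type=W3CIISLog OR (Type = WireData AND Direction= Inbound) OR (Type = CommonSecurityLog AND CommunicationDirection= Inbound))) IndicatorThreatType=Botnet'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Invoke-WorkspaceSearch -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime -Top 20
$result.Value | ConvertFrom-Json

##########################################################################################
######################### Security Baseline Assessment ############################
##########################################################################################
# Security Baseline Assessment - Accounts with fewer than 5 successful logons (EventID 4624)
$dynamicQuery = 'Type=SecurityEvent EventID=4624 | Measure count() as LogonCount by Account | Where LogonCount<5'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Invoke-WorkspaceSearch -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime -Top 20
$result.Value | ConvertFrom-Json

# Security Baseline Assessment - Critical baseline rules that failed assessment
$dynamicQuery = 'Type=SecurityBaseline AnalyzeResult=Failed RuleSeverity=Critical'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Invoke-WorkspaceSearch -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime -Top 20
$SecurityBaselineAssessment = $result.Value | ConvertFrom-Json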