RoleName,ID,DisplayName,Description
APIConnectors.Read.All,b86848a7-d5b1-41eb-a9b4-54a4e6306e97,Read API connectors for authentication flows,"Allows the app to read the API connectors used in user authentication flows, without a signed-in user."
APIConnectors.ReadWrite.All,1dfe531a-24a6-4f1b-80f4-7a0dc5a0a171,Read and write API connectors for authentication flows,"Allows the app to read, create and manage the API connectors used in user authentication flows, without a signed-in user."
AccessReview.Read.All,d07a8cc0-3d51-4b77-b3b0-32704d1f69fa,Read all access reviews,"Allows the app to read access reviews, reviewers, decisions and settings in the organization, without a signed-in user."
AccessReview.ReadWrite.All,ef5f7d5c-338f-44b0-86c3-351f46c8bb5f,Manage all access reviews,"Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings in the organization, without a signed-in user."
AccessReview.ReadWrite.Membership,18228521-a591-40f1-b215-5fad4488c117,Manage

"srcdev=10.10.10.10,date=Mar 13th 2023,time=08.00.00(+5 GMT),action=accept,sourceip=50.50.50.50,dstip=192.168.200.100,srcprt=443,dstprt=443,xproto=tcp,bytesin=39230,bytesout=392378"
"srcdev=10.10.10.10,date=Mar 13th 2023,time=07.44.33(+5 GMT),action=accept,sourceip=50.50.50.40,dstip=192.168.200.150,srcprt=2343,dstprt=22,xproto=tcp,bytesin=65122,bytesout=238944"
"srcdev=10.10.10.10,date=Mar 16th 2023,time=17.34.11(+5 GMT),action=accept,sourceip=50.50.60.50,dstip=192.168.200.133,srcprt=34234,dstprt=21,xproto=tcp,bytesin=94382300,bytesout=23409239239"
"srcdev=10.10.10.10,date=Mar 13th 2023,time=11.44.04(+5 GMT),action=drop,sourceip=50.60.50.50,dstip=192.168.200.111,srcprt=8500,dstprt=8500,xproto=tcp,bytesin=39230,bytesout=392378"
"device:10.10.10.30,timestamp:4/25/2023 07:44:44z,policy:default-corp-in,outcome:allow,src=50.23.23.23:48236/tcp,dst=192.168.200.158:3389/tcp,datain=390389bytes,dataout=402394bytes,tz=-4"
"device:10.10.10.30,timestamp:4/26/2023 14:22:55z,policy:default-dmz,outcome:deny,src=50.23.26.23:4

RoleName,RoleDescription,RoleId
AcrDelete,"Delete repositories, tags, or manifests from a container registry.",c2f4ef07-c644-48eb-af81-4b1b4947fb11
AcrImageSigner,Push trusted images to or pull trusted images from a container registry enabled for content trust.,6cef56e8-d556-48e5-a04f-b8e64114680f
AcrPull,Pull artifacts from a container registry.,7f951dda-4ed3-4680-a7ca-43fe172d538d
AcrPush,Push artifacts to or pull artifacts from a container registry.,8311e382-0749-4cb8-b61a-304f252e45ec
AcrQuarantineReader,Pull quarantined images from a container registry.,cdda3590-29a3-44f6-95f2-9f980659eb04
AcrQuarantineWriter,Push quarantined images to or pull quarantined images from a container registry.,c8d4ff99-41c3-41a8-9f60-21dfdad59608
API Management Service Contributor,Can manage service and the APIs,312a565d-c81f-4fd8-895a-4e21e48d571c
API Management Service Operator Role,Can manage service but not the APIs,e022efe7-f5ba-4159-bbe4-b44f577e9b61
API Management Service Reader Role,Read-only access to service and API

// Look for low-prevalence SHA256s associated with service creation that are new to your environment in the last day
// credit to mRr3b00t @UK_Daniel_Card for the idea and starting point and @lawndoc for the updates
let PrevalenceThreshold = 1000;
let knownSHA =
// Find all the existing SHA256s associated with service creation events in the last 30 days (excluding the last day)
DeviceEvents
| where Timestamp > ago(30d) and Timestamp < ago(1d)
| where ActionType == "ServiceInstalled"
| join (DeviceFileEvents) on FileName
| project-away SHA256

1. How many distinct users signed into the tenant in February?
SigninLogs
| distinct UserPrincipalName
| count
841
2. Which application had the most signins? List the application name.

Azure AD Audit | 31
Azure AD Signins | 24
Office 365 Activity | 14
Active Directory | 12
Defender for Endpoint | 26
Azure Activity | 6
Microsoft Sentinel Incidents | 2
Azure AD Risk Events | 1
Heartbeat | 2
Functions | 3

CVE,Vendor,Product,Name
CVE-2021-27104,Accellion,FTA,Accellion FTA OS Command Injection Vulnerability
CVE-2021-27102,Accellion,FTA,Accellion FTA OS Command Injection Vulnerability
CVE-2021-27101,Accellion,FTA,Accellion FTA SQL Injection Vulnerability
CVE-2021-27103,Accellion,FTA,Accellion FTA SSRF Vulnerability
CVE-2021-21017,Adobe,Acrobat and Reader,Adobe Acrobat and Reader Heap-based Buffer Overflow Vulnerability
CVE-2021-28550,Adobe,Acrobat and Reader,Adobe Acrobat and Reader Use-After-Free Vulnerability
CVE-2018-4939,Adobe,ColdFusion,Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
CVE-2018-15961,Adobe,ColdFusion,Adobe ColdFusion RCE
CVE-2018-4878,Adobe,Flash Player,Adobe Flash Player Use-After-Free Vulnerability

Name,Id
AcrPush,8311e382-0749-4cb8-b61a-304f252e45ec
API Management Service Contributor,312a565d-c81f-4fd8-895a-4e21e48d571c
AcrPull,7f951dda-4ed3-4680-a7ca-43fe172d538d
AcrImageSigner,6cef56e8-d556-48e5-a04f-b8e64114680f
AcrDelete,c2f4ef07-c644-48eb-af81-4b1b4947fb11
AcrQuarantineReader,cdda3590-29a3-44f6-95f2-9f980659eb04
AcrQuarantineWriter,c8d4ff99-41c3-41a8-9f60-21dfdad59608
API Management Service Operator Role,e022efe7-f5ba-4159-bbe4-b44f577e9b61
API Management Service Reader Role,71522526-b88f-4d52-b57f-d31fc3546d0d