reprise99
reprise99
/ gist:64ff76ccdbbc6cecba8180bd1fe56597
Last active
November 26, 2023 10:52
We can make this file beautiful and searchable if this error is corrected: It looks like row 6 should actually have 4 columns, instead of 3. in line 5.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| RoleName,ID,DisplayName,Description | |
| APIConnectors.Read.All,b86848a7-d5b1-41eb-a9b4-54a4e6306e97,Read API connectors for authentication flows,"Allows the app to read the API connectors used in user authentication flows, without a signed-in user." | |
| APIConnectors.ReadWrite.All,1dfe531a-24a6-4f1b-80f4-7a0dc5a0a171,Read and write API connectors for authentication flows,"Allows the app to read, create and manage the API connectors used in user authentication flows, without a signed-in user." | |
| AccessReview.Read.All,d07a8cc0-3d51-4b77-b3b0-32704d1f69fa,Read all access reviews,"Allows the app to read access reviews, reviewers, decisions and settings in the organization, without a signed-in user." | |
| AccessReview.ReadWrite.All,ef5f7d5c-338f-44b0-86c3-351f46c8bb5f,Manage all access reviews,"Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings in the organization, without a signed-in user." | |
| AccessReview.ReadWrite.Membership,18228521-a591-40f1-b215-5fad4488c117,Manage |
reprise99
/ fwlogs.csv
Last active
October 12, 2023 00:45
We can make this file beautiful and searchable if this error is corrected: Unclosed quoted field in line 6.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "srcdev=10.10.10.10,date=Mar 13th 2023,time=08.00.00(+5 GMT),action=accept,sourceip=50.50.50.50,dstip=192.168.200.100,srcprt=443,dstprt=443,xproto=tcp,bytesin=39230,bytesout=392378" | |
| "srcdev=10.10.10.10,date=Mar 13th 2023,time=07.44.33(+5 GMT),action=accept,sourceip=50.50.50.40,dstip=192.168.200.150,srcprt=2343,dstprt=22,xproto=tcp,bytesin=65122,bytesout=238944" | |
| "srcdev=10.10.10.10,date=Mar 16th 2023,time=17.34.11(+5 GMT),action=accept,sourceip=50.50.60.50,dstip=192.168.200.133,srcprt=34234,dstprt=21,xproto=tcp,bytesin=94382300,bytesout=23409239239" | |
| "srcdev=10.10.10.10,date=Mar 13th 2023,time=11.44.04(+5 GMT),action=drop,sourceip=50.60.50.50,dstip=192.168.200.111,srcprt=8500,dstprt=8500,xproto=tcp,bytesin=39230,bytesout=392378" | |
| "device:10.10.10.30,timestamp:4/25/2023 07:44:44z,policy:default-corp-in,outcome:allow,src=50.23.23.23:48236/tcp,dst=192.168.200.158:3389/tcp,datain=390389bytes,dataout=402394bytes,tz=-4" | |
| "device:10.10.10.30,timestamp:4/26/2023 14:22:55z,policy:default-dmz,outcome:deny,src=50.23.26.23:4 |
reprise99
/ azureroles.csv
Created
August 29, 2023 04:07
We can make this file beautiful and searchable if this error is corrected: It looks like row 10 should actually have 3 columns, instead of 2. in line 9.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| RoleName,RoleDescription,RoleId | |
| AcrDelete,"Delete repositories, tags, or manifests from a container registry.",c2f4ef07-c644-48eb-af81-4b1b4947fb11 | |
| AcrImageSigner,Push trusted images to or pull trusted images from a container registry enabled for content trust.,6cef56e8-d556-48e5-a04f-b8e64114680f | |
| AcrPull,Pull artifacts from a container registry.,7f951dda-4ed3-4680-a7ca-43fe172d538d | |
| AcrPush,Push artifacts to or pull artifacts from a container registry.,8311e382-0749-4cb8-b61a-304f252e45ec | |
| AcrQuarantineReader,Pull quarantined images from a container registry.,cdda3590-29a3-44f6-95f2-9f980659eb04 | |
| AcrQuarantineWriter,Push quarantined images to or pull quarantined images from a container registry.,c8d4ff99-41c3-41a8-9f60-21dfdad59608 | |
| API Management Service Contributor,Can manage service and the APIs,312a565d-c81f-4fd8-895a-4e21e48d571c | |
| API Management Service Operator Role,Can manage service but not the APIs,e022efe7-f5ba-4159-bbe4-b44f577e9b61 | |
| API Management Service Reader Role,Read-only access to service and API |
reprise99
/ randokql.kql
Created
May 12, 2023 23:15
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //Look for low prevalance SHA256's associated with service creation that are new to your environment in the last day | |
| //credit to mRr3b00t @UK_Daniel_Card for the idea and starting point and @lawndoc for the updates | |
| let PrevalenceThreshold = 1000; | |
| let knownSHA= | |
| //Find all the existing SHA256s associated with service creation events in the last 30 days (excluding the last day) | |
| DeviceEvents | |
| | where Timestamp > ago(30d) and Timestamp < ago(1d) | |
| | where ActionType == "ServiceInstalled" | |
| | join (DeviceFileEvents) on FileName | |
| | project-away SHA256 |
reprise99
/ 365daysofkql hunt 1
Last active
April 7, 2022 22:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1. How many distinct users signed into the tenant in February? | |
| SigninLogs | |
| | distinct UserPrincipalName | |
| | count | |
| 841 | |
| 2. Which application had the most signins? List the application name. |
reprise99
/ 365daysofkql.csv
Last active
March 7, 2022 02:20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Azure AD Audit | 31 | |
|---|---|---|
| Azure AD Signins | 24 | |
| Office 365 Activity | 14 | |
| Active Directory | 12 | |
| Defender for Endpoint | 26 | |
| Azure Activity | 6 | |
| Microsoft Sentinel Incidents | 2 | |
| Azure AD Risk Events | 1 | |
| Heartbeat | 2 | |
| Functions | 3 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| CVE,Vendor,Product,Name | |
| CVE-2021-27104,Accellion,FTA,Accellion FTA OS Command Injection Vulnerability | |
| CVE-2021-27102,Accellion,FTA,Accellion FTA OS Command Injection Vulnerability | |
| CVE-2021-27101,Accellion,FTA,Accellion FTA SQL Injection Vulnerability | |
| CVE-2021-27103,Accellion,FTA,Accellion FTA SSRF Vulnerability | |
| CVE-2021-21017,Adobe,Acrobat and Reader,Adobe Acrobat and Reader Heap-based Buffer Overflow Vulnerability | |
| CVE-2021-28550,Adobe,Acrobat and Reader,Adobe Acrobat and Reader Use-After-Free Vulnerability | |
| CVE-2018-4939,Adobe,ColdFusion,Adobe ColdFusion Deserialization of Untrusted Data vulnerability | |
| CVE-2018-15961,Adobe,ColdFusion,Adobe ColdFusion RCE | |
| CVE-2018-4878,Adobe,Flash Player,Adobe Flash Player Use after Free vulnerability |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Name,Id | |
| AcrPush,8311e382-0749-4cb8-b61a-304f252e45ec | |
| API Management Service Contributor,312a565d-c81f-4fd8-895a-4e21e48d571c | |
| AcrPull,7f951dda-4ed3-4680-a7ca-43fe172d538d | |
| AcrImageSigner,6cef56e8-d556-48e5-a04f-b8e64114680f | |
| AcrDelete,c2f4ef07-c644-48eb-af81-4b1b4947fb11 | |
| AcrQuarantineReader,cdda3590-29a3-44f6-95f2-9f980659eb04 | |
| AcrQuarantineWriter,c8d4ff99-41c3-41a8-9f60-21dfdad59608 | |
| API Management Service Operator Role,e022efe7-f5ba-4159-bbe4-b44f577e9b61 | |
| API Management Service Reader Role,71522526-b88f-4d52-b57f-d31fc3546d0d |