// The query below attempts to get the average size in MB per client that is sent from Microsoft Defender for Endpoint to Azure Sentinel when using the M365 Defender connector
// The calculation is done as follows:
// 1. Collect the usage data for the specified table from the Usage table, for example 'DeviceFileEvents'
// 2. Collect the total number of devices that submitted information into the specified table, for example 'DeviceFileEvents'
// 3. Divide the total BillableDataGB per DataType by the total number of devices that sent data to get the average MB sent per client
// 4. Finally 'union' all tables
let xagotime = 32d;
let xstarttime = 31d;
// File Events

// Windows 10 versions https://docs.microsoft.com/en-us/windows/release-information/
DeviceInfo
| where isnotempty(OSPlatform) and OSPlatform == "Windows10"
| summarize arg_max(Timestamp, *) by DeviceId
| extend Version = case(
    OSBuild == "19041", "2004",
    OSBuild == "19042", "20H2",
    OSBuild == "18363", "1909",
    OSBuild == "18362", "1903",
    OSBuild == "17763", "1809",

# run the modified MFA info gathering script stored here
# https://gist.github.com/alexverboon/f8fd3300dcf999e1a5f5554cad05030d
$MFA = .\MfaAuthMethodsAnalysis.ps1 -TenantId <TENANT ID>
$MFA_Inactive = @($MFA | Where-Object { $_.MfaAuthMethodCount -eq 0 })
$MFA_Active = @($MFA | Where-Object { $_.MfaAuthMethodCount -gt 0 })
$MFA_Inactive_NoLicense = @($MFA | Where-Object { $_.MfaAuthMethodCount -eq 0 -and $_.IsLicensed -eq $false })
$MFA_Active_NoLicense = @($MFA | Where-Object { $_.MfaAuthMethodCount -gt 0 -and $_.IsLicensed -eq $false })
$MFA_Inactive_HasLicense = @($MFA | Where-Object { $_.MfaAuthMethodCount -eq 0 -and $_.IsLicensed -eq $true })
$MFA_Active_HasLicense = @($MFA | Where-Object { $_.MfaAuthMethodCount -gt 0 -and $_.IsLicensed -eq $true })

##########################################################################################################
##########################################################################################################
<#
.SYNOPSIS
Analyses Azure AD users to make recommendations on how to improve their MFA stance.
.DESCRIPTION

<#
.Synopsis
CI_AsrPersistenceThroughWmi_Remediation
.DESCRIPTION
Script for Configuration Manager - Configuration Item
CI_AsrPersistenceThroughWmi_Remediation configures the rule "Block persistence through WMI event subscription" in Block mode
.NOTES
v1.0, 28.10.2020, alex verboon

<#
.Synopsis
CI_AsrPersistenceThroughWmi_Discovery
.DESCRIPTION
Script for Configuration Manager - Configuration Item
CI_AsrPersistenceThroughWmi_Discovery checks if the Defender ASR rule "Block persistence through WMI event subscription" is configured to Block or Warn
.NOTES

// Query for Microsoft 365 Defender - exploring DeviceNetworkInfo. Identify Wi-Fi hotspots, DHCP servers, DNS servers etc.
DeviceNetworkInfo
| where Timestamp > ago(30d)
// | where DeviceName contains "ADD YOUR COMPUTERNAME HERE"
| where NetworkAdapterStatus contains "Up"
| extend NetworkName = tostring(parse_json(ConnectedNetworks)[0].Name)
| extend Description = tostring(parse_json(ConnectedNetworks)[0].Description)
| extend IsConnectedToInternet = tostring(parse_json(ConnectedNetworks)[0].IsConnectedToInternet)
| extend Category = tostring(parse_json(ConnectedNetworks)[0].Category)
| extend Dns1 = tostring(parse_json(DnsAddresses)[0])

function Set-JumpHostDefenderConfiguration
{
    <#
    .Synopsis
    Set-JumpHostDefenderConfiguration
    .DESCRIPTION
    Set-JumpHostDefenderConfiguration configures the following Defender Security settings for JumpHosts that are not
    managed by Intune

# convert service types
$sku_lookup1 = @{
    1  = "KernelDriver"
    2  = "FileSystemDriver"
    4  = "Adapter"
    8  = "RecognizerDriver"
    16 = "Win32OwnProcess"
    32 = "Win32ShareProcess"
    48 = "Win32"

# video hub: https://techcommunity.microsoft.com/t5/video-hub/bd-p/VideoHub
# Ignite API: https://api.myignite.microsoft.com/api/session/all
$ALLSESSIONS = Invoke-WebRequest -Uri "https://api.myignite.microsoft.com/api/session/all"
$sessions = $ALLSESSIONS | ConvertFrom-Json
# Solution Areas
$sessions | Select-Object -ExpandProperty SolutionArea | Group-Object | Select-Object Name | Sort-Object -Property Name
# Search Samples