  1. #region Install Modules
  2.  
  3. # Run as Administrator
  4. Find-Module AzureRM.OperationalInsights | Install-Module
  5.  
  6. # Or run as the current user
  7. Install-Module AzureRM.OperationalInsights -Scope CurrentUser
  8.  
  9. #endregion
  10.  
  11. #region Auto Logon to Azure & choose Azure subscription
  12.  
  13. ### Auto Log into Azure with an Organisational Account
  14. $secpasswd = ConvertTo-SecureString "MyPassword" -AsPlainText -Force
  15. $Cred = New-Object System.Management.Automation.PSCredential ("account@TenantName.onmicrosoft.com", $secpasswd)
  16. Login-AzureRmAccount -Credential $cred
  17.  
  18. $Subscription = (Get-AzureRmSubscription | Out-GridView -Title "Choose a Source & Target Subscription ..." -PassThru)
  19. Get-AzureRmSubscription -SubscriptionName $Subscription.SubscriptionName -WarningAction SilentlyContinue | Select-AzureRmSubscription
  20.  
  21. #endregion
  22.  
  23. $ResourceGroupName = "mms-eus"
  24. $WorkSpaceName = "c6d60c3c-3f1d-412d-a736-0338f372d709"
  25.  
  26. ##########################################################################################
  27. ################################# Saved Searches ##################################
  28. ##########################################################################################
  29.  
  30. # See all saved searches
  31. $query = Get-AzureRmOperationalInsightsSavedSearch `
  32. -ResourceGroupName $ResourceGroupName `
  33. -WorkspaceName $WorkSpaceName
  34. $query.value | fl ID, @{Name='Category';Expression={$_.properties.Category}}, @{Name='DisplayName';Expression={$_.properties.DisplayName}}
  35.  
  36. # Run a saved search - Saved Search name 01
  37. $result = Get-AzureRmOperationalInsightsSavedSearchResults `
  38. -ResourceGroupName $ResourceGroupName `
  39. -WorkspaceName $WorkSpaceName `
  40. -SavedSearchId "system update assessment|Saved Search name 01"
  41. $result.value | ConvertFrom-Json
  42.  
  43. # Run a saved search - Saved Search name 02
  44. $result = Get-AzureRmOperationalInsightsSavedSearchResults `
  45. -ResourceGroupName $ResourceGroupName `
  46. -WorkspaceName $WorkSpaceName `
  47. -SavedSearchId "alert management|Saved Search name 02"
  48. $result.value | ConvertFrom-Json
  49.  
  50. ##########################################################################################
  51. ############################### Identity & Access #################################
  52. ##########################################################################################
  53.  
  54. # Identity & Access - Number of security events per user name
  55. $dynamicQuery = "Type=SecurityEvent | Measure count() by TargetUserName"
  56. $StartDateAndTime = "2016-10-10T18:20:58.8Z"
  57. $EndDateAndTime = "2016-10-17T18:30:58.8Z"
  58. $result = Get-AzureRmOperationalInsightsSearchResults `
  59. -ResourceGroupName $ResourceGroupName `
  60. -WorkspaceName $WorkSpaceName `
  61. -Query $dynamicQuery `
  62. -Start $StartDateAndTime `
  63. -End $EndDateAndTime -Top 20
  64. $result.Value | ConvertFrom-Json
  65.  
  66. # Identity & Access - Number of security events per user name
  67. $dynamicQuery = "Type=SecurityEvent TargetUserName=UserName EventID=4625"
  68. $StartDateAndTime = "2016-10-10T18:20:58.8Z"
  69. $EndDateAndTime = "2016-10-17T18:30:58.8Z"
  70. $result = Get-AzureRmOperationalInsightsSearchResults `
  71. -ResourceGroupName $ResourceGroupName `
  72. -WorkspaceName $WorkSpaceName `
  73. -Query $dynamicQuery `
  74. -Start $StartDateAndTime `
  75. -End $EndDateAndTime -Top 20
  76. $result.Value | ConvertFrom-Json
  77.  
  78. # Identity & Access - Grouped Accounts Failed Logons
  79. $dynamicQuery = 'Type=SecurityEvent EventID=4625 | measure count() by TargetAccount'
  80. $StartDateAndTime = "2016-10-10T18:20:58.8Z"
  81. $EndDateAndTime = "2016-10-18T18:30:58.8Z"
  82. $result = Get-AzureRmOperationalInsightsSearchResults `
  83. -ResourceGroupName $ResourceGroupName `
  84. -WorkspaceName $WorkSpaceName `
  85. -Query $dynamicQuery `
  86. -Start $StartDateAndTime `
  87. -End $EndDateAndTime -Top 20
  88. $result.Value | ConvertFrom-Json
  89.  
  90. # Identity & Access - Failed Logons by a specific account
  91. $dynamicQuery = 'Type=SecurityEvent EventID=4625 TargetAccount="ADMINISTRATOR"'
  92. $StartDateAndTime = "2016-10-10T18:20:58.8Z"
  93. $EndDateAndTime = "2016-10-18T18:30:58.8Z"
  94. $result = Get-AzureRmOperationalInsightsSearchResults `
  95. -ResourceGroupName $ResourceGroupName `
  96. -WorkspaceName $WorkSpaceName `
  97. -Query $dynamicQuery `
  98. -Start $StartDateAndTime `
  99. -End $EndDateAndTime -Top 20
  100. $result.Value | ConvertFrom-Json
  101.  
  102. ##########################################################################################
  103. ############################## Threat Intelligence ################################
  104. ##########################################################################################
  105.  
  106. # Threat Intelligence - Threats
  107. $dynamicQuery = 'MaliciousIP=* AND (RemoteIPCountry=* OR MaliciousIPCountry=*) AND (((Type=WireData AND Direction=Outbound) OR (Type=CommonSecurityLog AND CommunicationDirection=Outbound)) OR (Type=W3CIISLog OR (Type = WireData AND Direction= Inbound) OR (Type = CommonSecurityLog AND CommunicationDirection= Inbound))) | measure count() by IndicatorThreatType'
  108. $StartDateAndTime = "2016-10-10T18:20:58.8Z"
  109. $EndDateAndTime = "2016-10-18T18:30:58.8Z"
  110. $result = Get-AzureRmOperationalInsightsSearchResults `
  111. -ResourceGroupName $ResourceGroupName `
  112. -WorkspaceName $WorkSpaceName `
  113. -Query $dynamicQuery `
  114. -Start $StartDateAndTime `
  115. -End $EndDateAndTime -Top 20
  116. $result.Value | ConvertFrom-Json
  117.  
  118. # Threat Intelligence - Look at all Botnets
  119. $dynamicQuery = 'MaliciousIP=* AND (RemoteIPCountry=* OR MaliciousIPCountry=*) AND (((Type=WireData AND Direction=Outbound) OR (Type=CommonSecurityLog AND CommunicationDirection=Outbound)) OR (Type=W3CIISLog OR (Type = WireData AND Direction= Inbound) OR (Type = CommonSecurityLog AND CommunicationDirection= Inbound))) IndicatorThreatType=Botnet'
  120. $StartDateAndTime = "2016-10-10T18:20:58.8Z"
  121. $EndDateAndTime = "2016-10-18T18:30:58.8Z"
  122. $result = Get-AzureRmOperationalInsightsSearchResults `
  123. -ResourceGroupName $ResourceGroupName `
  124. -WorkspaceName $WorkSpaceName `
  125. -Query $dynamicQuery `
  126. -Start $StartDateAndTime `
  127. -End $EndDateAndTime -Top 20
  128. $result.Value | ConvertFrom-Json
  129.  
  130. ##########################################################################################
  131. ######################### Security Baseline Assessment ############################
  132. ##########################################################################################
  133.  
  134. # Security Baseline Assessment - Failed Logons by a specific account
  135. $dynamicQuery = 'Type=SecurityEvent EventID=4624 | Measure count() as LogonCount by Account | Where LogonCount<5'
  136. $StartDateAndTime = "2016-10-10T18:20:58.8Z"
  137. $EndDateAndTime = "2016-10-18T18:30:58.8Z"
  138. $result = Get-AzureRmOperationalInsightsSearchResults `
  139. -ResourceGroupName $ResourceGroupName `
  140. -WorkspaceName $WorkSpaceName `
  141. -Query $dynamicQuery `
  142. -Start $StartDateAndTime `
  143. -End $EndDateAndTime -Top 20
  144. $result.Value | ConvertFrom-Json
  145.  
  146. # Security Baseline Assessment - Failed Logons by a specific account
  147. $dynamicQuery = 'Type=SecurityBaseline AnalyzeResult=Failed RuleSeverity=Critical'
  148. $StartDateAndTime = "2016-10-10T18:20:58.8Z"
  149. $EndDateAndTime = "2016-10-18T18:30:58.8Z"
  150. $result = Get-AzureRmOperationalInsightsSearchResults `
  151. -ResourceGroupName $ResourceGroupName `
  152. -WorkspaceName $WorkSpaceName `
  153. -Query $dynamicQuery `
  154. -Start $StartDateAndTime `
  155. -End $EndDateAndTime -Top 20
  156. $SecurityBaselineAssessment = $result.Value | ConvertFrom-Json