#region Install Modules
# Every cmdlet in this script comes from AzureRM.OperationalInsights, so the
# module must be present before anything else runs. Two alternatives are given;
# use whichever matches the privileges of the current session.
# NOTE(review): the AzureRM module family has been superseded by the Az modules;
# this script keeps the AzureRM cmdlets it was written against.
# Machine-wide install (requires an elevated / Administrator session)
Find-Module -Name AzureRM.OperationalInsights | Install-Module
# Per-user install (no elevation needed)
Install-Module -Name AzureRM.OperationalInsights -Scope CurrentUser
#endregion
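#region Auto Logon to Azure & choose Azure subscription
### Auto Log into Azure with an Organisational Account
# The password is no longer embedded in the script: a plaintext credential in a
# shared/pasted file is leaked to everyone who can read it. It is read from the
# environment instead, which keeps the non-interactive logon while letting the
# caller supply it from a secret store. AZURE_LOGIN_PASSWORD is a constructed
# variable name - set it in the calling session before running.
if ([string]::IsNullOrEmpty($env:AZURE_LOGIN_PASSWORD)) {
    throw "Environment variable AZURE_LOGIN_PASSWORD is not set; cannot log in non-interactively."
}
$secpasswd = ConvertTo-SecureString $env:AZURE_LOGIN_PASSWORD -AsPlainText -Force
# Placeholder organisational account; replace with the real UPN
$Cred = New-Object System.Management.Automation.PSCredential ("account@TenantName.onmicrosoft.com", $secpasswd)
Login-AzureRmAccount -Credential $Cred
# Interactive subscription picker; -PassThru returns the row the user selected
$Subscription = (Get-AzureRmSubscription | Out-GridView -Title "Choose a Source & Target Subscription ..." -PassThru)
# Cancelling the grid view yields $null; fail here rather than with an opaque
# error from Get-AzureRmSubscription further down.
if (-not $Subscription) {
    throw "No subscription selected; aborting."
}
# Make the chosen subscription the active context for the rest of the script
Get-AzureRmSubscription -SubscriptionName $Subscription.SubscriptionName -WarningAction SilentlyContinue | Select-AzureRmSubscription
#endregion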
# Workspace identity used by every query below.
[string]$ResourceGroupName = 'mms-eus'
# NOTE(review): this value is a GUID, which looks like a workspace ID rather
# than a workspace name - confirm it is what -WorkspaceName expects.
[string]$WorkSpaceName = 'c6d60c3c-3f1d-412d-a736-0338f372d709'
##########################################################################################
################################# Saved Searches ##################################
##########################################################################################
# Workspace parameters shared by the saved-search cmdlets below (splatted).
$savedSearchScope = @{
    ResourceGroupName = $ResourceGroupName
    WorkspaceName     = $WorkSpaceName
}
# List every saved search in the workspace with its id, category and display name
$query = Get-AzureRmOperationalInsightsSavedSearch @savedSearchScope
$query.value | Format-List ID, @{Name='Category';Expression={$_.properties.Category}}, @{Name='DisplayName';Expression={$_.properties.DisplayName}}
# Run a saved search - Saved Search name 01
# (the id appears to be "<category>|<display name>" as listed above)
$result = Get-AzureRmOperationalInsightsSavedSearchResults @savedSearchScope -SavedSearchId "system update assessment|Saved Search name 01"
$result.value | ConvertFrom-Json
# Run a saved search - Saved Search name 02
$result = Get-AzureRmOperationalInsightsSavedSearchResults @savedSearchScope -SavedSearchId "alert management|Saved Search name 02"
$result.value | ConvertFrom-Json
##########################################################################################
############################### Identity & Access #################################
##########################################################################################
# Parameters common to every ad-hoc search in this section (splatted).
# -Top 20 caps each result set at 20 rows; raise it if the full set is needed.
$searchScope = @{
    ResourceGroupName = $ResourceGroupName
    WorkspaceName     = $WorkSpaceName
    Top               = 20
}
# Identity & Access - Number of security events per user name
$dynamicQuery = "Type=SecurityEvent | Measure count() by TargetUserName"
# Fixed historical window (ISO-8601, UTC) - adjust before reuse
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-17T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults @searchScope -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime
$result.Value | ConvertFrom-Json
# Identity & Access - Failed logons (EventID 4625) for one user name;
# "UserName" is a placeholder to replace with the account under review
$dynamicQuery = "Type=SecurityEvent TargetUserName=UserName EventID=4625"
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-17T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults @searchScope -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime
$result.Value | ConvertFrom-Json
# Identity & Access - Grouped Accounts Failed Logons (count of 4625 per target account)
$dynamicQuery = 'Type=SecurityEvent EventID=4625 | measure count() by TargetAccount'
# Note: this and the next query use an end date one day later than the two above
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults @searchScope -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime
$result.Value | ConvertFrom-Json
# Identity & Access - Failed Logons by a specific account (ADMINISTRATOR)
$dynamicQuery = 'Type=SecurityEvent EventID=4625 TargetAccount="ADMINISTRATOR"'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults @searchScope -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime
$result.Value | ConvertFrom-Json
##########################################################################################
############################## Threat Intelligence ################################
##########################################################################################
# Parameters common to both threat-intelligence searches (splatted).
# -Top 20 caps each result set at 20 rows.
$searchScope = @{
    ResourceGroupName = $ResourceGroupName
    WorkspaceName     = $WorkSpaceName
    Top               = 20
}
# Threat Intelligence - Threats: records carrying a MaliciousIP match across
# WireData, CommonSecurityLog and W3CIISLog, counted per IndicatorThreatType
$dynamicQuery = 'MaliciousIP=* AND (RemoteIPCountry=* OR MaliciousIPCountry=*) AND (((Type=WireData AND Direction=Outbound) OR (Type=CommonSecurityLog AND CommunicationDirection=Outbound)) OR (Type=W3CIISLog OR (Type = WireData AND Direction= Inbound) OR (Type = CommonSecurityLog AND CommunicationDirection= Inbound))) | measure count() by IndicatorThreatType'
# Fixed historical window (ISO-8601, UTC) - adjust before reuse
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults @searchScope -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime
$result.Value | ConvertFrom-Json
# Threat Intelligence - Look at all Botnets: same source filter as above,
# restricted to IndicatorThreatType=Botnet (raw records, not aggregated)
$dynamicQuery = 'MaliciousIP=* AND (RemoteIPCountry=* OR MaliciousIPCountry=*) AND (((Type=WireData AND Direction=Outbound) OR (Type=CommonSecurityLog AND CommunicationDirection=Outbound)) OR (Type=W3CIISLog OR (Type = WireData AND Direction= Inbound) OR (Type = CommonSecurityLog AND CommunicationDirection= Inbound))) IndicatorThreatType=Botnet'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults @searchScope -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime
$result.Value | ConvertFrom-Json
##########################################################################################
######################### Security Baseline Assessment ############################
##########################################################################################
# Parameters common to both searches in this section (splatted).
# -Top 20 caps each result set at 20 rows.
$searchScope = @{
    ResourceGroupName = $ResourceGroupName
    WorkspaceName     = $WorkSpaceName
    Top               = 20
}
# Accounts with fewer than 5 successful logons (EventID 4624) in the window.
# The original heading called this "Failed Logons", but 4624 is the successful
# logon event and the filter is on a low LogonCount, not on failures.
$dynamicQuery = 'Type=SecurityEvent EventID=4624 | Measure count() as LogonCount by Account | Where LogonCount<5'
# Fixed historical window (ISO-8601, UTC) - adjust before reuse
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults @searchScope -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime
$result.Value | ConvertFrom-Json
# Security Baseline Assessment - failed baseline rules of Critical severity
$dynamicQuery = 'Type=SecurityBaseline AnalyzeResult=Failed RuleSeverity=Critical'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults @searchScope -Query $dynamicQuery -Start $StartDateAndTime -End $EndDateAndTime
# Kept in its own variable (unlike the other sections) for later use
$SecurityBaselineAssessment = $result.Value | ConvertFrom-Json