User Profile
dmarquesgn
Iron Contributor
Joined 4 years ago
Recent Discussions
Analytic rules for Microsoft Sentinel based on MS EASM

Hi, I just imported EASM data to Sentinel, so we can create some analytic rules based on EASM data. I'm now thinking about which use cases are interesting to create alerts for. Has anyone already followed this path and has some experience of what kind of alerts make sense based on EASM data? Thanks

Licensing information - differences between Audit Logs and Azure AD

Hi, I developed a PowerShell script to extract the licensing attribution and removal (Office 365). I'm using the cmdlet "Search-UnifiedAuditLog" to extract all events with the operation "Change user license". I'm evaluating whether the script is running fine, so I've told our Helpdesk to tell me when they attribute or remove a license, so I can run the script and check. Based on this I've found something odd: there are some cases where I can see in the Azure AD Audit Log for that user that the license has been attributed, like this: But this specific user does not show up in the Audit Log. I've also tried to search the Audit Log manually, and the result is the same: this license attribution doesn't show up there. Does anyone know what I am missing here? Shouldn't both platforms give the same data? Thanks

Difference between Device Inventory Dashboard and KQL query

Hi, I have an issue with differences, which I'm not understanding, between the Device Inventory dashboard and a KQL query. I'm trying to extract some metrics from Defender, like device health status. So I go to the device inventory and manually filter for Sensor health state as "Misconfigured", which includes "Impaired communications" and "No sensor data", and I get 3 devices on the list, as shown below: Then I try to reproduce this in a KQL query, which I think is this one:

    DeviceInfo
    | where SensorHealthState contains "No sensor data" or SensorHealthState contains "Misconfigured"
    | summarize arg_max(Timestamp, *) by DeviceName

But I get 95 devices as a result. What am I missing here? It's a huge difference. Thanks

Re: Same device with Onboarded and Not Onboarded status

jbmartin6 Thanks for the tip. I also do the same many times: extract the data with PowerShell and then work it out. But as the goal here is to create a detection rule, it needs to be a query in Defender. I'll take a look at those references.

Re: Same device with Onboarded and Not Onboarded status

jbmartin6 That really helped. I just changed the DeviceId to DeviceName, as the DeviceId is in fact different; what's equal is the DeviceName. So now the query is like this:

    let TableOnboarded = DeviceInfo
        | where OnboardingStatus == "Onboarded";
    let TableCouldBeOnboarded = DeviceInfo
        | where OnboardingStatus != "Onboarded" and MachineGroup contains "Windows Server";
    TableCouldBeOnboarded
    | join kind=anti TableOnboarded on DeviceName
    | distinct DeviceName

Now there's only one last issue. There's one device which, in the "Onboarded" state, has the DeviceName with the domain, like "srv-server.domain.local", and the "Not Onboarded" DeviceName is just the server name, without the domain. Is there any chance to parse out the domain name and compare just the server name? Thanks

Re: Same device with Onboarded and Not Onboarded status

jbmartin6 Yes, the goal is to find which Windows Servers exist without being onboarded. So I can ignore the ones which are not well classified. But there's one big issue: I have a detection rule based on this query, generating alerts, so this means I will generate a lot of false positives, and the SOC analysts will have to treat each alert, so it's kind of bad having false positives, giving them unnecessary work regularly.

Re: Same device with Onboarded and Not Onboarded status

dmarquesgn What I was thinking now is that inside the query I could do a check, and if the query returned 2 devices with the same name and one is "Onboarded", then it would not list the other one. But I'm not sure how to do this in KQL.

Hunting for data related to privilege escalation (like app installs)

Hi, I'm navigating the Defender tables to try to understand how I can hunt for privilege escalation events, benign ones in this case, for example, when our Helpdesk team connects to a computer to install an application, it will request an elevation of privileges, as the local users do not have permissions for it. I would like to audit this type of privilege escalation event, but I can't find the data related to it. Does anyone know in which table I can find this kind of data? Thanks

Same device with Onboarded and Not Onboarded status

Hi, I'm creating a detection rule to search for servers which are not onboarded to Defender. What's strange about this query is that I get the same device (same DeviceName but different DeviceId) with both onboarding statuses, which are "Onboarded" and "Can be onboarded". Does anyone know why? This way I get incorrect results in my detection rule. Thanks

Re: Use powershell to add a tag to a MS Defender device

jbmartin6 Well, this is really odd. I had it working, but of course it was in an area of the script for testing. Then I moved the code to the correct area of the script, and today I went to test the full script and it's not working again, prompting the same "InvalidRequestBody" error. So now I'm not really sure what the problem is, but it's not working anymore and I don't have a clue why.

Re: Use powershell to add a tag to a MS Defender device

jbmartin6 Thanks for the tips. Finally it's working. First, instead of using a variable in the creation of the body, like this:

    $Body = @{"Value"=$Tag;"Action"="Add"}

I removed the variable and added a literal value and it worked. Then I started messing with the variable values, and then the same variable value I had before worked, without really understanding why, but now it's working fine.

Re: Use powershell to add a tag to a MS Defender device

jbmartin6 I did that and I don't know how, but the token issue seems to be solved. Now I've got the same piece of code but with another error, which is:

    Invoke-RestMethod: { "error": { "code": "InvalidRequestBody", "message": "Request body is incorrect", "target": "|5ca2fd80-4d6cdfba5c72ce16." } }

But the code is just the same. The $body variable has this content:

    { "Value": "Vulnerability-Update", "Action": "Add" }

Which is aligned with the body which is used in the API Explorer in the MDE portal. Any way to debug this? Thanks

Re: Use powershell to add a tag to a MS Defender device

jbmartin6 Thanks for the tip. I was already able to do a part of the job, which is extracting the "machineid" from Defender, with this code:

    $apiUrl = "https://api-eu.securitycenter.microsoft.com/api/machines?`$filter=computerDnsName eq '$hostname'"
    $response = Invoke-RestMethod -Method Get -Uri $apiUrl -Headers $headers
    $machineId = $response.value[0].id

And it's fine, as I got the "machineid". But then I'm using this code for the addition of the tag:

    $Tag = "tag-test"
    $apiUrl = "https://api-eu.securitycenter.microsoft.com/api/machines/$machineId/tags"
    $Body = @{"Value"=$Tag;"Action"="Add"}
    $Body = $Body | ConvertTo-Json
    $response = Invoke-RestMethod -Method Post -Headers $headers -Body $body -Uri $apiUrl

And I've got the error:

    "code": "Unauthorized", "message": "Invalid Authorization payload."

But in the API permissions I've added the permissions which are written in the documentation, which are "Machine.ReadWriteAll" and "Machine.ReadWrite". Is there any way I can try to debug why this session doesn't have the permission to write the tag? Thanks

Use powershell to add a tag to a MS Defender device

Hi, I'm automating some security tasks with the help of PowerShell. One of the things I'm trying to automate now is the creation of a tag on a Defender device, but I didn't find much info about it. Has anyone successfully added tags to Defender devices using PowerShell? Thanks

Re: Powershell extract TPM and Encryption Readiness information from Intune

tobiassandberg Hi, after all it was not needed to open a case, as I figured it out. You have to increment the skip in order to move to the next page. Here's my full code to get it working, and now I've got all the devices just like I want.

    $skip = 0
    $DevicesEncryptionStatus = @()
    do {
        $params = @{
            select = @(
                "DeviceId"
                "DeviceName"
                "DeviceType"
                "OSVersion"
                "TpmSpecificationVersion"
                "EncryptionReadinessState"
                "EncryptionStatus"
                "UPN"
            )
            filter = ""
            skip   = $skip
            search = ""
            top    = 50
        }
        Get-MgBetaDeviceManagementReportEncryptionReportForDevice -BodyParameter $params -OutFile "C:\Temp\Intune-Encryption.json"
        # Assume that $jsonFilePath contains the path to your JSON file
        $jsonFilePath = "C:\Temp\Intune-Encryption.json"
        # Read the JSON file and convert it to a PowerShell object
        $json = Get-Content -Path $jsonFilePath -Raw | ConvertFrom-Json
        $totalrows = $json.TotalRowCount
        $values = $json.values
        foreach ($value in $values) {
            $row = New-Object PSObject -Property @{
                DeviceId                     = $value[0]
                DeviceName                   = $value[1]
                DeviceType                   = $value[2]
                DeviceType_loc               = $value[3]
                EncryptionReadinessState     = $value[4]
                EncryptionReadinessState_loc = $value[5]
                EncryptionStatus             = $value[6]
                EncryptionStatus_loc         = $value[7]
                OSVersion                    = $value[8]
                TpmSpecificationVersion      = $value[9]
                UPN                          = $value[10]
            }
            $DevicesEncryptionStatus += $row
        }
        $skip += 50
    } while ($skip -le $totalrows)

Hope it might help anyone in the future.
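An added example, not code from any of the posts above, for the two open points in the "Same device with Onboarded and Not Onboarded status" replies: comparing only the host part of DeviceName (so "srv-server.domain.local" and "srv-server" match) and suppressing a "Can be onboarded" row whenever an "Onboarded" record with the same host name exists. It runs the query through the Defender advanced hunting API; $headers is assumed to already hold a bearer token with the advanced query permission, as in the poster's other scripts, and the MachineGroup filter reuses the poster's own group naming.

```powershell
# Added example, not the poster's code. Assumes $headers already holds
# "Authorization: Bearer <token>" with AdvancedQuery.Read.All, as in the thread.
$query = @'
// Strip the DNS suffix so "srv-server.domain.local" and "srv-server" compare equal
let Onboarded = DeviceInfo
    | where OnboardingStatus == "Onboarded"
    | extend HostName = tolower(tostring(split(DeviceName, ".")[0]))
    | distinct HostName;
DeviceInfo
| where OnboardingStatus == "Can be onboarded"
| where MachineGroup contains "Windows Server"   // group naming used in the thread
| extend HostName = tolower(tostring(split(DeviceName, ".")[0]))
// one row per host (the newest record), so stale DeviceIds do not duplicate alerts;
// ReportId is kept so the same query can back a custom detection rule
| summarize arg_max(Timestamp, ReportId, DeviceName, DeviceId, OSPlatform) by HostName
// anti-join drops every host that also has an "Onboarded" record under any name
| join kind=leftanti Onboarded on HostName
| project Timestamp, ReportId, HostName, DeviceName, DeviceId, OSPlatform
'@

$apiUrl = "https://api-eu.securitycenter.microsoft.com/api/advancedqueries/run"
$body   = @{ Query = $query } | ConvertTo-Json
# The hunting API expects a JSON body, so the content type is set explicitly
$response = Invoke-RestMethod -Method Post -Uri $apiUrl -Headers $headers -Body $body -ContentType "application/json"

# Results is an array of objects keyed by the projected column names
$response.Results | Sort-Object HostName | Format-Table Timestamp, HostName, DeviceName, DeviceId, OSPlatform
```

The same KQL pasted into a custom detection rule produces one alert per not-onboarded host rather than one per historical DeviceId, which is the false-positive source described in the thread.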
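An added example, not the poster's script, for the "Use powershell to add a tag to a MS Defender device" thread: the tag call written so the two failures seen there ("Invalid Authorization payload" and "InvalidRequestBody") become diagnosable. It sends the body with an explicit JSON content type, surfaces the service's own error code and message on failure, and decodes the roles claim of the bearer token so you can confirm the machine write permission before calling. $headers and $machineId are assumed to exist as in the poster's code; Add-MdeMachineTag and Get-TokenRoles are hypothetical helper names.

```powershell
# Added example, not the poster's script. Assumes $headers (bearer token) and
# $machineId exist, as in the thread's own code.
function Add-MdeMachineTag {
    param(
        [Parameter(Mandatory)] [string] $MachineId,
        [Parameter(Mandatory)] [string] $Tag,
        [hashtable] $Headers = $headers,
        [string] $BaseUrl = "https://api-eu.securitycenter.microsoft.com"
    )
    $uri  = "$BaseUrl/api/machines/$MachineId/tags"
    # Same shape as the API Explorer body; -Compress keeps the payload on one line for logging
    $body = @{ Value = $Tag; Action = "Add" } | ConvertTo-Json -Compress
    Write-Verbose "POST $uri body=$body"
    try {
        # Explicit JSON content type: Invoke-RestMethod otherwise defaults to form encoding
        return Invoke-RestMethod -Method Post -Uri $uri -Headers $Headers -Body $body -ContentType "application/json"
    }
    catch {
        # Surface the service's own error code/message (e.g. InvalidRequestBody, Unauthorized)
        $raw = $_.ErrorDetails.Message
        if ($raw) {
            $err = ($raw | ConvertFrom-Json).error
            throw "Tag request failed: $($err.code) - $($err.message) (target $($err.target))"
        }
        throw
    }
}

# Before tagging, confirm the token actually carries the write permission: the JWT payload
# is base64url and its "roles" (application) or "scp" (delegated) claim lists what was granted.
function Get-TokenRoles {
    param([Parameter(Mandatory)] [string] $BearerHeader)
    $payload = ($BearerHeader -replace '^Bearer\s+', '').Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    return (@($claims.roles) + @($claims.scp)) | Where-Object { $_ }
}

Get-TokenRoles -BearerHeader $headers['Authorization']
Add-MdeMachineTag -MachineId $machineId -Tag "Vulnerability-Update" -Verbose
```

If the roles list printed by Get-TokenRoles lacks a Machine write permission, the app registration's consent has not reached the token yet and no change to the request body will help.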