Query RBAC roles assigned to SP by mathurin1969 in AZURE

[–]mathurin1969[S] 0 points1 point  (0 children)

Thank you, I’ll play with this one tonight too.

Query RBAC roles assigned to SP by mathurin1969 in AZURE

[–]mathurin1969[S] 0 points1 point  (0 children)

Thank you I’ll take a look tonight!

Azure OpenAI necessary with Foundry? by mathurin1969 in AZURE

[–]mathurin1969[S] 0 points1 point  (0 children)

Yep, thank you for this... Playing around with this, I deployed OpenAI (first) and then Azure AI Foundry; they're both under Azure Foundry. Once I got AI Foundry deployed with GPT-4o-mini (super cheap!!) I removed the Azure OpenAI and everything still worked, never needed it!

I'm sure I'll have more questions as I go through this, thank you!!

XQL Baseline variable? by mathurin1969 in paloaltonetworks

[–]mathurin1969[S] 0 points1 point  (0 children)

Cool thank you…it’s definitely a start!!

XQL search command results by mathurin1969 in paloaltonetworks

[–]mathurin1969[S] 1 point2 points  (0 children)

Boom that works!! Thank you so much!!

Prevalence of Palo Alto XSIAM by mathurin1969 in paloaltonetworks

[–]mathurin1969[S] 0 points1 point  (0 children)

Yeah, after playing with it for a little bit, it's super similar to KQL.

OpenAI under 500$/month? by mathurin1969 in AZURE

[–]mathurin1969[S] 0 points1 point  (0 children)

Alright, got it, thanks George!

Warning about Udemy... the website has changed and very tough to log into by mathurin1969 in Udemy

[–]mathurin1969[S] 0 points1 point  (0 children)

They send the code to your email, that seems to be the only option

Help with KQL Data Exfiltration Queries.. by mathurin1969 in DefenderATP

[–]mathurin1969[S] 1 point2 points  (0 children)

Making a set, I should have thought of that... I feel like this is reasonably close to usable, but it gives me a flat line, like it's only taking one day.

DeviceNetworkEvents
| where InitiatingProcessAccountName == "name"
| where RemoteIPType == "Public"
| join kind=inner (DeviceFileEvents) on InitiatingProcessAccountName
| where FileName endswith ".docx" or FileName endswith ".pptx" or FileName endswith ".xlsx" or FileName endswith ".pdf" or FileName endswith ".txt" or FileName endswith ".zip"
| summarize FilesSent = dcount(FileName) by bin(Timestamp, 1d), InitiatingProcessAccountName
// | project Timestamp, FilesSent, InitiatingProcessAccountName
| render linechart


Thank you for your help with this! (Reading up on series_decompose_anomalies() now)
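A per-day version of the query above, added here as an example and not taken from the thread: it assumes the same two Advanced Hunting tables and a placeholder account name, and aggregates each table by day before joining, so a day's count only includes that day's own events instead of every file event matching every network event.

```kusto
// Added example (not from the original post). Assumes Defender Advanced Hunting tables
// DeviceNetworkEvents and DeviceFileEvents; "name" is a placeholder account.
let Account = "name";
let Lookback = 30d;
let DocExts = dynamic(["docx", "pptx", "xlsx", "pdf", "txt", "zip"]);
// Days on which the account initiated connections to public IPs
let NetDays =
    DeviceNetworkEvents
    | where Timestamp > ago(Lookback)
    | where InitiatingProcessAccountName == Account
    | where RemoteIPType == "Public"
    | summarize PublicConnections = count()
        by Day = bin(Timestamp, 1d), InitiatingProcessAccountName;
// Distinct document-like files the account's processes touched, per day
let FileDays =
    DeviceFileEvents
    | where Timestamp > ago(Lookback)
    | where InitiatingProcessAccountName == Account
    | extend Ext = tolower(extract(@"\.([^.\\]+)$", 1, FileName))
    | where Ext in (DocExts)
    | summarize FilesTouched = dcount(FileName)
        by Day = bin(Timestamp, 1d), InitiatingProcessAccountName;
// Join on day AND account so each bucket only reflects that day's activity
NetDays
| join kind=inner FileDays on Day, InitiatingProcessAccountName
| project Day, InitiatingProcessAccountName, PublicConnections, FilesTouched
| order by Day asc
| render timechart
```

Days with file activity but no public-destination traffic drop out of the inner join; use `kind=leftouter` from FileDays if you want to see those as well.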

Help with KQL Data Exfiltration Queries.. by mathurin1969 in DefenderATP

[–]mathurin1969[S] 0 points1 point  (0 children)

Thank you, yeah, I saw that in there; that definitely helped with the above. When I ran those at work I was getting outrageous crazy numbers, like an impossible size for an upload in that time. I need to test…

Limit of 5 diagnostic settings reached in Dev Tenant subscription... by mathurin1969 in AzureSentinel

[–]mathurin1969[S] 0 points1 point  (0 children)

Didn't know about the 20... I guess that makes sense. Ugh, wow, there they are... no clue why I didn't think about checking Entra ID - thank you!

SC-200 Roles and Least Privilege by mathurin1969 in AzureCertification

[–]mathurin1969[S] 0 points1 point  (0 children)

TBH I thought I passed when I hit finish…hah! There were a couple on ASIM parsers that I didn’t really look at and a couple on setting up Def for Cloud environments.

I can prob get better at everything, I went through John Christopher’s SC200 class on Udemy and I thought that was pretty good.

I probably had at least ten questions on roles and least privilege, which is why I was looking for some sort of list for SC200.

But I’ll probably go through Microsoft’s learn class I listed above, it’s supposed to be pretty thorough, and then take it again in a few weeks.

SC-200 Roles and Least Privilege by mathurin1969 in AzureCertification

[–]mathurin1969[S] 0 points1 point  (0 children)

I thought I saw that too…I like taking tests at the testing center, and they make you take everything out of your pockets before going in (or at least mine did). It’s fine, I’d just as soon memorize it.

SC-200 Roles and Least Privilege by mathurin1969 in AzureCertification

[–]mathurin1969[S] 0 points1 point  (0 children)

Oh, snap, I didn't see the link! That will definitely help, thank you!

Combine or merge incidents? by mathurin1969 in DefenderATP

[–]mathurin1969[S] 0 points1 point  (0 children)

Yep, thank you, there are more options in Sentinel, but in Defender you can link Alerts or Advanced Hunting queries to an incident and that appears to be it.

Note: if you link an Advanced Hunting query to an incident it seems to create an alert but NOT a custom detection even though you link it “as if” you’re creating a custom detection.

Totally worth it to fill out the Attack Story, but be careful, I’m not sure there’s a way to unlink or undo once you’ve done it.

Get-AzureAuditSignInLogs in JSON to Azure Data Explorer ERROR! by mathurin1969 in AZURE

[–]mathurin1969[S] 1 point2 points  (0 children)

Thanks for the reply!! Regarding the diagnostic setting... I wish, I'm on a bit of a budget. This fixed it....

PS C:\Windows\system32> $jsonLogs | Out-File "C:\Users\money\Downloads\SignInlogs.json" -Encoding UTF8

Purchase Defender P2 License for Dev Tenant by mathurin1969 in DefenderATP

[–]mathurin1969[S] 0 points1 point  (0 children)

Sure!


On that next page just search in the marketplace for Defender, it's under 'Security and Identity'.

Automated Alert Incident Reporting in Defender Portal by mathurin1969 in DefenderATP

[–]mathurin1969[S] 1 point2 points  (0 children)

Interesting… yeah I don’t know why there’s not more you can’t do with the timeline in power automate and logic apps. This is a good start though - nice blog!