- This script allows you to view events that occurred from a suspicious email address. I generally use this script when investigating alerts regarding Password Spray Attacks, Anonymous IP Address or Atypical Travel. Changing the timestamp allows you to view a larger time frame. let ip = "Insert IP ADDRESS"; search in (IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents, EmailEvents, UrlClickEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceLogonEvents, DeviceEvents, BehaviorEntities, CloudAppEvents, AADSpnSignInEventsBeta, AADSignInEventsBeta) Timestamp between (ago(7d)
- This is a script I run periodically to hunt down any local accounts on organisational devices. It returns the device name, the names of the local accounts with admin rights and the number of accounts present on the device. Removing the timestamp and adjusting it manually allows you to narrow down when the account
- This KQL script provides a graphical analysis of email threats in your environment. It uses EmailAction to identify ThreatTypes such as Malware, Phish and Quarantine. It then shows you graphically how many email threats are present, and you can use the time parameter to adjust the timespan. let Threshold = 50; EmailEvents | where EmailAction ==
- This document outlines a basic process for capturing an image from a host PC and deploying it to a different PC on the network. You must ensure that network boot is at the top of the boot sequence so that the PC(s) can find the Fog Server when capturing and deploying. For
- This command allows you to export a list of devices in specific OUs to a CSV file. Open PowerShell as an Administrator and run this command: Get-ADComputer -SearchScope Subtree -SearchBase "OU=Room,OU=Building,OU=Staff,OU=Workstations,DC=Domain,DC=co,DC=uk" -Filter * -Properties Name | Export-Csv -Path "c:\Exported_Device_List.csv" You will need to specify the properties of the OU you want to export. The
- This is only a short list of the basics I use to navigate around Active Directory and administer machines on a daily basis. Working with Active Directory can be confusing if you don't know your way round your domain, so it's best to stay away from areas you do not administer. Searching for an Asset
- If a device has pending commands in the Management tab, type: sudo profiles renew -type enrollment This solves issues with configuration profiles and policies not falling down to devices. Once the command is executed you can run: sudo jamf recon This will then instantly reach for any policies or configuration profiles that are pending and
- Here's an example of a PowerShell script that can be used to restart multiple computers: Define the list of computers to restart (Parameters): $Computers = @("Computer1", "Computer2", "Computer3") Loop through each computer and restart it: foreach ($Computer in $Computers) { Write-Host "Restarting computer: $Computer"; Restart-Computer -ComputerName $Computer -Force } In this script, you need to define an array of computer
- Here's an example of a PowerShell script that can be used to create a new user: Define the user details (Parameters): $Username = "newuser"; $Password = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force; $FullName = "New User"; $Description = "This is a new user account." Create a new user: New-LocalUser -Name $Username -Password $Password -FullName $FullName -Description $Description -PasswordNeverExpires Add the
- This page provides a cheat sheet for macOS. I use these commands regularly when testing, installing and developing solutions on macOS projects. File & Directory Commands (command: description): defaults write com.apple.Finder AppleShowAllFiles true && killall Finder: enables the setting to view hidden files in Finder from the CLI. ls: lists directory contents. ls -l
