jeff-bb
jeff-bb
Authenticating to Microsoft Graph API... and Authenticating to Azure Service Management API... could use a catch for login being denied for a conditional access policy. # Conditional Access Policy ElseIf($RespErr...
I would like to be able to parse WebKit timestamps. They are very similar to existing Unix timestamps, but it's a 64-bit value for microseconds since Jan 1, 1601 00:00...
"Security Log Maximum Size smaller then 4GB [High] [Expected value (Less Or Equal): 4000, Found value: 4095.94]" To be technically accurate, the rule would be more in line with "value...
For "Port_Scan", where we have a fixed singular "victim", map this value back to the destination. Example. 192.168.0.1 scanned at least 250 unique ports on host 192.168.0.2 in 0m5s notice.src...
A couple of minor best practices changes around null checking and using aliases to maintain readability of the code. Azure CLI tools will now download the latest version if nothing...
RISON decoding is broken. Found the below reference on the initial commit. Well, almost. RISON Decode operation is broken. The "decode option" dropdown contains 3 `undefined` options, and makes it...
Basic parsing of event id 4662. Category is explicitly added and existing SubjectUser/Domain function handles user information with the addition of the event id into the table. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662 ## Proposed...
Updating existing function to handle the additional fields for CallerProcess found in 4799. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4799 ## Proposed commit message ## Checklist - [ ] My code follows the style guidelines of...
Primarily category, type, and user mappings. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5136 ## Proposed commit message ## Checklist - [ ] My code follows the style guidelines of this project - [ ] I have...
Add category and type actions for workstation lock and unlock. Reuse existing functions to populate user information, and use existing logon.id to track the session. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4800 https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4801 ## Proposed commit...