Azure Sentinel PowerShell Module

“Azure Sentinel is a cloud-native SIEM that provides intelligent security analytics for your entire enterprise at cloud scale. Get limitless cloud speed and scale to help focus on what really matters. Easily collect data from all your cloud or on-premises assets, Office 365, Azure resources, and other clouds. Effectively detect threats with built-in machine learning from Microsoft’s security analytics experts. Automate threat response, using built-in orchestration and automation playbooks.”

Analytics rules in Azure Sentinel define the logic on which incidents are created. At the time of writing, the only way to add, change or delete rules is through the Azure portal. As we run a cloud Security Operations Center at Wortell with many customers connected, maintaining rules by hand in the portal is not an option for us.

PowerShell Module

At the moment there is no documented REST API, ARM template support or PowerShell module for configuring Azure Sentinel analytics rules. After some research we identified the APIs the Azure portal itself calls, and on that basis we wrote a PowerShell module to manage Azure Sentinel from PowerShell. Because these are undocumented portal APIs, they can change without notice; the module should be tested against a non-production workspace after every portal update.

Import thumbnailphoto in AD from jpg

The script below imports a JPG file into the thumbnailPhoto attribute of an Active Directory user. Keep the image small: the AD schema caps thumbnailPhoto at 100 KB, and Outlook/Exchange expect a 96×96 pixel image of roughly 10 KB. Writing the attribute requires write permission on the user object, so run the script with an account that has it, not as a domain admin.

$username = "p01001"
$jpgfile = "C:\PICTURE.jpg"

# Bind to the current domain and look the user up by sAMAccountName
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$root = $dom.GetDirectoryEntry()
$search = [System.DirectoryServices.DirectorySearcher]$root
$search.Filter = "(&(objectclass=user)(objectcategory=person)(samAccountName=$username))"
$result = $search.FindOne()

if ($null -ne $result) {
 $user = $result.GetDirectoryEntry()
 # ReadAllBytes works in Windows PowerShell and PowerShell 7 alike;
 # Get-Content -Encoding Byte only exists in Windows PowerShell 5.1
 [byte[]]$jpg = [System.IO.File]::ReadAllBytes($jpgfile)
 $user.Put("thumbnailPhoto", $jpg)
 $user.SetInfo()
 Write-Host $user.displayName "updated"
} else {
  Write-Host $username "does not exist"
}
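The same import done with the ActiveDirectory module, with the size and format checks a practitioner would want and a read-back to confirm what AD actually stored. This is an added example, not code from the original post; the username, file paths and the 10 KB recommendation for Outlook are assumptions for illustration.

```powershell
# Added example (not from the original post): import a photo with the
# ActiveDirectory module, enforce the attribute's size limit, and read it
# back to confirm what is stored. $username and the paths are assumptions.
Import-Module ActiveDirectory

$username = "p01001"
$jpgfile  = "C:\PICTURE.jpg"
$exportTo = "C:\PICTURE.readback.jpg"

# thumbnailPhoto is capped at 100 KB by the AD schema; Outlook/Exchange
# expect something far smaller (96x96 pixels, roughly 10 KB).
$maxBytes         = 100KB
$recommendedBytes = 10KB

$photo = [System.IO.File]::ReadAllBytes($jpgfile)
if ($photo.Length -gt $maxBytes) {
    throw "$jpgfile is $($photo.Length) bytes; thumbnailPhoto must be <= $maxBytes bytes"
}
if ($photo.Length -gt $recommendedBytes) {
    Write-Warning "$jpgfile is larger than $recommendedBytes bytes; Outlook may not display it"
}
# JPEG files start with the SOI marker FF D8; refuse anything else
if ($photo.Length -lt 2 -or $photo[0] -ne 0xFF -or $photo[1] -ne 0xD8) {
    throw "$jpgfile does not look like a JPEG"
}

$user = Get-ADUser -Filter "sAMAccountName -eq '$username'" -Properties thumbnailPhoto
if (-not $user) {
    Write-Host "$username does not exist"
    return
}

# -Replace overwrites an existing photo; -Add would fail on a single-valued attribute
Set-ADUser -Identity $user -Replace @{ thumbnailPhoto = $photo }

# Read back from AD and compare byte-for-byte with what we wrote
$stored = (Get-ADUser -Identity $user -Properties thumbnailPhoto).thumbnailPhoto
if ([Convert]::ToBase64String($stored) -eq [Convert]::ToBase64String($photo)) {
    Write-Host "$($user.Name) updated ($($stored.Length) bytes)"
} else {
    Write-Warning "Stored photo differs from $jpgfile"
}

# Export the stored photo so it can be inspected with an image viewer
[System.IO.File]::WriteAllBytes($exportTo, $stored)
```

The read-back is worth keeping in automation: a successful Set-ADUser only tells you the write reached the DC you talked to, while the comparison confirms the attribute holds the bytes you intended before replication carries them to the rest of the domain.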

~Pouyan

Creating and using Password Hashes and Secure Strings with Powershell

This is how you generate a SecureString in PowerShell, save it to a file and load it back in a script. Note that, despite the title, ConvertFrom-SecureString does not hash the password: without -Key it encrypts it with the Windows Data Protection API (DPAPI), so the file can only be decrypted by the same user account on the same machine. Anyone who can run code as that user can recover the plaintext, so treat the file as a credential, not as a safe-to-share artifact.

$secureString = Read-Host -AsSecureString
ConvertFrom-SecureString $secureString | Out-File C:\temp\encrypted.txt

Load the SecureString from the file and use it in your script:

$securePassword = Get-Content C:\temp\encrypted.txt | ConvertTo-SecureString
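The following added example (not from the original post) shows the full round trip for both protection modes: the DPAPI form above, which is bound to the current user and machine, and the -Key form, which is portable across machines but only as secret as the key file. It builds a PSCredential from the loaded value, verifies that both files decrypt to the same password without writing plaintext to disk, and locks the files down with icacls. The file paths and the service account name are assumptions.

```powershell
# Added example (not from the original post): round-trip a SecureString
# through a file both ways, build a PSCredential from it, and show why the
# two forms differ in who can decrypt them. Paths and the username are
# assumptions.
$path     = "C:\temp\encrypted.txt"
$keyPath  = "C:\temp\aes.key"
$userName = "CONTOSO\svc-backup"

# 1. DPAPI-protected (no -Key): tied to this user account on this machine.
$secure = Read-Host -Prompt "Password for $userName" -AsSecureString
ConvertFrom-SecureString $secure | Out-File $path

# Load it back and turn it into a credential object for cmdlets that take
# -Credential. This only works as the same user on the same host.
$loaded = Get-Content $path | ConvertTo-SecureString
$cred   = New-Object System.Management.Automation.PSCredential($userName, $loaded)

# 2. AES-protected (-Key): portable, but the key IS the secret. Anyone who
# has both files has the password, so keep the key elsewhere with tight ACLs
# (or use a proper secret store). -Key accepts 16, 24 or 32 bytes; 32 = AES-256.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
[System.IO.File]::WriteAllBytes($keyPath, $key)
ConvertFrom-SecureString $secure -Key $key | Out-File "$path.aes"

$loadedAes = Get-Content "$path.aes" |
    ConvertTo-SecureString -Key ([System.IO.File]::ReadAllBytes($keyPath))

# Verify both round trips in memory. GetNetworkCredential() exposes the
# plaintext; never log it or write it to disk.
$plain1 = $cred.GetNetworkCredential().Password
$plain2 = (New-Object System.Management.Automation.PSCredential('x', $loadedAes)).GetNetworkCredential().Password
if ($plain1 -ceq $plain2) { Write-Host "Both files decrypt to the same password" }
Remove-Variable plain1, plain2

# Restrict the files to the current user. The DPAPI file is useless to other
# users anyway; the key file must not be readable by anyone else.
foreach ($f in $path, "$path.aes", $keyPath) {
    icacls $f /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(R)" | Out-Null
}
```

Use the DPAPI form for a scheduled task that always runs as one service account on one host; use the -Key form only when the secret has to move between machines, and then store the key file on a different path, share or vault than the encrypted password so that reading one file does not hand over both.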

How to uninstall with msiexec using product id guid

You can find the product code by browsing the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. Press F3 and search for your product name. (If it is a 32-bit installer on a 64-bit machine, it will be under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall instead.) The product code is the GUID-named subkey; the UninstallString value usually contains it as well.

You can also find the product code with PowerShell:

Get-WmiObject Win32_Product | Format-Table IdentifyingNumber, Name

Be aware that querying Win32_Product is slow and has side effects: Windows Installer runs a consistency check on every installed MSI package and may trigger repairs, which show up as MsiInstaller event ID 1035 in the Application log. Reading the Uninstall registry keys gives the same information without that cost, which matters on production servers.

Once you have the product code GUID, you can use msiexec to uninstall the application:

msiexec /x {A4BFF20C-A21E-4720-88E5-79D5A5AEB2E8}
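As an added example (not from the original post), here is the registry-based lookup and a silent uninstall wrapped in two functions, so the product code is never obtained through Win32_Product and the msiexec exit code is actually checked. The product name pattern 'Contoso Agent*' and the log location are assumptions.

```powershell
# Added example (not from the original post): find an MSI product code from
# the Uninstall registry keys without touching Win32_Product, then uninstall
# it silently with a verbose log. The name pattern is an assumption.
function Get-MsiProductCode {
    param([Parameter(Mandatory)][string]$NamePattern)

    # Both the native and the WOW6432Node hives, so 32-bit installs on
    # 64-bit Windows are found too
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -like $NamePattern -and
            $_.PSChildName -match '^\{[0-9A-F-]{36}\}$'    # MSI products use the GUID as key name
        } |
        Select-Object DisplayName, DisplayVersion,
            @{ n = 'ProductCode'; e = { $_.PSChildName } },
            @{ n = 'IsMsi'; e = { $_.WindowsInstaller -eq 1 -or $_.UninstallString -match 'msiexec' } }
}

function Uninstall-MsiProduct {
    param(
        [Parameter(Mandatory)][string]$ProductCode,
        [string]$LogPath = "$env:TEMP\uninstall-$($ProductCode.Trim('{}')).log"
    )
    # Refuse anything that is not a braced GUID; msiexec /x also accepts
    # an .msi path, and we do not want a stray string to be treated as one
    if ($ProductCode -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "Not a product code GUID: $ProductCode"
    }
    # /qn = no UI, /norestart = never reboot on its own, /L*v = verbose log
    $p = Start-Process msiexec.exe -ArgumentList "/x $ProductCode /qn /norestart /L*v `"$LogPath`"" -Wait -PassThru
    switch ($p.ExitCode) {
        0       { "Uninstalled $ProductCode" }
        1605    { "Product $ProductCode is not installed" }      # ERROR_UNKNOWN_PRODUCT
        3010    { "Uninstalled $ProductCode; reboot required" }  # ERROR_SUCCESS_REBOOT_REQUIRED
        default { throw "msiexec failed with exit code $($p.ExitCode); see $LogPath" }
    }
}

# Usage: list matches first, then remove only real MSI products.
# Uninstalling requires an elevated (administrator) session.
$hits = Get-MsiProductCode -NamePattern 'Contoso Agent*'
$hits | Format-Table
foreach ($hit in $hits | Where-Object IsMsi) {
    Uninstall-MsiProduct -ProductCode $hit.ProductCode
}
```

Entries whose key name is a GUID but whose IsMsi is false were registered by a non-MSI installer that happens to use a GUID; for those, run the UninstallString from the registry instead of msiexec /x.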

 

PowerShell – How to find details of Operating System

There were several instances where I had to find details of the operating system using PowerShell. Here are several PowerShell snippets that return various details of the operating system. They use Get-WmiObject, which works in Windows PowerShell 5.1 but was removed from PowerShell 7; replace it with Get-CimInstance -ClassName Win32_OperatingSystem there, since the property names are the same.

Name of the operating system (Name also includes the system drive and boot partition, separated by "|"; Caption gives just the friendly name)

(Get-WmiObject Win32_OperatingSystem).Name

Is Operating System 32-bit or 64-bit

(Get-WmiObject Win32_OperatingSystem).OSArchitecture

Name of the Machine

(Get-WmiObject Win32_OperatingSystem).CSName

There are many more properties of the operating system that are exposed (Version, BuildNumber, InstallDate, LastBootUpTime and so on). To list them all, run the following:

Get-WmiObject Win32_OperatingSystem | Get-Member
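The added example below (not from the original post) gathers the properties discussed above with Get-CimInstance, which works in both Windows PowerShell and PowerShell 7, for one or more computers, and uses the result to flag hosts that have not rebooted in a long time, a quick indicator of unapplied patches. The remote computer names 'srv01' and 'srv02' and the 30-day threshold are assumptions.

```powershell
# Added example (not from the original post): collect OS details with
# Get-CimInstance (the replacement for Get-WmiObject) for one or more
# computers. Computer names and the 30-day threshold are assumptions.
function Get-OsSummary {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    foreach ($c in $ComputerName) {
        # Query the local machine directly; only use a CIM session (WinRM)
        # for remote hosts
        $cim = @{ ClassName = 'Win32_OperatingSystem'; ErrorAction = 'Stop' }
        if ($c -ne $env:COMPUTERNAME -and $c -ne 'localhost') { $cim.ComputerName = $c }
        try {
            $os = Get-CimInstance @cim
        } catch {
            Write-Warning "$c : $($_.Exception.Message)"
            continue
        }
        [pscustomobject]@{
            Computer     = $os.CSName
            Name         = $os.Caption          # friendly name, unlike .Name which appends the boot partition
            Version      = $os.Version          # e.g. 10.0.17763
            Build        = $os.BuildNumber
            Architecture = $os.OSArchitecture   # "64-bit" / "32-bit"
            InstallDate  = $os.InstallDate      # CIM gives a real DateTime; WMI gave a DMTF string
            LastBoot     = $os.LastBootUpTime
            UptimeDays   = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1)
            SystemDrive  = $os.SystemDrive
        }
    }
}

# Local machine
Get-OsSummary | Format-List

# Remote hosts (WinRM must be reachable); flag anything not rebooted in 30 days
Get-OsSummary -ComputerName 'srv01', 'srv02' |
    Where-Object UptimeDays -gt 30 |
    Format-Table Computer, Name, Build, UptimeDays
```

Returning a custom object per host rather than printing values is what makes the snippet reusable: the same function feeds Format-Table for a quick look, Export-Csv for an inventory, or a Where-Object filter for the uptime check shown.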