Skip to content

Instantly share code, notes, and snippets.

View nathanmcnulty's full-sized avatar

Nathan McNulty nathanmcnulty

208 followers · 7 following
View GitHub Profile
@nathanmcnulty
nathanmcnulty / Get-XdrEndpointDeviceTimeline.ps1
Created January 22, 2026 21:20
Get-XdrEndpointDeviceTimeline.ps1
function Get-XdrEndpointDeviceTimeline {
<#
.SYNOPSIS
Retrieves the timeline of events for a specific device from Microsoft Defender XDR.
.DESCRIPTION
Gets the timeline of security events for a device from the Microsoft Defender XDR portal with options to filter by date range and other parameters.
Uses parallel chunked requests (1-hour intervals) to improve performance and support longer date ranges up to 180 days.
.PARAMETER DeviceId
@nathanmcnulty
nathanmcnulty / Get-MTPAPIToken.ps1
Created November 22, 2025 01:16
Get MTP API token using Azure PowerShell
$tenantId = "YOUR-TENANTID"
$fullToken = Get-AzAccessToken -ResourceUrl "https://securitycenter.microsoft.com/mtp" -TenantId $tenantId
$secureToken = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($fullToken.Token)
try {
$token = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($secureToken)
} finally {
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($secureToken)
}
$headers = @{ authorization= "Bearer $token" }
Invoke-Restmethod -Uri "https://mde-dtc-snsexclusions-prd-eus3.securitycenter.windows.com/api/sense-collection/rules" -Headers $headers
@nathanmcnulty
nathanmcnulty / group-use-report.ps1
Created August 4, 2025 21:46
For SuryB
# Connect to Microsoft Graph if not already connected
if (-not (Get-MgContext)) {
Connect-MgGraph -Scopes "Policy.Read.All","Group.Read.All","Application.Read.All","Directory.Read.All"
}
$results = @()
# Conditional Access Policies
$caPolicies = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
foreach ($policy in $caPolicies.value) {
@nathanmcnulty
nathanmcnulty / NRT KQL query
Created July 18, 2025 04:41
Playbook to remove user from CA exclusion group when Sentinel sees user registered passkey
AuditLogs
| where ResultReason == @"User registered Fido2 Authentication Method"
| extend UserId = parse_json(TargetResources)[0]["id"]
@nathanmcnulty
nathanmcnulty / mi-graph-permissions.ps1
Created May 14, 2025 06:16
Add permissions to Managed Identity
$SP_ID = '3b3c5db1-c095-41c7-af10-2a958ccaf91a'
Connect-MgGraph -Scopes appRoleAssignment.ReadWrite.All,Application.Read.All,Group.ReadWrite.All
$GraphSP = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$AppRole = $GraphSP.AppRoles | Where-Object {$_.Value -eq "SecurityEvents.Read.All" -and $_.AllowedMemberTypes -contains "Application"}
New-MgServicePrincipalAppRoleAssignment -AppRoleId $AppRole.Id -ServicePrincipalId $SP_ID -ResourceId $GraphSP.Id -PrincipalId $SP_ID
@nathanmcnulty
nathanmcnulty / graph-api-reports-ca-blocked-sign-ins.txt
Last active May 13, 2025 17:53
Graph API Reports for CA Blocked Sign-Ins
Graph PowerShell:
(Invoke-MgGraphRequest -Uri "/beta/reports/serviceActivity/getMetricsForConditionalAccessBlockedSignIn(inclusiveIntervalStartDateTime=$((Get-Date).AddMinutes(-5).ToString("yyyy-MM-ddTHH:mm:ssZ")),exclusiveIntervalEndDateTime=$((Get-Date).ToString("yyyy-MM-ddTHH:mm:ssZ")),aggregationIntervalInMinutes=5)").value
Logic App:
{
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
@nathanmcnulty
nathanmcnulty / propertiesCatalog.json
Created December 8, 2024 00:19
Properties catalog
{
"description": "",
"name": "Properties Catalog",
"roleScopeTagIds": [
"0"
],
"platforms": "windows10",
"technologies": "extensibility",
"settings": [
{
@nathanmcnulty
nathanmcnulty / gist:445aea7d5966a267e904f74525721233
Created November 24, 2024 23:25
For Tony
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$session.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0"
$session.Cookies.Add((New-Object System.Net.Cookie("MC1", "<redacted>", "/", ".microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("ai_user", "<redacted>", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("MicrosoftApplicationsTelemetryDeviceId", "<redacted>", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("SSR", "<redacted>", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("msresearch", "<redacted>", "/", ".microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("MSFPC", "<redacted>", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("X-PortalEndpoint-RouteKey", "wusprod_westus", "/", "security.microsoft.com")))
$session.Coo
@nathanmcnulty
nathanmcnulty / gist:8c2e28b76f18dcdec12f78799724cffe
Created September 6, 2024 01:48
CA policy for pim-strong-reauth-compliant-device
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies/$entity",
"id": "876aef31-50a3-4c79-b77a-7ba8f8941317",
"createdDateTime": "2024-09-06T01:23:30.5342067Z",
"displayName": "PIM - Require strong re-authentication from compliant device",
"state": "enabledForReportingButNotEnforced",
"conditions": {
"clientAppTypes": [ "all" ],
"signInRiskLevels": [ ],
"userRiskLevels": [ ],
@nathanmcnulty
nathanmcnulty / gist:c353279b9704140a1a8a11c26932f969
Created August 7, 2024 07:34
Set up Maester permissions
# list of permissions
[array]$permissions = "Directory.Read.All","Policy.Read.All","Reports.Read.All","DirectoryRecommendations.Read.All","PrivilegedAccess.Read.AzureAD","IdentityRiskEvent.Read.All","RoleEligibilitySchedule.Read.Directory","RoleManagement.Read.All","Policy.Read.ConditionalAccess","UserAuthenticationMethod.Read.All"
# create application
$app = New-MgApplication -DisplayName "Maester DevOps"
# create service principal
$graphSpId = (Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'").Id
$sp = New-MgServicePrincipal -AppId $app.appId