Skip to content

Instantly share code, notes, and snippets.

View albert-widjaja's full-sized avatar

Albert Widjaja albert-widjaja

View GitHub Profile
@ddamenova
ddamenova / IRQL.md
Last active May 11, 2026 18:25

IRQL - Incident Response Query Language

A collection of Kusto (KQL) functions that unify security logs behind a consistent, analyst-friendly dialect. IRQL encapsulates query logic in repeatable chunks, hides cluster/database locations and join keys, and projects disparate source schemas into a single, predictable schema. In addition, it represents query logic as their semantic intent via function naming. These functions were created by Saar Ron, John Lambert, and Diana Damenova.

These functions were authored alongside the Lift to Graph functions (Lift_To_Graph, Graph_Render_View, Graph_Fold_By_Property) and are designed to compose with them. Many of the IRQL primitives have a tabular form and a graph-lifted form, so the same logic drives both relational hunts and visual graph investigations.

Why IRQL?

KQL is a phenomenal tool for analyzing large quantities of data, but queries can get verbose quickly:

@zjorz
zjorz / Finding-All-Candidate-EXPLICIT-Allow-ACEs-To-Investigate-For-dMSA-Abuse-In-AD-Domain.ps1
Last active June 10, 2025 13:10
#######
# Finding All Candidate EXPLICIT Allow ACEs To Investigate For dMSA Abuse In AD Domain
#######
Clear-Host
# Execution Date/Time
$datetime = Get-Date
# Local Computer Domain
@nathanmcnulty
nathanmcnulty / graph-api-reports-ca-blocked-sign-ins.txt
Last active May 13, 2025 17:53
Graph API Reports for CA Blocked Sign-Ins
Graph PowerShell:
(Invoke-MgGraphRequest -Uri "/beta/reports/serviceActivity/getMetricsForConditionalAccessBlockedSignIn(inclusiveIntervalStartDateTime=$((Get-Date).AddMinutes(-5).ToString("yyyy-MM-ddTHH:mm:ssZ")),exclusiveIntervalEndDateTime=$((Get-Date).ToString("yyyy-MM-ddTHH:mm:ssZ")),aggregationIntervalInMinutes=5)").value
Logic App:
{
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
@zjorz
zjorz / Create-Application-In-Entra-ID-And-Exchange-Online-To-Send-Email-From-OnPremises-PoSH-Scripts.ps1
Last active September 28, 2025 22:01
Creating An Application In Entra ID And Exchange Online To Be Used As A "Proxy" To Send Emails From On-Premises PowerShell Scripts
$tenantFQDN = "<TENANT NAME>.ONMICROSOFT.COM" # <= CONFIGURE THIS!!!!!
$appRegDisplayName = "<APPLICATION DISPLAY NAME>" # <= CONFIGURE THIS!!!!!
$credentialType = "<CREDENTIAL TYPE>" # "Secret" OR "Certificate" <= CONFIGURE THIS!!!!!
$lifetimeSecretInDays = 365 # <= CONFIGURE THIS!!!!!
$certCERFilePath = "<CERTIFICATE CER FILE PATH>" # <= CONFIGURE THIS!!!!!
$mailboxMailAddress = "<MAIL ADDRESS OF MAILBOX TO ALLOW TO SEND MAIL FROM>" # <= CONFIGURE THIS!!!!!
Invoke-Command -ArgumentList $tenantFQDN,$appRegDisplayName,$credentialType,$lifetimeSecretInDays,$certCERFilePath,$mailboxMailAddress -ScriptBlock {
Param (
$tenantFQDN,
@nathanmcnulty
nathanmcnulty / gist:8c2e28b76f18dcdec12f78799724cffe
Created September 6, 2024 01:48
CA policy for pim-strong-reauth-compliant-device
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies/$entity",
"id": "876aef31-50a3-4c79-b77a-7ba8f8941317",
"createdDateTime": "2024-09-06T01:23:30.5342067Z",
"displayName": "PIM - Require strong re-authentication from compliant device",
"state": "enabledForReportingButNotEnforced",
"conditions": {
"clientAppTypes": [ "all" ],
"signInRiskLevels": [ ],
"userRiskLevels": [ ],
@wtfiwtz
wtfiwtz / block-symbio-networks.txt
Last active May 31, 2025 01:09
Blocking Symbio Networks in Australia - the source of most of the spam, scam and abuse calls
Import this list into an app like "Number Shield" that can block whole number ranges
https://apps.apple.com/au/app/number-shield/id1319082167
https://www.kinnamansoftware.com/number-shield
Full number database for Australia - downloadable from https://www.thenumberingsystem.com.au/#!/number-register/search
I haven't tested this yet, but going to very soon now!
02 3813 7xxx
02 3813 9xxx
@atulkamble
atulkamble / windows-keys.md
Created September 14, 2023 17:13
Windows Product Keys
@dafthack
dafthack / azure_client_ids.txt
Created June 16, 2023 11:57
A collection of client IDs that can be used to authenticate a user, and their associated application name that shows up in Azure Sign-In logs.
00b41c95-dab0-4487-9791-b9d2c32c80f2 - Office 365 Management
04b07795-8ddb-461a-bbee-02f9e1bf7b46 - Microsoft Azure CLI
0ec893e0-5785-4de6-99da-4ed124e5296c - Office UWP PWA
18fbca16-2224-45f6-85b0-f7bf2b39b3f3 - Microsoft Docs
1950a258-227b-4e31-a9cf-717495945fc2 - Microsoft Azure PowerShell
1b3c667f-cde3-4090-b60b-3d2abd0117f0 - Windows Spotlight
1b730954-1685-4b74-9bfd-dac224a7b894 - Azure Active Directory PowerShell
1fec8e78-bce4-4aaf-ab1b-5451cc387264 - Microsoft Teams
22098786-6e16-43cc-a27d-191a01a1e3b5 - Microsoft To-Do client
268761a2-03f3-40df-8a8b-c3db24145b6b - Universal Store Native Client
@githubfoam
githubfoam / windows ADBA KMS cheat sheet
Last active August 8, 2024 06:17
windows ADBA KMS cheat sheet
==========================================================================================================
#Slmgr.vbs Options for Volume Activation
Attempting to manage an older system from Windows 7 or Windows Server 2008 R2 will generate a specific version mismatch error
==========================================================================================================
#ChatGPT
Explain Key Management Server in windows.
A Key Management Server (KMS) is a feature in Microsoft Windows that allows organizations to activate volume licensed versions of Windows and Office products within their network environment without the need for individual activation keys for each computer.
@githubfoam
githubfoam / windows event logs cheat sheet
Last active May 12, 2026 23:32
windows event logs cheat sheet
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# PS : ChatGPT makes mistakes, consider "trust but verify" principle
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
#Events to Monitor
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
#run
eventvwr.msc Event viewer
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Event Viewer(Local)-Windows Logs (shutdown / restart )