Liongard Library

Welcome to Liongard Library, where Lions share! This is a community-led space where Liongard users can come to teach and learn from one another.
Share custom Metrics, get inspired and see what’s trending in the Pride.

Pride Etiquette:
➕ Have great custom Metrics? Add them as entries!
🌟 Want to use a Metric? Copy the query and follow this doc.
👍 Tried a Metric from the Library? Like it!
📣 Have a question or feedback on a Metric? Add a comment!
🔎 Not sure where to start? Learn about Metrics and how to write them.
💬 Need help writing a metric or want to help support others? Join the conversation in our Liongard Lounge #metrics slack channel.


🥴 See something off? Open a support chat to let us know.

ADD A NEW METRIC ENTRY

All Metric entries

Showing 878 of 878

Internet Domain/DNS: Multiple SPF Records

This is actually a built in metric, but it can be used to detect when multiple SPF records are defined by the following alert rule: Metric: Internet Domain/DNS: SPF Records (SPFRecord metric)Operator: containsThreshold: ,v=spf1
Darren White 4 months ago in Internet Domain/DNS 0

M365: PerfectData App Check

Malicious actors are utilizing a vulnerability with the "PerfectData Software" Entra(AKA Azure) enterprise application. This metric can query each M365 inspector and display whether or not the app is present in the tenant. This can be used with ou...
David Chapman 2 months ago in Microsoft 365 1

Microsoft 365: Shared Mailbox Listing

This metric displays a list of the names of the shared mailboxes.
Michael Thompson 2 months ago in Microsoft 365 0

Microsoft 365: Shared Mailbox Count

This metric displays a count of shared mailboxes.
Michael Thompson 2 months ago in Microsoft 365 0

Fortinet Fortigate: DMZ Default Config

If the defaults are in place it will report back with [dmz]. if disabled or changed from defaults it will report back with [].
Bill Krauss (Applied Tech) 2 months ago in Fortinet FortiGate 0

Fortinet FortiGate: HTTP and/or SSH Enabled on an Interface

This metric checks to see if the HTTP or SSH protocols are being used on any interfaces and then lists the interface name if either HTTP or SSH is enabled.
Michael Thompson 2 months ago in Fortinet FortiGate 0

Microsoft 365: New users created 7 days ago with MFA disabled

This metric will allow you to find M365 users created 7 days ago and MFA is Disabled. We are using this metric along with an actionable alert to create tickets when one of these users are found. This can be adjusted to find users created in a rang...
Guest 2 months ago in Microsoft 365 0

macOS: Huntress Installed

This will return a true or false value for the installation of Huntress
De'Shard Brown 4 months ago in macOS 0

Fortinet FortiGate: FortiManager Enabled on an Interface

This metric checks to see if the FortiGate to FortiManager (FGFM) protocol is being used on any interfaces and then lists the interface name if it is.
Michael Thompson 2 months ago in Fortinet FortiGate 0

Azure Active Directory: Conditional Access Policies with Excluded Users Summary

I based this off another metric created by David Chapman, so thanks to him for the original idea! I added the ability to also bring in users from excluded groups for a full picture of what users are excluded from CA policies. There might be a more...
Noah Tatum 5 months ago in Azure Active Directory 0