Metrics Library

This is a community-led space where Liongard users can come to teach and learn from one another. Share custom Metrics, get inspired and see what’s trending in the Pride.
Active Directory: Report Detailed AD Sync Errors (Entra Connect) from Local Server
Title: Enhancement: Report Detailed AD Sync Errors (Entra Connect) from Local Server

Category: Inspector Enhancement (Active Directory or Windows Server)

What is your feedback? Why is it important to you?

Currently, Liongard reports on the service status of the AD Sync (Microsoft Entra Connect) service (i.e., is the service "Running" or "Stopped"), but it does not capture the content of synchronization errors.

We frequently encounter scenarios where the sync service is technically "Running" (so no alert is triggered), but objects are failing to sync due to specific errors like AttributeValueMustBeUnique, InvalidSoftMatch, or LargeObject. These errors are critical because they result in users not being created in M365, password changes failing to sync, or group membership discrepancies.

Without this data in Liongard, our team has to manually remote into the AD Connect server to check the "Synchronization Service Manager" UI or Event Viewer for every ticket, which defeats the purpose of centralized visibility.

What is your ideal solution?

I would like the Active Directory Inspector (or the Windows Inspector) to have the ability to query the local AD Connect instance (typically leveraging the MIIS_Server WMI class or parsing the Application Event Log for Source ADSync) to report:

- Error Count: The number of objects with sync errors.
- Error Details: A table listing the specific error type (e.g., sync-generic-failure) and the DN (Distinguished Name) of the impacted object.
- Last Successful Sync Time: The timestamp of the last fully successful export to Azure AD, not just the last time the scheduler ran.

Business Impact: This would allow us to create Actionable Alerts for "AD Sync contains Errors," enabling proactive remediation of identity issues before end-users report login failures or missing account data.
0
Google Workspace: Capture User Mailbox Filters (Detect Hidden Forwarding Rules)
Title: Enhance Google Workspace Inspector to Capture User Mailbox Filters (Detect Hidden Forwarding Rules)

One-Sentence Summary: Expand the Google Workspace Inspector to pull data from the Gmail API's users.settings.filters endpoint, enabling partners to detect malicious forwarding rules and unauthorized data exfiltration.

The "Why" (Partner Use Case):

Bad actors are increasingly using hidden mailbox filters to maintain persistence in a compromised tenant. By setting up rules to automatically forward emails to an external address (or delete notifications), they can exfiltrate sensitive data or hide their tracks without the user ever knowing.

Currently, auditing these filters requires manually logging into user accounts or running custom scripts per tenant. Partners need an automated, scalable way to:

- Audit all user filters across an entire Google Workspace environment.
- Create Actionable Alerts for high-risk filter criteria (e.g., "Action: Forward" OR "Action: Delete").
- Detect Persistence: Identify rules created by attackers to hide their activity (e.g., automatically trashing security alerts from Microsoft or Google).

This addition would significantly enhance the security posture of our partners' managed environments and provide a critical layer of defense against Business Email Compromise (BEC).

Technical Details & API Reference:

This data is available via the Gmail API. We recommend adding a new Data View to the Google Workspace Inspector that captures the output of the users.settings.filters.list method.

- API Resource: users.settings.filters
- Method: list
- Google Documentation: https://developers.google.com/gmail/api/reference/rest/v1/users.settings.filters/list
- Required Scope: https://www.googleapis.com/auth/gmail.settings.basic (Read-only access to settings)

Proposed Data to Capture:

For each filter, we should capture:

- ID: Unique filter ID.
- Criteria: The trigger conditions (e.g., from, to, subject, query).
- Action: The automated response (e.g., addLabelIds, removeLabelIds, forward). Crucial: specifically looking for the forward property.

Example "Work Smarter" Win for Partners:

Instead of a reactive fire drill after a breach, a partner could have a Liongard Alert: "Critical: Email Forwarding Rule Detected on Executive Mailbox." This allows them to investigate and remediate before significant data loss occurs.
0
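An added example (not part of the original post, and not Liongard's or Google's code) of the triage the request above describes: it walks filter resources shaped like the entries of the "filter" array returned by users.settings.filters.list and raises findings for forwarding and delete actions. The sample data, the INTERNAL_DOMAINS allow-list, the severity labels and the function names are all assumptions made for illustration.

```python
# Added example. SAMPLE_FILTERS is constructed data shaped like the "filter"
# list from users.settings.filters.list; INTERNAL_DOMAINS is an assumption.
INTERNAL_DOMAINS = {"example.com"}
SAMPLE_FILTERS = {
    "alice@example.com": [
        {"id": "f1", "criteria": {"from": "newsletter@example.org"},
         "action": {"addLabelIds": ["Label_12"]}},
        {"id": "f2", "criteria": {"query": "invoice OR payment"},
         "action": {"forward": "collector@external.example.net",
                    "removeLabelIds": ["INBOX"]}},
    ],
    "bob@example.com": [
        {"id": "f3", "criteria": {"from": "no-reply@accounts.google.com"},
         "action": {"addLabelIds": ["TRASH"]}},
        {"id": "f4", "criteria": {"subject": "timesheet"},
         "action": {"forward": "payroll@example.com"}},
    ],
}


def assess_filter(flt, internal_domains=INTERNAL_DOMAINS):
    """Return (severity, reason) findings for one Gmail filter resource."""
    action = flt.get("action") or {}
    findings = []
    forward = (action.get("forward") or "").strip().lower()
    if forward:
        external = forward.rpartition("@")[2] not in internal_domains
        findings.append(("critical" if external else "medium",
                         f"forwards to {'external' if external else 'internal'} address {forward}"))
    if forward and "INBOX" in action.get("removeLabelIds", []):
        findings.append(("high", "forwarded mail also skips the inbox"))
    if "TRASH" in action.get("addLabelIds", []):  # Gmail's "Delete it" action
        findings.append(("high", "matching mail is sent to Trash"))
    return findings


def audit(filters_by_user):
    """Flatten per-user filter lists into alert rows, most severe first."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    rows = [(sev, user, flt["id"], reason, flt.get("criteria", {}))
            for user, filters in filters_by_user.items()
            for flt in filters
            for sev, reason in assess_filter(flt)]
    return sorted(rows, key=lambda r: (rank[r[0]], r[1], r[2]))


if __name__ == "__main__":
    for row in audit(SAMPLE_FILTERS):
        print(*row, sep=" | ")
```

Keeping the filter's criteria in each row lets an alert show what mail the rule matches, which is what distinguishes a payroll auto-forward from a rule that trashes security notifications.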
Microsoft 365: Drive Summary (M365, Sharepoint, OneDrive)
Category: Storage Insights Metrics

Description:

This metric generates a comprehensive summary of Microsoft 365 drive storage details. It includes key information such as site name, drive name, creator, creation date, and the remaining storage percentage for each drive.

Purpose:

To provide IT organizations with a clear and concise overview of storage utilization across Microsoft 365 environments, enabling better management, planning, and resolution of storage-related issues.

Use Cases:

- Resource Monitoring: Keep track of storage utilization across all drives to ensure sufficient capacity is available.
- Capacity Planning: Use remaining storage data to plan for upgrades or archival actions, ensuring continued system performance.
- Accountability: Identify the owner (Created By) of drives to facilitate follow-ups for cleaning or optimizing storage.
- Auditing: Document drive creation dates and usage trends to support audits and compliance efforts.
- Optimization Opportunities: Highlight drives with very high or very low usage for potential cleanup or reallocation.

How it Works:

The metric utilizes Liongard’s Microsoft 365 Inspector to extract and summarize storage-related data for each drive. The JMESPath query outputs the following details for every drive:

- Site Name
- Drive Name
- Created By (Owner)
- Created On (Date of Creation)
- Remaining Storage in Percentage

Beneficiaries:

- IT Teams: Gain insights into storage usage across all sites and drives.
- Organizations: Plan for future storage needs and maintain efficient operations.
- Decision-Makers: Access actionable summaries to guide resource allocation and policy adjustments.

Notes for Customization:

Additional Enhancements:

- Add Usage Details: Include fields like Used Storage or Total Capacity to provide a fuller picture of the drive’s storage status.
- Highlight Critical Drives: Apply conditional formatting or flags for drives with less than a specified threshold of remaining storage (e.g., 10%).
- Aggregate Data: Create summary statistics, such as total remaining storage or average usage across all drives.

Why Modify:

- Tailored Reporting: Customize the fields and output to align with organizational needs, such as compliance with specific storage policies.
- Enhanced Usability: Expand data points to allow quicker decision-making, such as identifying which drives to prioritize for cleanup or migration.
- Automation Opportunities: Tie the metric to workflows that notify teams of critical storage issues or trigger cleanup operations.

drives[].[['Site Name:', siteName_r], ['Name:', name], ['Created By:', createdBy.user.displayName], ['Created On:', createdDateTime], ['Remaining Storage in %:', quota.percentOfQuotaRemaining_r], ['--']][]
0