Minor cleanup and chaning ProcessLogs to skip processing empty files

2017-05-28 22:20:24 +04:00 · 2017-05-28 22:20:24 +04:00 · dfd3167f33
--- a/Deploy/README.md
+++ b/Deploy/README.md
@ -1 +1,3 @@
+# zMonitor
+
 Please refer to the [documentation](../README.md) for deployment instructions.
--- a/Deploy/ServiceProvider/PS-Ops-CleanupDaily.ps1
+++ b/Deploy/ServiceProvider/PS-Ops-CleanupDaily.ps1
@ -10,7 +10,7 @@ $StorageAccountKey = "<STORAGE ACCOUNT KEY>"

 $Ctx = New-AzureStorageContext $StorageAccountName -StorageAccountKey $StorageAccountKey

-#Cleanup all 0 byte files - no data
+#Cleanup all 0 byte files - should no longer be needed
 Get-AzureStorageBlob -Container $StorageContainerName -Context @Ctx | Where-Object {$_.Length -eq 0} | Remove-AzureStorageBlob

 #Get all blobs older than an hour
--- a/Deploy/Tenant/RB-Ops-Hourly.ps1
+++ b/Deploy/Tenant/RB-Ops-Hourly.ps1
@ -6,7 +6,7 @@
 #All detected threats based on threat status rank.
 .\RB-ProcessLogs.ps1 `
 		-ReportName "securitydetectedthreats" `
-		-dynamicQuery "Type=ProtectionStatus ThreatStatusRank > 199 ThreatStatusRank != 470 | measure max(ThreatStatusRank) as Rank by Computer | Top 50000"
+		-dynamicQuery "Type=ProtectionStatus ThreatStatusRank > 199 ThreatStatusRank != 470 | measure max(ThreatStatusRank) as Rank by Computer | Top 5000"

 #All Windows security login failures in the past 1 hours.
 .\RB-ProcessLogs.ps1 `
--- a/Deploy/Tenant/RB-ProcessLogs.ps1
+++ b/Deploy/Tenant/RB-ProcessLogs.ps1
@ -16,22 +16,23 @@ $StorageAccountName = "<STORAGE ACCOUNT>"
 $StorageContainerName = "<STORAGE CONTAINER NAME>"
 $StorageAccountKey = "<STORAGE ACCOUNT KEY>"
 $Ctx = New-AzureStorageContext $StorageAccountName -StorageAccountKey $StorageAccountKey
-#Get-AzureStorageContainer -Name $StorageContainerName -Context $Ctx

 $workspace = Get-AutomationVariable -Name "OMSWorkspaceName"
 $date = get-date -f yyyyMMddHHmm
-#$reportname = "activealertscritical"
-#$dynamicQuery = "Type=Alert (AlertSeverity=error or AlertSeverity=critical) TimeGenerated>NOW-24HOUR AlertState!=Closed"

-# Run the OMS Query Search - Edit Workspace Name Per Tenant
-# NOTE : Results are limited to 5000 results
+# Run the OMS Query Search
+# NOTE : Results are limited to 5000 results by the API
 $result = Get-AzureRmOperationalInsightsSearchResults -ResourceGroupName "zMonitor" -WorkspaceName $($workspace) -Top 5000 -Query $dynamicQuery

-$result.Value | ConvertFrom-Json | Export-Csv -NoTypeInformation $env:TEMP\$($workspace)-$($reportname)-$($date)-temp.csv -Force
+# Process the report if it contains data
+if ($result.Value.Count -gt 0)
+{
+    $result.Value | ConvertFrom-Json | Export-Csv -NoTypeInformation $env:TEMP\$($workspace)-$($reportname)-$($date)-temp.csv -Force

-Import-Csv $env:TEMP\$(Get-AutomationVariable -Name "OMSWorkspaceName")-$($reportname)-$($date)-temp.csv | 
-    select-Object *,@{Name='tenantworkspace';Expression={$($workspace)}},@{Name='reportname';Expression={$($reportname)}} | 
-    Export-Csv -NoTypeInformation $env:TEMP\$($workspace)-$($reportname)-$($date).csv
+    Import-Csv $env:TEMP\$(Get-AutomationVariable -Name "OMSWorkspaceName")-$($reportname)-$($date)-temp.csv | 
+        select-Object *,@{Name='tenantworkspace';Expression={$($workspace)}},@{Name='reportname';Expression={$($reportname)}} | 
+        Export-Csv -NoTypeInformation $env:TEMP\$($workspace)-$($reportname)-$($date).csv

-#Write-Output "Moving CSV Results File to Azure Blob Storage."
-Set-AzureStorageBlobContent -Context $Ctx -File $env:TEMP\$($workspace)-$($reportname)-$($date).csv -Container $StorageContainerName -Force | Out-Null
+    #Write-Output "Moving CSV Results File to Azure Blob Storage."
+    Set-AzureStorageBlobContent -Context $Ctx -File $env:TEMP\$($workspace)-$($reportname)-$($date).csv -Container $StorageContainerName -Force | Out-Null
+}
--- a/Documentation/Deploy-Tenant.md
+++ b/Documentation/Deploy-Tenant.md
@ -49,7 +49,7 @@ The overall process for tenant monitoring is:

 1. Configure Azure Automation

-    Take your time through this section. The components need time to register and come online. 
+    Take your time through this section. The components need time to register and come online.

    1. Create Run As Account

@ -67,7 +67,7 @@ The overall process for tenant monitoring is:
        $StorageContainerName = "<privatecontainer>"
        $StorageAccountKey = "<storageaccountkey>"
        ```
-        These are the settings in the service providers BLOB storage account 
+        These are the settings in the service providers BLOB storage account.

    1. Import existing runbooks

@ -78,7 +78,7 @@ The overall process for tenant monitoring is:
        * RB-Ops-Hourly.ps1
        * RB-ProcessLogs.ps1

-        For each of the imported runbooks, open the Runbook blade, click "Edit" then "Publish". 
+        For each of the imported runbooks, open the Runbook blade, click "Edit" then "Publish".

        Then create and link schedules for the Daily and Hourly scripts: