From dfd3167f337e06b466d15c2d16b300fce37fbae0 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Sun, 28 May 2017 22:20:24 +0400
Subject: [PATCH] Minor cleanup and chaning ProcessLogs to skip processing empty files
---
 Deploy/README.md | 2 ++
 .../ServiceProvider/PS-Ops-CleanupDaily.ps1 | 2 +-
 Deploy/Tenant/RB-Ops-Hourly.ps1 | 2 +-
 Deploy/Tenant/RB-ProcessLogs.ps1 | 23 ++++++++++---------
 Documentation/Deploy-Tenant.md | 6 ++---
 5 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/Deploy/README.md b/Deploy/README.md
index 200a4cd..ee115f1 100644
--- a/Deploy/README.md
+++ b/Deploy/README.md
@@ -1 +1,3 @@
+# zMonitor
+
 Please refer to the [documentation](../README.md) for deployment instructions.
\ No newline at end of file
diff --git a/Deploy/ServiceProvider/PS-Ops-CleanupDaily.ps1 b/Deploy/ServiceProvider/PS-Ops-CleanupDaily.ps1
index 47c888a..ad6cfc7 100644
--- a/Deploy/ServiceProvider/PS-Ops-CleanupDaily.ps1
+++ b/Deploy/ServiceProvider/PS-Ops-CleanupDaily.ps1
@@ -10,7 +10,7 @@ $StorageAccountKey = ""
 $Ctx = New-AzureStorageContext $StorageAccountName -StorageAccountKey $StorageAccountKey
-#Cleanup all 0 byte files - no data
+#Cleanup all 0 byte files - should no longer be needed
 Get-AzureStorageBlob -Container $StorageContainerName -Context @Ctx | Where-Object {$_.Length -eq 0} | Remove-AzureStorageBlob
 #Get all blobs older than an hour
diff --git a/Deploy/Tenant/RB-Ops-Hourly.ps1 b/Deploy/Tenant/RB-Ops-Hourly.ps1
index 7032439..c9bfdb3 100644
--- a/Deploy/Tenant/RB-Ops-Hourly.ps1
+++ b/Deploy/Tenant/RB-Ops-Hourly.ps1
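Review bot: The retained Get-AzureStorageBlob line in this hunk passes the context as `@Ctx` rather than `$Ctx`; `@` is the splatting operator, so `-Context` is most likely left without an argument and the zero-byte cleanup fails rather than running, which would explain why it looks "no longer needed". Either correct it to `-Context $Ctx` so the safety net actually works, or delete the line now that RB-ProcessLogs skips empty results, instead of leaving a comment that contradicts the code beneath it. The hunk header also shows `$StorageAccountKey = ""` as a literal in the script; an account key grants full access to the whole storage account, so prefer a container-scoped SAS or read the key from a protected store at run time rather than pasting it into source.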
@@ -6,7 +6,7 @@
 #All detected threats based on threat status rank.
 .\RB-ProcessLogs.ps1 `
 -ReportName "securitydetectedthreats" `
- -dynamicQuery "Type=ProtectionStatus ThreatStatusRank > 199 ThreatStatusRank != 470 | measure max(ThreatStatusRank) as Rank by Computer | Top 50000"
+ -dynamicQuery "Type=ProtectionStatus ThreatStatusRank > 199 ThreatStatusRank != 470 | measure max(ThreatStatusRank) as Rank by Computer | Top 5000"
 #All Windows security login failures in the past 1 hours.
 .\RB-ProcessLogs.ps1 `
diff --git a/Deploy/Tenant/RB-ProcessLogs.ps1 b/Deploy/Tenant/RB-ProcessLogs.ps1
index 59fada0..77fd312 100644
--- a/Deploy/Tenant/RB-ProcessLogs.ps1
+++ b/Deploy/Tenant/RB-ProcessLogs.ps1
@@ -16,22 +16,23 @@ $StorageAccountName = ""
 $StorageContainerName = ""
 $StorageAccountKey = ""
 $Ctx = New-AzureStorageContext $StorageAccountName -StorageAccountKey $StorageAccountKey
-#Get-AzureStorageContainer -Name $StorageContainerName -Context $Ctx
 $workspace = Get-AutomationVariable -Name "OMSWorkspaceName"
 $date = get-date -f yyyyMMddHHmm
-#$reportname = "activealertscritical"
-#$dynamicQuery = "Type=Alert (AlertSeverity=error or AlertSeverity=critical) TimeGenerated>NOW-24HOUR AlertState!=Closed"
-# Run the OMS Query Search - Edit Workspace Name Per Tenant
-# NOTE : Results are limited to 5000 results
+# Run the OMS Query Search
+# NOTE : Results are limited to 5000 results by the API
 $result = Get-AzureRmOperationalInsightsSearchResults -ResourceGroupName "zMonitor" -WorkspaceName $($workspace) -Top 5000 -Query $dynamicQuery
-$result.Value | ConvertFrom-Json | Export-Csv -NoTypeInformation $env:TEMP\$($workspace)-$($reportname)-$($date)-temp.csv -Force
+# Process the report if it contains data
+if ($result.Value.Count -gt 0)
+{
+ $result.Value | ConvertFrom-Json | Export-Csv -NoTypeInformation $env:TEMP\$($workspace)-$($reportname)-$($date)-temp.csv -Force
-Import-Csv $env:TEMP\$(Get-AutomationVariable -Name "OMSWorkspaceName")-$($reportname)-$($date)-temp.csv |
- select-Object *,@{Name='tenantworkspace';Expression={$($workspace)}},@{Name='reportname';Expression={$($reportname)}} |
- Export-Csv -NoTypeInformation $env:TEMP\$($workspace)-$($reportname)-$($date).csv
+ Import-Csv $env:TEMP\$(Get-AutomationVariable -Name "OMSWorkspaceName")-$($reportname)-$($date)-temp.csv |
+ select-Object *,@{Name='tenantworkspace';Expression={$($workspace)}},@{Name='reportname';Expression={$($reportname)}} |
+ Export-Csv -NoTypeInformation $env:TEMP\$($workspace)-$($reportname)-$($date).csv
-#Write-Output "Moving CSV Results File to Azure Blob Storage."
-Set-AzureStorageBlobContent -Context $Ctx -File $env:TEMP\$($workspace)-$($reportname)-$($date).csv -Container $StorageContainerName -Force | Out-Null
+ #Write-Output "Moving CSV Results File to Azure Blob Storage."
+ Set-AzureStorageBlobContent -Context $Ctx -File $env:TEMP\$($workspace)-$($reportname)-$($date).csv -Container $StorageContainerName -Force | Out-Null
+}
\ No newline at end of file
diff --git a/Documentation/Deploy-Tenant.md b/Documentation/Deploy-Tenant.md
index 38878de..cd9d75f 100644
--- a/Documentation/Deploy-Tenant.md
+++ b/Documentation/Deploy-Tenant.md
@@ -49,7 +49,7 @@ The overall process for tenant monitoring is:
 1. Configure Azure Automation
- Take your time through this section. The components need time to register and come online.
+ Take your time through this section. The components need time to register and come online.
 1. Create Run As Account
@@ -67,7 +67,7 @@ The overall process for tenant monitoring is:
 $StorageContainerName = ""
 $StorageAccountKey = ""
 ```
- These are the settings in the service providers BLOB storage account
+ These are the settings in the service providers BLOB storage account.
 1. Import existing runbooks
@@ -78,7 +78,7 @@ The overall process for tenant monitoring is:
 * RB-Ops-Hourly.ps1
 * RB-ProcessLogs.ps1
- For each of the imported runbooks, open the Runbook blade, click "Edit" then "Publish".
+ For each of the imported runbooks, open the Runbook blade, click "Edit" then "Publish".
 Then create and link schedules for the Daily and Hourly scripts:
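Review bot: The new `if` block in RB-ProcessLogs.ps1 still leaves both CSVs it writes under `$env:TEMP` on the worker after `Set-AzureStorageBlobContent` returns, and per the RB-Ops-Hourly callers those files hold detected-threat and failed-logon data, so add `Remove-Item "$env:TEMP\$($workspace)-$($reportname)-$($date)*.csv" -ErrorAction SilentlyContinue` as the last statement of the block. The 5000-row cap the new comment describes is also silent: a result with exactly `-Top 5000` rows was truncated, so guard it with `if ($result.Value.Count -ge 5000) { Write-Warning "$reportname for $workspace hit the 5000-row API cap; report is truncated" }` before the export, otherwise a busy tenant loses detections with no signal. Inside the block `Import-Csv` re-reads the workspace name via `Get-AutomationVariable -Name "OMSWorkspaceName"` while the preceding `Export-Csv` used `$workspace`; use `$workspace` in both so the two paths cannot diverge. The hunk header shows `$StorageAccountKey = ""` pasted into runbook source even though the script already pulls `OMSWorkspaceName` through Get-AutomationVariable; keep the key in an encrypted Automation variable (or replace it with a write-only, container-scoped SAS) and read it the same way.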