Add forensics

profiseedev · Sep 25, 2023 · 881e3de · 881e3de
1 parent ddbba6e
commit 881e3de
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/Azure-ARM/forensics_log_pull.ps1 b/Azure-ARM/forensics_log_pull.ps1
@@ -0,0 +1,24 @@
+#Pull Product Services, IIS, Event Viewer logs as well as Netstat and TCPConnection logs
+$DT = get-date -Format "ddd-MM-dd-yy-HHmmss-ffff-Z" 
+mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs"
+mkdir "$env:TEMP\all-Logs\$DT\EventViewerLogs"
+mkdir "$env:TEMP\all-Logs\$DT\TCPLogs"
+mkdir "$env:TEMP\all-Logs\$DT\IISLogs"
+copy "$env:SystemRoot\System32\winevt\Logs\*" "$env:TEMP\all-Logs\$DT\EventViewerLogs\"
+copy c:\profisee\configuration\logfiles\systemlog.log $env:TEMP\all-Logs\$DT\ProfiseeLogs\config-log.log
+copy c:\profisee\gateway\logfiles\systemlog.log $env:TEMP\all-Logs\$DT\ProfiseeLogs\gateway-log.log
+copy c:\profisee\services\attachments\logfiles\systemlog.log $env:TEMP\all-Logs\$DT\ProfiseeLogs\attachments-log.log
+copy c:\profisee\services\auth\logfiles\systemlog.log $env:TEMP\all-Logs\$DT\ProfiseeLogs\auth-log.log
+copy c:\profisee\services\governance\logfiles\systemlog.log $env:TEMP\all-Logs\$DT\ProfiseeLogs\governance-log.log
+copy c:\profisee\services\machinelearning\logfiles\systemlog.log $env:TEMP\all-Logs\$DT\ProfiseeLogs\ml-log.log
+copy c:\profisee\services\monolith\logfiles\systemlog.log $env:TEMP\all-Logs\$DT\ProfiseeLogs\monolith-log.log
+copy c:\profisee\services\workflows\logfiles\systemlog.log $env:TEMP\all-Logs\$DT\ProfiseeLogs\workflows-log.log
+copy c:\profisee\web\logfiles\systemlog.log $env:TEMP\all-Logs\$DT\ProfiseeLogs\web-log.log
+copy c:\profisee\webportal\logfiles\systemlog.log $env:TEMP\all-Logs\$DT\ProfiseeLogs\webportal-log.log
+copy C:\inetpub\logs\LogFiles\W3SVC1\*.log $env:TEMP\all-Logs\$DT\IISLogs\
+netstat -anobq > $env:TEMP\all-Logs\$DT\TCPLogs\netstat.txt
+Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending | out-file $env:TEMP\all-Logs\$DT\TCPLogs\TCPconnections.txt
+
+#Compress and copy to fileshare
+compress-archive -Path "$env:TEMP\all-Logs\$DT\" -DestinationPath "$env:TEMP\all-Logs-$DT.zip"
+copy "$env:TEMP\all-Logs-$DT.zip" "C:\fileshare\"
diff --git a/Azure-ARM/prereqcheck.sh b/Azure-ARM/prereqcheck.sh
@@ -67,7 +67,7 @@ echo "Is the Deployment Managed Identity assigned the Contributor Role at the Su
 subscriptionContributor=$(az role assignment list --all --assignee $currentIdentityId --output json --include-inherited --query "[?roleDefinitionName=='Contributor' && scope=='/subscriptions/$SUBSCRIPTIONID'].roleDefinitionName" --output tsv)
 if [ -z "$subscriptionContributor" ]; then
 	echo "Role is NOT assigned at Subscription level. Exiting with error. Please assign the Contributor role to the Deployment Managed Identity at the Subscription Level. Please visit https://support.profisee.com/wikis/profiseeplatform/planning_your_managed_identity_configuration for more information."
-	#Deployment MAnaged Identity is not granted Contributor at Subscription level, checking Resource Group level.
+	#Deployment Managed Identity is not granted Contributor at Subscription level, checking Resource Group level.
 	#rgContributor=$(az role assignment list --all --assignee $currentIdentityId --output json --include-inherited --query "[?roleDefinitionName=='Contributor' && scope=='/subscriptions/$SUBSCRIPTIONID/resourceGroups/$RESOURCEGROUPNAME'].roleDefinitionName" --output tsv)
 	#if [ -z "$rgContributor" ]; then
 		#err="Role is NOT assigned at either Subscription or Resource Group level. Exiting with error. Please assign the Contributor role to the Deployment Managed Identity at either Subscription or Resource Group level. Please visit https://support.profisee.com/wikis/profiseeplatform/planning_your_managed_identity_configuration for more information."