From 881e3de849f86369ae9c815efec5fc1d81eaee60 Mon Sep 17 00:00:00 2001
From: Yonko Ganchev
Date: Mon, 25 Sep 2023 19:36:52 -0400
Subject: [PATCH] Add forensics
---
 Azure-ARM/forensics_log_pull.ps1 | 24 ++++++++++++++++++++++++
 Azure-ARM/prereqcheck.sh | 2 +-
 2 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 Azure-ARM/forensics_log_pull.ps1
diff --git a/Azure-ARM/forensics_log_pull.ps1 b/Azure-ARM/forensics_log_pull.ps1
new file mode 100644
index 0000000..0af90d8
--- /dev/null
+++ b/Azure-ARM/forensics_log_pull.ps1
@@ -0,0 +1,24 @@
+#Pull Product Services, IIS, Event Viewer logs as well as Netstat and TCPConnection logs
+$DT = get-date -Format "ddd-MM-dd-yy-HHmmss-ffff-Z"
+mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs"
+mkdir "$env:TEMP\all-Logs\$DT\EventViewerLogs"
+mkdir "$env:TEMP\all-Logs\$DT\TCPLogs"
+mkdir "$env:TEMP\all-Logs\$DT\IISLogs"
+copy "$env:SystemRoot\System32\winevt\Logs\*" "$env:TEMP\all-Logs\$DT\EventViewerLogs\"
+copy c:\profisee\configuration\logfiles\systemlog.log $env:TEMP\all-Logs\$DT\ProfiseeLogs\config-log.log
+copy c:\profisee\gateway\logfiles\systemlog.log $env:TEMP\all-Logs\$DT\ProfiseeLogs\gateway-log.log
+copy c:\profisee\services\attachments\logfiles\systemlog.log $env:TEMP\all-Logs\$DT\ProfiseeLogs\attachments-log.log
+copy c:\profisee\services\auth\logfiles\systemlog.log $env:TEMP\all-Logs\$DT\ProfiseeLogs\auth-log.log
+copy c:\profisee\services\governance\logfiles\systemlog.log $env:TEMP\all-Logs\$DT\ProfiseeLogs\governance-log.log
+copy c:\profisee\services\machinelearning\logfiles\systemlog.log $env:TEMP\all-Logs\$DT\ProfiseeLogs\ml-log.log
+copy c:\profisee\services\monolith\logfiles\systemlog.log $env:TEMP\all-Logs\$DT\ProfiseeLogs\monolith-log.log
+copy c:\profisee\services\workflows\logfiles\systemlog.log $env:TEMP\all-Logs\$DT\ProfiseeLogs\workflows-log.log
+copy c:\profisee\web\logfiles\systemlog.log $env:TEMP\all-Logs\$DT\ProfiseeLogs\web-log.log
+copy c:\profisee\webportal\logfiles\systemlog.log $env:TEMP\all-Logs\$DT\ProfiseeLogs\webportal-log.log
+copy C:\inetpub\logs\LogFiles\W3SVC1\*.log $env:TEMP\all-Logs\$DT\IISLogs\
+netstat -anobq > $env:TEMP\all-Logs\$DT\TCPLogs\netstat.txt
+Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending | out-file $env:TEMP\all-Logs\$DT\TCPLogs\TCPconnections.txt
+
+#Compress and copy to fileshare
+compress-archive -Path 
"$env:TEMP\all-Logs\$DT\" -DestinationPath "$env:TEMP\all-Logs-$DT.zip"
+copy "$env:TEMP\all-Logs-$DT.zip" "C:\fileshare\"
\ No newline at end of file
diff --git a/Azure-ARM/prereqcheck.sh b/Azure-ARM/prereqcheck.sh
index 7da0c78..e772782 100644
--- a/Azure-ARM/prereqcheck.sh
+++ b/Azure-ARM/prereqcheck.sh
@@ -67,7 +67,7 @@ echo "Is the Deployment Managed Identity assigned the Contributor Role at the Su
 subscriptionContributor=$(az role assignment list --all --assignee $currentIdentityId --output json --include-inherited --query "[?roleDefinitionName=='Contributor' && scope=='/subscriptions/$SUBSCRIPTIONID'].roleDefinitionName" --output tsv)
 if [ -z "$subscriptionContributor" ]; then
 echo "Role is NOT assigned at Subscription level. Exiting with error. Please assign the Contributor role to the Deployment Managed Identity at the Subscription Level. Please visit https://support.profisee.com/wikis/profiseeplatform/planning_your_managed_identity_configuration for more information."
- #Deployment MAnaged Identity is not granted Contributor at Subscription level, checking Resource Group level.
+ #Deployment Managed Identity is not granted Contributor at Subscription level, checking Resource Group level.
 #rgContributor=$(az role assignment list --all --assignee $currentIdentityId --output json --include-inherited --query "[?roleDefinitionName=='Contributor' && scope=='/subscriptions/$SUBSCRIPTIONID/resourceGroups/$RESOURCEGROUPNAME'].roleDefinitionName" --output tsv)
 #if [ -z "$rgContributor" ]; then
 #err="Role is NOT assigned at either Subscription or Resource Group level. Exiting with error. Please assign the Contributor role to the Deployment Managed Identity at either Subscription or Resource Group level. Please visit https://support.profisee.com/wikis/profiseeplatform/planning_your_managed_identity_configuration for more information."
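Review bot: The `Z` in `-Format "ddd-MM-dd-yy-HHmmss-ffff-Z"` on the `$DT` line is not a .NET custom date-format specifier, so it is written literally after a local-time stamp and every collection folder and archive name claims UTC when it is not, which will skew any timeline built from these names; use `$DT = (Get-Date).ToUniversalTime().ToString("ddd-MM-dd-yy-HHmmss-ffff") + "Z"` (or the `K` specifier to record the real offset). None of the `copy` lines nor the `Get-Process -PID` lookup checks for failure, so a locked or absent log, or a process that exits before its name is resolved, leaves a gap in the bundle with only a console warning; setting `$ErrorActionPreference = 'Stop'` with `-ErrorAction Continue` on the optional copies, or at least `Start-Transcript` into the bundle directory, would record what was and was not collected. For evidence value the bundle should carry a hash manifest before it is zipped and moved to `C:\fileshare\`, e.g. `Get-ChildItem -Recurse -File "$env:TEMP\all-Logs\$DT" | Get-FileHash | Export-Csv "$env:TEMP\all-Logs\$DT\manifest.csv"`. The live `.evtx` files under `winevt\Logs` are more reliably exported with `wevtutil epl` than copied while the Event Log service holds them, and only the `W3SVC1` site's IIS logs are collected, so logs of any other IIS site are silently skipped.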