Andrew Matveychuk andrewmatveychuk
☁️
andrewmatveychuk
/ Log-ToLogAnalytics_v2.ps1
Created
February 24, 2024 21:12
An improved Azure Automation runbook that sends custom logs to a Log Analytics workspace
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #region LogEntry class definition | |
| # Defining your custom categories using enum type | |
| enum OperationResultList : byte { | |
| Disabled | |
| Deleted | |
| Detected | |
| } | |
| # Defining your custom PowerShell class for log entries | |
| class LogEntry { |
andrewmatveychuk
/ LogEntry.ps1
Created
February 23, 2024 20:54
A sample PowerShell class for defining custom log entry objects
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| enum OperationResultList : byte { | |
| Disabled | |
| Deleted | |
| Detected | |
| } | |
| class LogEntry { | |
| [OperationResultList] $OperationResult | |
| [ValidateNotNullOrEmpty()] [string] $OperationDetails |
andrewmatveychuk
/ New-LogEntry.ps1
Last active
February 24, 2024 21:09
A sample PowerShell function to push logs to a Log Analytics workspace
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function New-LogEntry { | |
| <# | |
| .SYNOPSIS | |
| Push a new log entry(s) to a Data Collection Endpoint | |
| .DESCRIPTION | |
| The New-LogEntry cmdlet sends provided JSON payload to the target Data Collection Endpoint | |
| to be processed by Data Collection Rule and logged to an underlying Log Analytics workspace | |
| .PARAMETER DceEndpoint | |
| Data collection endpoint (DCE) to send collected data for processing and ingestion into Azure Monitor | |
| .PARAMETER DcrImmutableId |
andrewmatveychuk
/ Log-ToLogAnalytics_v1.ps1
Created
February 23, 2024 10:12
A basic Azure Automation runbook that sends custom logs to a Log Analytics workspace
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #region Creating your log entries | |
| $logEntry1 = [PSCustomObject]@{ | |
| OperationResult = 'Disabled' | |
| OperationDetails = 'Some operation details goes here...' | |
| } | |
| $logEntry2 = [PSCustomObject]@{ | |
| OperationResult = 'Deleted' | |
| OperationDetails = 'Some operation details goes here...' | |
| } |
andrewmatveychuk
/ GetChangesBeforeSpecificTime.kql
Created
August 1, 2023 11:38
Get changes that happened before specific time in a resource group
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resourcechanges | |
| | where resourceGroup =~ '{ResourceGroup:resourcegroup}' | |
| | extend changeTime = todatetime(properties.changeAttributes.timestamp), | |
| targetResourceId = tostring(properties.targetResourceId), | |
| changeType = tostring(properties.changeType), | |
| correlationId = properties.changeAttributes.correlationId, | |
| changedProperties = properties.changes, | |
| changeCount = properties.changeAttributes.changesCount | |
| | where changeTime < todatetime('{fireTime}') | |
| | order by changeTime desc |
andrewmatveychuk
/ GetAlertsInTimeRangeInResourceGroup.kql
Created
August 1, 2023 11:35
Get alerts in a time range in a resource group
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| alertsmanagementresources | |
| | where properties.essentials.targetResourceGroup =~ '{ResourceGroup:resourcegroup}' | |
| | where properties.essentials.startDateTime {TimeRange} | |
| | where properties.essentials.monitorCondition in ({AlertCondition}) | |
| | extend severity = tostring(properties.essentials.severity), | |
| alertCondition = tostring(properties.essentials.monitorCondition), | |
| userResponse = tostring(properties.essentials.alertState), | |
| targetResource = tostring(properties.essentials.targetResource), | |
| fireTime = todatetime(properties.essentials.startDateTime) | |
| | order by fireTime desc |
andrewmatveychuk
/ GetAllActiveAlertsInResourceGroup.kql
Created
August 1, 2023 11:32
Get all active alerts in a resource group
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| alertsmanagementresources | |
| | where properties.essentials.targetResourceGroup =~ 'your_resource_group_name' | |
| | where properties.essentials.monitorCondition =~ 'Fired' | |
| | extend severity = tostring(properties.essentials.severity), | |
| alertCondition = tostring(properties.essentials.monitorCondition), | |
| userResponse = tostring(properties.essentials.alertState), | |
| targetResource = tostring(properties.essentials.targetResource), | |
| fireTime = todatetime(properties.essentials.startDateTime) | |
| | order by fireTime desc | |
| | project name, severity, alertCondition, userResponse, targetResource, fireTime, properties |
andrewmatveychuk
/ GetAllChangesInResourceGroup.kql
Created
August 1, 2023 11:29
Get all changes in a resource group
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resourcechanges | |
| | where resourceGroup =~ 'your_resource_group_name' | |
| | extend changeTime = todatetime(properties.changeAttributes.timestamp), | |
| targetResourceId = tostring(properties.targetResourceId), | |
| changeType = tostring(properties.changeType), | |
| correlationId = properties.changeAttributes.correlationId, | |
| changedProperties = properties.changes, | |
| changeCount = properties.changeAttributes.changesCount | |
| | order by changeTime desc | |
| | project changeTime, targetResourceId, changeType, correlationId, changeCount, changedProperties |
andrewmatveychuk
/ tag-match-date-policy-rule.json
Created
May 14, 2023 16:38
Sample Azure Policy rule to match a specific date format
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "parameters": { | |
| "tagPattern": { | |
| "type": "String", | |
| "metadata": { | |
| "displayName": "Tag pattern", | |
| "description": "An expressions for \"notMatch\" condition" | |
| } | |
| } | |
| // Other policy parameters... | |
| }, |
andrewmatveychuk
/ tag-notIn-numeric-policy-rule.json
Created
May 14, 2023 16:25
Sample Azure Policy rule for a list of allowed tag numeric values
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "parameters": { | |
| "tagAllowedValues": { | |
| "type": "Array", // You can provide allowed tag values as numerics ["1", "2", "3"]. Just remember that they are still treated as strings | |
| "metadata": { | |
| "displayName": "Tag allowed values", | |
| "description": "List of allowed options" | |
| } | |
| } | |
| // Other policy parameters... | |
| }, |
NewerOlder