Skip to content

Instantly share code, notes, and snippets.

@codingoutloud
Created November 26, 2023 19:14
Show Gist options
  • Save codingoutloud/058a5c82a1aea5cd87982fa8e6a1a3a5 to your computer and use it in GitHub Desktop.
Save codingoutloud/058a5c82a1aea5cd87982fa8e6a1a3a5 to your computer and use it in GitHub Desktop.
Azure CLI wrapped for seeing who created a VM or reset the password. Uses only Activity Log (control plane) logs.
#!/bin/bash
rgName=qu-rg
# comment out setting of the VM name to instead use the resource group (more results may be returned)
# you can also change the VM name here to focus on a different VM
###vmName=qu-sam-vm
if [ -z "${vmName}" ]; then
# if vmName is not set, use the resource group
RESOURCESCOPE="--resource-group $rgName"
echo "Scope of scan is the $rgName resource group."
else
vmId=$(az vm show --resource-group $rgName --name $vmName --query id -o tsv)
RESOURCESCOPE="--resource-id $vmId"
echo "Scope of scan is the $vmName VM."
fi
# echo "RESOURCESCOPE = $RESOURCESCOPE"
echo ""
echo "Activity Log (control plane) audit trail for creation of Windows Server VM resources"
echo ".... WHO CREATED VMs? ...."
az monitor activity-log list --max-events 10000 --offset 90d $RESOURCESCOPE --query "[?resourceType.value=='Microsoft.Compute/virtualMachines' && status.value=='Succeeded' && operationName.value=='Microsoft.Compute/virtualMachines/write'].{By:caller, At:eventTimestamp, Operation:operationName.localizedValue, Status:status.value, VM:resourceId}" -o table | sed 's|/subscriptions/.*/||' | sed 's/-\{20,\}$/------/g'
echo ""
echo "Activity Log (control plane) audit trail for invocation of VM extension \"enablevmAccess\" for password resets in Windows Server VMs"
echo ".... WHO RESET VM PASSWORDS? ...."
az monitor activity-log list --max-events 10000 --offset 90d $RESOURCESCOPE --query "[?ends_with(resourceId, 'enablevmAccess') && status.value=='Succeeded' && operationName.value == 'Microsoft.Compute/virtualMachines/extensions/write'].{By:caller, At:eventTimestamp, Operation:operationName.localizedValue, Status:status.value, VM:resourceId}" -o table | sed 's|/subscriptions/.*virtualMachines/||' | sed 's|/extensions/enablevmAccess||' | sed 's/-\{20,\}$/------/g'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment