Created
February 2, 2024 23:57
Fetches logs from Directory Logs to process them or send elsewhere.
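# Lists management events from the Azure Activity Log for the last 24 hours
# and prints the ones whose operation is
# Microsoft.Authorization/elevateAccess/action (Azure "Elevate access",
# recorded in the tenant-level Directory Activity log).
# Prerequisite: an existing Az session (Connect-AzAccount) whose identity is
# allowed to read the tenant-level activity log.

# Look back one day; the API expects an ISO-8601 UTC timestamp in $filter.
$GetDate = (Get-Date).AddDays(-1)
$dateFormatForQuery = $GetDate.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Getting Azure context for the API call. Fail early instead of sending a
# request with an empty bearer token (which would only surface as a 401).
$currentContext = Get-AzContext
if (-not $currentContext) {
    throw 'No Azure context found. Run Connect-AzAccount first.'
}

# Fetching new token
$azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
$profileClient = [Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient]::new($azureRmProfile)
$token = $profileClient.AcquireAccessToken($currentContext.Tenant.Id)

# Modify the URI to filter on the action.
# The URI has to be a double-quoted string: left unquoted, PowerShell parses it
# as a command and treats the '&' characters as statement separators. The
# backticks keep the literal OData parameter names '$filter' / '$select' from
# being expanded as variables, while $($dateFormatForQuery) is expanded.
$uri = "https://management.azure.com/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&`$filter=eventTimestamp ge '$($dateFormatForQuery)'&`$select=eventName,id,resourceGroupName,resourceProviderName,operationName,status,eventTimestamp,correlationId,submissionTimestamp,level"

$headers = @{
    Authorization  = "Bearer $($token.AccessToken)"
    'Content-Type' = 'application/json'
}

# Invoke the REST API call, page by page. The list API returns a nextLink when
# there are more results; ignoring it silently drops every event past the
# first page, and for this script a dropped page is a missed elevation event.
while ($uri) {
    $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method 'GET'

    # Print the data for items with the specified operationName
    foreach ($item in $page.value) {
        # operationName (like eventName, resourceProviderName and status) is a
        # {value, localizedValue} object; compare on the raw, non-localized value.
        $operationNameValue = $item.operationName.value
        if ($operationNameValue -eq 'Microsoft.Authorization/elevateAccess/action') {
            Write-Output "Event Name: $($item.eventName.value)"
            Write-Output "ID: $($item.id)"
            Write-Output "Resource Group Name: $($item.resourceGroupName)"
            Write-Output "Resource Provider Name: $($item.resourceProviderName.value)"
            Write-Output "Operation Name: $($operationNameValue)"
            Write-Output "Status: $($item.status.value)"
            Write-Output "Event Timestamp: $($item.eventTimestamp)"
            Write-Output "Correlation ID: $($item.correlationId)"
            Write-Output "Submission Timestamp: $($item.submissionTimestamp)"
            Write-Output "Level: $($item.level)"
            Write-Output "------------------------"
        }
    }

    # $null once the last page has been read, which ends the loop.
    $uri = $page.nextLink
}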
Thanks to @grtn316 for developing this after figuring out where the logs go.