ranieuwe/FetchLogs.ps1

## FetchLogs.ps1
$GetDate = (Get-Date).AddDays((-1))

$dateFormatForQuery = $GetDate.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Getting Azure context for the API call
$currentContext = Get-AzContext

# Fetching new token
$azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
$profileClient = [Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient]::new($azureRmProfile)
$token = $profileClient.AcquireAccessToken($currentContext.Tenant.Id)

# Modify the URI to filter on the action
$uri = https://management.azure.com/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&`$filter=eventTimestamp ge '$($dateFormatForQuery)'&`$select=eventName,id,resourceGroupName,resourceProviderName,operationName,status,eventTimestamp,correlationId,submissionTimestamp,level

# Invoke the REST API call
$listOperations = @{
    Uri     = $uri
    Headers = @{
        Authorization  = "Bearer $($token.AccessToken)"
        'Content-Type' = 'application/json'
    }
    Method  = 'GET'
}

$list = Invoke-RestMethod @listOperations

# Print the data for items with the specified operationName
foreach ($item in $list.value) {
    $operationNameValue = $item.operationName.value -replace '@{value=', '' -replace '; localizedValue.*', ''
    if ($operationNameValue -eq 'Microsoft.Authorization/elevateAccess/action') {
        Write-Output "Event Name: $($item.eventName.value)"
        Write-Output "ID: $($item.id)"
        Write-Output "Resource Group Name: $($item.resourceGroupName)"
        Write-Output "Resource Provider Name: $($item.resourceProviderName)"
        Write-Output "Operation Name: $($operationNameValue)"
        Write-Output "Status: $($item.status)"
        Write-Output "Event Timestamp: $($item.eventTimestamp)"
        Write-Output "Correlation ID: $($item.correlationId)"
        Write-Output "Submission Timestamp: $($item.submissionTimestamp)"
        Write-Output "Level: $($item.level)"
        Write-Output "------------------------"
    }
}
	$GetDate = (Get-Date).AddDays((-1))

	$dateFormatForQuery = $GetDate.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

	# Getting Azure context for the API call
	$currentContext = Get-AzContext

	# Fetching new token
	$azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
	$profileClient = [Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient]::new($azureRmProfile)
	$token = $profileClient.AcquireAccessToken($currentContext.Tenant.Id)

	# Modify the URI to filter on the action
	$uri = https://management.azure.com/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&`$filter=eventTimestamp ge '$($dateFormatForQuery)'&`$select=eventName,id,resourceGroupName,resourceProviderName,operationName,status,eventTimestamp,correlationId,submissionTimestamp,level

	# Invoke the REST API call
	$listOperations = @{
	Uri = $uri
	Headers = @{
	Authorization = "Bearer $($token.AccessToken)"
	'Content-Type' = 'application/json'
	}
	Method = 'GET'
	}

	$list = Invoke-RestMethod @listOperations

	# Print the data for items with the specified operationName
	foreach ($item in $list.value) {
	$operationNameValue = $item.operationName.value -replace '@{value=', '' -replace '; localizedValue.*', ''
	if ($operationNameValue -eq 'Microsoft.Authorization/elevateAccess/action') {
	Write-Output "Event Name: $($item.eventName.value)"
	Write-Output "ID: $($item.id)"
	Write-Output "Resource Group Name: $($item.resourceGroupName)"
	Write-Output "Resource Provider Name: $($item.resourceProviderName)"
	Write-Output "Operation Name: $($operationNameValue)"
	Write-Output "Status: $($item.status)"
	Write-Output "Event Timestamp: $($item.eventTimestamp)"
	Write-Output "Correlation ID: $($item.correlationId)"
	Write-Output "Submission Timestamp: $($item.submissionTimestamp)"
	Write-Output "Level: $($item.level)"
	Write-Output "------------------------"
	}
	}